RESTful query permissions

I am creating a simple app to control user access.

I have one database table which has all user information, and I need to create different privileges for different user groups. For example, the manager can search all people, while the team leader can only list all team members.

I would like to know how I can approach this.

Authenticate based on session via cookie, or an authentication token.

For example: /api/userinfo?api_key={insert key here}.

In your back end (pseudocode):

<?php
// $db is assumed to be a PDO connection; the users table is assumed to have
// `role` and `team_id` columns. Prepared statements keep the key out of the SQL text.
$stmt = $db->prepare("SELECT * FROM users WHERE api_key = :key");
$stmt->execute([':key' => $_GET['api_key'] ?? '']);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

if ($user === false) {
    http_response_code(401);   // unknown key: stop before any data query runs
    exit;
}

if ($user['role'] === 'manager') {
    // manager: may see everyone
    $results = $db->query("SELECT * FROM users")->fetchAll(PDO::FETCH_ASSOC);
} else {
    // everyone else: scope is taken from the caller's own record, never from the request
    $stmt = $db->prepare("SELECT * FROM users WHERE team_id = :team");
    $stmt->execute([':team' => $user['team_id']]);
    $results = $stmt->fetchAll(PDO::FETCH_ASSOC);
}

echo json_encode($results);
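The same approach worked through end to end, as an added example that is not part of the answer above: token lookup with a parameterised query, then a per-role scope (manager sees all users, team leader sees only their own team, anyone else only themselves) derived from the caller's stored record rather than from request input. Written in Python with sqlite3 so it runs stand-alone; the schema, column names and sample users are constructed for the demo.

```python
import hashlib
import sqlite3

# Constructed schema and sample data (assumed, not from the post).
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY, name TEXT, team TEXT, role TEXT, api_key_hash TEXT
);
"""
SAMPLE_USERS = [
    (1, "alice", "sales", "manager", "key-alice"),
    (2, "bob", "sales", "team_leader", "key-bob"),
    (3, "carol", "sales", "member", "key-carol"),
    (4, "dave", "support", "member", "key-dave"),
]


def key_hash(api_key: str) -> str:
    # Store only a hash of the token so a leaked table does not leak live keys.
    return hashlib.sha256(api_key.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)",
                   [(i, n, t, r, key_hash(k)) for i, n, t, r, k in SAMPLE_USERS])
    return db


def authenticate(db: sqlite3.Connection, api_key: str):
    # Parameterised lookup: the key never becomes part of the SQL text.
    return db.execute("SELECT * FROM users WHERE api_key_hash = ?",
                      (key_hash(api_key),)).fetchone()


def list_users(db: sqlite3.Connection, api_key: str) -> list:
    caller = authenticate(db, api_key)
    if caller is None:
        raise PermissionError("invalid api_key")
    if caller["role"] == "manager":
        rows = db.execute("SELECT name FROM users ORDER BY id")
    elif caller["role"] == "team_leader":
        # Scope comes from the caller's own row, not from anything the client sent.
        rows = db.execute("SELECT name FROM users WHERE team = ? ORDER BY id",
                          (caller["team"],))
    else:
        rows = db.execute("SELECT name FROM users WHERE id = ?", (caller["id"],))
    return [r["name"] for r in rows]
```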