Checking permissions

Where are we?

We want to restrict access to the administration section of a Web site. We have some log in code that checks for a valid user name and password. If it finds one, it puts data into the session.

Let’s see how we can use that session data to restrict access to pages.

This lesson’s goals

Learn:

  • Every admin page checks the log in flag in the session. You can put the code in a separate file, and use the require statement to insert it.
  • Admin pages can check permission data in the session.
  • Use permission data from the session to change the admin interface. Don’t show users actions they’re not allowed to do.

Using session data

Here’s Louise’s workflow again:

Figure 1. Louise’s workflow

The figure omits pages Louise doesn’t see, like check-log-in.php.

We saw the log in process in the previous lesson. It stores session data about the user, like this:

$_SESSION['logged in'] = 'y';
$_SESSION['user name'] = $user_name;
...
$_SESSION['permission add'] = $row['permission_add'];
$_SESSION['permission edit'] = $row['permission_edit'];
$_SESSION['permission delete'] = $row['permission_delete'];

Figure 2. Storing log in data into the session

Pages like index.php, add-product.php, and edit-product.php will use the session data to check:

  • Whether the user is logged in.
  • What permissions the user has.

Let’s see how that works.

Is the user logged in?

During log in, check-log-in.php does this if the user gives a valid user name and password:

$_SESSION['logged in'] = 'y';

Other pages, like add-product.php, can use this to check whether the user is logged in. Here’s some code.

<?php
//Start session mechanism.
session_start();
//User logged in?
if ( $_SESSION['logged in'] != 'y' ) {
  //No - jump to log in page.
  header("location:$path_to_root/admin/log-in.php");
  exit();
}
?>

Figure 3. Log in check

Line 3 starts the session. Line 5 checks the variable $_SESSION['logged in']. Recall that != means “not equal to.” So if $_SESSION['logged in'] has anything other than y, the browser is sent back to the log in page.

W00f!

This check needs to be done on every page of the site’s admin section. We could copy-and-paste the code everywhere, but there’s a better way. We’ll put the code in Figure 3 in the file library/restrict.php. Then we’ll use the require statement to insert it into all the admin pages. Here’s how add-product.php starts:

<?php
//Get data from user for a new product.
//Input:
//  None.

//Path from this page to the site root.
$path_to_root = '..';
//Security check
require $path_to_root . '/library/restrict.php';

Figure 4. Code from add-product.php

Line 9 loads the file. That’s all add-product.php needs to do.

Checking permissions

We can make an admin page check whether a user is logged in. But what about checking individual permissions?

There are two parts to this:

  • Stopping the user from doing things s/he is not allowed to do.
  • Changing the interface, so that links to things the user is not allowed to do don’t even show up.

Stopping the user

Remember this, from check-log-in.php:

$_SESSION['permission add'] = $row['permission_add'];

Admin pages can check $_SESSION['permission add'], to see whether the user is allowed to add products.

Here’s code from add-product.php:

<?php
...
//Security check
require $path_to_root . '/library/restrict.php';
if ( $_SESSION['permission add'] != 'y' ) {
  //Exit if user doesn't have add permission.
  header("location:$path_to_root/admin/index.php");
  exit();
}

Figure 5. More code from add-product.php

Line 4 checks whether the user is logged in, as we saw above.

Line 5 checks whether the user has permission to add products. If not, the browser is sent to the admin menu.

Here’s code from delete-product.php.

<?php
...
//Security check
require $path_to_root . '/library/restrict.php';
if ( $_SESSION['permission delete'] != 'y' ) {
  //Exit if user doesn't have delete permission.
  header("location:$path_to_root/admin/index.php");
  exit();
}

Figure 6. Code from delete-product.php

It’s the same, except that it checks a different permission.
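The checks in Figures 5 and 6 differ only in the permission name, so both can go through one function in library/restrict.php. This is an added example, not the lesson's own code: the function names access_redirect and restrict_to and the sample session values are assumptions, and it needs PHP 7.1 or later.

```php
<?php
// Added example, not the lesson's own code. Function names are hypothetical.

// Decide where to send the browser, or return null to let the page run.
// $permission is a session key such as 'permission add', or null for
// pages that only need a logged-in user.
function access_redirect(array $session, ?string $permission, string $path_to_root): ?string {
  // ?? '' covers visitors whose session has no data at all.
  if ( ($session['logged in'] ?? '') !== 'y' ) {
    return "$path_to_root/admin/log-in.php";
  }
  if ( $permission !== null && ($session[$permission] ?? '') !== 'y' ) {
    return "$path_to_root/admin/index.php";
  }
  return null;
}

// What an admin page calls: start the session, then redirect and stop
// unless the user is logged in and holds the permission.
function restrict_to(?string $permission, string $path_to_root): void {
  if ( session_status() !== PHP_SESSION_ACTIVE ) {
    session_start();
  }
  $target = access_redirect($_SESSION, $permission, $path_to_root);
  if ( $target !== null ) {
    header("Location: $target");
    exit();
  }
}

// Constructed sample sessions, modelled on the users in the lesson.
$kieran = ['logged in' => 'y', 'user name' => 'kieran',
  'permission add' => 'y', 'permission edit' => 'y', 'permission delete' => 'y'];
$renata = ['logged in' => 'y', 'user name' => 'renata',
  'permission add' => 'n', 'permission edit' => 'y', 'permission delete' => 'n'];
$visitor = [];  // never logged in

foreach ( ['kieran' => $kieran, 'renata' => $renata, 'visitor' => $visitor] as $who => $session ) {
  foreach ( ['permission add', 'permission edit', 'permission delete'] as $permission ) {
    $target = access_redirect($session, $permission, '..');
    print "$who / $permission: " . ($target ?? 'allowed') . "\n";
  }
}
```

With the sample loop removed, add-product.php would load the file with require and then call restrict_to('permission add', $path_to_root).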

Changing the interface

The admin interface should change, depending on what permissions the user has. Here’s Kieran’s admin menu:

Figure 7. Kieran’s admin menu

Because Kieran has permission to add, edit, and delete products, links for all of those tasks appear in the menu.

Here’s Renata’s admin menu:

Figure 8. Renata’s admin menu

Renata does not have permission to add or delete products, only to edit them. So only edit links show up in the interface.

How to make this happen? Let’s start with the “Add a new product” link. We want that to appear only for users who have permission to add new products. Here’s code from the admin menu:

<p>User: <?php print htmlspecialchars($_SESSION['user name'], ENT_QUOTES); ?></p>
<p>What do you want to do?</p>
<ul>
  <li><a href="log-out.php">Log out</a></li>
  <?php
  if ( $_SESSION['permission add'] == 'y' ) {
    ?>
      <li><a href="add-product.php">Add a new product</a></li>
    <?php
  }
  ?>

Figure 9. Code from admin/index.php

Line 1 shows the user name. You can see it on the page:

Figure 7 (again). Kieran’s admin menu

Line 4 shows a link to the log out page. We’ll look at that in the next lesson.

The next lines are:

if ( $_SESSION['permission add'] == 'y' ) {
   ?>
   <li><a href="add-product.php">Add a new product</a></li>
   <?php
}

The link to add-product.php is output to the page only if the user has permission to add products.

What about the edit and delete links?

Figure 7 (again). Kieran’s admin menu

They’re done the same way.

print "
...
<td>
";
if ( $_SESSION['permission edit'] == 'y' ) {
  print "<a href='edit-product.php?id=$product_id'>Edit</a><br>";
}
if ( $_SESSION['permission delete'] == 'y' ) {
  print "<a href='confirm-delete-product.php?id=$product_id'>Delete</a>";
}
print "
</td>
...";

Figure 10. More code from admin/index.php

The code that outputs the links is wrapped in if statements that check permissions.

Summary

  • Every admin page checks the log in flag in the session. You can put the code in a separate file, and use the require statement to insert it.
  • Admin pages can check permission data in the session.
  • Use permission data from the session to change the admin interface. Don’t show users actions they’re not allowed to do.

What now?

You know how to make log in pages store security data in the session. You know how to use that data to restrict what users can do.

Now let’s see how users can log out.
