The goal
Where are we?
We want to restrict who can see what pages on a site. Let’s make sure we understand what that means.
This lesson’s goals
Learn:
- There are two parts to restricting access: authentication and permissions.
- Authentication is about knowing who the user is.
- Permissions are about knowing what the user is allowed to do.
- Create a database table with information about users, including their user names, passwords, and permissions.
Authentication and permissions
Here’s the situation:

Figure 1. Louise wants to change a price
Louise wants to change a product’s price. edit-product.php is the page that lets her do that.
We’ll add some code to DogToys, including edit-product.php. The new stuff needs to handle two things:
- Authentication. Knowing which person is making the request. Is it Louise? Larry? Luna? Lenore?
- Permissions. Is Louise allowed to change product data?
Authentication
We’ll give every person in the company a user name and a password. They’ll have to log in before they can use any of the administrative functions of DogToys (like edit prices, add products, and delete products).
The log in page will look like this:

Figure 2. Log in page
The person types in his/her user name and password:

Figure 3. Louise logs in
All of the admin pages are in a separate part of the site. They’re in the admin/ directory. There’s an admin menu that shows all of the tasks authorized users are allowed to do.
Here is part of the admin menu, shown after the user logs in:

Figure 4. Admin menu
It shows the name of the logged-in user. It has a link to log out. Click it, and the browser will jump back to the log in page.
Every admin page, like edit-product.php, will have some new PHP at the very beginning. It will make sure that someone is logged in:
if ( nobody is logged in )
    Jump to the log in page.
...
Figure 5. Log in check
If nobody is logged in, the browser will be sent to the log in page.
Permissions
So now we know who is logged in. But what is that user allowed to do?
Let’s add a table to the DogToys database.

Figure 6. users table
We’ll actually use different field names later.
For each user, there’s a set of permissions, one field per task. A field holds y if the user is allowed to do that task, like edit. If the user isn’t allowed, it holds n.
Each page will check the permissions before running.
Let’s add to the security code in edit-product.php:
if ( nobody is logged in )
    Jump to log in page.
if ( edit permission is 'n' )
    Show "Permission denied" message.
    Stop.
...
Figure 7. Log in and permissions check
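Here is the users table from Figure 6 and the two-step check from Figure 7 written out as working PHP. This is an added example, not the lesson’s own DogToys code. It builds the table in an in-memory SQLite database (it needs the pdo_sqlite extension) so it runs on its own, and the field names user_name, password_hash, can_edit, can_add and can_delete are assumptions, since the lesson says it will pick different field names later. The password column stores a hash made with PHP’s password_hash(), not the password itself, and the check uses password_verify(). The logged-in user is passed in as a parameter for now; the next lesson replaces that with a session.

```php
<?php
// Added example, not the DogToys lesson's own code.
// Assumed field names: user_name, password_hash, can_edit, can_add, can_delete.
declare(strict_types=1);

function makeUsersDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // One row per person. Each permission field is 'y' or 'n', as in Figure 6.
    // The password field holds a hash, never the password itself.
    $db->exec("
        CREATE TABLE users (
            user_name     TEXT PRIMARY KEY,
            password_hash TEXT NOT NULL,
            can_edit      TEXT NOT NULL CHECK (can_edit   IN ('y','n')),
            can_add       TEXT NOT NULL CHECK (can_add    IN ('y','n')),
            can_delete    TEXT NOT NULL CHECK (can_delete IN ('y','n'))
        )
    ");
    // Constructed sample users. password_hash() salts and hashes with bcrypt.
    $insert = $db->prepare(
        'INSERT INTO users (user_name, password_hash, can_edit, can_add, can_delete)
         VALUES (?, ?, ?, ?, ?)'
    );
    $insert->execute(['louise', password_hash('louise-pw', PASSWORD_DEFAULT), 'y', 'y', 'n']);
    $insert->execute(['larry',  password_hash('larry-pw',  PASSWORD_DEFAULT), 'n', 'n', 'n']);
    return $db;
}

// Log-in check: returns the user name on success, null otherwise.
function checkLogin(PDO $db, string $userName, string $password): ?string
{
    $stmt = $db->prepare('SELECT user_name, password_hash FROM users WHERE user_name = ?');
    $stmt->execute([$userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // An unknown user and a wrong password get the same answer, so the
    // log in page does not reveal which user names exist.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row['user_name'];
}

// Permission check: is this user allowed to do this task?
function hasPermission(PDO $db, string $userName, string $task): bool
{
    // Only these task names map to a field, so $task can never reach the SQL unchecked.
    $fields = ['edit' => 'can_edit', 'add' => 'can_add', 'delete' => 'can_delete'];
    if (!isset($fields[$task])) {
        return false;   // unknown task: deny
    }
    $stmt = $db->prepare("SELECT {$fields[$task]} AS allowed FROM users WHERE user_name = ?");
    $stmt->execute([$userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && $row['allowed'] === 'y';
}

// The check at the top of every admin page (Figure 7). $loggedInUser is null
// when nobody is logged in; the next lesson takes it from the session instead.
function guardAdminPage(PDO $db, ?string $loggedInUser, string $task): string
{
    if ($loggedInUser === null) {
        return 'go-to-log-in-page';   // the real page would send a redirect and exit
    }
    if (!hasPermission($db, $loggedInUser, $task)) {
        return 'permission-denied';   // show the message and stop
    }
    return 'ok';                      // run the rest of edit-product.php
}

$db = makeUsersDb();
$user = checkLogin($db, 'louise', 'louise-pw');
echo guardAdminPage($db, $user, 'edit'), "\n";
echo guardAdminPage($db, $user, 'delete'), "\n";
echo guardAdminPage($db, null, 'edit'), "\n";
echo guardAdminPage($db, checkLogin($db, 'larry', 'wrong'), 'edit'), "\n";
```

Two design points worth noticing: the task name is looked up in a fixed list before it is used to build the query, so a page can never ask for a permission field that doesn’t exist, and a missing user, a missing row or an unknown task all fall through to "deny" rather than "allow".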
What we need to do
We need to figure out how to:
- Store data on user names, passwords, and permissions in the database.
- Check this information on log in.
- Check the user’s permissions when s/he visits a page.
- Let the user log out.
You already know all the PHP you need, except for one thing: remembering who a user is once s/he has logged in. We’ll look at that in the next lesson.
Summary
- There are two parts to restricting access: authentication and permissions.
- Authentication is about knowing who the user is.
- Permissions are about knowing what the user is allowed to do.
- Create a database table with information about users, including their user names, passwords, and permissions.
What now?
Let’s talk about PHP sessions. DogToys will use sessions to remember who has logged in.