Nov 19, 2012, 12:47 PM | #1
PHP admin control panel
I am currently making my website. I have a "Type" column in my users table in my database. For most users it says "Standard" in the type column, but for me and a few other users, it says "Admin". Does anybody know the best and most secure way to give users with "Admin" in the type column access to special admin control pages without giving access to standard users?
Nov 20, 2012, 07:59 AM | #2
Does your website have a third party CMS under the hood?
If yours is a DIY web site, the essential elements in writing a basic permissions system to control access to content could be (one of many ways):
Roles table defining fields role ID and name (1="Admin", 2="Standard", etc.)
Users table joining the roles table based on role ID
Content table with content and a field which defines which role IDs are permitted.
When the user visits a given page, a permissions check function is called which queries their role ID and the permitted role IDs, ensures a match, and displays the content. Otherwise, deny access to the page.
Most custom CMSs follow this same basic procedure, except some of them group content into content types as an easy way to invoke permissions, or they create SDKs or APIs which make it easier for developers to query user/content/role data without SQL statements. As you mentioned you prefer the "best and most secure" way, be aware of these pitfalls in your design:
Try to avoid shortcuts like storing roles only in cookies. Cookies are easily spoofed. Use sessions (which also involve cookies) with limited information such as user ID and a hash with a hash table and session expiry on the back end. Make sure all forms are protected from SQL injection and follow basic XSS procedures to ensure safe session control. These are reasons folks use third-party CMSs.
Hope this helped you in terms of generic, high level view of things.
Sr. Web Developer, owner GoldTechPro, LLC
Last edited by SrWebDeveloper; Nov 20, 2012 at 08:23 AM. Reason: Added some info about roles.
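An added example, not part of either post: the role check described in post #2, assuming an in-memory SQLite database through PDO, a hypothetical `content_roles` join table for the permitted role IDs, and a hypothetical `userMayView()` helper. The session carries only the user ID, the role is looked up in the database on each request, and the IDs are bound in a prepared statement.

```php
<?php
declare(strict_types=1);

// Constructed sample schema and data (table and column names are assumptions).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("
    CREATE TABLE roles (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
    CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                        role_id INTEGER NOT NULL REFERENCES roles(id));
    CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT NOT NULL);
    CREATE TABLE content_roles (content_id INTEGER NOT NULL, role_id INTEGER NOT NULL,
                                PRIMARY KEY (content_id, role_id));
    INSERT INTO roles VALUES (1, 'Admin'), (2, 'Standard');
    INSERT INTO users VALUES (10, 'alice', 1), (11, 'bob', 2);
    INSERT INTO content VALUES (100, 'Admin control panel'), (101, 'Home');
    INSERT INTO content_roles VALUES (100, 1), (101, 1), (101, 2);
");

// Returns true only if the role stored in the database for this user is
// listed as permitted for the requested content. Everything else is denied.
function userMayView(PDO $db, ?int $userId, int $contentId): bool
{
    if ($userId === null) {
        return false; // no logged-in user in the session
    }
    // Prepared statement: the IDs are bound, never concatenated into the SQL.
    $stmt = $db->prepare(
        'SELECT 1 FROM users u
           JOIN content_roles cr ON cr.role_id = u.role_id
          WHERE u.id = :uid AND cr.content_id = :cid'
    );
    $stmt->execute([':uid' => $userId, ':cid' => $contentId]);
    return $stmt->fetchColumn() !== false;
}

// Constructed request state: bob (Standard) is logged in and sends a spoofed
// role cookie. The cookie is never read, so it cannot affect the decision.
$_SESSION = ['user_id' => 11];
$_COOKIE  = ['role' => 'Admin'];

$userId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
foreach ([100, 101] as $contentId) {
    $allowed = userMayView($db, $userId, $contentId);
    echo "content $contentId: " . ($allowed ? "allowed" : "denied (403)") . "\n";
}
```

In a real page the check runs before any output, and a denied request gets a 403 response and no admin markup.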