I have an admin with 5 or 6 user types (admins, users, partners, curators, vendors, etc.) each can have access to different pages as well as different functions within a page. Wondering what best practices might be in designing a methodology for this with least amount of if statements, which is pretty much how I handle it now.
Hi,
I have been a PHP developer for 13 years and have experience building enterprise applications.
What framework are you using? Most PHP frameworks have a built in authentication and authorization mechanism. For example, Yii has a builtin RBAC system that allow you to define a hierarchical permission system.
If you're not using a framework or you just want to implement your own system for whatever reason then you can utilize Object Oriented Design and implement a Base controller (if MVC) that checks the permission for each request. That won't use a lot of if statements.
Probably need more info, to give definitive guidance. Hope that helps.
Are you using a MySQL Database? And is your PHP application coded using any frameworks that you know of, Zend, Symfony, Yii, Laravel, Codeigniter? A lot of those frameworks already have permission systems built in.
Assuming you're not using any of those, one option is creating roles, then assigning those roles to your different PHP pages, and you would then assign the roles to a user.
Here's an example of how to structure the database.
You need at least 4 tables
roles: id, name
This would be for adding the role names (admin, users, partners, etc)
role_permissions: id, role_id, page_name
This would be assigning what pages a specific role can access.
user_roles: id, user_id, role_id
This is where you assign a user to a role
users: id, username, password, email
(I'm assuming you already have a users table, but this is were your users would be stored)
Now let's assume you have all the roles configured and a users assigned.
SELECT COUNT(rp.page_name) FROM user_roles AS ur
JOIN role_permissions AS rp ON rp.role_id=ur.role_id
WHERE ur.user_id=:user_id AND
rp.page_name=:page_name
If the result equals 1 the user has permission to view the page, if 0, they do not.
This is one of the most scalable and configurable ways to handle RBAS (Role Based Access Systems)
If you'd like I can draw out detailed blueprints (WireFrames) on how the UI would look for configuring roles and assigning them to users and how to implement a re-useable class so you only need to write 1 line of code to check if a user has permission to access a specific page.
I'd be happy to speak with you over the phone to go over this more in detail.
