By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
426,133 Members | 1,113 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 426,133 IT Pros & Developers. It's quick & easy.

Restricting Access to Menu Options

P: n/a
Good morning everyone.

I'm building a very simple content management site that tracks
"tasks."

The options available are:
1. Add Task
2. Edit Task
3. View Task
4. Print Task

I need to restrict some users to only View and Print and I'm trying to
find a way to tell the page not to load the menu options (the text)
for those not having access to the Add and Edit functions.

IOW, they would only see View and Print.

I have three basic users:
1. System Admin
2. Subject Matter Expert (SME)
3. Viewers

Obviously the System Admin and SME will have full access so it's the
Viewers that are to have access to only View and Print.

I have a users table but haven't set it up for the distinction. What
I was thinking was creating a field labeled users_group and assign a
numeric value for each user using the numbering system above.

I have my page load the menu options:

<a href="home.php" class="navlink">Home</a><br />
<a href="view_tasks.php" class="navlink">View Tasks</a><br />
<a href="edit_task.php" class="navlink">Edit Task</a><br />
<a href="add_task.php" class="navlink">Add Task</a><br />

into here...

<BODY>

<table width="90%" border="1" cellspacing="10" cellpadding="0"
align="center">

<tr><td colspan="2"><h1 id="mainhead">ICAO Tasks —
WAFS</h1></td></tr>

<tr>
<td align= "center" valign="top" nowrap="nowrap" width="10%">
Menu<br />
<?php include ('./includes/menu.html'); ?>
</td>

<td valign="top" class="content">
How can I tell the system not to load the last two lines unless they
are a System Admin or SME?

I read a chapter on Cookies/Sessions...but it wasn't that helpful for
this case.

Can I setcookie('user_group', '3') and use that somehow???

Am I in the ballpark with this solution?

Thanks.

Ward
Mar 6 '06 #1
Share this Question
Share on Google+
1 Reply


P: n/a
>I'm building a very simple content management site that tracks
"tasks."

The options available are:
1. Add Task
2. Edit Task
3. View Task
4. Print Task

I need to restrict some users to only View and Print and I'm trying to
find a way to tell the page not to load the menu options (the text)
for those not having access to the Add and Edit functions.
For an application like this it is very important that you check
if the user is authorized when they try to EXECUTE that function,
not just when they bring up the menu. Hint: users are added and
deleted, and they sometimes change jobs. Browsers cache pages and
people can manually type in links.
IOW, they would only see View and Print.
Presumably, it is also important that they can only DO View and
Print.
I have three basic users:
1. System Admin
2. Subject Matter Expert (SME)
3. Viewers

Obviously the System Admin and SME will have full access so it's the
Viewers that are to have access to only View and Print.
Do you already have a way of telling which type of user is logged
in? I recommend using sessions to store that info after getting
it from the login page.
I have a users table but haven't set it up for the distinction. What
I was thinking was creating a field labeled users_group and assign a
numeric value for each user using the numbering system above.
Typically this sort of thing is done by an "access level" number.
It may be attached to individual users or groups of users. Each
function has an access level required to use it. This isn't suitable
for every setup (e.g. A needs privileges B doesn't have, and B needs
privileges A doesn't have), but it fits many situations.
I have my page load the menu options:

<a href="home.php" class="navlink">Home</a><br />
<a href="view_tasks.php" class="navlink">View Tasks</a><br />
<a href="edit_task.php" class="navlink">Edit Task</a><br />
<a href="add_task.php" class="navlink">Add Task</a><br />
Then you'd typically do something like this:

... fetch $access_level from database based on user here ...
if ($access_level >= 5) {
echo '<a href="edit_task.php" class="navlink">Edit Task</a><br />';
echo '<a href="add_task.php" class="navlink">Add Task</a><br />';
}
into here...

<BODY>

<table width="90%" border="1" cellspacing="10" cellpadding="0"
align="center">

<tr><td colspan="2"><h1 id="mainhead">ICAO Tasks —
WAFS</h1></td></tr>

<tr>
<td align= "center" valign="top" nowrap="nowrap" width="10%">
Menu<br />
<?php include ('./includes/menu.html'); ?>
</td>

<td valign="top" class="content">
How can I tell the system not to load the last two lines unless they
are a System Admin or SME?
Use conditional execution, probably within the included file.
I read a chapter on Cookies/Sessions...but it wasn't that helpful for
this case.
Yes, it can be. You can look up the access level at login and
set in a session value. Later you can look at $_SESSION['access_level']
and allow or not allow certain actions. Session variables are
not stored on the browser but cookies are (and can be fiddled with).
Can I setcookie('user_group', '3') and use that somehow???


If you don't have a way to tell what user is logged in, work
on that first. Cookies are stored on the browser, and therefore
they are forgable. I recommend that you look at what user is
looked in, and check what access that user has *every* *single*
*page* where it matters. Don't forget that it's more important
to not let low-level users DO an update than it is to not let
low-level users see a menu item for an update.

Gordon L. Burditt

Mar 6 '06 #2

This discussion thread is closed

Replies have been disabled for this discussion.