Hi Sitepoint wizard people,

Say we have an admin application that has multiple users and various objects. What I'd like to do is control access within the object itself - that is, it will behave one way for one type of user, and another way for other users. For example...

Director Mike can override Reception user Sally's registration date. One would assume that Mike could set any date, either in the past or in the future. Then we have Payroll user Steve, who can also modify Sally's registration date, but only for dates in the past up until (for example) one year ago. To spice things up, then we have the HR Manager Mary, who can also amend Sally's registration date, but only for dates from precisely 23rd June 2007 up until one month from now...

How can I program the access restrictions so that on the front end, the form control is restricted with a min and max date, and in the backend, the validator checks the entered date to make sure it falls between those dates? I'd obviously need to be able to tweak the min and max dates for each user type. Other objects might have different parameters - maximum amount on a discount field or days of the week for overtime, for example.

I've asked this question in different ways, but each time I get bogged down by the implementation. I'm currently developing it as a PHP/MySQL web-based application, but thoughts and comments from other platforms are very welcome! This time I'm looking at first principles, so it doesn't matter what your background is; if you have any ideas, please let me know! What do you even call this type of access control...?

+1  A: 

Depending on how your application is structured, you could ask for credentials at the start of the application and, depending on who is requesting access, load a different XML file containing different settings.

As for the security issue, make sure that the different XML files can't be reached by the users.

Edit:
Since you are using MySQL, you could do something like this.
Let's say you have a table of users that has these fields: UserId, UserName, RestrictionId.
And a Restriction table that looks like this: RestrictionId, FieldName, FieldCondition.

This way, in your PHP app, when a user is authenticated you can fetch the correct "Restrictions" for the field and apply them in your code. If you have multiple fields that require different rules, you can simply add them with the correct RestrictionId.

This DB design is far from perfect; I'm pretty sure you can do better.

Frank
Would you have any links to an example of how the xml file might be structured? I'd probably use a database, but the principles are the same. Thanks
boatingcow
Added an example for the DB.
Frank
Thanks for your edit - I'd feel more comfortable if I could see this type of thing in action somewhere - do you know of any scripts, frameworks, applications that already do this so that I could check it out?
boatingcow
Nope. I'm sorry. But I don't believe it would be too hard to put in place.
Frank
A: 

Since you are already using a MySQL DB, you can maintain the UserRole master table details in the DB itself. Load the user role data based on the login; then you can easily validate the changes made by the user accordingly.

Suresh Kumar
Thanks for your reply - do you have any pointers as to how the role data could be stored? I'm used to boolean type ALLOW/DENY in my db, so how could I store both ALLOW/DENY and something as different as "-1 year", "2007-06-23", "< £50" in my db?
boatingcow
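Both answers above describe the same shape (a per-role restriction table loaded after login), and the last comment asks how a single column can hold ALLOW/DENY next to values like "-1 year", "2007-06-23" or "< £50". The following is an added example that is not from the thread: it fills Frank's two tables with constructed rows for Mike, Steve, Mary and Sally, stores each rule as a small text condition (`allow`, `deny`, or `min=...;max=...` where a bound is an ISO date, a relative offset such as `-1y`/`+1m`, `now`, or a plain number), and resolves it once per request so the same `limits()` result feeds the form's min/max attributes and the server-side `validate()`. Python with sqlite3 stands in for the asker's PHP/MySQL; the column names follow Frank's sketch, and the condition syntax is an assumption of this example. The policy style itself (rules keyed on who the user is and on properties of the field and of the moment) is usually called attribute-based or field-level access control.

```python
import calendar
import re
import sqlite3
from datetime import date, timedelta

# Frank's two tables, filled with constructed sample rows for the people in
# the question. The FieldCondition mini-syntax is an assumption of this example.
SCHEMA = """
CREATE TABLE users (UserId INTEGER PRIMARY KEY, UserName TEXT, RestrictionId INTEGER);
CREATE TABLE restrictions (RestrictionId INTEGER, FieldName TEXT, FieldCondition TEXT);
"""
USERS = [(1, "Mike", 1), (2, "Steve", 2), (3, "Mary", 3), (4, "Sally", 4)]
RESTRICTIONS = [
    (1, "registration_date", "allow"),                   # Director: any date at all
    (2, "registration_date", "min=-1y;max=now"),         # Payroll: past year only
    (3, "registration_date", "min=2007-06-23;max=+1m"),  # HR: fixed start, one month ahead
    (4, "registration_date", "deny"),                    # Reception: may not edit
    (1, "discount", "allow"),
    (2, "discount", "max=50"),                           # Payroll: discount of at most 50
]
RELATIVE = re.compile(r"^([+-]?\d+)([dmy])$")   # e.g. -1y, +1m, 30d
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def open_db():
    """In-memory database loaded with the sample rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?,?,?)", USERS)
    conn.executemany("INSERT INTO restrictions VALUES (?,?,?)", RESTRICTIONS)
    return conn


def shift(base, amount, unit):
    """Move a date by days, months or years, clamping to the target month's last day."""
    if unit == "d":
        return base + timedelta(days=amount)
    months = amount * 12 if unit == "y" else amount
    year, month0 = divmod(base.year * 12 + base.month - 1 + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(base.day, last_day))


def resolve(token, today):
    """Turn a stored bound into a concrete value: 'now'/'-1y'/'2007-06-23' -> date, '50' -> number."""
    if token == "now":
        return today
    m = RELATIVE.match(token)
    if m:
        return shift(today, int(m.group(1)), m.group(2))
    if ISO_DATE.match(token):
        return date.fromisoformat(token)
    return float(token)


def limits(conn, user_name, field, today=None):
    """Resolve one user's rule for one field: {'mode': 'allow'|'deny', 'min': ..., 'max': ...}."""
    today = today or date.today()
    row = conn.execute(
        "SELECT r.FieldCondition FROM users u "
        "JOIN restrictions r ON r.RestrictionId = u.RestrictionId "
        "WHERE u.UserName = ? AND r.FieldName = ?", (user_name, field)).fetchone()
    # No row at all is treated as deny, so a forgotten rule never grants access by accident.
    if row is None or row[0] == "deny":
        return {"mode": "deny", "min": None, "max": None}
    out = {"mode": "allow", "min": None, "max": None}
    for part in row[0].split(";"):
        if part in ("allow", ""):
            continue
        key, _, token = part.partition("=")
        if key not in ("min", "max"):
            raise ValueError(f"malformed condition {row[0]!r}")
        out[key] = resolve(token, today)
    return out


def validate(conn, user_name, field, value, today=None):
    """Server-side check; the form's min/max attributes come from the same limits() call."""
    lim = limits(conn, user_name, field, today)
    if lim["mode"] == "deny":
        return False, "field not editable by this user"
    if lim["min"] is not None and value < lim["min"]:
        return False, f"below minimum {lim['min']}"
    if lim["max"] is not None and value > lim["max"]:
        return False, f"above maximum {lim['max']}"
    return True, "ok"


def demo():
    """Run the scenario from the question against a pinned 'today' so results are reproducible."""
    conn = open_db()
    today = resolve("2009-03-15", None)
    d = lambda s: resolve(s, today)
    checks = {
        "steve_too_old": validate(conn, "Steve", "registration_date", d("2008-01-01"), today)[0],
        "steve_ok": validate(conn, "Steve", "registration_date", d("2008-06-01"), today)[0],
        "mike_future": validate(conn, "Mike", "registration_date", d("2030-01-01"), today)[0],
        "mary_start": validate(conn, "Mary", "registration_date", d("2007-06-23"), today)[0],
        "mary_too_late": validate(conn, "Mary", "registration_date", d("2009-05-01"), today)[0],
        "sally_denied": validate(conn, "Sally", "registration_date", d("2008-06-01"), today)[0],
        "steve_discount": validate(conn, "Steve", "discount", 60, today)[0],
        "steve_no_rule": validate(conn, "Steve", "overtime_days", 3, today)[0],
    }
    form = limits(conn, "Steve", "registration_date", today)
    checks["steve_form"] = (form["min"].isoformat(), form["max"].isoformat())
    return checks


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The important point for security is that `validate()` runs on the server from the database rule, never from the `min`/`max` the browser sends back: the form attributes are a convenience that any client can edit. Treating a missing rule as deny, and storing relative bounds (`-1y`, `now`, `+1m`) rather than dates computed at deployment time, keeps the policy correct as the calendar moves.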