How can I hide some content from some users with PHP?

Question

I have created an intranet for our company using PHP. The same menu appears on every page, and includes links to sensitive pages and documents (like Word files).

Currently only in-office employees have access to the site, but we'd like to open it up to some out-of-office contractors. The catch is that I'd have to restrict access for certain content.

I know how to password-protect site directories with Apache, but I'd rather hide the menu options themselves.

How would you approach this?

Clarification: This is in an environment where everyone is logged in to our Windows network, locally or via VPN, but currently nobody has to log in to see my intranet site. The ideal solution would not require them to do anything extra, if that's possible.

Answer 1

I would make a PHP function that generates the menu items in your sidebar or where-ever these links are being shown, and just populate the menu differently depending on whether a user is logged-in as an employee or not. You will also need to password-protect the individual directories you want to restrict access to of course but you already know that.

A better approach would be to use a framework like CakePHP or a platform like Drupal that already has user and role functionality built-in that you can take advantage of.

Answer 2

I would add a lightweight user authentication system using CodeIgniter.

Then, just make a check to see if the user is authenticated before displaying the menu or allowing access to any of the protected content.

Answer 3

That depends on how your current employees are authenticated. We discussed this at our company for allowing certain partners to gain access to the employee portal. We authenticate against a database managed by our service dispatch software, so one solution was to add a checkbox labeled "Partner" that would tell the authentication script to authenticate against a different database.

Without more information, it's difficult to describe a solution that would work well for you.

Answer 4

If users are logging in, then you can use their login details to restrict access. You might want to look into the idea of Access Control Lists.

If your users are logging in using Apache, then you can access their user name from $_SERVER['PHP_AUTH_USER']. So you might want to do something like this:

$username = $_SERVER['PHP_AUTH_USER'];
$user_id = lookup_user_id($username); // a function you write that looks up their user id in your database of users

Then you can look up their access level(s) similarly -- they might have a user-status, like "Guest" or "Super-user" or "Administrator", or you might want to go so far as to have a matrix of resources and users, specifying for each user and resource whether that user can access the resource.

Otherwise, a framework like CakePHP will give you this kind of thing for (almost) free.

Answer 5

I think I may require users to log in (once a day?) and send them an encrypted cookie to maintain that session.

It doesn't appear to be possible (and maybe it shouldn't be, for security reasons) make their network login do double-duty for this site.

Answer 6

Perhaps you could check $_SERVER['REMOTE_ADDR'] against your internal IP range?