I have created an intranet for our company using PHP. The same menu appears on every page, and includes links to sensitive pages and documents (like Word files).

Currently only in-office employees have access to the site, but we'd like to open it up to some out-of-office contractors. The catch is that I'd have to restrict access for certain content.

I know how to password-protect site directories with Apache, but I'd rather hide the menu options themselves.

How would you approach this?

Clarification: This is in an environment where everyone is logged in to our Windows network, locally or via VPN, but currently nobody has to log in to see my intranet site. The ideal solution would not require them to do anything extra, if that's possible.

+1  A: 

I would make a PHP function that generates the menu items in your sidebar or wherever these links are being shown, and just populate the menu differently depending on whether a user is logged in as an employee or not. You will also need to password-protect the individual directories you want to restrict access to, of course, but you already know that.

A better approach would be to use a framework like CakePHP or a platform like Drupal that already has user and role functionality built-in that you can take advantage of.

alxp
A: 

I would add a lightweight user authentication system using CodeIgniter.

Then, just make a check to see if the user is authenticated before displaying the menu or allowing access to any of the protected content.

Robert Venables
Installing a framework for basic authentication doesn't sound really lightweight.
I.devries
I agree - I don't want to add a framework after the fact, though I may look into CodeIgniter next time I'm going to start something from scratch.
Nathan Long
A: 

That depends on how your current employees are authenticated. We discussed this at our company for allowing certain partners to gain access to the employee portal. We authenticate against a database managed by our service dispatch software, so one solution was to add a checkbox labeled "Partner" that would tell the authentication script to authenticate against a different database.

Without more information, it's difficult to describe a solution that would work well for you.

David Brown
+3  A: 

If users are logging in, then you can use their login details to restrict access. You might want to look into the idea of Access Control Lists.

If your users are logging in using Apache, then you can access their user name from $_SERVER['PHP_AUTH_USER']. So you might want to do something like this:

$username = $_SERVER['PHP_AUTH_USER'];
$user_id = lookup_user_id($username); // a function you write that looks up their user id in your database of users

Then you can look up their access level(s) similarly -- they might have a user-status, like "Guest" or "Super-user" or "Administrator", or you might want to go so far as to have a matrix of resources and users, specifying for each user and resource whether that user can access the resource.

Otherwise, a framework like CakePHP will give you this kind of thing for (almost) free.

Ben
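The menu function from the first answer and the user/resource matrix from the answer above can share one permission table, so the same rule that hides a link also refuses the request for its target. This is an added example, not code from any poster in the thread; the user names, roles, paths and function names are constructed, and the role table stands in for a database lookup such as lookup_user_id().

```php
<?php
// Added example. All users, roles and paths below are constructed sample data.

// Stand-in for a database lookup of the Apache-authenticated user's role.
const USER_ROLES = ['alice' => 'employee', 'carl' => 'contractor'];

// Resource matrix: each entry lists the roles allowed to see AND open it.
const MENU = [
    ['label' => 'Home',          'path' => '/index.php',       'roles' => ['employee', 'contractor']],
    ['label' => 'Project files', 'path' => '/projects/',       'roles' => ['employee', 'contractor']],
    ['label' => 'HR documents',  'path' => '/hr/',             'roles' => ['employee']],
    ['label' => 'Salary review', 'path' => '/hr/salaries.doc', 'roles' => ['employee']],
];

// Missing or unknown users get no role at all (default deny).
function role_for(?string $username): ?string
{
    return $username === null ? null : (USER_ROLES[$username] ?? null);
}

function role_allowed(?string $role, array $item): bool
{
    return $role !== null && in_array($role, $item['roles'], true);
}

// Entries to render for this role. This only controls what is displayed.
function visible_menu(?string $role): array
{
    return array_values(array_filter(MENU, fn($item) => role_allowed($role, $item)));
}

// Server-side check to call at the top of every protected page.
// Paths that are not in the matrix are denied.
function can_access(?string $role, string $path): bool
{
    foreach (MENU as $item) {
        if ($item['path'] === $path) {
            return role_allowed($role, $item);
        }
    }
    return false;
}

function render_menu(?string $role): string
{
    $html = "<ul>\n";
    foreach (visible_menu($role) as $item) {
        $html .= sprintf("  <li><a href=\"%s\">%s</a></li>\n",
            htmlspecialchars($item['path'], ENT_QUOTES), htmlspecialchars($item['label'], ENT_QUOTES));
    }
    return $html . "</ul>\n";
}

echo render_menu(role_for($_SERVER['PHP_AUTH_USER'] ?? null));
```

Files such as Word documents are served by Apache without running PHP, so they still need the directory protection mentioned in the question, or have to be delivered through a script that calls can_access() first.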
A: 

I think I may require users to log in (once a day?) and send them an encrypted cookie to maintain that session.

It doesn't appear to be possible (and maybe it shouldn't be, for security reasons) to make their network login do double duty for this site.

Nathan Long
A: 

Perhaps you could check $_SERVER['REMOTE_ADDR'] against your internal IP range?

meouw
That's doable, but IP addresses can be spoofed trivially. I wouldn't recommend this if security is of any real concern at all.
Phantom Watson
I'm not concerned about IP address spoofing for now, but would people on a VPN have IP addresses that can be distinguished from those in-building?
Nathan Long
I'm not a networking expert, but as I understand it, VPN connections are given a local IP address, perhaps from a particular range.
meouw