
I have a PHP site which has multiple PHP scripts. I need to provide users from another site limited access into my system. I want to restrict what pages these people can access.

I am doing this in the following manner:

// $_SESSION['systemid'] is set with a value of say, '1'
$permissionArray = $objACCESS->getPermissions($_SESSION['systemid']);

// getPermissions returns an array like the following (for that systemid):
// 0 => {'systemid' => '1', 'permission_type' => 'createcontent' }
// 1 => {'systemid' => '1', 'permission_type' => 'invitecontacts' }

// the following contain a list of script names that should be 
// restricted if permission is not allowed
$createcontent = array('createcontent.php');
$managecontent = array('managecontent.php');
$invitecontacts = array('invitecontacts.php');

$page_name=basename($_SERVER["SCRIPT_FILENAME"]);

// default to "no permission" so the check below fails closed
// when getPermissions() returns nothing usable
$haspermissions = false;
if(is_array($permissionArray))
{
    foreach($permissionArray as $permissions)
    {
        // variable variable: looks up $createcontent, $invitecontacts, ...
        // by the permission_type name and checks the page against it
        if(in_array($page_name,${$permissions['permission_type']}))
        {
            $haspermissions  = true;
            break;
        }
    }
}

if($haspermissions==false)
{
    // - do not have permissions
    echo "<meta http-equiv=\"refresh\" content=\"0;url=".$site_url."404.php\">";
    die;
}

...
// rest of the code
...

Q1: Is there a better way of restricting user access?

Q2: If not, is there a way of making this method more efficient / optimal?

Wim Coenen
siliconpi
  • +1 good clear question. Note however, looks similar to: http://stackoverflow.com/questions/1392428/restricting-access-to-a-site-using-ip-address – Smandoli Apr 02 '11 at 18:05
  • "I need to provide users from another site limited access" this is not clear? What do you mean under "another site"? +1 anyways! – Wh1T3h4Ck5 Apr 02 '11 at 18:11
  • Thank you for your comment smandoli - but I'm looking to restrict this "external system" user from wandering about on my site - and that restriction is based on which system he's from, not his IP address / geography – siliconpi Apr 02 '11 at 18:12
  • Thanks Wh1T3h4Ck5 - I'm running a site, but I need to provide 'restricted' access to members of another site which will come directly to my site. I have another mechanism to have them directly login (without passwords) into my site (using API keys), so that's not a problem. – siliconpi Apr 02 '11 at 18:14
  • @Smandoli: Looks similar but in fact, it doesn't :) – Wh1T3h4Ck5 Apr 02 '11 at 18:14
  • So you can check if they are logged into another site but you want to restrict some content of your web (for those people)? Right? – Wh1T3h4Ck5 Apr 02 '11 at 18:16

1 Answer


The underlying authentication mechanism here doesn't make sense to me. How is $_SESSION['systemid'] set? What is a "system"?

Anyway, I'm going to assume you've got this part of the problem figured out. Accordingly, I'd edit what you put above as follows:

Firstly, adjust getPermissions to return something like:

$perms = array(
    'createcontent'  => 1,
    'invitecontacts' => 1
);

This array would only be populated with the permissions associated with that "system".

Then, check if the current "system" has the required permission for a page as follows:

// strip the ".php" suffix so "createcontent.php" becomes the key "createcontent"
$cur_page_perm_key = basename($_SERVER['SCRIPT_FILENAME'], '.php');
$has_permission = isset($perms[$cur_page_perm_key]);
if(!$has_permission) {
    // No permission? Redirect to an unauthorized page
    header('HTTP/1.0 401 Unauthorized');
    header('Status: 401 Unauthorized');
    // note: PHP replaces the status with 302 when a Location header is sent
    // (unless a 201 or 3xx status was set), so the browser sees a redirect
    header('Location: /unauthorized.php');
    exit;
}

The simple "isset" check will be a lot faster than looping, particularly if the number of permissions / pages grows.

Hopefully this helps.

Skone
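The following is an added example, not code from the question or the answer above. It puts the answer's "one lookup instead of a loop" idea together with the question's data shape (rows of systemid / permission_type from getPermissions) into a page guard that fails closed: every protected script is mapped to the permission it needs, an unknown script is denied rather than silently allowed, and the denial is a direct 403 response rather than a client-side redirect, so the protected script's code is never reached. The constant and function names (PAGE_PERMISSIONS, permissionSet, isAllowed, enforceAccess) and the sample rows are assumptions chosen for this illustration.

```php
<?php
// Added example (not from the original post or answer). Names below are
// assumptions for illustration; the row format matches the question's
// description of getPermissions().

/**
 * Map each protected script to the permission it requires. A script that is
 * not listed here is denied, so forgetting to register a new page cannot
 * accidentally expose it.
 */
const PAGE_PERMISSIONS = [
    'createcontent.php'  => 'createcontent',
    'managecontent.php'  => 'managecontent',
    'invitecontacts.php' => 'invitecontacts',
];

/**
 * Convert the rows returned by getPermissions() into a lookup set, e.g.
 * ['createcontent' => true, 'invitecontacts' => true], so each page check is
 * a single isset() instead of a loop over every row.
 */
function permissionSet(array $rows): array
{
    $set = [];
    foreach ($rows as $row) {
        if (isset($row['permission_type']) && is_string($row['permission_type'])) {
            $set[$row['permission_type']] = true;
        }
    }
    return $set;
}

/**
 * True only if $scriptName is a known protected page AND the caller holds
 * the permission mapped to it. Unknown pages fail closed.
 */
function isAllowed(string $scriptName, array $permSet): bool
{
    if (!array_key_exists($scriptName, PAGE_PERMISSIONS)) {
        return false;
    }
    return isset($permSet[PAGE_PERMISSIONS[$scriptName]]);
}

/**
 * Guard for the currently executing script. basename(SCRIPT_FILENAME) is
 * decided by the web server from the file actually being run, not from a
 * user-supplied parameter, which is why it is safe to key the check on it.
 * On denial a 403 is sent and execution stops; no Location header is used,
 * so the status code is not rewritten to 302 (see the note in the answer).
 */
function enforceAccess(array $permSet): void
{
    $scriptName = basename($_SERVER['SCRIPT_FILENAME']);
    if (!isAllowed($scriptName, $permSet)) {
        http_response_code(403);
        header('Content-Type: text/plain; charset=utf-8');
        echo "Forbidden\n";
        exit;
    }
}

// Constructed sample data standing in for getPermissions($_SESSION['systemid']).
$sampleRows = [
    ['systemid' => '1', 'permission_type' => 'createcontent'],
    ['systemid' => '1', 'permission_type' => 'invitecontacts'],
];
$permSet = permissionSet($sampleRows);

if (PHP_SAPI === 'cli') {
    // Self-check when run as "php guard.php" (no web server involved).
    $expected = [
        'createcontent.php'  => true,   // granted
        'invitecontacts.php' => true,   // granted
        'managecontent.php'  => false,  // known page, permission not held
        'adminpanel.php'     => false,  // unknown page: fail closed
    ];
    foreach ($expected as $page => $allowed) {
        if (isAllowed($page, $permSet) !== $allowed) {
            throw new RuntimeException("unexpected decision for $page");
        }
    }
    echo "checks passed\n";
} else {
    // In a web request, call this at the top of every protected script,
    // before any output, with the real permission set for the session.
    enforceAccess($permSet);
}
```

In a real deployment the guard would be included once (for example from a common bootstrap file) at the top of each protected script, and `$permSet` would be built from the actual getPermissions result for `$_SESSION['systemid']` rather than the constructed rows shown here.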