Chapter 13. Authorization and Sessions
You have two big tasks left. Well, one and a half, as some of this work you’ve already done:
Two levels of authentication: one to get to the main application, and then admin-level authentication to get to a page like show_users.php and delete_user.php.
Some basic navigation—and that navigation should change based on a user’s login and the groups to which they belong.
You’ve already got blanket authentication on that first item. That’s handled through authorize.php. But now it’s time to go further: authorize.php needs to be improved. It should take in a group (or, better, a list of groups) and only allow access if the user is in the passed in groups.
And on the second item, you’ve also got some work done. You’ve got menus that changed based on whether a user is logged in or not. Again, though, there are some needed improvements: if a user is in certain groups, they should see an option to administrate users, and get a link to show_users.php (in addition to the standard link to show_user.php).
And then…there’s a problem with cookies. It’s not a huge problem, but there are some very real concerns over a high-end application using cookies and only cookies for authentication. So there’s that to consider.
Time’s a wasting. You’ve got problems to fix.
Modeling Groups in Your Database
First things first. Before you can look up the groups to which a user belongs, you’ve got to have some groups in your database. That, of course, means you need a table to store ...
Get PHP & MySQL: The Missing Manual now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.