How to work with PHP authorization levels?

Viewed 457 times

3

I'm putting together a school report card system to practice my PHP skills.

And I'm stuck on one part. Here's the thing: I have 3 types of users: teacher, admin and student. The teacher can enter a grade and change it, but the change only takes effect if the admin approves it. The student, in turn, can only see their own grade and request a change. The admin can create new users, approve grade changes and N other things.

I have created 3 classes so far: the parent class is usuario, and the child classes are teacher and admin; the student class is still missing. But how do I handle these access levels in PHP?

2 answers

3

Hello,

You can create multiple user types through your database, for example with a field called user_type.

This field takes a value depending on the user, for example:

  • user_type = 0 (Student)
  • user_type = 1 (Teacher)
  • user_type = 2 (Admin)

Then in your PHP code you can save the user type when the user logs in.

This way, when creating a grade for example, you can check which user type is trying to view it, for example:

if ($tipo_utilizador == 0) { /* STUDENT - VIEW ONLY */ }

And so on and so forth:

if ($tipo_utilizador == 1) { /* TEACHER - FORM TO INSERT */ }
if ($tipo_utilizador == 2) { /* ADMIN - FORM TO INSERT, EDIT, APPROVE */ }

Regards,

2

Well, I tried to do something different from what I usually do: I did all the authorization based on a token:

<?php

class ACL // access control class
{
    // returns a token based on the user type, using base64
    public static function generateToken($type)
    {
        return base64_encode('YOUR_APP_KEY'.$type);
    }

    // checks whether the received token belongs to a given type
    public static function validToken($active, $type)
    {
        return base64_decode($active) === 'YOUR_APP_KEY'.$type;
    }

    // in both I also included the application key for extra security
}


// array of users with each one's token
$users = [
    'aluno'         => ACL::generateToken('aluno'),
    'professor'     => ACL::generateToken('professor'),
    'administrador' => ACL::generateToken('administrador'),
];


// if the access form has not been submitted, display it
if(count($_POST) <= 0) :

?>

<form method='post'>
    <input type='radio' name='type' value='aluno'> Aluno
    <input type='radio' name='type' value='professor'> Professor
    <input type='radio' name='type' value='administrador'> Administrador
    <input type='submit' value='Access'>
</form>

<?php
// if the access form has been submitted
else :
    $type  = $_POST['type'] ?? '';  // store the user type
    $token = $users[$type] ?? '';   // an unknown type yields an empty token, which matches nothing

    // compare the user's token with the types defined earlier, to identify which user it is
    if(ACL::validToken($token, 'aluno'))
        echo 'Acessou como aluno';
    else if(ACL::validToken($token, 'professor'))
        echo 'Acessou como professor';
    else if(ACL::validToken($token, 'administrador'))
        echo 'Acessou como administrador';
    else
        echo 'Tipo de usuário desconhecido';

endif;
?>

To do this in your system, you must store either the token or the user type in the user's record in the database; at login you retrieve this token and save it in the session (if you apply encryption to this token, it would be even better), and in your route file you perform this check.
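One way to turn both answers' idea (a user type stored at login, checked in PHP before each action) into an enforceable check, including the question's approval workflow for grade changes. This is an added example, not code from either answer; it assumes your login code stores the user type in `$_SESSION['user_type']`, and the permission names are constructed for the example.

```php
<?php
// Added example: permission-table role checks; the role comes from server-side session state, not from client input.
declare(strict_types=1);

// Which actions each user type may perform (constructed for this example).
const PERMISSIONS = [
    'aluno'         => ['grade.view_own', 'grade.request_change'],
    'professor'     => ['grade.view', 'grade.create', 'grade.propose_change'],
    'administrador' => ['grade.view', 'grade.approve_change', 'user.create'],
];

function can(string $role, string $action): bool
{
    return in_array($action, PERMISSIONS[$role] ?? [], true);
}

// Gate a request; an unknown role or action is denied by default.
function authorize(string $action): void
{
    $role = $_SESSION['user_type'] ?? null; // set by your login code (assumed)
    if ($role === null || !can($role, $action)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// A teacher's change is only pending until an admin approves it.
function proposeGradeChange(array &$grade, string $role, int $newValue): void
{
    if (!can($role, 'grade.propose_change')) {
        throw new RuntimeException('not allowed');
    }
    $grade['pending'] = $newValue; // the current value stays unchanged
}

function approveGradeChange(array &$grade, string $role): void
{
    if (!can($role, 'grade.approve_change') || !isset($grade['pending'])) {
        throw new RuntimeException('not allowed');
    }
    $grade['value'] = $grade['pending'];
    unset($grade['pending']);
}

// Students may only see their own grade; teachers and admins may see any.
function canViewGrade(string $role, int $userId, array $grade): bool
{
    return can($role, 'grade.view')
        || (can($role, 'grade.view_own') && $grade['student_id'] === $userId);
}
```

Call `authorize('grade.approve_change')` at the top of the route that approves a change, and use `canViewGrade()` for the per-record check so a student cannot read another student's grade simply by changing an id in the URL.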
