Authorization on the site and rights, how to do it?

O

Orbb2016-06-10 13:10:29

User identification

Orbb, 2016-06-10 13:10:29

Good afternoon! I've been learning PHP not so long ago, I try to write good and maintainable code. Now I am developing a small CRM, the main parts of it are ready, now I have moved on to complicating the code and reworking, since my code is far from ideal. I'm self-taught, now it's a problem to get a job as a junior, I don't have more experienced mentors, so I'm here for you
Task : authorization module, login checks, access rights. Those. user1 should not receive information from user2.
What is? Simple authorization using a login-password link, when the page is refreshed, a check is made to see if the session ID matches the login. If there is no session or it does not match, it throws it on the login page. Records have a site key, login has a binding to a key.
The problem arose when I was able to get information from site2 using the same Ajax under the site1 login. It is clear that the managers of the online stores I work with will not be able to do this, but this does not give me peace of mind.
Question : how to determine the rights of users and prevent user1 from getting information from user2. What to bind to, what checks to do, introduce variables, how to move away from hardcode. Now there are 3 users and everything is hardcoded in the session, like
if ($user1 == 'user1'){
$site = 'site.ru'};

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

O

Orbb, 2016-06-11
@humiliation

So, for those who are interested, I solved it this way:
the user has access rights in the table (in this case, the site or sites).
this key is placed in the session variable during login, then LIKE :site records are retrieved from the database, where :site is the same key.
Access to other sites is denied through checking during checkout -
isset($_POST['hidden']) && $permissions == 'root' && $_POST['hidden'] == 1. Post is needed to hide orders in archive or hide them out of sight. Without checking for access by post, it was possible to extract all hidden and not hidden records.
Zelim Beltoev advised to make a check during the recordings, I made it a little easier.
Having abandoned the method of choosing a site by post for everyone except root, I immediately solved the problem of user1 access to user2's records. Therefore, according to his scheme, a simple check was made when the page was updated. Well, all of a sudden.
Thanks to all.

M

Michael, 2016-06-10
@Madfisht3

$_SESSION["user"] will only be available to the one user that this session is for. In another session, other values of $_SESSION.
During authorization $_SESSION["user"] = username. There you can also write down the rights received from the database during authorization. $_SESSION is available only on the server side, in the client side it is possible to get it only with the permission of the server side.
User1 will receive information from user2 if during authorization user1 entered login and password, the server script compared the md5 hash of the password entered with the password hash of the corresponding user in the database, then the authorization was successful. You write the necessary data to the session variable and use it on the server side, the client does not get access to these variables. If access groups are needed, then you add a field with the group id or name (as convenient) to the database and, upon successful authorization, write to the user's session group.
Study the standard authorization mechanism on sites and such questions will not bother you.
Something like this, if I understand correctly.