How to work with authorization levels with PHP? [closed]

3

I am putting together a school report system to train my skills in php.

And I'm having a hard time. It is the following: I have 3 types of users: teacher, admin and student. The teacher can enter a grade and change the grade, but the grade is only changed if the admin approves. The student, in turn, can only see their grade and request a change. The admin can create new users, approve grade changes and N other things.

I've created 3 classes so far: the parent class is usuario, and the child classes are teacher and admin; the student class is still missing. But how do I work with these access levels in PHP?

asked by anonymous 02.01.2017 / 16:01

2 answers

3

Hello,

You can create several types of users through your database, such as a field called user_type.

These types assume values depending on the user, for example:

  • user_type = 0 (Student)
  • user_type = 1 (Teacher)
  • user_type = 2 (Admin)

Then in your PHP code you can save the user_type you logged in to User Login.

In this way, when you are creating a note for example, you can check which user you are trying to view, for example:

if ($tipo_utilizador == 0) { /* STUDENT - VIEW ONLY */ }

And so on:

if ($tipo_utilizador == 1) { /* TEACHER - FORM TO INSERT */ }
if ($tipo_utilizador == 2) { /* ADMIN - FORM TO INSERT, EDIT, APPROVE */ }

Cumps,

02.01.2017 / 16:17
1

Well, I've tried to do something different from what I usually do: I've made the authorization entirely token-based:

<?php

class ACL // access-control class
{
    // returns a token based on the user type, using base64
    public static function generateToken($type)
    {
        return base64_encode('YOUR_APP_KEY'.$type);
    }

    // checks whether the received token belongs to the given type
    public static function validToken($active, $type)
    {
        return base64_decode($active) === 'YOUR_APP_KEY'.$type;
    }

    // in both I also included the application key for extra security
}


// array of users with each one's token
$users = [
    'aluno'         => ACL::generateToken('aluno'),
    'professor'     => ACL::generateToken('professor'),
    'administrador' => ACL::generateToken('administrador'),
];


// if my access form has not been submitted, I display it
if(count($_POST) <= 0) :

?>

<form method='post'>
    <input type='radio' name='type' value='aluno'> Aluno
    <input type='radio' name='type' value='professor'> Professor
    <input type='radio' name='type' value='administrador'> Administrador
    <input type='submit' value='Access'>
</form>

<?php
// if the access form has been submitted
else :
    $type = $_POST['type'] ?? ''; // save the user type (empty if none was selected)

    // only the known types have a token; anything else would hit an undefined index
    if(!isset($users[$type]))
        echo 'Tipo desconhecido';
    // I check the user's token against the types I defined before, so I can identify which user it is
    else if(ACL::validToken($users[$type], 'aluno'))
        echo 'Acessou como aluno';
    else if(ACL::validToken($users[$type], 'professor'))
        echo 'Acessou como professor';
    else if(ACL::validToken($users[$type], 'administrador'))
        echo 'Acessou como administrador';

endif;
?>

In order to do this on your system, you must record either the token or the user type in the user's record in the database; at login you retrieve this token and save it in the session (if you want to apply encryption to that token it would look even better), and in your route file you change this check.

02.01.2017 / 16:37
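Both answers boil down to the same thing: store a user type per user, put it in the session at login, and check it before every action. The following is an added example (not code from either answer) that does this with a deny-by-default permission map, using the user_type values from the first answer (0 = student, 1 = teacher, 2 = admin). It assumes session_start() has run, that the login code set $_SESSION['user_type'] and $_SESSION['user_id'] after verifying the password, and that a grade_changes table exists; the type is read from the session only, never from the submitted form, so a client cannot pick its own role.

```php
<?php
declare(strict_types=1);

const USER_STUDENT = 0;
const USER_TEACHER = 1;
const USER_ADMIN   = 2;

// One place that states which actions each user type may perform.
// Teachers propose grade changes; only admins approve them.
const PERMISSIONS = [
    USER_STUDENT => ['grade.view', 'grade.request_change'],
    USER_TEACHER => ['grade.view', 'grade.create', 'grade.propose_change'],
    USER_ADMIN   => ['grade.view', 'grade.approve_change', 'user.create'],
];

// The type comes from the authenticated session (set at login), not from $_POST.
function currentUserType(): ?int
{
    return isset($_SESSION['user_type']) ? (int) $_SESSION['user_type'] : null;
}

// Unknown type or unknown action: denied.
function can(?int $userType, string $action): bool
{
    return $userType !== null
        && in_array($action, PERMISSIONS[$userType] ?? [], true);
}

// Deny by default: stop the request unless the session's type allows the action.
function requirePermission(string $action): void
{
    if (!can(currentUserType(), $action)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Example route handler: a teacher proposes a new grade value; the row stays
// 'pending' until an admin with 'grade.approve_change' updates its status.
// The grade_changes table and its columns are assumed for this example.
function handleProposeGradeChange(PDO $db, int $gradeId, float $newValue): void
{
    requirePermission('grade.propose_change');
    $stmt = $db->prepare(
        'INSERT INTO grade_changes (grade_id, new_value, proposed_by, status)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$gradeId, $newValue, (int) $_SESSION['user_id'], 'pending']);
}
```

The same requirePermission() call goes at the top of every route that changes data; the permission map is the one thing to edit when a type gains or loses an action.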