User Verification

1

I have a program that has 5 authorization levels: Administrator (Administrador), Manager (Gerente), Operator (Operador), User (Usuário), and Guest (Convidado). Each level gets different access to the system.

verification sketch:

<?php
// The session must be started before $_SESSION can be read.
session_start();
include("../sai_clas/sai_conecta.php");
?>

    <?php
    // $_SESSION is an array, so the key goes in square brackets, not parentheses.
    if ($_SESSION['cb_acess_usua'] == 0) {
        // Load the data that is valid for the administrator!
    }
    ?>

In the case of the code above, sai_conecta.php is what keeps my connection to the database. Then the check is done to determine whether the user's access code equals 0 (which in this case would be the administrator), and the user is sent all the data that is allowed for them.

Note: I do not know if the code above is right, it is just an outline!

My question is, how do I do this check, so that I can call up the data according to the authorization level?

I call this check from a main menu: when the user selects an item, it opens only the data that is allowed for them.

Example of a part of menu:

<div class="menuitem" onmouseover="over(2)" onmouseout="out(2)">
    <a href="../sai_prin/menu_com_abas_dist">
    <font face="arial">Distribuição</font></a>
</div>
    
asked by anonymous 26.05.2014 / 16:25

2 answers

1

A more efficient way would be to do the check within the selection menu itself.

Example:

<div class="menuitem" onmouseover="over(2)" onmouseout="out(2)">
<?php
    // Only render the link for access levels below 2
    if ($_SESSION['SS_cb_aces_usua'] < 2)
    {
        echo '<a href="../sai_prin/menu_com_abas_dist.php">Distribuição</a>';
    }
?>
</div>

As you showed in your code, clicking on Distribution would call up a separate menu. In the code above the check shows the data only to those who have authorization from 0 to 2 (I do not know if it is 0 to 5 that determines each one).

    
26.05.2014 / 18:04
1

You may want to create an access control list, the permissions that the user has based on their profile within the system. A library that provides a framework for this is Zend_Acl.

An ACL is made up of three basic functions; they are:

  • Profile (Role)
  • Features (Resource)
  • Permissions

    Profile

    The following code defines three base profiles - guest, member and admin - from which other profiles can inherit. Then a profile identified by someUser is established and inherits from the other three profiles. The order in which these roles appear in the $parents array is important.

    When necessary, Zend_Acl searches for access rules defined not only for the queried profile (someUser), but also for the profiles from which the queried profile inherits (guest, member and admin):

    $acl = new Zend_Acl();
    
    $acl->addRole(new Zend_Acl_Role('guest'))
        ->addRole(new Zend_Acl_Role('member'))
        ->addRole(new Zend_Acl_Role('admin'));
    
    $parents = array('guest', 'member', 'admin');
    $acl->addRole(new Zend_Acl_Role('someUser'), $parents);
    
    $acl->add(new Zend_Acl_Resource('someResource'));
    
    $acl->deny('guest', 'someResource');
    $acl->allow('member', 'someResource');
    
    echo $acl->isAllowed('someUser', 'someResource') ? 'allowed' : 'denied';
    

    Create the Access Control List

    An access control list (ACL) can represent any set of physical or virtual objects you want. For demonstration purposes, however, we'll create the ACL for a basic Content Management System (CMS) that maintains multiple groups in a wide variety of areas. To create a new ACL object, we instantiate Zend_Acl without parameters:

    $acl = new Zend_Acl();
    

    A CMS will almost always require a permission hierarchy to determine the authoring capabilities of its users. There may be a Guest group to allow limited access to demos, a Staff group for most CMS users who perform most day-to-day operations, an Editor group for publishing, reviewing, archiving and deleting content, and finally an Administrator group whose tasks may include those of all the other groups, as well as maintaining sensitive information, user management, backups and exports.

    This set of permissions can be represented in a role registry, allowing each group to inherit privileges from its parent group, as well as having distinct privileges unique to that group. Permissions can be expressed as follows:

    For this example, Zend_Acl_Role is used, but any object that implements Zend_Acl_Role_Interface is acceptable. These groups can be added to the role registry as follows:

    $acl = new Zend_Acl();

    // Add groups to the role registry using Zend_Acl_Role
    // Guest does not inherit access controls
    $roleGuest = new Zend_Acl_Role('guest');
    $acl->addRole($roleGuest);

    // Staff inherits from guest
    $acl->addRole(new Zend_Acl_Role('staff'), $roleGuest);

    /* Alternatively, the above can be written:
    $acl->addRole(new Zend_Acl_Role('staff'), 'guest');
    */

    // Editor inherits from staff
    $acl->addRole(new Zend_Acl_Role('editor'), 'staff');

    // Administrator does not inherit access controls
    $acl->addRole(new Zend_Acl_Role('administrator'));

    Now that the ACL contains the relevant profiles, rules can be established that define how resources can be accessed by profiles. No specific resources have been defined for this example, which is simplified to illustrate that the rules apply to all resources. Zend_Acl provides an implementation where rules only need to be assigned from the general to the specific, minimizing the number of rules needed, because resources and roles inherit the rules that are defined on their ancestors.

    Consequently, we can define a reasonably complex set of rules with a minimal amount of code. To apply the base permissions as defined above:

    $acl = new Zend_Acl();
    $roleGuest = new Zend_Acl_Role('guest');
    $acl->addRole($roleGuest);
    $acl->addRole(new Zend_Acl_Role('staff'), $roleGuest);
    $acl->addRole(new Zend_Acl_Role('editor'), 'staff');
    $acl->addRole(new Zend_Acl_Role('administrator'));

    // Guests may only view content
    $acl->allow($roleGuest, null, 'view');
    /* Alternatively, the above can be written:
    $acl->allow('guest', null, 'view');
    //*/

    // Staff inherits the view privilege from guest, but also needs
    // additional privileges
    $acl->allow('staff', null, array('edit', 'submit', 'revise'));

    // Editor inherits the view, edit, submit and revise privileges from
    // staff, but also needs additional privileges
    $acl->allow('editor', null, array('publish', 'archive', 'delete'));

    // Administrator inherits nothing, but is allowed all privileges
    $acl->allow('administrator');
    

    Consult an ACL

    We now have a flexible ACL that can be used to determine if requesters are allowed to perform functions throughout the web application. Querying is quite simple, using the isAllowed() method:

    echo $acl->isAllowed('guest', null, 'view') ?
         "allowed" : "denied";
    // allowed

    echo $acl->isAllowed('staff', null, 'publish') ?
         "allowed" : "denied";
    // denied

    echo $acl->isAllowed('staff', null, 'revise') ?
         "allowed" : "denied";
    // allowed

    echo $acl->isAllowed('editor', null, 'view') ?
         "allowed" : "denied";
    // allowed because of inheritance from guest

    echo $acl->isAllowed('editor', null, 'update') ?
         "allowed" : "denied";
    // denied, because there is no rule allowing "update"

    echo $acl->isAllowed('administrator', null, 'view') ?
         "allowed" : "denied";
    // allowed because administrator is allowed all privileges

    echo $acl->isAllowed('administrator') ?
         "allowed" : "denied";
    // allowed because administrator is allowed all privileges

    echo $acl->isAllowed('administrator', null, 'update') ?
         "allowed" : "denied";
    // allowed because administrator is allowed all privileges
    

    Further reading on subject matter:

    26.05.2014 / 17:57
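As an added example (not code from either answer, the asker, or Zend), here is a self-contained PHP sketch that joins the two answers: the asker's numeric session level is mapped to a role, privileges are resolved by walking the role's ancestors as Zend_Acl does, and the same check is used both to render the menu link and to guard the target page. The level-to-role ordering, the privilege names and the requirePrivilege guard are assumptions.

```php
<?php
// Added example, not from the original answers: a minimal inheritance-based
// ACL driven by the asker's session level. Role/privilege names are assumed.
session_start();

// Numeric level from the session -> role name (assumed ordering; 0 = admin).
$levelToRole = array(0 => 'administrator', 1 => 'manager', 2 => 'operator', 3 => 'user', 4 => 'guest');

// Role -> parent role it inherits from (null = inherits nothing).
$parents = array('guest' => null, 'user' => 'guest', 'operator' => 'user',
                 'manager' => 'operator', 'administrator' => null);

// Role -> privileges granted directly; '*' means every privilege.
$rules = array(
    'guest'         => array('view'),
    'user'          => array('submit'),
    'operator'      => array('edit', 'revise'),
    'manager'       => array('publish', 'archive', 'delete'),
    'administrator' => array('*'),
);

// Walk from the role up through its ancestors; default deny if nothing grants it.
function isAllowed(array $parents, array $rules, $role, $privilege) {
    for ($r = $role; $r !== null; $r = $parents[$r]) {
        $granted = isset($rules[$r]) ? $rules[$r] : array();
        if (in_array('*', $granted, true) || in_array($privilege, $granted, true)) {
            return true;
        }
    }
    return false;
}

// A missing or unknown level is treated as the least privileged role.
function currentRole(array $levelToRole) {
    $level = isset($_SESSION['cb_acess_usua']) ? (int) $_SESSION['cb_acess_usua'] : 4;
    return isset($levelToRole[$level]) ? $levelToRole[$level] : 'guest';
}

// Put this at the top of each protected page (e.g. menu_com_abas_dist.php):
// hiding a link in the menu is not authorization, the target must check too.
function requirePrivilege(array $parents, array $rules, $role, $privilege) {
    if (!isAllowed($parents, $rules, $role, $privilege)) {
        http_response_code(403);
        exit('Access denied');
    }
}

// Menu rendering: show the link only to roles allowed to 'publish'.
$role = currentRole($levelToRole);
if (isAllowed($parents, $rules, $role, 'publish')) {
    echo '<a href="../sai_prin/menu_com_abas_dist.php">Distribuição</a>';
}
```

With this mapping a manager or administrator sees the link, while operator, user and guest do not, and a direct request to the target page is refused by requirePrivilege for the same roles.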