Security is a critical concern when developing websites or applications. One important aspect is how to properly authorize users so that only those with the correct permissions can access or perform specific actions. Role-based access control (RBAC) is a common approach. This article will demonstrate how to implement RBAC using PHP.
Before implementing authorization, it is essential to understand two key concepts: roles and permissions.
A role represents the identity a user assumes within the system. Each role has certain permissions that allow it to perform specific operations or access particular resources.
Permissions define the allowed actions or resources for a role. They can be predefined by the system or customized.
A system can have multiple roles, each with multiple permissions. Users can have one or more roles, and the combination of roles and permissions determines their access rights.
To implement RBAC, roles and permissions information must be stored in a database. Typically, two tables are created: one for roles and one for permissions. Below are SQL statements to create these tables:
Create roles table:
CREATE TABLE roles (
    id INT AUTO_INCREMENT PRIMARY KEY,
    name VARCHAR(255) NOT NULL
);
Create permissions table:
CREATE TABLE permissions (
    id INT AUTO_INCREMENT PRIMARY KEY,
    name VARCHAR(255) NOT NULL
);
The roles table stores role names in the 'name' field, and the permissions table stores permission names similarly.
In practice, roles and permissions are created first, then assigned to users.
Example of inserting roles:
INSERT INTO roles (name) VALUES ('admin');
INSERT INTO roles (name) VALUES ('user');
Example of inserting permissions:
INSERT INTO permissions (name) VALUES ('create');
INSERT INTO permissions (name) VALUES ('read');
INSERT INTO permissions (name) VALUES ('update');
INSERT INTO permissions (name) VALUES ('delete');
A users table is created to store user information along with their assigned role ID:
Create users table:
CREATE TABLE users (
    id INT AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(255) NOT NULL,
    password VARCHAR(255) NOT NULL,
    role_id INT NOT NULL
);
Example of inserting users:
INSERT INTO users (username, password, role_id) VALUES ('admin', 'admin_password', 1);
INSERT INTO users (username, password, role_id) VALUES ('user', 'user_password', 2);
PHP sessions can store a user's login status and role information. After a successful login, save the user's ID and role ID in the session. On each later request, read the role ID back from the session and check it to decide whether the user has the required permission.
Here is an example PHP code:
<?php
// Start the session
session_start();

// Check if logged in
if (!isset($_SESSION['user_id'])) {
    echo "Not logged in";
    exit;
}

// Get user role (cast to int so the comparisons below are exact)
$role_id = (int) $_SESSION['role_id'];

if ($role_id == 1) {
    echo "Admin user with all permissions";
} elseif ($role_id == 2) {
    echo "User with limited permissions";
} else {
    echo "Unknown role";
    exit;
}

// Check permission (the name comes from the query string, so default it
// when absent and escape it before echoing it back into the page)
$permission = $_GET['permission'] ?? '';

if ($role_id == 1 || ($role_id == 2 && in_array($permission, ['read', 'update'], true))) {
    echo "Has " . htmlspecialchars($permission) . " permission";
} else {
    echo "No " . htmlspecialchars($permission) . " permission";
    exit;
}
This code verifies login status, then checks the user’s role and permission accordingly. The logic can be customized based on your requirements.
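The script above hardcodes which permissions each role has. The following is an added example (not from the original article) that instead resolves permissions through a role-to-permission mapping, so adding a role or permission means adding rows rather than editing code. It assumes a `role_permissions` join table that the article does not define; its rows are constructed in memory here so the script runs without a database, and the `hasPermission()` function is the author's own, not part of any library.

```php
<?php
// Added example: permission check driven by a role-to-permission mapping.
// Assumed extra table (not in the article):
//   CREATE TABLE role_permissions (role_id INT NOT NULL, permission_id INT NOT NULL,
//                                  PRIMARY KEY (role_id, permission_id));
// The arrays below are constructed sample rows mirroring the article's inserts.
declare(strict_types=1);

$permissions = [1 => 'create', 2 => 'read', 3 => 'update', 4 => 'delete']; // permissions table
$rolePermissions = [                 // role_permissions table: role_id => permission_ids
    1 => [1, 2, 3, 4],               // admin: every permission
    2 => [2, 3],                     // user: read and update only
];

/**
 * Return true only when the role holds an explicit grant for the named permission.
 * An unknown role or an unknown permission name yields false, so the default is deny.
 */
function hasPermission(int $roleId, string $permission, array $permissions, array $rolePermissions): bool
{
    $permissionId = array_search($permission, $permissions, true);
    if ($permissionId === false || !isset($rolePermissions[$roleId])) {
        return false;
    }
    return in_array($permissionId, $rolePermissions[$roleId], true);
}

// Same request flow as the article's script: role from the session, permission name
// from the query string, and the response code reflects the outcome.
session_start();
if (!isset($_SESSION['user_id'], $_SESSION['role_id'])) {
    http_response_code(401);
    exit('Not logged in');
}
$roleId     = (int) $_SESSION['role_id'];
$permission = (string) ($_GET['permission'] ?? '');

if (!hasPermission($roleId, $permission, $permissions, $rolePermissions)) {
    http_response_code(403);
    exit('No ' . htmlspecialchars($permission) . ' permission');
}
echo 'Has ' . htmlspecialchars($permission) . ' permission';
```

With the sample rows, `hasPermission(2, 'delete', ...)` returns false and `hasPermission(1, 'delete', ...)` returns true; replacing the two arrays with a query over the three tables keeps the function unchanged.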
Role-based access control is an effective way to manage user permissions. By storing roles and permissions in a database and implementing authorization checks in PHP, you can create a secure and reliable access control system. Hopefully, this guide helps you understand and apply RBAC with PHP.