
How to Implement an Efficient User Permission Control System in PHP

M66 2025-06-19

PHP Development Tips: How to Implement User Permission Control

In web applications, user permission control is a key feature to ensure system security. It prevents unauthorized access while ensuring that legitimate users get the permissions they need. In this article, we will walk you through how to implement user permission control in PHP with specific code examples.

1. Database Design

Before implementing the permission control system, we first need to design a database to store user information and permission data. Typically, you'll create the following tables:

1. User Table: Stores basic user information and login credentials.

2. Role Table: Defines the user roles and their associated permissions.

3. Permission Table: Lists all available permissions in the system.

4. Role-Permission Relationship Table: Establishes a many-to-many relationship between roles and permissions.

Sample Code:

CREATE TABLE users (
  id INT(11) AUTO_INCREMENT PRIMARY KEY,
  username VARCHAR(50) NOT NULL UNIQUE,   -- the login code expects exactly one row per username
  password VARCHAR(255) NOT NULL,         -- holds a password_hash() digest, never the plaintext
  role_id INT(11) NOT NULL
);

CREATE TABLE roles (
  id INT(11) AUTO_INCREMENT PRIMARY KEY,
  name VARCHAR(50) NOT NULL
);

CREATE TABLE permissions (
  id INT(11) AUTO_INCREMENT PRIMARY KEY,
  name VARCHAR(50) NOT NULL,
  resource VARCHAR(50) NOT NULL           -- e.g. the page or action the permission guards
);

CREATE TABLE role_permissions (
  id INT(11) AUTO_INCREMENT PRIMARY KEY,
  role_id INT(11) NOT NULL,
  permission_id INT(11) NOT NULL
);

2. Login Function

Before implementing permission control, we need to set up a login function. Users authenticate with their username and password, and the system checks the submitted credentials against the stored password hash in the database. The user's id and role id are then kept in the session so that later permission checks can use them.

Sample Code:

<?php
session_start();

$error = null;

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
  $username = $_POST['username'] ?? '';
  $password = $_POST['password'] ?? '';

  // Connect to the database and look the user up by username only.
  // A prepared statement keeps the submitted value out of the SQL text.
  $conn = new mysqli('localhost', 'username', 'password', 'database');
  $stmt = $conn->prepare('SELECT id, username, password, role_id FROM users WHERE username = ?');
  $stmt->bind_param('s', $username);
  $stmt->execute();
  $result = $stmt->get_result();
  $row = $result->fetch_assoc();   // null when no such user

  // The stored column is a password_hash() digest, so compare with password_verify()
  if ($row !== null && password_verify($password, $row['password'])) {
    session_regenerate_id(true);   // fresh session id after a successful login
    $_SESSION['user_id'] = $row['id'];
    $_SESSION['username'] = $row['username'];
    $_SESSION['role_id'] = $row['role_id'];
    header('Location: dashboard.php');
    exit;
  } else {
    // Same message for unknown user and wrong password
    $error = "Invalid username or password";
  }
}

if (isset($_SESSION['user_id'])) {
  header('Location: dashboard.php');
  exit;
}

3. Permission Verification

Once the user is logged in, we need to verify their permissions based on their role, ensuring they only access resources they are authorized to view. A permission check function called at the top of each protected page denies access unless the user's role has been granted a permission for that page's resource.

Sample Code:

<?php
// Assumes session_start() has already been called for this request

function checkPermission($resource) {
  // Check if the user is logged in
  if (!isset($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
  }

  // Query the user's role permissions with a prepared statement so that
  // neither the role id nor the resource name is interpolated into the SQL
  $conn = new mysqli('localhost', 'username', 'password', 'database');
  $stmt = $conn->prepare(
    "SELECT permissions.name
     FROM roles
     INNER JOIN role_permissions ON roles.id = role_permissions.role_id
     INNER JOIN permissions ON role_permissions.permission_id = permissions.id
     WHERE roles.id = ? AND permissions.resource = ?"
  );
  $roleId = (int) $_SESSION['role_id'];
  $stmt->bind_param('is', $roleId, $resource);
  $stmt->execute();
  $result = $stmt->get_result();

  // No matching row means the role was never granted this resource: deny by default
  if ($result->num_rows == 0) {
    header('Location: unauthorized.php');
    exit;
  }
}

checkPermission('dashboard.php');
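The same check can be packaged so that a role's permissions are read once per request and reused, both for enforcing access and for deciding which links to render. The following is an added example, not code from the original article; it uses PDO against the tables defined above, keeps the article's connection placeholders, and assumes session_start() has run and that login stored the role id in $_SESSION['role_id']. The class name Authorizer is the example's own.

```php
<?php
declare(strict_types=1);

// Added example (not part of the original article): per-request cache of
// the role's granted resources, with deny-by-default enforcement.
final class Authorizer
{
    /** @var array<string, true>|null resources granted to the role, loaded on first use */
    private ?array $granted = null;

    public function __construct(private PDO $pdo, private int $roleId) {}

    private function load(): array
    {
        if ($this->granted === null) {
            // One prepared query per request instead of one per checked page/link
            $stmt = $this->pdo->prepare(
                'SELECT p.resource
                   FROM role_permissions rp
                   JOIN permissions p ON p.id = rp.permission_id
                  WHERE rp.role_id = :role_id'
            );
            $stmt->execute([':role_id' => $this->roleId]);
            $this->granted = [];
            foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $resource) {
                $this->granted[$resource] = true;
            }
        }
        return $this->granted;
    }

    /** Deny by default: only an explicit row in role_permissions grants a resource. */
    public function can(string $resource): bool
    {
        return isset($this->load()[$resource]);
    }

    /** Enforce: stop the request with 403 instead of rendering the page. */
    public function requirePermission(string $resource): void
    {
        if (!$this->can($resource)) {
            http_response_code(403);
            exit('Forbidden');
        }
    }
}

// Usage at the top of a protected page (session already started by login):
$pdo = new PDO('mysql:host=localhost;dbname=database', 'username', 'password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$auth = new Authorizer($pdo, (int) ($_SESSION['role_id'] ?? 0));
$auth->requirePermission('dashboard.php');
```

A role id of 0 (no session) loads no rows and is therefore refused, so an unauthenticated request never reaches the page body; use can() in templates to hide links the current role cannot follow.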

Conclusion

This article provides a basic implementation of PHP user permission control, including database design, user login verification, and permission validation. Based on your needs, you can further optimize this system to suit different web application scenarios. Permission control not only enhances system security but also improves user experience, making it an essential skill for every PHP developer.