User Permissions - Question

[Evilaussie]

Hey all,

I kept to my promise fairly well, here i am posting about user permissions! Anyways, onto the question. The way i would like to have user permissions is, on my users database, i create a new row called permissions in my table members which holds everything. Then, on my website, i have a page called display_users which you can delete/edit the users.

Now, onto the actual question. When all the users display down the page, when i click on the 'edit' button for say user 10, it goes to a new page and it update only that user in the table. I gathet thats confusin eh? :| Another example:

------- ----------- ------------
User | Permissions | delete/edit
------- ------------ --------------

then below those headers all the members are listed. Then when i click on say Bobby who is the tength line in the member table, when i click edit (Or delete), it selects him from the table so when i put in the all the new information, and run the query it Updates only him, or deletes him. (Whatever i select)

Could anyone please explain to me how this would be done? Then i'd just do if statements to check the user permissions throughout the website.

Yah, big explination, but ya know, been trying for ever, still to get it. :p
Thanks
-Kantoris

[Anigma]

The edit link would need to contain the userid that is associated with Bobby's account store in some user table.

Ex.

Code:

http://site.com/dir/editUser.php?uid=1983

So when you click on that link, it passes Bobby's userid to editUser.php as a GET variable which can be retrieved in your site with something like:

Code:

$userid = $_GET['uid']

You could then run a query to retrieve any data associated with Bobby's account, including his permissions.

Ex.

Code:

SELECT permissions FROM users WHERE userid=$userid

where $userid contains the value from the GET.

Not quite sure if this was what you were asking for, but I hope this helps.

[bfsog]

You have to remember that having database activity that runs if a get parameter is dangerous. Spiders will visit those pages, so on the actual delete/edit page you need a form that has submit of POST type.

[Evilaussie]

Yep, fair enough.

From my original thinking, i've changed the way permissions are set. Instead of setting up all the permissions once they've joined, everytime a user registers there automatically set to members. From there, i've added a auth.php and admin_auth.php page to check wether firstly; There Members, then to see if they have the correct permissions to view the AdminCP pages.

From there, i just enter the users ID, since using the members login name didn't seem to work. The code was something like:

Code:

$qry = mysql_query("SELECT login, firstname, permissions FROM members WHERE login=$user") or die(mysql_error());

but by using the members name, the SQL query didn't seem to work. Therefore, i just enter the users ID. (Yah, **** way of doing it, if you want i'll try and get the whole code and we can try to figure it out.)

Then to change the permissions, i enter the users ID and the wanted permissions into a form, foward it to a new page, recieve the inputs, check them; If all correct, i insert the new permissions to the specified user.

Thought i'd just post about the way i've done it up to now.

PS. What is it with me writing fairly detailed posts..... :P

[bfsog]

Well, using numbers (id=5 rather than id=bob) is better practice in my opinion.

I take it these permissions you speak of are going to be 1 of , say 3. If so why you could make them an ENUM and use a drop down box or similar.

[Evilaussie]

Yeah, pretty much the following:

1 - Admin
2 - (Some random permission i'll come up with)
3 - Member

With the way you suggested, care to please explain?

[bfsog]

Well in your database table you would have an ENUM column (basically means it's value can only be 1 of n where n is the number of possible values).

Your form would produce a drop down box with the 3 permission settings making user error impossible (for setting permissions).