Last Updated:

Managing user rights in PHP

This article describes how to manage visitors' access rights to pages and site features. By assigning access rights, we can flexibly regulate the capabilities of visitors. You can see a real example of using such a system in the demo version of the professional catalog of CompAdmin companies on the > website. There are many options for dividing access rights, you can use which one you like more. This is just an example.

The principle is taken from CHMOD, where the rights consist of numbers from zero to seven, each of which means the ability to read, write or execute a file (directory). In our case, the rights will be to view, edit and delete information.

0 - nothing can be
done 1 - delete
allowed 2 - editing
allowed 3 - editing and deleting
allowed 4 - view
5 allowed - view and delete
allowed 6 - view and edit
7 allowed - all

allowed Our access rights will consist of a series of numbers from zero to seven, where each number means access rights to the page and its functions.

Information, which number from the series corresponds to which page, we will write in the table of access rights. Let's say we have a control panel consisting of 3 pages: news.php, tovars.php and contacts.php. Let's create an access rights table: Suppose you have a user with privileges 754. Let's analyze its privileges:

7 is the first number in the user's access rights, it corresponds to the News page from the access rights table. The number 7 means that everything is allowed, hence the user can view the news, edit and delete them.

5 is the second number in the user's access rights, it corresponds to the Products page from the access rights table. The number 5 means that viewing and deleting is allowed, therefore, the user can view and delete products, he cannot edit them.

4 is the third number in the user's access rights, it corresponds to the Contact Information page from the access rights table. The number 4 means that only viewing is allowed, so the user can only view his contacts, and he cannot edit them.

But this is all :) theory. It is still not entirely clear how to implement such a system in your site. What should I do?

$access[1] = "News";
$access[2] = "Products";
$access[3] = "Contact Information";


1. Add the following information to a separate file, such as dostup.php:

Access rights table Access rights of an unauthorized user (guest)
If you specify "444", it means that only viewing is allowed, 000 - nothing is allowed, 777 - everything is possible. Any options are possible. Here I specify three digits, since there are three values above in the access rights table. If there were 34 pages, there would be so many numbers in the guest's rights. Access rights check function

$access[1] = "News";
$access[2] = "Products";
$access[3] = "Contact Information";
$dostup_quest = "444";
function user_access($num)
global $user_access; // Contains the user's permissions

// Default permissions

$priv_read = array(4,5,6,7); // Values ​​that allow viewing
$priv_write = array(2,3,6,7); // Values ​​that allow editing
$priv_del = array(1,3,5,7); // Values ​​that allow deletion

$priv_lengh = strlen($user_access); // Determine the length of the variable with permissions

$priv_num = ($num>$priv_lengh or $num==0) ? 0 : substr($priv_lengh, $num-1, 1);
// The value of access rights to this page is determined. If in a variable
$user_access is less than digits,
than in $num (passed to the function), zero is returned.

// Check the rights to view, edit, delete, and if the result
positive, write to array
if(in_array($priv_num, $priv_read))$priv["read"]=1;
if(in_array($priv_num, $priv_write))$priv["write"]=1;
if(in_array($priv_num, $priv_del))$priv["del"]=1;

return $priv; // Return an array with permissions

2. On the page check the access rights to it

Connect dostup.php Write to user rights
When verifying authorization, read user rights to variable. If the user is unauthorized, then assign guest rights: It is assumed that before that there was an authorization check and the authorization status ($auth['status']) and user access rights ($auth['dostup']) are recorded in the array, which are stored in the Check user's access rights database

to this page

So, the user user (remember, he has 754 rights) visited the tovars.php page.

To find out his rights, call the user_priv() function and write the result of its execution in a variable: Well, actually, all :), you can sum up. In the table of access rights, enter all the pages on which these rights need to be restricted. Specify users in the database their rights in the form of a series of numbers (for example, "7524452444746653214004000457"). On closed pages, check the access rights to them. If the user does not have rights, an error will pop up.

This article described the system of separation of access rights separately from the authorization system. In practice, for the level of security, they must be tightly bound, remember this.

Krisko Alexander

require "dostup.php";
if($auth['status']==1) $user_dostup = $auth['dostup'];
else $user_dostup = $dostup_quest;
$this_access = user_priv(2); // Arguments pass the number of this page from the table
access rights

Now we check if he can view the page:

if(!$this_dostup['read']){echo "No rights to view!"; exit;}
// exits
from the script, if there are no rights

Now we check if he can edit products:

if(!$this_dostup['write']){$er = "No rights to edit!";}
Writes an error message to a variable if there is no permission
Here's the edit code

Now we check if it can delete products:

if(!$this_dostup['del']){$er = "No permission to delete!";}
// Writes
error message to variable if no rights

Here's the delete code