A Better Login System - Tuts+ Code Tutorial
http://code.tutsplus.com/tutorials/a-better-login-system--net-3461
By Andrew Steenbuck, 26 Mar 2009
Net.tuts+ has published several great tutorials on user login systems.
Most tutorials only deal with authenticating the user, which allows for two levels of security: logged in and not logged in. For many sites, a finer degree of control is needed to control where users can go and what they can do. Creating an access control list (ACL) system will give you the flexibility for granular permissions.
Introduction
Imagine you are running a great tutorial site that lets users learn about a wide variety of web development techniques. In addition to your normal readers, you have some premium subscription members, as well as contributing authors and administrators.
Your problem
You want to restrict users to only the specific pages that their particular account allows them to access.
The solution
Implementing an access control list will allow you a great deal of control over what users can and cannot access on your site.
If you view the demo, available with the downloadable source code, you will be greeted with an index page that tests the ACL for each user. You can select different links at the bottom to view the ACL for the different users. If you click on the 'Admin Screen' link near the top, you can view a sample of the admin interface that allows you to manage the users, roles, and permissions. NOTE: The admin system will perform a database restore every 30 minutes to make sure everything stays on the up and up.
The download files also implement the ACL security on the admin site, so if user number one doesn't have the 'access admin' permission, you won't be able to access the admin site.
This system will enable you to create different groups of users (i.e. guests, premium members, contributors, and admins). We will be able to set unique permissions for each group, as well as for individual users. Let's get started by setting up our MySQL database.
Step 1: Create the Database
Our ACL will be stored in a relational database using six tables (including the table for users). You should already have a database set up in your host environment. We will create the following table structure:
The code to create the database is available in the source files (install.sql), and there is also another file (sampleData.sql) that will create 4 sample users, along with several roles and permissions for you to test with. Simply open the files with your favorite text editor, and copy/paste the code into the SQL panel in phpMyAdmin.
Step 2: Database Include
We need to create an include file so that we may connect to our database. Create a file called assets/php/database.php and add the following code to it (replace the variable values with the information appropriate for your hosting situation):
On the first line of the code, we call session_start(); we will not actually use the session variables, but you will need it as part of the user login system. Then, we call ob_start() to create an output buffer. Typically, when PHP generates the page, it is sent to the browser as it is generated.
By using ob_start(), the page and headers aren't sent to the browser until they've loaded completely, or until we call ob_end_flush(). By buffering the page, we are able to redirect using PHP at any point on the page, instead of just at the top. After the headers are sent, our only redirect option is with JavaScript. An enterprising hacker could easily turn JavaScript off, and then see our unsecured page in all its glory. This one line allows us to deny the user access at any point in the page if needed.
Lines 4-8 set up our variables. $hasDB is a boolean used to determine if we are connected. $server, $user, $pass, and $db are the connection arguments for the server. Line 9 connects to the server, while line 10 determines if the connection was successful. If it was, we select the database to use; if it wasn't, we display an error message using die().
Step 3: Create the ACL Class
This step is fairly long, as we are creating the ACL class that will form the basis of our system. I apologize in advance for the length of this step.
Our ACL system will be object-oriented, so let's start creating the class file. We start by adding the class definition, variable definitions, and the constructor to the file /assets/php/class.acl.php:
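As an added example (not the tutorial's own code), here are Steps 1 and 3 modelled in Python against an in-memory SQLite copy of the six-table layout: roles grant permissions, a per-user entry overrides whatever the roles say, and anything left unset is denied. The table and column names, the merge order and the sample users are assumptions; the tutorial's real schema is in install.sql.

```python
import sqlite3

# Added example: an in-memory model of the six-table ACL the tutorial describes
# (users, roles, permissions, user-to-role, role-to-permission, user-to-permission).
# Table and column names here are assumptions; the real ones live in install.sql.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL);
CREATE TABLE roles (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE permissions (id INTEGER PRIMARY KEY, perm_key TEXT UNIQUE NOT NULL);
CREATE TABLE user_roles (user_id INTEGER, role_id INTEGER, PRIMARY KEY (user_id, role_id));
CREATE TABLE role_perms (role_id INTEGER, perm_id INTEGER, value INTEGER NOT NULL, PRIMARY KEY (role_id, perm_id));
CREATE TABLE user_perms (user_id INTEGER, perm_id INTEGER, value INTEGER NOT NULL, PRIMARY KEY (user_id, perm_id));
"""

# Constructed sample data, not the tutorial's sampleData.sql.
SAMPLE = """
INSERT INTO users VALUES (1, 'admin'), (2, 'contributor'), (3, 'guest');
INSERT INTO roles VALUES (1, 'admins'), (2, 'contributors');
INSERT INTO permissions VALUES (1, 'access_admin'), (2, 'edit_articles');
INSERT INTO user_roles VALUES (1, 1), (2, 2);
INSERT INTO role_perms VALUES (1, 1, 1), (1, 2, 1), (2, 2, 1);
-- user 2 is denied edit_articles by name even though the contributors role grants it;
-- user 3 has no role at all but is granted edit_articles directly
INSERT INTO user_perms VALUES (2, 2, 0), (3, 2, 1);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def effective_perms(conn, user_id):
    """Role grants first, per-user entries last (merge order is this example's assumption)."""
    perms = {}
    for key, value in conn.execute(
        "SELECT p.perm_key, MAX(rp.value) FROM user_roles ur "
        "JOIN role_perms rp ON rp.role_id = ur.role_id "
        "JOIN permissions p ON p.id = rp.perm_id "
        "WHERE ur.user_id = ? GROUP BY p.perm_key", (user_id,)):
        perms[key] = bool(value)
    for key, value in conn.execute(
        "SELECT p.perm_key, up.value FROM user_perms up "
        "JOIN permissions p ON p.id = up.perm_id WHERE up.user_id = ?", (user_id,)):
        perms[key] = bool(value)   # a per-user entry overrides whatever the roles say
    return perms

def has_permission(conn, user_id, perm_key):
    # Default deny: a permission that is unset or set to false is never granted.
    return effective_perms(conn, user_id).get(perm_key, False)
```

Listing only the entries whose value is true, as the edit-user screen does later in the tutorial, is a filter over the dictionary effective_perms() returns.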
above with some code to manage the users. We will use the querystring variable $action to determine which of the user interfaces we should display. There are four possible values that we will address: if it is null, we display a list of the current users; if it is set to 'user', we display the form for a single user; if it is set to 'roles', we display the form to assign roles to the user; if it is set to 'perms', we display the form to give the user permissions.
List Users
Add this code inside the div with the id 'page':
The concept here is pretty simple. We build a SQL query, run it and loop through the results. For each user, we generate a link that will enable us to edit that particular user.
Edit Individual User
Now, add this code directly under the previous code block:
When we edit a user, we need to load the ACL for that user. This will enable us to see which roles and permissions they have. We start that by creating a new ACL object, and passing in the $userID from the querystring (this way we load that user's ACL, instead of the logged-in user's). After that is where your normal edit user form would go. Typical things would be text fields to edit username, password, etc. Below that we list the roles the user is assigned to, and also provide a link so we can assign the user to other roles. Lines 10-16 load all the roles that the user is assigned to, and print them out as list items using foreach(). Then we list out the user's permissions in a similar fashion. We only print out the permissions that the user has, not ones that are set to false.
Assign Roles
Our assign roles form will end up looking like this:
Add this code right below the previous code block: