How to handle user rights

My office uses an in-house CMS that my team and I have been steadily developing for the past few years. Currently, I have three levels of access: Editor, Developer, and Admin.

  • Editors can edit the staff directory and the calendar of events.
  • Developers can do that and also get to the CMS stuff.
  • Admins can do both of those, and also add/remove users, as well as a few other admin-like things.

While these three levels work, as the site and the CMS grow, I’m finding the need for greater control of access. For example, the CMS houses the back-ends for 4-5 web tools (basic forms that you check a few options on, click submit, and get some results), and the best people to update those tools are the people they belong to.

I’m trying to figure out how to grant access to specific pages without having a load of IF statements at the top of each page that have to constantly be edited, so I’m hoping some people here who have more experience than me can give me some tips or ideas.

One idea I have is to modify my users table to add some page IDs. Since every page in the CMS has an entry (and an ID) in the database, I could use that page ID to decide who has access. Maybe when you click on a user, in their profile is a list of all possible pages, and you tick the ones they have access to? I could check this on the page request event. Or is there a better way?

In case anyone is interested, I went ahead and implemented this, and it works really well.

I created a new table in our db to hold page IDs and user IDs:
[userpages]
pageid, int
userid, int

Then I made a few new pages in the CMS to manage these new permissions. When a user signs into the CMS, I pull a list of allowed page IDs out of the database and assign them to a session variable. Whenever a page is accessed, I check the page ID against the list, and if I find a match, I load the content. If not, I load a “no access” include.

Now I can assign individual users to specific pages, which is exactly what I was after.
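The table-plus-session scheme described in the post above, as an added example that is not the poster's CMS code. It uses Python with an in-memory SQLite table standing in for the CMS database; the grants, user IDs and page IDs are constructed sample data, and the per-request check fails closed on a missing session or a non-integer page ID.

```python
import sqlite3

# Constructed in-memory copy of the post's [userpages] table (pageid int,
# userid int); the composite key stops duplicate grants.
SCHEMA = """
CREATE TABLE userpages (
    pageid INTEGER NOT NULL,
    userid INTEGER NOT NULL,
    PRIMARY KEY (pageid, userid)
);
"""
# Constructed sample grants: user 10 gets pages 1 and 2, user 20 gets page 3.
SAMPLE_GRANTS = [(1, 10), (2, 10), (3, 20)]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO userpages VALUES (?, ?)", SAMPLE_GRANTS)
    return conn


def load_allowed_pages(conn, userid):
    """Run once at login: the set of page IDs this user may open. A frozenset
    so nothing downstream can add to it by accident."""
    rows = conn.execute("SELECT pageid FROM userpages WHERE userid = ?", (userid,))
    return frozenset(r[0] for r in rows)


def login(conn, userid):
    """Session contents the post describes: the user plus their allowed pages."""
    return {"userid": userid, "allowed_pages": load_allowed_pages(conn, userid)}


def page_allowed(session, requested_pageid):
    """Per-request check that fails closed: no session, a page ID that is not
    an integer (e.g. a tampered query string) or an unlisted page all deny."""
    try:
        pageid = int(requested_pageid)
    except (TypeError, ValueError):
        return False
    if not session or "allowed_pages" not in session:
        return False
    return pageid in session["allowed_pages"]


def render(session, requested_pageid):
    """Request handler: the page content or the "no access" include."""
    if page_allowed(session, requested_pageid):
        return f"content for page {int(requested_pageid)}"
    return "no-access include"
```

Because the allowed list is cached in the session at login, a page revoked through the admin UI stays reachable until that user signs in again; re-query the table (or invalidate the session) whenever grants change.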
