Assigning Permissions based on user type in PHP MYSQL Application

Question

I want to create user roles and permissions (Super Admin, Accountant, User) in my Php Mysql CRUD Application. I am wondering how to allow create, read, update and delete permissions to these users, for example, will it be done in create.php or should I create separate create.php files for each user.

Only the Super Admin will have all permissions. For accountant, it will be read (view) and update. And for normal user, it will be read only.

How can I achieve this?

Answer 1

Most commonly this is done with groups and Access Control Lists (ACLs).

You implement a "group" attribute of a user entity, and then define the group with a set of privileges. When the user logs in, load their privileges by looking up their group and then lookup the privileges assigned to that group.

In your create.php, check the privileges that have been loaded for that user, and if they don't have create privilege, return an informative error message.

Googling for "PHP ACL for CRUD application" I found a number of tutorials showing how to implement this in different PHP frameworks. One example:

https://book.cakephp.org/2/en/tutorials-and-examples/simple-acl-controlled-application/simple-acl-controlled-application.html

By using groups and ACLs, this makes it easier to define new group types in the future, or change the group membership of a given user, or change the privileges assigned to the groups.