Easy to Modify Login Script with Hierarchical User Permissions and XML Account File

Wildhoney · 01-06-2008, 04:54 PM

This login script allows you to add and remove users easily by editing the XML file accounts.xml. Out of the box, the script supports 4 user account types. These are as follows:

Registered User
Moderator
Administrator
Super Administrator

You may easily add new user accounts by creating a new file in the levels folder. Each access level has a separate class and file, and should always implement the TalkPHP_Level_Interface interface.

Configuration

By default there are 4 user accounts of all 4 user permissions. The index.php file is set-up to login to the first account: User1 with the password as password. Logging in is easily done via the login function:

PHP Code:

  $pLogin->login('User1', 'password');

All these accounts may be edited, and new ones added via the accounts.xml file in the TalkPHP_Login directory.

Adding Accounts

If you open up accounts.xml in a plain text editor such as Notepad or Vi, you will see how easy it is to add and remove user accounts. A basic user segment is formatted like so:

Code:

<account>
	<username>User1</username>
	<password>password</password>
	<level>User</level>
</account>

The username and password nodes should be fairly self-explanatory, whilst the level is also self-explanatory, there is a set way to do them. The 4 levels you may enter here are as follows:

User
Moderator
Administrator
Super Administrator

The username and password are case-sensitive, whereas the user levels are not. It's best to stick to the case-sensitivity as described above, however, merely for standard reasons.

If you enter an incorrect user level name then that account will not be added, and casually ignored without throwing any errors. If an account is not being added then ensure you have specified a correct user level. As the user levels are all dynamic, these levels are named after the class name as outlined below.

Adding User Levels

In order to add a new user level you will need to have a little experience in PHP. Let's add a Gremlin account who will have both Moderator and User permissions, but no more.

Create a new file in TalkPHP_Login/levels called levels_gremlin.php. If you copy and paste the details from one of the other files in there then we can easily edit just a few items and have done with it.

The items you need to modify are as follows:

PHP Code:

  /* Used as the account level name: */

$this->m_szLevelName = 'Cheeky Gremlin';

 
/* Permissions which this user has: */

return TALKPHP_LOGIN_GREMLIN | TALKPHP_LOGIN_USER | TALKPHP_LOGIN_MODERATOR;

The class name itself also needs to be changed to: TalkPHP_Level_Gremlin.

Those are the only changes we need to make so save the file! As you can see we have used a constant called TALKPHP_LOGIN_GREMLIN which we have not yet defined. To add the constant open the file TalkPHP_Login/access.class.php and at the top where the defines are, add a new line like so:

PHP Code:

  define('TALKPHP_LOGIN_GREMLIN', 1 << 5);

You don't necessarily need to know what these bitwise operators do exactly, but to have a little inkling, they basically set the permissions. The basic rule to adding them is keep the 1 as is, and just increment the second digit by 1 from the define above it. Therefore for every new account after the one above will be:

PHP Code:

  define('TALKPHP_LOGIN_GREMLIN_2', 1 << 6);

define('TALKPHP_LOGIN_GREMLIN_3', 1 << 7);

define('TALKPHP_LOGIN_GREMLIN_4', 1 << 8);

Once you have done all that we are ready to go! Our new user level has been added, and none of the other accounts have been affected. All we have to do test it is modify our accounts.xml file to set a user to the Gremlin level, like so:

Code:

<account>
	<username>User1</username>
	<password>password</password>
	<level>Gremlin</level>
</account>

The Gremlin level's name is taken directly from the class itself that we created in TalkPHP_Login/levels:

PHP Code:

  class TalkPHP_Level_Gremlin implements TalkPHP_Level_Interface

{

 
}

Security

As far as I can see, there are no security holes in the system. However, one potential security hole is the accounts.xml file being in a readable format. Out of the box the file is protected from outside access via a .htaccess file in the TalkPHP_Login directory.

If the aforementioned .htaccess file is removed, or your web-server is not Apache and therefore doesn't support .htaccess files, then the accounts.xml file is open for anybody to download. The best way to check is try and access the file yourself.

If the file is accessible then you will need to contact your host for a way in which you can protect the file. They'll be a way.

External Libraries

There is only one requisite really, although technically there are 2, if you have PHP 5 then you will also have SimpleXML. Ensure SimpleXML is enabled, and that you're running PHP 5. PHP recently announced it is discontinuing its support for PHP 4 and so all hosts should now support PHP 5, either as the primary PHP interpreter, or at least available through a .htaccess modification. Contact your host for further assistance.

Download Script

The script may be downloaded over at TalkPHP.com in the following thread.

Marty Rogers · 01-07-2008, 03:47 AM

That sounds neat, thanks a bundle.

Daniel · 01-07-2008, 09:12 AM

Wouldn't it be better to hash the password via PHP before placing into the .xml file - There are ways to stop it being visible, but it's still a vulnerability.

Dan

Joe · 01-07-2008, 09:44 AM

Quote:

Originally Posted by Danltn

Wouldn't it be better to hash the password via PHP before placing into the .xml file - There are ways to stop it being visible, but it's still a vulnerability.

Dan

Definitely. ^^
Vulnerabilities in user systems is of major significance.

Also, this is in the wrong forum. It should be on code.

Just a heads up.

Joe

True_Snake · 01-07-2008, 01:58 PM

Thread moved to "CODE"

!

True_Snake

Wildhoney · 01-08-2008, 01:46 PM

Quote:

Originally Posted by Danltn

Wouldn't it be better to hash the password via PHP before placing into the .xml file - There are ways to stop it being visible, but it's still a vulnerability.

Dan

Quite true it would. Well spotted. I'm not too sure how I overlooked that.

j.channon · 01-24-2008, 05:45 AM

How would I go about doing this for securing pages. If for example you had an admin area and once validated on the index.php you they click a link to another page in the folder is there something in the header that to make sure they are logged in. Would you need to store the username/password in a session? I have tried adding a new page in and after logging in I go to the page that has
if($pLogin->isLoggedIn()) but it always returns false. I assume you have to log in on every page with the stored session?

Thanks for your help - a PHP newbie!

Shane · 01-24-2008, 08:05 AM

I like this script alot! Shall probably use it sometime.

01-06-2008, 04:54 PM	#1 (permalink)
Wildhoney NamePros Member Join Date: Sep 2006 Posts: 74 0.00 NP$ (Donate)	Easy to Modify Login Script with Hierarchical User Permissions and XML Account File This login script allows you to add and remove users easily by editing the XML file accounts.xml. Out of the box, the script supports 4 user account types. These are as follows: Registered User Moderator Administrator Super Administrator You may easily add new user accounts by creating a new file in the levels folder. Each access level has a separate class and file, and should always implement the TalkPHP_Level_Interface interface. Configuration By default there are 4 user accounts of all 4 user permissions. The index.php file is set-up to login to the first account: User1 with the password as password. Logging in is easily done via the login function: PHP Code: `$pLogin->login('User1', 'password');` All these accounts may be edited, and new ones added via the accounts.xml file in the TalkPHP_Login directory. Adding Accounts If you open up accounts.xml in a plain text editor such as Notepad or Vi, you will see how easy it is to add and remove user accounts. A basic user segment is formatted like so: Code: <account> <username>User1</username> <password>password</password> <level>User</level> </account> The username and password nodes should be fairly self-explanatory, whilst the level is also self-explanatory, there is a set way to do them. The 4 levels you may enter here are as follows: User Moderator Administrator Super Administrator The username and password are case-sensitive, whereas the user levels are not. It's best to stick to the case-sensitivity as described above, however, merely for standard reasons. If you enter an incorrect user level name then that account will not be added, and casually ignored without throwing any errors. If an account is not being added then ensure you have specified a correct user level. As the user levels are all dynamic, these levels are named after the class name as outlined below. Adding User Levels In order to add a new user level you will need to have a little experience in PHP. Let's add a Gremlin account who will have both Moderator and User permissions, but no more. Create a new file in TalkPHP_Login/levels called levels_gremlin.php. If you copy and paste the details from one of the other files in there then we can easily edit just a few items and have done with it. The items you need to modify are as follows: PHP Code: `/* Used as the account level name: / $this->m_szLevelName = 'Cheeky Gremlin'; / Permissions which this user has: / return TALKPHP_LOGIN_GREMLIN \| TALKPHP_LOGIN_USER \| TALKPHP_LOGIN_MODERATOR;` The class name itself also needs to be changed to: TalkPHP_Level_Gremlin. Those are the only changes we need to make so save the file! As you can see we have used a constant called TALKPHP_LOGIN_GREMLIN* which we have not yet defined. To add the constant open the file TalkPHP_Login/access.class.php and at the top where the defines are, add a new line like so: PHP Code: `define('TALKPHP_LOGIN_GREMLIN', 1 << 5);` You don't necessarily need to know what these bitwise operators do exactly, but to have a little inkling, they basically set the permissions. The basic rule to adding them is keep the 1 as is, and just increment the second digit by 1 from the define above it. Therefore for every new account after the one above will be: PHP Code: `define('TALKPHP_LOGIN_GREMLIN_2', 1 << 6); define('TALKPHP_LOGIN_GREMLIN_3', 1 << 7); define('TALKPHP_LOGIN_GREMLIN_4', 1 << 8);` Once you have done all that we are ready to go! Our new user level has been added, and none of the other accounts have been affected. All we have to do test it is modify our accounts.xml file to set a user to the Gremlin level, like so: Code: <account> <username>User1</username> <password>password</password> <level>Gremlin</level> </account> The Gremlin level's name is taken directly from the class itself that we created in TalkPHP_Login/levels: PHP Code: `class TalkPHP_Level_Gremlin implements TalkPHP_Level_Interface { }` Security As far as I can see, there are no security holes in the system. However, one potential security hole is the accounts.xml file being in a readable format. Out of the box the file is protected from outside access via a .htaccess file in the TalkPHP_Login directory. If the aforementioned .htaccess file is removed, or your web-server is not Apache and therefore doesn't support .htaccess files, then the accounts.xml file is open for anybody to download. The best way to check is try and access the file yourself. If the file is accessible then you will need to contact your host for a way in which you can protect the file. They'll be a way. External Libraries There is only one requisite really, although technically there are 2, if you have PHP 5 then you will also have SimpleXML. Ensure SimpleXML is enabled, and that you're running PHP 5. PHP recently announced it is discontinuing its support for PHP 4 and so all hosts should now support PHP 5, either as the primary PHP interpreter, or at least available through a .htaccess modification. Contact your host for further assistance. Download Script The script may be downloaded over at TalkPHP.com in the following thread. __________________ TalkPHP.com - The Friendly PHP Community Watch Weeds Online - Watch Reaper Online

01-07-2008, 09:12 AM	#3 (permalink)
Daniel Danltn.com Join Date: May 2007 Location: Danltn.com / Nottingham, UK Posts: 1,201 13.51 NP$ (Donate)	Wouldn't it be better to hash the password via PHP before placing into the .xml file - There are ways to stop it being visible, but it's still a vulnerability. Dan __________________ *VERY CHEAP ADVANCED* BULK DOMAIN-STATISTICS LOOKUP** Danltn's Blog - Daniel Neville's Site Spoof your links! Submit your blog NOW! Putting bloggers on the map!

01-07-2008, 01:58 PM	#5 (permalink)
True_Snake In-House Graphic Designer Join Date: Aug 2004 Location: Toronto, Canada Posts: 4,306 37,186.96 NP$ (Donate)	Thread moved to "CODE" ! True_Snake __________________ Logos:PM ME! OVECHKIN.INFO! Rising Star!

01-24-2008, 08:05 AM	#8 (permalink)
Shane NamePros Regular Join Date: Aug 2007 Location: West Sussex - England Posts: 858 10.00 NP$ (Donate)	I like this script alot! Shall probably use it sometime. __________________ Get your handbook to success today! We show you how a recession benefits you! Like interviews? We have them by the van full! Be kind to Mellow Masher!!

01-07-2008, 03:47 AM	#2 (permalink)
Marty Rogers Account Closed Join Date: Apr 2006 Location: England, UK Posts: 494 2.00 NP$ (Donate)	That sounds neat, thanks a bundle.

01-24-2008, 05:45 AM	#7 (permalink)
j.channon First Time Poster! Join Date: Jan 2008 Posts: 1 0.00 NP$ (Donate)	How would I go about doing this for securing pages. If for example you had an admin area and once validated on the index.php you they click a link to another page in the folder is there something in the header that to make sure they are logged in. Would you need to store the username/password in a session? I have tried adding a new page in and after logging in I go to the page that has if($pLogin->isLoggedIn()) but it always returns false. I assume you have to log in on every page with the stored session? Thanks for your help - a PHP newbie!

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)