Author Topic: Beginner Admin Panel  (Read 2367 times)

Offline AcidicOne

  • Level 16
  • *
  • Posts: 147
  • Reputation: +0/-0
Beginner Admin Panel
« on: January 23, 2009, 08:56:17 AM »
So in keeping with attempting to do this project on my own, I wanted to present the idea before I attempted to implement, no point in trying to code it if it's a bad idea to begin with.

So using the basic framework from the tutorials, the login calls if_admin==1 then load admin.php. Now as it stands I believe there are 2 ways of achieving completely separate options between the users and admins, and thinking down the road, I am pushed more to the latter of the two options. Now to give some information on the existing site, it uses a footer/header as well as the Smarty engine to display everything.

Option 1.
To use admin.php from login to launch a custom header to display a custom admin Navigation menu.
example:
login.php = is_admin=1, load admin.php
admin.php calls for adminheader.php, which will in turn load adminmenu.php instead of the generic menu.php that normal users will receive.


Option 2.
Adding variables to the menu.php itself to allow for a rank system, where it would check a rank entry in the db to specify which options it would enable. Am not sure on the coding part, but will attempt to explain how I believe it would work.


Login.php calls for index.php, which will load header.php,footer.php,menu.php to display all aspects of the main page.
Using a similar function that the old login.php would have used, the is_admin=1 then load admin.php, I am assuming I can do something like this, granted am sure the code will be wrong but am sure you'll get the basic idea.

Code:
<table style="border-collapse:collapse" border="1" width="100px">
<tr bgcolor="grey"><th colspan="2">Navigation</th></tr>
<tr><td colspan="2"><font size="2">&nbsp;<a href="explore.php?area=1">Forest</a></font></td></tr>
<tr><td colspan="2"><font size="2">&nbsp;<a href="explore.php?area=2">Woods</a></font></td></tr>
<tr><td colspan="2"><font size="2">&nbsp;<a href="uprofile.php">Profile</a></font></td></tr>
<tr><td colspan="2"><font size="2">&nbsp;<a href="weapon-shop.php">Weapon Shop</a></font></td></tr>
<tr><td colspan="2"><font size="2">&nbsp;<a href="armor-shop.php">Armor Shop</a></font></td></tr>
<tr><td colspan="2"><font size="2">&nbsp;<a href="item-shop.php">Item Shop</a></font></td></tr>
<tr><td colspan="2"><font size="2">&nbsp;<a href="inventory.php">Inventory</a></font></td></tr>
<tr><td colspan="2"><font size="2">&nbsp;<a href="equipment.php">Equipment</a></font></td></tr>
<tr><td colspan="2"><font size="2">&nbsp;<a href="bank.php">Bank</a></font></td></tr>
<tr><td colspan="2"><font size="2">&nbsp;<a href="healer.php">Healer</a></font></td></tr>
<tr><td colspan="2"><font size="2">&nbsp;<a href="logout.php">Logout</a></font></td></tr>
<tr bgcolor="grey"><th colspan="2">Site</th></tr>
<tr>
<td><font size="2">&nbsp;<a href="index.php">Home</a></font></td>
<td><font size="2">&nbsp;<a href="support.php">Support</a></font></td>
</tr>
<tr>
<td><font size="2">&nbsp;<a href="rules.php">Rules</a></font></td>
<td><font size="2">&nbsp;<a href="tos.php">TOS</a></font></td>
</tr>
<tr>
<td><font size="2">&nbsp;<a href="faq.php">FAQ</a></font></td>
<td><font size="2">&nbsp;<a href="staff.php">Staff</a></font></td>
</tr>
<tr bgcolor="grey"><th colspan="2">Admin Panel</th></tr>
<?php // $rank is assumed to hold the logged-in user's rank, read from the db at login ?>
<?php if ($rank == 1) { ?>
<tr>
<td><font size="2">&nbsp;<a href="forum-edit.php">Forum Moderation</a></font></td>
<td><font size="2">&nbsp;<a href="supportadmin.php">Support</a></font></td>
</tr>
<?php } elseif ($rank == 2) { ?>
<tr>
<td><font size="2">&nbsp;<a href="useradmin.php">User Admin</a></font></td>
<td><font size="2">&nbsp;<a href="supportadmin.php">Support</a></font></td>
</tr>
<tr>
<td colspan="2"><font size="2">&nbsp;<a href="forum-edit.php">Forum Moderation</a></font></td>
</tr>
<?php } elseif ($rank == 3) { ?>
<tr>
<td><font size="2">&nbsp;<a href="useradmin.php">User Admin</a></font></td>
<td><font size="2">&nbsp;<a href="supportadmin.php">Support</a></font></td>
</tr>
<tr>
<td><font size="2">&nbsp;<a href="forum-edit.php">Forum Moderation</a></font></td>
<td><font size="2">&nbsp;<a href="item-edit.php">Item Edit</a></font></td>
</tr>
<tr>
<td colspan="2"><font size="2">&nbsp;<a href="monster-edit.php">Creature Edit</a></font></td>
</tr>
<?php } ?>
</table>

Now like I said, am sure the code itself aside from the actual menu design is incorrect, it was intended to give a basic demonstration of the idea put forth. Now I prefer the latter idea if possible, only because this would make it easy in the long run to implement game moderators/support etc. later down the road, and still only allowing them access to certain aspects of the game itself, without having to create header, menu files for each rank. Taken from Luke's example of drying states/db queries, this eliminates more of the need to call more files.

Also this method seems more secure security wise to me, which is why I am putting it before everyone to see if this method would be the most secure way of attempting this.
People Like You, Are the Reason People Like Me Need Medication

Offline Scion

  • Level 27
  • **
  • Posts: 402
  • Reputation: +11/-0
Re: Beginner Admin Panel
« Reply #1 on: January 24, 2009, 04:22:16 AM »
Hmm, I guess what you're calling rank is more traditionally called a role... role based authorisation has a long and illustrious career, and if you're planning to have more than 2 roles it is almost certainly the way I would do it...

Important things to think about are that you will need to check that the user has the correct role on any protected page; it's not enough to just hide the link to that page... i.e. check that a user has the Moderator role before displaying the ban account page; if they don't, then log the access attempt and redirect them to an access denied page, with a warning that the attempt has been logged ;). If you don't, you can guarantee that sooner or later someone who shouldn't have access will stumble upon the ban account page and then there will be trouble.

Depending on how fine grained you go, you can then stipulate which pages a user has access to by giving them the appropriate roles. Typically in a role based system users are assigned multiple roles indicating what actions they are allowed to perform.

An alternative approach is to write your game administration as a separate application with its own URL and separate (or shared) logins... there is nothing to say that the admin must be directly available on the game itself or that the game DB cannot be accessed by several applications at once.
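
The per-page role check described in the reply above, as an added example that is not code from the thread or the tutorials. The names `user_has_role()`, `require_role()`, the `roles` and `user_id` session keys, `access-denied.php` and `ban-account.php` are assumptions made for illustration.

```php
<?php
// Added example. Roles are assumed to be read from the db at login and kept
// server-side in the session, so the browser cannot change them.

/** True if the session holds the given role (a user may hold several). */
function user_has_role(array $session, string $role): bool
{
    $roles = $session['roles'] ?? [];
    return in_array($role, $roles, true);
}

/**
 * Call at the top of every protected page, before any output is sent.
 * Returns normally when the role is present; otherwise logs the attempt,
 * redirects to the access denied page and stops the script.
 */
function require_role(array $session, string $role, string $page): void
{
    if (user_has_role($session, $role)) {
        return;
    }
    $line = sprintf(
        'access denied: user=%s ip=%s page=%s required_role=%s',
        $session['user_id'] ?? 'anonymous',
        $_SERVER['REMOTE_ADDR'] ?? 'cli',
        $page,
        $role
    );
    // Strip CR/LF so a crafted value cannot forge extra log lines.
    error_log(str_replace(["\r", "\n"], ' ', $line));
    if (PHP_SAPI !== 'cli') {
        header('Location: access-denied.php', true, 303);
    }
    exit;
}

// On a real page this would be: session_start(); require_role($_SESSION, ...);
// Constructed sessions so the file also runs from the command line.
$moderator = ['user_id' => 7,  'roles' => ['support', 'moderator']];
$player    = ['user_id' => 12, 'roles' => []];

require_role($moderator, 'moderator', 'ban-account.php'); // allowed, continues
echo "moderator reached ban-account.php\n";
require_role($player, 'moderator', 'ban-account.php');    // logged, script stops
```

The menu can still hide links by role, but this guard is what decides access: requesting `ban-account.php` directly without the role ends at the log entry and the redirect.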

Offline AcidicOne

  • Level 16
  • *
  • Posts: 147
  • Reputation: +0/-0
Re: Beginner Admin Panel
« Reply #2 on: January 24, 2009, 06:44:05 AM »
Awesome reply, and yes with some thinking I do believe I will go with the separate system for the more important pages.
People Like You, Are the Reason People Like Me Need Medication

 

