PDA

View Full Version : [Solved] Rights system



nicobarten
19 Aug 2009, 11:36 PM
I made a login system for my Extjs application. The php files which are called through Ajax requests handles the sessions. The only thing for now which is stored in the sessions is a unique random created code (hash) which is also to be found after succesful login in the database, so the php page can get the user_id from the database using that hash.

Now i'm trying to make a rights system (is that the correct word?) using groeps in the database like Administrator, Manager, etc. So when they login, or open a panel or tab, it must check whether the user is allowed to view or edit the page.

Now i thought: It can't be stored in a javascript value (to which group a user belongs), because that should be editable with programs like Firebug. So, everytime it has to check what kind of access the user has to a page, it should request a login.php page which returns it.

So then i have 2 options:

1) At the login, set the access rights in the session for the user, so the php file only have to access the session when it is needed and return the stuff.

2) At each needed check, request the login.php file, which gets the user_id by using the hash which is stored in the session. After that using that user_id, it get's the rights (policies?) for that user and returns it to extjs.

So, a long story short: Is it safe to store the 'rights' for a user in the session? Could a 'hacker' be able to view, or more importantly, edit the session so it can edit the rights given to him?

Lukman
20 Aug 2009, 1:32 AM
Authentication = check user identity
Authorization = check if the identity is authorized to do stuff

There are many ways to do it. One way:

- upon authenticating the user, create a hash value and send to the user browser as a cookie or something. On the server side, associate the hash value with the user identity (user_id) and probably the IP address, and store in the database.

- make every request require to send the hash value along, and the server side is to find the user_id associated with the hash value. Optionally check if the request IP matches with the stored IP. force re-login if they don't match.

- finally check if the user_id is authorized to process the request

nicobarten
20 Aug 2009, 4:21 AM
So at every 'action' i should make a request?

For the moment i'm trying for every action an AJAX request, which gets the authorization from the session, which a user can click on a button or not.

Now i have this problem. When the button parameter comes by (button of a window) based on the users access i want the button enabled or disabled. Like this:


buttons: [
{
text : 'Opslaan',
id:'perBtnSave',
disabled: function() {
// Get with Ajax request access rights
// return true or false
},
handler : function()
{
objPersonel.action('save');
}
},

The problem is that Ajax is asynchronous, so when i return 'true' in the success callback, it's already too late!

Is there also a way to let it run synchronous?

Lukman
20 Aug 2009, 4:33 AM
That is very simple. Disable it first, and only enable it after the callback.

nicobarten
20 Aug 2009, 5:23 AM
Yes, that works...

However i tried to set the Ext.Ajax - stuff in a function, so i wouldn't have to put a code block for every action taken which has authorization check.

nicobarten
20 Aug 2009, 11:54 PM
Now my last question (i think):

Is it really possible to have a good security system?

Example:

Let's say i have a 'Save'-button on a form. For certain users, i don't want them to be able to click that button (so disabling it). So when the panel loads, i check with an AJAX request if the user has the rights (still secure because it's PHP), and if not, disable the button.

The problem now is, that the user if he has a program like Firebug, can still enable the button if he finds the id in the source.

So again, is it really possible to have a good security system?

deccard
21 Aug 2009, 12:03 AM
Its definetly possible. I build all of my Extjs forms dynamically from server configs - basically I check the users rights and only build into the form and show him what hes got access to. Theres not much point having a disabled button on the screen if the user should never be able to press it - so just don't build it into the form for that user.

Take a look at this
http://extjs.com/forum/showthread.php?t=25551&highlight=metaform
it allows you to build a form from a config supplied by your server - this should allow you to build a form configured for the users access rights and only show him what he needs to see.

nicobarten
21 Aug 2009, 12:30 AM
Hmmm that would be too difficult for my application now (it's gotten quite big already).

deccard
21 Aug 2009, 12:45 AM
Well a quick fix would be to check the access rights before you save the record on the php side - the user would then have to impersonate his userid as well as activate the button in firebug to perform the 'illegal save' - assuming youre passing a hashed userid then this would be difficult to do - it would also hightlight that a user was trying to 'hack the system' as he was trying to perform an operation he was no authorised to do.

nicobarten
21 Aug 2009, 12:58 AM
Hm that makes sense.

Now for every little thing (like button disabled/enabled) i send a request to the login.php to see if he has the rights... but i think i set the authorization rights for the user after the login in an object in javascript, so i can use that for the little things.

So if the user has knowledge of javascript (high unlikely, but still...) i only do for editing actions (INSERT/UPDATE in db) a check in the login.php if he has really access.

So even if the user changes the values of the javascript authorization object, he'll still get a failure when editing the values.

Thanks deccard