allow specific users to have access to specific admin pages in php/mysql

Question

I have a table (admin_users) as shown below in which there are list of 5 users. All of these 5 users in the table have access to every admin pages. In total, there are 5 admin pages and 5 admin users .

Let us suppose the name of 5 admin pages are: admin1.php , admin2.php , admin3.php , admin4.php and admin5.php

admin_users

ID  user_name  user_pass open 
1   John        sxhsds   false
2   Nicholas    eruerie  false 
3   James       zsdfdf   false 
4   Richard     adsdsf   false
5   Robert      rfgjrg   false

The following php code allows user to login:

if (isset($_POST['user_name'], $_POST['user_pass']) && $_POST['user_login'] == 1) {

    $username = $_POST['user_name'];
    $password = $_POST['user_pass'];

    $stmt = $connect->prepare("SELECT user_pass FROM admin_users WHERE user_name=?");
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $result = $stmt->get_result();
    $user_from_db = $result->fetch_object();

    if ($user_from_db && password_verify($password, $user_from_db->user_pass)) {
        $_SESSION['webpageadmin'] = true;
        $_SESSION['webpageadmin_user'] = $_POST['user_name'];
    } else {
        echo "Invalid username and password.";  
    }
} 

What I want to achieve is I want specific users to have access to specific admin pages. For example:

admin1.php John and Nicholas
admin2.php James and Richard
admin3.php all users
admin4.php Robert, Nicholas, James and John
admin5.php Robert

What I have tried:

I am thinking to add one more column (admin_pages) in the admin_users table as shown below:

ID  user_name  user_pass  open         admin_pages
1   John        sxhsds   false   admin1.php, admin3, admin4.php
2   Nicholas    eruerie  false   admin1.php, admin3.php, admin4.php
3   James       zsdfdf   false   admin2.php, admin3.php, admin4.php
4   Richard     adsdsf   false   admin2.php, admin3.php
5   Robert      rfgjrg   false   admin3.php, admin4.php, admin5.php

I am wondering what changes I need to make in the php code above so that it looks for the user (who tries to login) with their admin_pages in the admin_users table above.

Answer 1

Option 1: If you can allow yourself more tables, in my opinion, the cleanest and easiest Add one tables for rights:

ID  access
1   God-like        
3   Admin1
4   Admin2     
5   Admin3      

Then you can either add one column to the user table and stringify the access ids and split them into an array on log-in.

ID  user_name  user_pass  open   access
1   John        sxhsds   false   1, 2, 3
2   Nicholas    eruerie  false   3,5
3   James       zsdfdf   false   1,4,5
4   Richard     adsdsf   false   3,5
5   Robert      rfgjrg   false   1,4,5

or use an additional table

UserId  access_id
1       1
1       2
1       3

PHP Side, on login you'd store in the session/cookie the access ids. On each page requiring specific access you'd only have to check in the session/cookie if the user has the required access right.

Option 2: If you only can afford a column and want to add pagenames. You'll still have to store the page the user can access somewhere (session/cookie) on login

To get the current page : basename($_SERVER['PHP_SELF']); 

You'll have to confront the page to the stored pagenames. Good luck on your project;)