Sunday, July 10, 2011

implementing custom menu based security for websites - 1

It often happens that we do not want to show the entire menu to a visitor, but a custom one based on the visitor's authorization level. For example, we do not want to show administrative pages to a new visitor. Conversely, we will not want to show important statistics to any visitor other than our sponsors. Most of the time such things are implemented using separate pages for different kinds of visitors. That is a lot of work and also untidy: code is not reused, and ultimately, if we want to change one page, we need to edit all copies of that page. This becomes a tedious task in larger websites. So, beginning today, I will post a tutorial series on how to overcome this difficulty and implement a fool-proof, secure role-based menu system, where each user is shown the menu designated for him or her.

The basic idea works as follows:
We categorise users into groups, categories or roles. These groups can range from different administrators (HR admin, marketing head, website head, etc.) to ordinary users; in general, create as many classes as you like for your users. In my case, I had to make 8-9 classes: a super admin (yes, he is super to all), then 6 different classes for students on the basis of the majors they are pursuing (computer science, electronics, biotech, etc.), a general admin for showing stats, and some domain-related admins like HR.
Then we build generic pages and record their details in our database: the URL of each page, its title, its parent menu, etc.
Next, we link each page to a particular group. An example will make this easier to understand: suppose we have a page which shows statistics for a particular class of users (say electronics users in my case). The people interested in it will be HR admins, general admins, electronics sponsors and others. So instead of building separate pages for each, we make a single page and share it among all of them.
Lastly, we add users to our groups, so the next time a user logs in, only the relevant pages are shown as links.

Let us discuss the logical overview today from the database and website perspectives.
First of all, we will need a table in the database where we keep an account of all the pages on our website. This table ought to have the name of the menu item that will be shown to the user (like HOME, ABOUT US, etc.), the parent under which it will be shown (for example, we can show Logout under Settings), a URL for the page, and other things you consider important (tooltip and CSS classes in my case; you may also add a description for the page).
Next we need a table for our groups. A name and a unique identifier are a must. You may add more things here, like the skin or theme for a particular set of users, a description of the group, etc.
Now an important table: we need to link our menus and groups together. Basically, this table will contain the primary key of the menu item (or the URL, in case that is the primary key). Secondly, we need the group id. The third important feature we can add here is permissions: which section a particular user is able to see, whether he/she has the right to post a comment on that page, whether he/she can edit it or not, etc. The possibilities are endless. In large apps, you can make a separate table for permissions or rules and link it with this table. For small apps, making a class in the front end / website / data layer and linking the various possibilities will do. Another thing you can add here is the skin, in case you want to show a custom skin for this page to a given group of users.
The last two tables are straightforward. One table is for users, where you store the user's data like name, username and password. I will not detail the contents of this table as it varies wildly from application to application. The last table is a link table between users and groups to indicate which user belongs to which group. In my case, a user id and a group id here will do.
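As an added example (not the post's own code), here is the five-table design above built in SQLite from Python, together with the two queries a site based on it needs: one that produces the links to render for a user, and one that each page must run itself before serving a request, since removing a link from the menu does not stop a user who types the URL directly. Table and column names are my assumptions; the users, groups and pages are constructed sample data.

```python
import sqlite3
# Tables from the post: menus, groups, the menu/group link carrying permissions,
# users, and the user/group link. Column names are assumed, not the post's.
SCHEMA = """
CREATE TABLE menus (menu_id INTEGER PRIMARY KEY, title TEXT NOT NULL,
    url TEXT NOT NULL UNIQUE, parent_id INTEGER REFERENCES menus(menu_id));
CREATE TABLE groups (group_id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE menu_groups (menu_id INTEGER REFERENCES menus(menu_id),
    group_id INTEGER REFERENCES groups(group_id),
    can_view INTEGER NOT NULL DEFAULT 1, can_edit INTEGER NOT NULL DEFAULT 0,
    PRIMARY KEY (menu_id, group_id));
CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE,
    password_hash TEXT NOT NULL);
CREATE TABLE user_groups (user_id INTEGER REFERENCES users(user_id),
    group_id INTEGER REFERENCES groups(group_id), PRIMARY KEY (user_id, group_id));
"""

def build_demo_db():
    """Constructed sample data: a super admin, an electronics sponsor, a student."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO menus VALUES (?,?,?,?)", [
        (1, "HOME", "/", None), (2, "SETTINGS", "/settings", None), (3, "LOGOUT", "/logout", 2),
        (4, "ELECTRONICS STATS", "/stats/electronics", None), (5, "ADMIN", "/admin", None)])
    con.executemany("INSERT INTO groups VALUES (?,?)",
        [(1, "super admin"), (2, "electronics sponsor"), (3, "electronics student")])
    con.executemany("INSERT INTO menu_groups VALUES (?,?,?,?)", [
        (1, 1, 1, 1), (2, 1, 1, 1), (3, 1, 1, 0), (4, 1, 1, 1), (5, 1, 1, 1),  # super admin
        (1, 2, 1, 0), (2, 2, 1, 0), (3, 2, 1, 0), (4, 2, 1, 0),               # sponsor
        (1, 3, 1, 0), (2, 3, 1, 0), (3, 3, 1, 0)])                             # student
    con.executemany("INSERT INTO users VALUES (?,?,?)",  # "<hash>" is a placeholder
        [(1, "root", "<hash>"), (2, "sponsor", "<hash>"), (3, "student", "<hash>")])
    con.executemany("INSERT INTO user_groups VALUES (?,?)", [(1, 1), (2, 2), (3, 3)])
    return con

_JOIN = """FROM menus m JOIN menu_groups mg ON mg.menu_id = m.menu_id
           JOIN user_groups ug ON ug.group_id = mg.group_id WHERE ug.user_id = ?"""  # user -> groups -> pages

def menu_for_user(con, user_id):
    """URLs to render as links: only pages that some group of the user may view."""
    rows = con.execute(f"SELECT DISTINCT m.url {_JOIN} AND mg.can_view = 1 ORDER BY m.url",
                       (user_id,))
    return [r[0] for r in rows]

def may(con, user_id, url, action="can_view"):
    """Per-request check every page must run itself; a hidden link is not authorization."""
    if action not in ("can_view", "can_edit"):  # column name is whitelisted, never user input
        raise ValueError(action)
    row = con.execute(f"SELECT 1 {_JOIN} AND m.url = ? AND mg.{action} = 1 LIMIT 1",
                      (user_id, url)).fetchone()
    return row is not None
```

A page such as /stats/electronics should call may() with the logged-in user's id before rendering anything, so a student who guesses the URL gets a denial even though the link never appeared in their menu.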

This completes our tables. I will show pictures of my implementation of the tables and web pages a little later.
Please comment in case of doubts or questions.