Published: Wednesday, September 06, 2000
Logins and Permissions, Part 2
By Peter McMahon
Read Part 1
In Part 1 we looked at the basic security solution. In this part we'll
examine generating a menu based upon the role of the logged in individual!
The Menu
The menu will be dynamically generated according to the permissions of the user who logged in which are stored in the session variable, . For example, if the user logs in as an administrator, options will be displayed allowing him to add or edit logins, for example. If they log in as a customer, they will have the option to place an order. The script uses an IF statement to check what permissions you have from the session variable and then display the appropriate menu items. Here's the code:
<UL>
<%
If Session.Contents("status") = "Administrator" Then
%>
<LI><A HREF="admin/logins.asp">Administer Logins</A><BR>
<LI><A HREF="admin/orders.asp">View Orders</A><BR>
<%
ElseIf Session.Contents("status") = "Customer" Then
%>
<LI><A HREF="customer/order.asp">Place an order</A><BR>
<LI><A HREF="customer/viewbag.asp">View Shopping Bag</A><BR>
<%
End If
%>
</UL>
|
I recommend storing all the files for a particular type of user in different directories to help with site management so you can immediately see who has rights to what files.
More Advanced Menus
Above I have hard coded the permissions into the ASP file to demonstrate the concept of dynamically generating the menus according to what class the user was that logged in. This is not very practical from a code reuse point of view and may also lead to frustration if lots of different classes of users are required. It is therefore much more sensible to put the menu items in a table in the database. To do so, create a new table and call it MenuItems. Give it the following columns: Status, URL, and Descriptoin. The below table snapshot shows how these columns represent various menu options for the various roles.
MenuItems Table |
|---|
Status | URL | Description |
|---|
|
Customer | Customer/search.asp | Search Our Database |
| Customer | Customer/order.asp | Place an order |
| Customer | Customer/viewbag.asp | View Shopping Bag |
| Administrator | Admin/search.asp | Search Product Database |
Replace the current menu code with this code:
<UL>
<%
Dim objConn, objRS
Set objConn = Server.CreateObject(“ADODB.Connection”)
objConn.Open "DSN=LoginTest;"
Set objRS = objConn.Execute("SELECT * FROM MenuItems WHERE Status = ‘" & _
Session.Contents("status") & "’")
While Not objRS.EOF
%>
<LI><A HREF=”<%=objRS(“URL”)%>”><%=objRS(“Description”)%></A><BR>
<%
objRS.MoveNext
Wend
objRS.Close
Set objRS = Nothing
objConn.Close
Set objConn = Nothing
%>
</UL>
|
This code simply opens a database connection, puts all the menu items for the user class that you are currently logged in as into a recordset and displays them in a bulleted list. You could take this even
further by doing away with user classes all together and assigning each user their own menu. Default items could be added when you add or remove a user depending on a “preset” option that you choose.
You could then go in and change the user’s menu individually.
In Part 3 we'll look at securing each page so that sneaky users can't
slip by our login screen and get access to pages that they have no business seeing!
Read Part 3
