Re: Question about user management...

On Mar 11, 2008, at 12:20 AM, Mike wrote:

Wait, what?

You are defining user role ids as MD5 hashes of UUIDs created from random numbers that change on every request?

Am I missing something or is this completely insane advice?

I'm probably wrong on this, but I think the point is that it doesn't matter the actual value of the constants. As long as you're using that constant (which has a unique value on each request)... well, wait. Maybe I don't understand either. Ha!

I do understand the security aspect though. It's like a password that changes quite frequently - it would be, for all intents and purposes, impossible to guess.

Oh, I have an idea! Let's say your users are defined this way in the database:

user_level: ADMIN, GENERAL_USER, LEVEL_ONE_USER, etc...

Then run your comparison, e.g.:

if (defined ($user['user_level'])) { ... }

Maybe Tedd or Dan need to slap some sense into me, but that's one way I *think* you could implement it. =/

~Philip


On Mar 10, 2008, at 1:07 PM, tedd wrote:

At 3:14 PM -0400 3/10/08, Daniel Brown wrote:
On Mon, Mar 10, 2008 at 3:08 PM, Jason Pruim <japruim@xxxxxxxxxx> wrote:

What I was thinking about doing was a combination of the company name (which I set right now) and then an access level such as "50" for the
"Owner" of the program, "40" for the "Managers" and "30" for the
"user" of the program. Also leaving me room to add other levels if
required.

  I generally do the same basic thing for permission levels, but a
reverse of what you're attempting to do.

  The superuser (AKA root, administrator, God, whatever) has GID 0,
just like on a *NIX system.  This is because it's the highest level
you can reach, and 0 is the lowest real number you can use. Thus, you
can add a virtually-infinite number of lesser users, as opposed to
being limited to 50, as in your case.

Yeah, but then if you try to add a super-superuser you have to go negative. :-)

Why not just define the users with define CONSTANT statement and use that? Then the different types of users can be anything you want and you can change the value easily if there's a problem.

Really, all the value really has to be is unique -- you could use uniqid() for that, such as:

define("ADMIN", md5(uniqid(rand(), true)));
define("GENERAL_USER", md5(uniqid(rand(), true)));
define("LEVEL_ONE__USER", md5(uniqid(rand(), true)));
define("LEVEL_TWO__USER", md5(uniqid(rand(), true)));
define("WHATEVER__USER", md5(uniqid(rand(), true)));

and so on. That would work and you'll never have to be concerned about it nor worry about someone guessing it, if that becomes a problem.

Am I right?

Cheers,

tedd

PS: Oh, I just received the following email and thought I would pass it on:

HELLO,
MY NAME IS AGNES IN SEARCH OF A MAN WHO UNDERSTANDS THE MEANING OF LOVE AS TRUST AND FAITH IN EACH OTHER RATHER THAN ONE WHO SEES LOVE AS THE ONLY WAY OF FUN BUT A MATURED MAN WITH NICE VISION OF WHAT THE WORLD IS ALL ABOUT SO PLEASE REPLY ME WITH THIS BOX IF YOU ARE INTERESTED IN ME.

Anyone want a woman who yells all the time?

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



"Personally, most of my web applications do not have to factor 13.7 billion years of space drift in to the calculations, so PHP's rand function has been great for me..." ~S. Johnson
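Added example, not code from tedd's, Mike's or anyone else's message: it shows why a role id built from md5(uniqid(rand(), true)) cannot be compared across requests, beside a stable role table with the 30/40/50 level comparison Jason described. The role names, the roleLevels() helper and the sample user records are assumptions.

```php
<?php
// Added example (not from the thread). Two ways to identify roles:
// a fresh random value per request, and a fixed table of role levels.

// tedd's scheme: a new random value each time the script runs. A value
// stored in the user's row during one request never equals the value
// the next request defines, so every comparison against it fails.
function randomRoleId(): string
{
    return md5(uniqid(rand(), true));
}

// Stable scheme (assumed role names): the role name is the identifier
// stored in user_level, and the ordering lives in one place.
function roleLevels(): array
{
    return ['user' => 30, 'manager' => 40, 'owner' => 50];
}

// True when the user's level is at least the level $requiredRole demands.
// A role missing from the table, on either side, is denied rather than
// treated as level 0.
function userHasRole(array $user, string $requiredRole): bool
{
    $levels = roleLevels();
    $userRole = $user['user_level'] ?? '';
    if (!isset($levels[$userRole], $levels[$requiredRole])) {
        return false;
    }
    return $levels[$userRole] >= $levels[$requiredRole];
}

// Simulate two requests under the random scheme: the id stored in
// request 1 does not match the id generated in request 2.
$storedInRequest1 = randomRoleId();
$generatedInRequest2 = randomRoleId();
echo 'random ids match across requests: ',
     var_export($storedInRequest1 === $generatedInRequest2, true), "\n";

// Constructed sample user records for the stable scheme.
$manager = ['name' => 'sample manager', 'user_level' => 'manager'];
$unknown = ['name' => 'sample unknown', 'user_level' => 'ADMIN'];

echo 'manager may do user things:  ', var_export(userHasRole($manager, 'user'), true), "\n";
echo 'manager may do owner things: ', var_export(userHasRole($manager, 'owner'), true), "\n";
echo 'unknown role may do user things: ', var_export(userHasRole($unknown, 'user'), true), "\n";
```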
