A requirement for specific authorisation can easily be added to any page by the inclusion of a relevant authentication script:

| Permitted Roles | Include Script |
|---|---|
| SysAdmin, Admin, Staff | /include/staff_auth.inc |
| SysAdmin, Admin, Staff, Students | /include/staff_student_auth.inc |
| SysAdmin, Admin, Invigilators | /include/invigilator_auth.inc |

On all pages secured using staff_auth.inc there are additional automatic checks made if the current user is staff:

| Parameter | Automatic check |
|---|---|
| $_GET['module'] | Checks the user is a member of the module. |
| $_REQUEST['paperID'] | Checks the user owns the paper or is on a module that the paper is on. |
| $_REQUEST['q_id'] | Checks the user owns the question or is on a module that the question is on. |
| $_REQUEST['refID'] | Checks the user can access reference material. |

This works as follows: if a page includes staff_auth.inc and paperID is set on the URL, the authentication routine automatically checks whether the current user is allowed access. This saves performing a lot of specific checks within each script.
If the security checks fail, the function display_notice_and_exit() is called, which displays a suitable message to the user and stops the script immediately. It also records the attempted access in the denied_log table.
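
The parameter-driven checks described above can be sketched as follows. This is an added example, not the project's own code: the helper names (`clean_id`, `on_module`, `owns_or_shares`, `failed_param`), the numeric IDs and the in-memory data are all assumptions, and the `$denied_log` array stands in for the denied_log table. It covers `module`, `paperID` and `q_id` only.

```php
<?php
declare(strict_types=1);
// Added illustration, not the project's code. Data and helper names are constructed.
const MEMBERS = ['asmith' => [5], 'bjones' => [9]];            // user => module ids
const PAPERS = [101 => ['owner' => 'asmith', 'modules' => [5]]];
const QUESTIONS = [7 => ['owner' => 'bjones', 'modules' => [9]]];

// Accept only plain decimal ids; arrays (paperID[]=1) and "101abc" are rejected.
function clean_id($v): ?int {
    return (is_string($v) || is_int($v)) && ctype_digit((string)$v) ? (int)$v : null;
}

function on_module(string $user, array $modules): bool {
    return array_intersect(MEMBERS[$user] ?? [], $modules) !== [];
}

function owns_or_shares(array $table, ?int $id, string $user): bool {
    $row = $id === null ? null : ($table[$id] ?? null);        // unknown id fails closed
    return $row !== null && ($row['owner'] === $user || on_module($user, $row['modules']));
}

// Returns the name of the first parameter that fails its check, or null if all pass.
function failed_param(string $user, array $get, array $request): ?string {
    if (isset($get['module'])) {
        $m = clean_id($get['module']);
        if ($m === null || !on_module($user, [$m])) return 'module';
    }
    if (isset($request['paperID']) && !owns_or_shares(PAPERS, clean_id($request['paperID']), $user)) return 'paperID';
    if (isset($request['q_id']) && !owns_or_shares(QUESTIONS, clean_id($request['q_id']), $user)) return 'q_id';
    return null;
}

// Constructed requests: (user, $_GET, $_REQUEST).
$denied_log = [];   // stands in for the denied_log table
$cases = [
    ['asmith', [], ['paperID' => '101']],           // owner: allowed
    ['bjones', [], ['paperID' => '101']],           // not owner, no shared module: denied
    ['bjones', ['module' => '9'], ['q_id' => '7']], // member and owner: allowed
    ['asmith', [], ['paperID' => ['101']]],         // array-valued parameter: denied
];
foreach ($cases as [$user, $get, $request]) {
    $bad = failed_param($user, $get, $request);
    if ($bad !== null) $denied_log[] = ['user' => $user, 'param' => $bad];
    echo $user, ': ', $bad === null ? 'allowed' : "denied ($bad)", "\n";
}
```

Because the checks are keyed on parameter names, a script that reads an object ID under a name not listed in the table above still needs its own check.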