Securing Pages

A requirement for specific authorisation can easily be added to any page by the inclusion of a relevant authentication script:

Permitted Roles                     Include Script
SysAdmin                            /include/sysadmin_auth.inc
SysAdmin, Admin                     /include/admin_auth.inc
SysAdmin, Admin, Staff              /include/staff_auth.inc
SysAdmin, Admin, Staff, Students    /include/staff_student_auth.inc
SysAdmin, Admin, Invigilators       /include/invigilator_auth.inc

Automatic Checks

On all pages secured using staff_auth.inc there are additional automatic checks made if the current user is staff:

$_GET['module']         Checks the user is a member of the module.
$_REQUEST['paperID']    Checks the user owns the paper or is on a module that the paper is on.
$_REQUEST['q_id']       Checks the user owns the question or is on a module that the question is on.
$_REQUEST['refID']      Checks the user can access reference material.

This works as follows: if a page includes staff_auth.inc and paperID is set on the URL, the authentication routine automatically checks whether the current user is allowed access. This saves performing a lot of specific checks within each script.

If the security checks fail, the function display_notice_and_exit() is called, which displays a suitable message to the user and stops the script immediately. It also records the attempted access in the denied_log table.
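
A sketch of the central paperID check described above, as an added example and not the project's own staff_auth.inc. Every function name, array and sample record here is hypothetical and constructed for illustration; where the real routine calls display_notice_and_exit() and stops the script, this sketch returns false and appends to an array that stands in for the denied_log table.

```php
<?php
// Added illustration only: NOT the project's staff_auth.inc.
// All names and data below are hypothetical, constructed sample values.
$paperOwner   = [101 => 'asmith', 102 => 'bjones'];              // paperID => owner
$paperModules = [101 => ['CS101'], 102 => ['CS101', 'MA200']];   // paperID => modules
$staffModules = ['asmith' => ['CS101'], 'cwhite' => ['PH300']];  // user => modules
$deniedLog    = [];                                              // stand-in for denied_log

// True if $user owns the paper or is on a module that the paper is on.
function can_access_paper(string $user, int $paperID): bool
{
    global $paperOwner, $paperModules, $staffModules;
    if (!isset($paperOwner[$paperID])) {
        return false; // unknown paper: fail closed
    }
    if ($paperOwner[$paperID] === $user) {
        return true;
    }
    return (bool) array_intersect($paperModules[$paperID], $staffModules[$user] ?? []);
}

// Runs once per request, before any page-specific code.
function check_request(string $user, array $request): bool
{
    global $deniedLog;
    $raw = $request['paperID'] ?? null;
    if ($raw === null) {
        return true; // parameter not supplied, nothing to check
    }
    // Accept only a positive integer; arrays and junk strings are rejected.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || !can_access_paper($user, $id)) {
        $deniedLog[] = [
            'user'  => $user,
            'param' => 'paperID',
            'value' => is_scalar($raw) ? (string) $raw : gettype($raw),
        ];
        return false; // the real routine would show a notice and exit here
    }
    return true;
}

var_dump(check_request('asmith', ['paperID' => '101'])); // owner of the paper
var_dump(check_request('asmith', ['paperID' => '102'])); // shares module CS101
var_dump(check_request('cwhite', ['paperID' => '101'])); // no ownership, no shared module
var_dump(check_request('cwhite', ['paperID' => ['1']])); // malformed parameter
print_r($deniedLog);
```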