Securing Pages
A requirement for specific authorisation can easily be added to any page by the inclusion of a relevant authentication script:
Permitted Roles | Include Script |
---|---|
SysAdmin | /include/sysadmin_auth.inc |
SysAdmin, Admin | /include/admin_auth.inc |
SysAdmin, Admin, Staff | /include/staff_auth.inc |
SysAdmin, Admin, Staff, Students | /include/staff_student_auth.inc |
SysAdmin, Admin, Invigilators | /include/invigilator_auth.inc |
Automatic Checks
On all pages secured using staff_auth.inc there are additional automatic checks made if the current user is staff:
Parameter | Check |
---|---|
$_GET['module'] | Checks the user is a member of the module. |
$_REQUEST['paperID'] | Checks the user owns the paper or is on a module that the paper is on. |
$_REQUEST['q_id'] | Checks the user owns the question or is on a module that the question is on. |
$_REQUEST['refID'] | Checks the user can access reference material. |
If a page includes staff_auth.inc and paperID is set on the URL, the authentication routine automatically checks whether the current user is allowed access. This saves performing a lot of specific checks within each script.
If the security checks fail, the function display_notice_and_exit() will be called, which displays a suitable message to the user and stops the script immediately. It also records the attempted access in the denied_log table.
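The paperID check and the denied-access record described above, sketched as an added example; this is not the project's own code. The function names `can_access_paper()` and `authorise_request()`, the in-memory arrays and the sample users are all assumptions made for illustration, and the sketch returns false where the real include would stop the script.

```php
<?php
// True if the user owns the paper or is on a module that the paper is on.
function can_access_paper(string $user, int $paperID): bool
{
    // Constructed sample data standing in for database lookups (hypothetical).
    $paperOwner   = [101 => 'alice', 102 => 'bob'];        // paperID => owner
    $paperModules = [101 => ['BIO1'], 102 => ['CHEM2']];   // paperID => modules
    $staffModules = ['alice' => ['BIO1'], 'carol' => ['CHEM2']];

    if (!isset($paperOwner[$paperID])) {
        return false;                       // unknown paper: deny by default
    }
    if ($paperOwner[$paperID] === $user) {
        return true;                        // user owns the paper
    }
    $shared = array_intersect($paperModules[$paperID], $staffModules[$user] ?? []);
    return count($shared) > 0;              // user shares a module with the paper
}

// Central check run once per request, before any page-specific code.
// $deniedLog stands in for the denied_log table.
function authorise_request(string $user, array $request, array &$deniedLog): bool
{
    if (!array_key_exists('paperID', $request)) {
        return true;                        // no paper referenced, nothing to check
    }
    // Non-integer or array input fails validation and is treated as a denial.
    $paperID = filter_var($request['paperID'], FILTER_VALIDATE_INT);
    if ($paperID !== false && can_access_paper($user, $paperID)) {
        return true;
    }
    $deniedLog[] = ['user' => $user, 'paperID' => $request['paperID'], 'time' => time()];
    return false;
}

// Constructed requests: owner, module member, outsider, malformed ID.
$deniedLog = [];
$requests = [
    ['alice', ['paperID' => '101']],
    ['carol', ['paperID' => '102']],
    ['carol', ['paperID' => '101']],
    ['alice', ['paperID' => '101abc']],
];
foreach ($requests as [$user, $request]) {
    $ok = authorise_request($user, $request, $deniedLog);
    printf("%-6s %-22s %s\n", $user, json_encode($request), $ok ? 'allowed' : 'denied');
}
printf("%d denied attempts logged\n", count($deniedLog));
```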