Access Control & Permissions
Authorization goes beyond simple login: authentication establishes who the user is, but the application must still enforce which actions that user may perform. Role-based access control (RBAC) assigns permissions to roles, and users hold one or more roles. The model below keeps things simple by giving each user a single role; a user_role pivot table generalizes it to several.
Designing a role model
Create tables for roles and permissions, plus a pivot table linking the two (a many-to-many relation). Each user row references its role through a role_id column:
-- roles: one row per role name
CREATE TABLE roles (id INT PRIMARY KEY, name VARCHAR(50) NOT NULL UNIQUE);
-- permissions: one row per distinct capability, e.g. 'post.edit'
CREATE TABLE permissions (id INT PRIMARY KEY, name VARCHAR(50) NOT NULL UNIQUE);
-- role_permission: pivot between roles and permissions; the composite key prevents duplicate grants
CREATE TABLE role_permission (
  role_id INT NOT NULL REFERENCES roles(id),
  permission_id INT NOT NULL REFERENCES permissions(id),
  PRIMARY KEY (role_id, permission_id)
);
-- users carry the role they hold
ALTER TABLE users ADD COLUMN role_id INT REFERENCES roles(id);
Checking permissions in code
Expose a helper function that verifies if the current user has a particular permission before executing sensitive logic:
<?php
declare(strict_types=1);

/**
 * Return true when the user's role grants the named permission.
 * The query is parameterised; $permission should come from an application-side
 * lookup keyed by action, never be concatenated from request input.
 */
function hasPermission(PDO $pdo, int $userId, string $permission): bool
{
    $sql = 'SELECT COUNT(*) FROM users u
            JOIN role_permission rp ON u.role_id = rp.role_id
            JOIN permissions p ON rp.permission_id = p.id
            WHERE u.id = :user_id AND p.name = :perm';
    $stmt = $pdo->prepare($sql);
    $stmt->execute(['user_id' => $userId, 'perm' => $permission]);
    // fetchColumn() returns a string with some drivers; cast before comparing.
    return (int) $stmt->fetchColumn() > 0;
}
Call this function server-side at every controller entry point that performs a sensitive action; hiding a button in the UI is not authorization. Deny by default: keep an explicit map from each action to the permission it requires, and refuse any action that is not in the map rather than letting it through unchecked. Note that a role check answers "may this kind of user do this kind of action"; where an action targets a specific record (editing a post, deleting an account), add an ownership or object-level check alongside it.
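The role model and the deny-by-default gate described above, worked through end to end as an added example (this is not code from the original page). It builds the page's schema in an in-memory SQLite database through PDO, repeats the page's hasPermission() helper so the file runs on its own, and adds an authorize() function that maps controller actions to required permissions and refuses anything not in the map. The roles, permissions, users and the ACTION_PERMISSIONS map are constructed sample data.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original page. Table and column names
// follow the page's schema; all rows inserted below are constructed samples.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('PRAGMA foreign_keys = ON');

$pdo->exec('CREATE TABLE roles (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE)');
$pdo->exec('CREATE TABLE permissions (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE)');
$pdo->exec('CREATE TABLE role_permission (
    role_id INTEGER NOT NULL REFERENCES roles(id),
    permission_id INTEGER NOT NULL REFERENCES permissions(id),
    PRIMARY KEY (role_id, permission_id))');
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    role_id INTEGER NOT NULL REFERENCES roles(id))');

// Constructed sample data: admins may edit posts and delete users, editors only edit posts.
$pdo->exec("INSERT INTO roles (id, name) VALUES (1, 'admin'), (2, 'editor')");
$pdo->exec("INSERT INTO permissions (id, name) VALUES (1, 'post.edit'), (2, 'user.delete')");
$pdo->exec('INSERT INTO role_permission (role_id, permission_id) VALUES (1, 1), (1, 2), (2, 1)');
$pdo->exec("INSERT INTO users (id, name, role_id) VALUES (10, 'alice', 1), (11, 'bob', 2)");

// Same check as the helper on this page, repeated so this file runs stand-alone.
function hasPermission(PDO $pdo, int $userId, string $permission): bool
{
    $sql = 'SELECT COUNT(*) FROM users u
            JOIN role_permission rp ON u.role_id = rp.role_id
            JOIN permissions p ON rp.permission_id = p.id
            WHERE u.id = :user_id AND p.name = :perm';
    $stmt = $pdo->prepare($sql);
    $stmt->execute(['user_id' => $userId, 'perm' => $permission]);
    return (int) $stmt->fetchColumn() > 0;
}

// Deny by default: every gated controller action is listed here with the
// permission it requires. An action missing from the map is refused, so a
// newly added action that nobody registered fails closed rather than open.
const ACTION_PERMISSIONS = [
    'edit_post'   => 'post.edit',
    'delete_user' => 'user.delete',
];

function authorize(PDO $pdo, int $userId, string $action): bool
{
    $required = ACTION_PERMISSIONS[$action] ?? null;
    if ($required === null) {
        return false; // unmapped action: deny
    }
    return hasPermission($pdo, $userId, $required);
}

// A controller calls authorize() before doing any work and stops on false.
$cases = [
    [10, 'edit_post'],   // alice, admin role
    [10, 'delete_user'], // alice, admin role
    [11, 'edit_post'],   // bob, editor role
    [11, 'delete_user'], // bob lacks user.delete
    [11, 'export_data'], // action not registered in ACTION_PERMISSIONS
    [99, 'edit_post'],   // user id that does not exist
];
foreach ($cases as [$userId, $action]) {
    printf("user %d %-12s -> %s\n", $userId, $action,
        authorize($pdo, $userId, $action) ? 'allow' : 'deny');
}
```

Run it with the pdo_sqlite extension enabled. The last three cases are the ones worth watching: a permission the role was never granted, an action nobody registered, and a user id with no row all land on the deny branch without any special-casing, because the only way to get an allow is a row in role_permission joined through an existing user.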