Last modified: 6/7/2002 8:41AM (GMT-6)
phpSecurityAdmin is a PHP application that was designed to be implemented in custom Content Management Systems (CMS). The ease of use allows the CMS programmer to concentrate on creating a quality application without having to waste a lot of time on the security access side of the system.
This application can be used for restricting access to web pages based on user names and passwords. The system will allow the client to:
* It is best not to store the database connection details in the config file. To achieve a higher level of security, set up the SQL_* variables to be passed by the web server. [I use SetEnvIf Host domain\.com SQL_x=value inside the virtual host directives of apache.]
This system was developed using the apache 1.3.20 web server, mysql 3.23.40 database server, and PHP-4.1.1 compiled as a DSO module all running on a linux server. For best results, you should have at least the above setup. You will need to have session support, and trans-sid enabled as well.
At this point in development, I do not plan on supporting CGI versions of PHP, other web servers, or other platforms. This is just because I don't have the time nor the resources to do so. If you would like to contribute the development of this project, email me at email@example.com
To use the phpSecurityAdmin package, you will need to decide what pages you would like to restrict access to. At the top of each of these pages (which will need to parse PHP code), add the line:
<? require "/path/to/phpSecurityAdmin/_restrict.php"; ?>
Once you have the pages you want to restrict, you will need to add in the location of each page into the database. To do this, you will need to log in to the system by browsing to http://www.domain.com/path/to/phpSecurityAdmin/index.php with a web browser. The default password for the user "admin" is "secure" (you will want to change this before going live).
Once you are logged in, go to the "Site Structure" section and add in each of the pages you are restricting access to. The "Page Name" is something to identify each page to you, the admin. This can be any string that you want. The "Location" is the path that is requested to reach the page. For instance, if your page is accessed by http://www.domain.com/page.php, you would enter /page.php. If it was http://www.domain.com/folder/page.php, you would enter /folder/page.php.
You will now need to give access to these pages to users. The "admin" user does not have access to all restricted pages by default. To grant access to pages:
To create a user, simply go to the "Users" section and click "Create New User." Fill out the presented form, and click submit. By default, a user is active when created.
You can change the contact details of a user at any time by editing that user and selecting "Edit contact details."
You can change the user's login name, password, or where they are allowed to log into the system from by selecting "Edit connections" from the edit user page. The "Allowed Connections" field works the same way as the one in the "Configuration" section. This allows the admin not only to restrict where connections can be initiated for the system, but also further restrict where each user can connect from.
As of version 2.0, all user rights are handled through the use of the system-defined profiles.
Think of profiles as being similar to groups. You can easily give groups of users the same (or similar) access rights by creating profiles. All you need to do is create a profile by giving it a name to identify it and selecting which pages to allow access to.
You can then apply these profiles to users either during creation or by editing their access rights. During editing, applying a profile is as simple as choosing the name from the drop-down list and submitting the form.
This section is a list of all the pages that the system sees as being restricted. In order for these to work that way, you do have to add the line of code mentioned in the GETTING STARTED section to the top of the restricted page.
Adding pages to the database is also necessary to do in order to successfully restrict access to them. To do this, simply click on the "Add Page" link above the table listing all the existing pages. The GETTING STARTED section of this document gives you instructions about the form.
The fields in this section are quite self-explanatory with the exception of "Allowed Connections." To only allow connections from certain computers, see the examples below:
To allow only from one address, enter the IP (only works with static IPs).
To allow from all machines with an address that starts with a sequence:
You can also use multiple entries by separating with a comma:
192.168.1.161, 192.168.2., 10.10.220.
The last example allows connections from only machine 161 from the 192.168.1.* network, and all computers of the 192.168.2.* and 10.10.220.* networks.
NOTE: Even though the functionality changed for "Profiles", it is still called the same. Now when you edit a profile, all users that have that profile defined will have the changes applied to them. This makes it easy to grant/deny access to large groups of users. Individual users no longer have user rights applied to them. Instead, they inherit the rights of the group (or profile) that they are a member of.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. (Found in the LICENSE file.)
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA