TWiki> ISG Web>CourseAccounts>CourseWebpage>PHPOnCourseWebsites>RestrictingWebAccessToCourse (2010-10-13, TerryVaskor) EditAttach

Restricting Web Access to Current Students and Staff

The following code makes use of ClassListPerlModule to facilitate access restrictions. To determine the userid to pass to either of these functions, you should also RequireUseridsForSecureWebAccess.

There are two functions that can help: check_permissions to allow customized handling depending on whether or not permission to access the page is granted, or ensure_permissions to abort immediately with a canned message if the user does not have permission to see the page. 

<?php function check_permissions($user, $allowed = array()) {
      # Use this function if you want to handle success and failure
      # yourself gracefully.

      $prog='/u/isg/bin/get_classlist_info';

      $type=exec("$prog userid $user type");

      return in_array($type, $allowed);
      }

      function ensure_permissions($user, $allowed = array()) {
         # Abort abruptly with a terse message if the user should not view this
         # page.
         # Otherwise, continue loading the page.

         if (!check_permissions($user, $allowed)) {
            echo "<p>You ($user) do not have permission to view this page.</p>";
            exit(5);
            }
            }
         ?>

These two functions could be placed in a separate file named something like permissions.php so it can be included in multiple other pages. See AssignmentSolutionPHPScript and WebSubmissionFeedback for sample applications of this.

Note that there should be no whitespace outside of the php tag, so this can be used on pages that will feed documents of various types (such as PDF) if access is granted.

Why not use a valid-user list in .htaccess?

This could be done via .htaccess instead by specifying a list of users instead of just valid-users. For example, instead of 

require valid-user
the statement would be 
require user $user1 $user2 ...

There are a few primary reasons not to do this:

  • Any forbidden users will simply be asked repeatedly to reauthenticate instead of being given a more helpful "access denied" message
  • Maintenance of the user list is more difficult
  • The user list applies only to web sites, whereas once information is in .coursestaff and .exceptionlist files the information can be used elsewhere too.
Edit | Attach | Watch | Print version | History: r4 < r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r4 - 2010-10-13 - TerryVaskor
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback