Securing a web application is crucial to protecting data and ensuring users have appropriate access to system features. PHPMaker offers a powerful security framework, including Static User Level Security, to help developers manage permissions at the table level.
Understanding Static User Level Security
User Level Security in PHPMaker enables administrators to grant different permissions to users based on predefined levels. These permissions include actions such as Add/Copy, List/Search/View, Delete, and Edit at the table level.
Types of User Level Security
- Static User Levels – User levels and their associated permissions are defined within the project and remain unchanged after script generation.
- Dynamic User Levels – User levels and permissions are stored in database tables, allowing modifications even after script generation.
This tutorial focuses on Static User Level Security, using the employees and orders tables in the demo database as an example.
Steps to Set Up Static User Level Security
Step 1: Open PHPMaker
Launch PHPMaker and connect to the demo database.
Step 2: Set Up User Levels
Navigate to the Security tab and configure login settings:
- Administrator Login: Enables a hard-coded Administrator account with full access.
- Users Table: Defines the security table and assigns user levels using designated fields.
Click the Advanced button, then select User Levels. Define levels such as:
- Anonymous (-2) – Guests without login credentials.
- Administrator (-1) – Full access, including modification of user IDs and levels.
- Default (0) – Basic user permissions for registered users.
You can add custom levels with specific permissions for different tables/views. PHPMaker automatically sets the Edit Tag as a SELECT dropdown containing these levels.
Note: From PHPMaker v2021 onwards, the User Level Field can be of varchar type, allowing multiple user levels per user if enabled.
Step 3: Generate Scripts
Go to the Generate tab and click Generate to compile the necessary scripts.
Step 4: Assign User Levels and Test Permissions
- Log in as Administrator and open the employees table.
- Assign a User Level (e.g., “Sales”) to an employee.
- Log out and log in as the assigned user.
- Based on the defined permissions, users with the “Sales” level will have view and add access to the orders table but will not be able to edit or delete records.
Key Considerations for User Level Security
- Permissions are stored in userlevelsettings.php – Regenerate this file after making changes.
- Permissions are cached in session variables – Users must log out and back in for changes to take effect.
- Users cannot modify their own user levels – Only Administrators can manage user levels.
- User ID Security vs. User Level Security – User Level Security applies to tables, whereas User ID Security provides record-level access control.
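As an added example, not PHPMaker's generated code: a minimal PHP model of the table-level permissions from Step 4 (Sales may list and add orders, but not edit or delete them) together with the session caching noted above. The permission bit constants, the numeric id chosen for the Sales level, and the function names are assumptions made for this illustration.

```php
<?php
// Added example, not PHPMaker's userlevelsettings.php. Models a static
// user-level permission table with a deny-by-default check.

const PERM_LIST   = 1;  // List/Search/View
const PERM_ADD    = 2;  // Add/Copy
const PERM_EDIT   = 4;
const PERM_DELETE = 8;

const LEVEL_ANONYMOUS = -2;  // guests, as in the tutorial
const LEVEL_ADMIN     = -1;  // hard-coded Administrator
const LEVEL_DEFAULT   = 0;
const LEVEL_SALES     = 1;   // custom level; id is an assumption

// Static permission table: [level][table] => granted permission bits.
// Any level/table pair not listed here is denied.
const USER_LEVEL_PERMISSIONS = [
    LEVEL_DEFAULT => ['employees' => PERM_LIST, 'orders' => PERM_LIST],
    LEVEL_SALES   => ['employees' => PERM_LIST, 'orders' => PERM_LIST | PERM_ADD],
];

// True if any of the user's levels grants every bit in $perm on $table.
function allowed(array $levels, string $table, int $perm): bool
{
    foreach ($levels as $level) {
        if ($level === LEVEL_ADMIN) {
            return true;  // Administrator has full access everywhere
        }
        $granted = USER_LEVEL_PERMISSIONS[$level][$table] ?? 0;
        if (($granted & $perm) === $perm) {
            return true;
        }
    }
    return false;  // deny by default, which also covers Anonymous
}

// Levels are read from the users table once at login and cached in the
// session; that is why a changed level needs a logout/login to apply.
// A varchar User Level Field may hold several comma-separated levels.
function loadLevelsIntoSession(string $userLevelField): array
{
    $parts  = array_filter(array_map('trim', explode(',', $userLevelField)), 'strlen');
    $levels = array_map('intval', $parts);
    $_SESSION['user_levels'] = $levels;
    return $levels;
}

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
$sales = loadLevelsIntoSession('1');                      // Sales user logs in
var_dump(allowed($sales, 'orders', PERM_ADD));            // Sales: add to orders
var_dump(allowed($sales, 'orders', PERM_EDIT));           // Sales: edit orders
var_dump(allowed([LEVEL_ADMIN], 'orders', PERM_DELETE));  // Administrator: delete
var_dump(allowed([LEVEL_ANONYMOUS], 'orders', PERM_LIST)); // Anonymous: list
```

Because the table is a compile-time constant here, changing a level's rights means editing and regenerating this file, which mirrors the static (rather than database-backed) nature of the setting described above.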
Conclusion
Implementing Static User Level Security in PHPMaker ensures robust, table-level access control. By following these steps, developers can secure applications effectively while maintaining a structured user access hierarchy.
For additional security enhancements, consider User ID Security for record-level restrictions or Dynamic User Level Security for more flexible permission management.