The User management section is a vital function on the website. Administrative users, which include all mentors and a few select students, can edit a user. The modifiable options include contact information and privileges.
The privilege system is based on a 'Can/Can't' concept. An administrative user can assign a user certain permissions while not giving them permissions to other features. Every privilege may be changed by a click of a radio button as seen on the right.
At the top of every feature's page, a security check takes place. This check queries the database to see whether the current user has permission to access the page that is loading. An example can be seen here:
if (!haspermission('root') && !haspermission('is_mentor')) { die('You are not authorized'); }
Within this conditional check, we put the page-deny functions. A built-in function like die() stops the page from loading. haspermission($param1) returns true if the current user has access to the $param1 attribute. Note that each haspermission() call has a ! prefix in front of it. This is a NOT operator, so the conditional statement reads "if the user does not have root permission and does not have mentor permission." The website considers any student administrator a 'root administrator.' A root administrator has unrestricted access to the entire site.
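A fail-closed implementation of the check described above, written as an added example (not the site's own code). It assumes a PDO database connection, a session variable user_id set at login, and a user_permissions table with columns user_id, permission and allowed; all of these names are assumptions.

```php
<?php
// Added example, not the site's own code. Assumed schema: user_permissions
// (user_id, permission, allowed). A 'root' permission grants everything,
// as the page states for root administrators.
declare(strict_types=1);

session_start();

function db(): PDO
{
    // Placeholder DSN and credentials: replace with the site's real values.
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('mysql:host=localhost;dbname=SITE_DB', 'DB_USER', 'DB_PASS', [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // a DB failure throws, so the page halts (fail closed)
        ]);
    }
    return $pdo;
}

// Returns true only if the logged-in user has the named permission with allowed = 1.
// Deny by default: no session, no matching row, or allowed = 0 all return false.
function haspermission(string $permission): bool
{
    $userId = $_SESSION['user_id'] ?? null;
    if ($userId === null) {
        return false; // not logged in
    }
    // Prepared statement: the permission name and user id are bound as
    // parameters and never spliced into the SQL text.
    $stmt = db()->prepare(
        'SELECT 1 FROM user_permissions
          WHERE user_id = :uid AND permission = :perm AND allowed = 1
          LIMIT 1'
    );
    $stmt->execute([':uid' => (int) $userId, ':perm' => $permission]);
    return $stmt->fetchColumn() !== false;
}

// Page-top gate, mirroring the check in the text: run before any content
// is emitted so a denied user receives nothing but the refusal.
if (!haspermission('root') && !haspermission('is_mentor')) {
    http_response_code(403);
    die('You are not authorized');
}
```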
Additionally, user profile values may be modified. This allows administrators to correct errors in home addresses and email addresses and to reset lost passwords.