where/how to put a class to control what a user can do (privileges)?


I am using a class that performs the right query based on $_POST['action']. Example:

class data {     //>pseudocode
  public function __construct() {          // PHP constructors are named __construct, not __constructor
    if ($_POST['action'] == 'insert')
      mysql_query("INSERT ..");
    else if ($_POST['action'] == 'edit')
      mysql_query("UPDATE ..");
  }
}

Now of course I would like to prevent a user from doing something that he can't do, for example editing a post of someone else, or something more complicated like: he can edit his post only if it is not yet published. Once the post is published he can't edit it anymore (or maybe something based on time).

How would you add these checks in my class data? I once heard about Zend_ACL; is that something that can work for this case?

Edit: I would avoid using the database for storing privileges.

Edit2: I would like to do this: every user gets a "level"; level = 1 means you are an admin, level = 2 means you are an editor, level = 3 means you are a simple user.

So to each level correspond some privileges. Now where should I put this information?

ty


You have to set flags in your table and then check for those flags; according to that you can develop access layers.

Mainly your table must have these fields:

post_id (PK) | post_by (user_id of the post owner) | is_published (ENUM (Y,N))

Now check the following when editing that post:

  • first, whether the currently logged-in user id and the post_by id are the same or not

    • if yes, then check whether is_published is set to Y or N
      • if N then don't allow editing
      • if Y then allow editing
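As an added illustration (not code from the question or from either answer), here is one way to combine the two ideas on this page: the levels from the question's Edit2 (1 = admin, 2 = editor, 3 = user) kept in code rather than in the database, and the post_by / is_published columns from the answer above used for the per-post check. The level-to-action table, the Policy and Data class names and the posts table layout are assumptions for the example; the rule for plain users follows the question (own post, and only while it is still unpublished). The query class no longer does the work in its constructor: it authorizes first and only then runs a prepared statement, repeating the ownership rule inside the UPDATE so a concurrent publish cannot slip past the PHP check.

```php
<?php
// Added example, not the original poster's code. Requires PHP 8 (constructor promotion).
// Levels from the question: 1 = admin, 2 = editor, 3 = user.
// Columns from the answer above: post_id, post_by, is_published ('Y'/'N').
declare(strict_types=1);

final class Role
{
    public const ADMIN  = 1;
    public const EDITOR = 2;
    public const USER   = 3;
}

final class Policy
{
    // Hypothetical level -> actions table; lives in code because the asker did not want it in the DB.
    private const ALLOWED_ACTIONS = [
        Role::ADMIN  => ['insert', 'edit', 'delete', 'publish'],
        Role::EDITOR => ['insert', 'edit', 'publish'],
        Role::USER   => ['insert', 'edit'],
    ];

    /** Coarse check: may this level attempt the action at all? */
    public static function mayAttempt(int $level, string $action): bool
    {
        return in_array($action, self::ALLOWED_ACTIONS[$level] ?? [], true);
    }

    /**
     * Per-post check. $user = ['id' => int, 'level' => int],
     * $post = ['post_by' => int|string, 'is_published' => 'Y'|'N'].
     */
    public static function canEdit(array $user, array $post): bool
    {
        if (!self::mayAttempt($user['level'], 'edit')) {
            return false;
        }
        if ($user['level'] <= Role::EDITOR) {
            return true;                       // admins and editors may edit any post
        }
        // Plain users: their own post, and only while it is still a draft (rule from the question).
        return (int) $post['post_by'] === $user['id'] && $post['is_published'] === 'N';
    }
}

final class Data
{
    public function __construct(private PDO $db, private array $user) {}

    /** Replaces the constructor-driven dispatch from the question: authorize, then query. */
    public function handle(array $request): void
    {
        $action = (string) ($request['action'] ?? '');
        if (!Policy::mayAttempt($this->user['level'], $action)) {
            throw new RuntimeException('forbidden');   // the query is never built, let alone run
        }
        if ($action === 'edit') {
            $post = $this->loadPost((int) $request['post_id']);
            if ($post === null || !Policy::canEdit($this->user, $post)) {
                throw new RuntimeException('forbidden');
            }
            $sql    = 'UPDATE posts SET body = :body WHERE post_id = :id';
            $params = [':body' => (string) $request['body'], ':id' => (int) $post['post_id']];
            if ($this->user['level'] === Role::USER) {
                // Repeat the per-post rule in SQL so a publish between SELECT and UPDATE cannot widen it.
                $sql .= " AND post_by = :owner AND is_published = 'N'";
                $params[':owner'] = $this->user['id'];
            }
            $this->db->prepare($sql)->execute($params);
        }
        // 'insert', 'publish', ... follow the same pattern: authorize, then a prepared statement.
    }

    private function loadPost(int $id): ?array
    {
        $stmt = $this->db->prepare('SELECT post_id, post_by, is_published FROM posts WHERE post_id = :id');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }
}

// Constructed sample data: the policy can be exercised without a database connection.
$owner  = ['id' => 7, 'level' => Role::USER];
$other  = ['id' => 8, 'level' => Role::USER];
$editor = ['id' => 1, 'level' => Role::EDITOR];
$draft  = ['post_id' => 42, 'post_by' => '7', 'is_published' => 'N'];   // PDO returns ints as strings
$live   = ['post_id' => 43, 'post_by' => '7', 'is_published' => 'Y'];

assert(Policy::canEdit($owner, $draft) === true);
assert(Policy::canEdit($owner, $live) === false);    // published: locked for the author
assert(Policy::canEdit($other, $draft) === false);   // someone else's draft
assert(Policy::canEdit($editor, $live) === true);    // editors may edit published posts
assert(Policy::mayAttempt(Role::USER, 'delete') === false);
echo "policy checks passed\n";
```

Keeping the decision in Policy (pure functions over a user array and a post array) is what makes it testable without a database, and it also answers the "where should I put this information" question: the level table is a constant in code, while the facts it is applied to (post_by, is_published) stay in the posts table. If the rule set grows beyond a handful of lines, Zend_ACL (mentioned in the question) is a library-backed version of the same shape: roles, resources and allow/deny rules, with your own assertion callback for the ownership and publish-state parts.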

Your pseudocode looks too simple for me. Doing everything in the constructor? Or how to translate it?

IMO first you need to define your needs. Which tasks are permitted and which are not? When you have the outline you have the solution too.