I have created an intranet for our company using PHP. The same menu appears on every page, and includes links to sensitive pages and documents (like Word files).
我使用PHP为我们公司创建了一个内部网。每个页面上都会显示相同的菜单,其中包含指向敏感页面和文档(如Word文件)的链接。
Currently only in-office employees have access to the site, but we'd like to open it up to some out-of-office contractors. The catch is that I'd have to restrict access for certain content.
目前只有在职员工才能访问该网站,但我们希望将其开放给一些外地承包商。问题是,我必须限制某些内容的访问权限。
I know how to password-protect site directories with Apache, but I'd rather hide the menu options themselves.
我知道如何使用Apache密码保护站点目录,但我宁愿隐藏菜单选项本身。
How would you approach this?
你会怎么做?
Clarification: This is in an environment where everyone is logged in to our Windows network, locally or via VPN, but currently nobody has to log in to see my intranet site. The ideal solution would not require them to do anything extra, if that's possible.
澄清:这是在每个人都在本地或通过VPN登录我们的Windows网络的环境中,但目前没有人必须登录才能看到我的内部网站点。如果可能的话,理想的解决方案不要求他们做任何额外的事情。
6 个解决方案
#1
If users are logging in, then you can use their login details to restrict access. You might want to look into the idea of Access Control Lists.
如果用户正在登录,则可以使用其登录详细信息来限制访问。您可能希望了解访问控制列表的概念。
If your users are logging in using Apache, then you can access their user name from $_SERVER['PHP_AUTH_USER']. So you might want to do something like this:
如果您的用户使用Apache登录,那么您可以从$ _SERVER ['PHP_AUTH_USER']访问他们的用户名。所以你可能想做这样的事情:
$username = $_SERVER['PHP_AUTH_USER'];
$user_id = lookup_user_id($username); // a function you write that looks up their user id in your database of users
Then you can look up their access level(s) similarly -- they might have a user-status, like "Guest" or "Super-user" or "Administrator", or you might want to go so far as to have a matrix of resources and users, specifying for each user and resource whether that user can access the resource.
然后你可以类似地查找他们的访问级别 - 他们可能有用户状态,如“访客”或“超级用户”或“管理员”,或者你可能想要有一个矩阵资源和用户,为每个用户和资源指定该用户是否可以访问该资源。
Otherwise, a framework like CakePHP will give you this kind of thing for (almost) free.
否则,像CakePHP这样的框架会给你这种(几乎)免费的东西。
#2
I would make a PHP function that generates the menu items in your sidebar or where-ever these links are being shown, and just populate the menu differently depending on whether a user is logged-in as an employee or not. You will also need to password-protect the individual directories you want to restrict access to of course but you already know that.
我会创建一个PHP函数,用于生成侧边栏中的菜单项或显示这些链接的位置,并根据用户是否以员工身份登录来填充菜单。您还需要密码保护您想要限制访问的各个目录,但您已经知道了。
A better approach would be to use a framework like CakePHP or a platform like Drupal that already has user and role functionality built-in that you can take advantage of.
更好的方法是使用像CakePHP这样的框架或像Drupal这样的平台,它已经内置了可以利用的用户和角色功能。
#3
I would add a lightweight user authentication system using CodeIgniter.
我会使用CodeIgniter添加一个轻量级用户身份验证系统。
Then, just make a check to see if the user is authenticated before displaying the menu or allowing access to any of the protected content.
然后,在显示菜单或允许访问任何受保护内容之前,只需检查用户是否已通过身份验证。
#4
That depends on how your current employees are authenticated. We discussed this at our company for allowing certain partners to gain access to the employee portal. We authenticate against a database managed by our service dispatch software, so one solution was to add a checkbox labeled "Partner" that would tell the authentication script to authenticate against a different database.
这取决于您当前员工的身份验证方式。我们在公司讨论了这个问题,允许某些合作伙伴访问员工门户网站。我们针对由我们的服务调度软件管理的数据库进行身份验证,因此一种解决方案是添加一个标记为“Partner”的复选框,该复选框将告知身份验证脚本针对不同的数据库进行身份验证。
Without more information, it's difficult to describe a solution that would work well for you.
如果没有更多信息,很难描述一个适合您的解决方案。
#5
I think I may require users to log in (once a day?) and send them an encrypted cookie to maintain that session.
我想我可能会要求用户登录(每天一次?)并向他们发送加密的cookie来维护该会话。
It doesn't appear to be possible (and maybe it shouldn't be, for security reasons) make their network login do double-duty for this site.
它似乎不可能(并且出于安全原因可能不应该使他们的网络登录对此站点执行双重任务)。
#6
Perhaps you could check $_SERVER['REMOTE_ADDR'] against your internal IP range?
也许您可以针对内部IP范围检查$ _SERVER ['REMOTE_ADDR']吗?
#1
If users are logging in, then you can use their login details to restrict access. You might want to look into the idea of Access Control Lists.
如果用户正在登录,则可以使用其登录详细信息来限制访问。您可能希望了解访问控制列表的概念。
If your users are logging in using Apache, then you can access their user name from $_SERVER['PHP_AUTH_USER']. So you might want to do something like this:
如果您的用户使用Apache登录,那么您可以从$ _SERVER ['PHP_AUTH_USER']访问他们的用户名。所以你可能想做这样的事情:
$username = $_SERVER['PHP_AUTH_USER'];
$user_id = lookup_user_id($username); // a function you write that looks up their user id in your database of users
Then you can look up their access level(s) similarly -- they might have a user-status, like "Guest" or "Super-user" or "Administrator", or you might want to go so far as to have a matrix of resources and users, specifying for each user and resource whether that user can access the resource.
然后你可以类似地查找他们的访问级别 - 他们可能有用户状态,如“访客”或“超级用户”或“管理员”,或者你可能想要有一个矩阵资源和用户,为每个用户和资源指定该用户是否可以访问该资源。
Otherwise, a framework like CakePHP will give you this kind of thing for (almost) free.
否则,像CakePHP这样的框架会给你这种(几乎)免费的东西。
#2
I would make a PHP function that generates the menu items in your sidebar or where-ever these links are being shown, and just populate the menu differently depending on whether a user is logged-in as an employee or not. You will also need to password-protect the individual directories you want to restrict access to of course but you already know that.
我会创建一个PHP函数,用于生成侧边栏中的菜单项或显示这些链接的位置,并根据用户是否以员工身份登录来填充菜单。您还需要密码保护您想要限制访问的各个目录,但您已经知道了。
A better approach would be to use a framework like CakePHP or a platform like Drupal that already has user and role functionality built-in that you can take advantage of.
更好的方法是使用像CakePHP这样的框架或像Drupal这样的平台,它已经内置了可以利用的用户和角色功能。
#3
I would add a lightweight user authentication system using CodeIgniter.
我会使用CodeIgniter添加一个轻量级用户身份验证系统。
Then, just make a check to see if the user is authenticated before displaying the menu or allowing access to any of the protected content.
然后,在显示菜单或允许访问任何受保护内容之前,只需检查用户是否已通过身份验证。
#4
That depends on how your current employees are authenticated. We discussed this at our company for allowing certain partners to gain access to the employee portal. We authenticate against a database managed by our service dispatch software, so one solution was to add a checkbox labeled "Partner" that would tell the authentication script to authenticate against a different database.
这取决于您当前员工的身份验证方式。我们在公司讨论了这个问题,允许某些合作伙伴访问员工门户网站。我们针对由我们的服务调度软件管理的数据库进行身份验证,因此一种解决方案是添加一个标记为“Partner”的复选框,该复选框将告知身份验证脚本针对不同的数据库进行身份验证。
Without more information, it's difficult to describe a solution that would work well for you.
如果没有更多信息,很难描述一个适合您的解决方案。
#5
I think I may require users to log in (once a day?) and send them an encrypted cookie to maintain that session.
我想我可能会要求用户登录(每天一次?)并向他们发送加密的cookie来维护该会话。
It doesn't appear to be possible (and maybe it shouldn't be, for security reasons) make their network login do double-duty for this site.
它似乎不可能(并且出于安全原因可能不应该使他们的网络登录对此站点执行双重任务)。
#6
Perhaps you could check $_SERVER['REMOTE_ADDR'] against your internal IP range?
也许您可以针对内部IP范围检查$ _SERVER ['REMOTE_ADDR']吗?