I am developing a social web application in PHP/MySQL. I would like to hear your advice about what would be a better way to implement security. I am planning something like this:
At the presentation level, I restrict the user to seeing only those items/content he is eligible to see, with the rights he is eligible for,
and
at the database level, whenever my data is read, written or updated, I verify that the person has rights to such interactions with that part of the data.
So for each action there are 2 layers of security: one at the view level and another at the database level.
Would double checking be much overhead?
Of course, this deals only with the internal security issues.
Who knows about the current user?
If the business layer does not know who the current user is, it cannot do any access control. Rather the presentation must ask the authorization component each time whether a specific user is allowed to perform a particular action. This is O.K. if the presentation layer basically executes some well defined use cases.
If the business layer does know who the current user is, it might ask the authorization component itself on calls that reach from the presentation layer into the business layer. However, this introduces a lot of redundant checks. This is O.K. if the presentation layer does a lot of nifty things with entity objects of the business layer or when security is critical.
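The second option described in the answer above (the business layer knows the current user and asks the authorization component itself), with the presentation layer reusing the same component to decide what to render. This is an added example, not part of the original posts; `Authorizer`, `PostService` and the grants are hypothetical names and constructed data, an in-memory array stands in for the MySQL table, and PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Authorization component: the single place that decides who may do what.
final class Authorizer
{
    // $grants: userId => [resource => allowed actions] (constructed sample data)
    public function __construct(private array $grants) {}

    public function isAllowed(int $userId, string $action, string $resource): bool
    {
        return in_array($action, $this->grants[$userId][$resource] ?? [], true);
    }
}

// Business layer: knows the current user and checks on every call that reaches it.
final class PostService
{
    public function __construct(
        private Authorizer $auth,
        private int $currentUserId,
        private array $posts // stands in for the MySQL table
    ) {}

    public function read(int $postId): string
    {
        $this->guard('read', "post:$postId");
        return $this->posts[$postId];
    }

    public function update(int $postId, string $body): void
    {
        $this->guard('update', "post:$postId");
        $this->posts[$postId] = $body;
    }

    private function guard(string $action, string $resource): void
    {
        if (!$this->auth->isAllowed($this->currentUserId, $action, $resource)) {
            throw new RuntimeException("denied: $action on $resource");
        }
    }
}

$auth = new Authorizer([1 => ['post:10' => ['read', 'update']], 2 => ['post:10' => ['read']]]);
$service = new PostService($auth, 2, [10 => 'hello']); // current user is 2 (read-only)
// Presentation layer: the same component decides whether to render the edit control.
echo $auth->isAllowed(2, 'update', 'post:10') ? "[Edit]\n" : "(read-only)\n";
// A request handler that skipped the view-level check is still stopped here.
try { $service->update(10, 'changed'); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```

The view-level check only controls what is rendered; the `guard()` call is what enforces the rule when a request reaches the business layer without passing through that view.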