So I’m working on a community website/forum in PHP and I’m thinking that depending on how popular it gets I should (eventually) have a few moderators, to do things like delete spam posts, ban users, ban by IP, etc.
This could be done by granting the moderators access to the database, but that’s probably insecure and downright wrong.
Should I then associate a clearance field with every user and then, on the server, determine if the user has more than a given clearance, showing a “moderation tab” or section with all the options they should have, or something like that?
I just want an idea of how these things work in a real-life environment (I’m not talking about how Facebook or Twitter does this, but just how it works in a normal forum). Thanks!
The primary paradigm I’ve seen is having a role field for each user in the database and then having the role be things like none, moderator or admin. If it’s moderator or admin, then unlock some of the protected functions they are allowed to run and give them access to management user interfaces.
For instance, you may have the function to delete users check if the session requesting use of the function is associated with a user that has a moderator or admin role, or else disallow it. The key, I would say, is using sessions that require the user to log in to create, using the user_id in the session to look up that user in the database, and then checking the role to see if they have permission before executing a function.
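The session-plus-role pattern the answer describes, as an added PHP sketch (not the answerer's code and not from any real forum); the $USERS array, the role constants and the function names are assumptions standing in for a real schema, and the moderation tab check the question asks about uses the same lookup as the protected function.

```php
<?php
// Added example, not the answerer's code: the session + role check from the
// answer above. $USERS is a constructed stand-in for a real database table.
const ROLE_NONE = 'none';
const ROLE_MODERATOR = 'moderator';
const ROLE_ADMIN = 'admin';
const MOD_ROLES = [ROLE_MODERATOR, ROLE_ADMIN];
// Constructed sample rows; a real forum does SELECT ... WHERE user_id = ?
$USERS = [
    1 => ['name' => 'alice', 'role' => ROLE_ADMIN],
    2 => ['name' => 'bob',   'role' => ROLE_MODERATOR],
    3 => ['name' => 'carol', 'role' => ROLE_NONE],
];
function findUserById(int $id): ?array {
    global $USERS;
    return $USERS[$id] ?? null;
}
// The role comes from the database on every request, never from the client,
// so a tampered cookie or form field cannot grant moderator rights.
function currentUser(): ?array {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['user_id'])) {
        return null; // not logged in
    }
    return findUserById((int) $_SESSION['user_id']);
}
// Use for the moderation tab: decide whether to render it, without aborting.
function canModerate(): bool {
    $user = currentUser();
    return $user !== null && in_array($user['role'], MOD_ROLES, true);
}

// Use inside protected functions: abort the request unless the role allows it.
function requireRole(array $allowed): array {
    $user = currentUser();
    if ($user === null || !in_array($user['role'], $allowed, true)) {
        http_response_code(403);
        exit('Forbidden');
    }
    return $user;
}

function deleteUser(int $targetId): void {
    $actor = requireRole(MOD_ROLES);   // check first, act second
    global $USERS;
    unset($USERS[$targetId]);
    error_log("{$actor['name']} deleted user $targetId"); // audit trail
}
```

Hiding the tab with canModerate() is only cosmetic; the requireRole() call inside each protected function is what actually stops a user who requests the URL directly.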