By replacing basic authentication with your own authentication scheme you have the makings of good solid authentication. Authentication simply lets users into your application when they log in. They authenticate in some manner that confirms to your system that they are who they say they are.
But now, it’s time to add the ability to give access only to certain pages, based on more specific criteria. At its simplest, you already have some level of authorization, in that you only authorize users who are authenticated.
Typically, authorization goes a lot further than that. It’s more detailed: you can control access based on, say, group membership.
At this point you have the users, you have the groups, and you have the connection between the two. You need to enhance to work these groups into your authorization scheme.
authorize.php Needs a Function
At the moment, authorize.php runs automatically when it’s required by a script. The code in authorize.php isn’t in a function; it’s just dropped into the body of the PHP file.
That’s worked fine up until now. But now, you need a means by which you can pass in a group, or a list of groups, to authorize.php, and then authorize.php has to run through those groups and see whether there’s a connection with the current user.
That situation, a block of code that should take in a piece of information with which to work, screams “function.” There are some other options, but they’re less easy to understand and maintain. (If you’re curious about those options )
Create that new function in Eventually, it should take an array of groups that allow access. For now, you can set a default value for the parameter the function takes and use that default value to keep the current functionality: allowing access to any authorized user.
Jump back into and add an explicit call to this function. You don’t need to pass in any group names. should be open to any logged-in user
Take a moment to test this script. Because the default functionality should be just what you already have, verify that you can’t access without first logging in. Enter the URL into your browser, and you should see your sign-in page, as shown in Figure 14-
Take in a List of Groups
It’s time to get to the point of all this work. Start by sending a list of groups, through a PHP array, to authorize_user. You can do this in both of which should require the Administrators group for access.
Using an array is about the simplest means in PHP of getting a list to a function. Currently, in you’re getting either nothing or a list of allowed group names. So you can start to do some work with those groups.
First, though, if the parameter passed to authorize_user is either an empty list or NULL, you should have the function bail out. There’s no need to do any database searching in those two cases.
When you use return, you’re instructing PHP to give control back to the calling script. It lets the script run, which means letting the user see the page he requested.
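Here is what authorize.php can look like once the body is wrapped in authorize_user, with the early return for an empty or NULL group list and a group check for everything else. This is an added example, not the book’s own code: it assumes the including script has already called session_start() and stored the signed-in user’s id in $_SESSION['user_id'], a PDO connection in $pdo, tables named groups and user_groups (both assumed names), and a sign-in page called signin.php (also assumed).

```php
<?php
// authorize.php (added example). Assumes: session already started by the
// including script, $_SESSION['user_id'] set at sign-in, a PDO handle in
// $pdo, and tables groups(group_id, name) and user_groups(user_id, group_id).
// Table and page names are assumptions, not the book's.

function authorize_user($allowed_groups = array()) {
    global $pdo;

    // Not signed in at all: send to the sign-in page and stop. Never fall
    // through to the page body on a failed check.
    if (empty($_SESSION['user_id'])) {
        header('Location: signin.php');
        exit;
    }

    // NULL or an empty list means "any logged-in user": bail out early,
    // returning control to the calling script without touching the database.
    if ($allowed_groups === null || count((array) $allowed_groups) == 0) {
        return;
    }
    $allowed_groups = array_values((array) $allowed_groups);

    // One placeholder per group name, so the names are bound as parameters
    // rather than pasted into the SQL string.
    $placeholders = implode(',', array_fill(0, count($allowed_groups), '?'));
    $sql = "SELECT COUNT(*) FROM user_groups ug
              JOIN groups g ON g.group_id = ug.group_id
             WHERE ug.user_id = ? AND g.name IN ($placeholders)";
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array_merge(array($_SESSION['user_id']), $allowed_groups));

    // Authenticated, but not a member of any allowed group: deny.
    if ((int) $stmt->fetchColumn() === 0) {
        header('Location: signin.php?error=not_authorized');
        exit;
    }
    // Member of at least one allowed group: return and let the page render.
}

// In a page restricted to administrators (assumed usage):
//   require_once 'authorize.php';
//   authorize_user(array('Administrators'));
// In a page open to any logged-in user:
//   require_once 'authorize.php';
//   authorize_user();
```

The deny branch redirects and exits rather than just returning, because a function that returns on failure would let the calling script go on and render the protected page anyway.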