PHP Permissions Tutorial 2026 — How to Build a Permissions System with PHP PDO and MySQL
Learn how to build a PHP permissions system using PHP PDO and MySQL: a system that controls what users can access based on their roles and permissions.
What Is a PHP Permissions System?
A PHP permissions system lets an admin decide what each user can see or do inside the system.
Example:
An Accountant can view expenses and reports
An Admin can manage users
Staff can view attendance
A Super Admin has full access
For more tutorials:
https://faulink.com
STEP 1 — Roles Table
CREATE TABLE roles (
id INT AUTO_INCREMENT PRIMARY KEY,
role_name VARCHAR(100) NOT NULL UNIQUE,
description TEXT,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
STEP 2 — Permissions Table
CREATE TABLE permissions (
id INT AUTO_INCREMENT PRIMARY KEY,
permission_key VARCHAR(150) NOT NULL UNIQUE,
permission_name VARCHAR(150) NOT NULL,
module_name VARCHAR(100) NOT NULL,
description TEXT,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
STEP 3 — Role Permissions Table
CREATE TABLE role_permissions (
id INT AUTO_INCREMENT PRIMARY KEY,
role_id INT NOT NULL,
permission_id INT NOT NULL,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
UNIQUE KEY role_permission_unique (role_id, permission_id),
FOREIGN KEY (role_id)
REFERENCES roles(id)
ON DELETE CASCADE,
FOREIGN KEY (permission_id)
REFERENCES permissions(id)
ON DELETE CASCADE
);
STEP 4 — Users Table
CREATE TABLE users (
id INT AUTO_INCREMENT PRIMARY KEY,
full_name VARCHAR(150),
username VARCHAR(100) NOT NULL UNIQUE,
password VARCHAR(255) NOT NULL,
role_id INT,
status ENUM('active','inactive') DEFAULT 'active',
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (role_id)
REFERENCES roles(id)
ON DELETE SET NULL
);
STEP 5 — Insert Default Roles
INSERT INTO roles (role_name, description) VALUES
('Super Admin', 'Ana access zote'),
('Admin', 'Ana manage system'),
('Accountant', 'Ana finance access'),
('Manager', 'Ana reports access'),
('Staff', 'Ana access za kawaida');
STEP 6 — Insert Default Permissions
INSERT INTO permissions
(permission_key, permission_name, module_name, description)
VALUES
('dashboard_view', 'View Dashboard', 'Dashboard', 'Kuona dashboard'),
('users_manage', 'Manage Users', 'System', 'Kuongeza na kusimamia users'),
('permissions_manage', 'Manage Permissions', 'System', 'Kusimamia permissions'),
('sales_manage', 'Manage Sales', 'Sales', 'Kusimamia mauzo'),
('purchases_manage', 'Manage Purchases', 'Purchases', 'Kusimamia ununuzi'),
('expenses_manage', 'Manage Expenses', 'Finance', 'Kusimamia gharama'),
('payments_manage', 'Manage Payments', 'Finance', 'Kusimamia malipo'),
('reports_view', 'View Reports', 'Reports', 'Kuona ripoti');
STEP 7 — Database Connection
config.php
<?php
if (session_status() === PHP_SESSION_NONE) {
session_start();
}
$host = "localhost";
$dbname = "permissions_system";
$user = "root";
$pass = "";
try {
$pdo = new PDO(
"mysql:host=$host;dbname=$dbname;charset=utf8mb4",
$user,
$pass,
[
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
]
);
} catch (PDOException $e) {
die("Database Connection Failed");
}
function clean($data) {
return htmlspecialchars(trim($data), ENT_QUOTES, 'UTF-8');
}
?>
STEP 8 — Login Session
After a successful login, store the essential details in the session.
$_SESSION['user_id'] = $user['id'];
$_SESSION['full_name'] = $user['full_name'];
$_SESSION['username'] = $user['username'];
$_SESSION['role'] = $user['role_name'];
STEP 9 — Check Login Function
function isLoggedIn() {
return isset($_SESSION['user_id']);
}
function requireLogin() {
if (!isLoggedIn()) {
header("Location: index.php");
exit;
}
}
STEP 10 — hasPermission Function
function hasPermission($permission_key) {
global $pdo;
if (!isLoggedIn()) {
return false;
}
if (strtolower($_SESSION['role'] ?? '') === 'super admin') {
return true;
}
$stmt = $pdo->prepare("
SELECT COUNT(*) AS total
FROM users u
INNER JOIN role_permissions rp
ON rp.role_id = u.role_id
INNER JOIN permissions p
ON p.id = rp.permission_id
WHERE u.id = ?
AND u.status = 'active'
AND p.permission_key = ?
");
$stmt->execute([
$_SESSION['user_id'],
$permission_key
]);
$result = $stmt->fetch();
return ($result['total'] ?? 0) > 0;
}
STEP 11 — requirePermission Function
function requirePermission($permission_key) {
if (!hasPermission($permission_key)) {
die("Access Denied");
}
}
STEP 12 — Protect Pages
On the users page:
require_once 'config.php';
requireLogin();
requirePermission('users_manage');
On the expenses page:
require_once 'config.php';
requireLogin();
requirePermission('expenses_manage');
On the reports page:
require_once 'config.php';
requireLogin();
requirePermission('reports_view');
STEP 13 — Show Menu Items by Permission
<?php if (hasPermission('users_manage')): ?>
<a href="users.php">Users</a>
<?php endif; ?>
<?php if (hasPermission('expenses_manage')): ?>
<a href="expenses.php">Expenses</a>
<?php endif; ?>
<?php if (hasPermission('reports_view')): ?>
<a href="reports.php">Reports</a>
<?php endif; ?>
STEP 14 — Save Permissions for Role
if (isset($_POST['save_permissions'])) {
$role_id = (int)$_POST['role_id'];
$permissions = $_POST['permissions'] ?? [];
$pdo->beginTransaction();
$stmt = $pdo->prepare("
DELETE FROM role_permissions
WHERE role_id = ?
");
$stmt->execute([$role_id]);
if (!empty($permissions)) {
$insert = $pdo->prepare("
INSERT INTO role_permissions
(role_id, permission_id)
VALUES (?, ?)
");
foreach ($permissions as $permission_id) {
$insert->execute([
$role_id,
(int)$permission_id
]);
}
}
$pdo->commit();
echo "Permissions saved successfully.";
}
STEP 15 — Permissions Form
<form method="POST">
<select name="role_id" required>
<option value="">Select Role</option>
<?php foreach ($roles as $role): ?>
<option value="<?= $role['id']; ?>">
<?= clean($role['role_name']); ?>
</option>
<?php endforeach; ?>
</select>
<?php foreach ($permissions as $permission): ?>
<label>
<input type="checkbox"
name="permissions[]"
value="<?= $permission['id']; ?>">
<?= clean($permission['permission_name']); ?>
</label>
<br>
<?php endforeach; ?>
<button type="submit" name="save_permissions">
Save Permissions
</button>
</form>
STEP 16 — CSRF Protection
if (empty($_SESSION['csrf_token'])) {
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
In the form:
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token']; ?>">
Validate on submit:
if (
empty($_POST['csrf_token']) ||
!hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])
) {
die("Invalid security token.");
}
STEP 17 — Super Admin Protection
if (strtolower($roleInfo['role_name']) === 'super admin') {
die("Super Admin permissions cannot be changed.");
}
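The following added example (not from the original tutorial) combines STEP 14, STEP 16 and STEP 17 into one save handler: it requires the permissions_manage permission, validates the CSRF token before touching the database, looks up the role so the $roleInfo check has data, drops permission ids that do not exist, and rolls the transaction back if any insert fails. It assumes config.php and the functions from STEPS 9 to 11 are loaded.

```php
<?php
// Added example, not from the original tutorial. Assumes config.php (STEP 7)
// and requireLogin/hasPermission/requirePermission (STEPS 9 to 11) are loaded.
require_once 'config.php';
requireLogin();
requirePermission('permissions_manage');

function saveRolePermissions(PDO $pdo, int $roleId, array $permissionIds): void
{
    // STEP 17: fetch the role first; this is where $roleInfo comes from.
    $stmt = $pdo->prepare("SELECT role_name FROM roles WHERE id = ?");
    $stmt->execute([$roleId]);
    $roleInfo = $stmt->fetch();
    if (!$roleInfo) {
        die("Unknown role.");
    }
    if (strtolower($roleInfo['role_name']) === 'super admin') {
        die("Super Admin permissions cannot be changed.");
    }
    // Cast every submitted id to int and drop duplicates from the form.
    $ids = array_unique(array_map('intval', $permissionIds));
    $pdo->beginTransaction();
    try {
        $pdo->prepare("DELETE FROM role_permissions WHERE role_id = ?")
            ->execute([$roleId]);
        // INSERT ... SELECT silently skips ids that are not in permissions,
        // so a tampered checkbox value cannot create a dangling row.
        $insert = $pdo->prepare("
            INSERT INTO role_permissions (role_id, permission_id)
            SELECT ?, id FROM permissions WHERE id = ?
        ");
        foreach ($ids as $permissionId) {
            $insert->execute([$roleId, $permissionId]);
        }
        $pdo->commit();          // all or nothing: no half-updated role
    } catch (Throwable $e) {
        $pdo->rollBack();        // keep the old permission set on any failure
        throw $e;
    }
}

if (isset($_POST['save_permissions'])) {
    // STEP 16: reject a forged request before any database work.
    if (empty($_POST['csrf_token'])
        || !hash_equals($_SESSION['csrf_token'] ?? '', $_POST['csrf_token'])) {
        die("Invalid security token.");
    }
    saveRolePermissions($pdo, (int)($_POST['role_id'] ?? 0),
                        (array)($_POST['permissions'] ?? []));
    echo "Permissions saved successfully.";
}
```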
STEP 18 — Security Best Practices
Use PDO prepared statements
Hash passwords with password_hash()
Validate user input
Use CSRF tokens on forms
Do not let a user without the permission open the page
Hide menu items the user has no permission for
Do not make Super Admin permissions easy to change
Features of the PHP Permissions System
User roles
Dynamic permissions
Secure login
Protected pages
Dynamic sidebar menu
Role-based access control
Super Admin access
CSRF protection
PDO prepared statements
Professional admin control
Where Can This System Be Used?
Admin Panel
School Management System
Accounting System
Farm Management System
Hospital System
POS System
Payroll System
Inventory System
Hotel Management System
Benefits of a PHP Permissions System
Better Security
A user sees and uses only the modules they have been granted.
Easy Control
An admin can change a role's access without changing code.
Professional System
The system looks modern and has good security.
Scalability
You can add new permissions at any time.
Conclusion
A PHP permissions system is an essential part of any system with many users.
Using PHP PDO, MySQL, roles and permissions, you can build a system that is secure, professional and easy to manage.
For more tutorials, visit: