How to Build Role-Based Access Control
Benefits:
Security: ensures users cannot perform actions they are not permitted to.
Organization: admin, editor and user can each have a different level of access.
Scalability: new roles can be added without changing much code.
⚙️ 2. Database Setup
Create the users table with a role column:
CREATE TABLE users (
    id INT AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(50) NOT NULL UNIQUE,
    email VARCHAR(100) NOT NULL UNIQUE,
    password VARCHAR(255) NOT NULL,
    role ENUM('admin','editor','user') DEFAULT 'user',
    is_verified TINYINT(1) DEFAULT 0,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
💡 Notes:
role determines the user's access level.
You can add roles such as moderator or manager.
🧩 3. Assigning a Role at Registration
$role = 'user'; // default role: every new account starts with the least privilege
$stmt = $pdo->prepare("INSERT INTO users (username,email,password,role) VALUES (:username,:email,:password,:role)");
$stmt->execute([
    'username' => $username,
    'email'    => $email,
    'password' => password_hash($password, PASSWORD_DEFAULT), // never store the plain password
    'role'     => $role
]);
The admin role is assigned manually or through an admin panel, never from a value submitted by the registration form.
🔐 4. Checking the Role after Login
session_start();
// $email and $password come from the login form
$stmt = $pdo->prepare("SELECT * FROM users WHERE email=:email");
$stmt->execute(['email' => $email]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);
if($user && password_verify($password, $user['password'])){
    if($user['is_verified'] == 0){
        $error = "❌ Please verify your email first!";
    } else {
        session_regenerate_id(true); // prevent session fixation
        $_SESSION['user_id']  = $user['id'];
        $_SESSION['username'] = $user['username'];
        $_SESSION['role']     = $user['role']; // role read from the database, not from the client
        header("Location: dashboard.php");
        exit;
    }
}
💡 Notes:
$_SESSION['role'] stores the user's role on the server side.
It is used to check access on each restricted page.
🔒 5. Restricting Access to Pages
<?php
session_start();
// Check that the user is logged in
if(!isset($_SESSION['user_id'])){
    header("Location: login.php");
    exit;
}
// This page is for admins only
if($_SESSION['role'] !== 'admin'){
    die("❌ Access denied. Admins only.");
}
?>
<h2>Welcome Admin!</h2>
<p>Only users with admin role can see this page.</p>
You can also define a helper function:
function checkRole($requiredRole){
    // Missing role or wrong role both deny access
    if(!isset($_SESSION['role']) || $_SESSION['role'] !== $requiredRole){
        die("❌ Access denied.");
    }
}
Then any page can call: checkRole('editor');
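checkRole() only accepts one exact role name, so an admin is locked out of editor pages and every new role means editing many pages. The following added example (not code from the original tutorial) keeps a central role-to-permission map instead, so pages ask for a permission and new roles are added in one place; the permission names and the delete_post.php file are assumed for illustration.

```php
<?php
// Added example (not from the original tutorial): a role -> permission map
// so pages check permissions instead of hard-coding one role name.
// Assumes session_start() has run and $_SESSION['role'] was set at login
// from the database, as in section 4 above.

// Central policy table. Adding a new role (e.g. 'moderator') means adding
// one entry here, not touching every page. Keep each list minimal.
// Permission names are illustrative.
const ROLE_PERMISSIONS = [
    'admin'  => ['post.view', 'post.edit', 'post.delete', 'user.manage'],
    'editor' => ['post.view', 'post.edit'],
    'user'   => ['post.view'],
];

function currentRole(): string
{
    // Only the server-side session is trusted; a missing role grants nothing.
    return $_SESSION['role'] ?? '';
}

function hasPermission(string $permission): bool
{
    $role = currentRole();
    // Unknown roles map to an empty list, so they are denied by default.
    return in_array($permission, ROLE_PERMISSIONS[$role] ?? [], true);
}

function requirePermission(string $permission): void
{
    if (!isset($_SESSION['user_id'])) {
        header('Location: login.php');
        exit;
    }
    if (!hasPermission($permission)) {
        // Deny with a proper status code and log the attempt for auditing.
        http_response_code(403);
        error_log(sprintf(
            'RBAC deny: user_id=%s role=%s needed=%s uri=%s',
            $_SESSION['user_id'],
            currentRole(),
            $permission,
            $_SERVER['REQUEST_URI'] ?? ''
        ));
        exit('Access denied.');
    }
}

// Usage at the top of delete_post.php (hypothetical page):
// requirePermission('post.delete');
```

Because the check is by permission, an admin passes the editor pages automatically, and the error_log line gives the audit trail recommended in the security tips.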
🧠 6. Security Tips
Always store the role in the session after login, read from the database.
Check role on every restricted page.
Never trust client-side role checks (e.g., JavaScript).
Combine with email verification & secure sessions.
Audit admin actions for extra security.
✅ 7. Conclusion
RBAC simplifies the management of user permissions.
Each page can carry restrictions that depend on the user's role.
Best practices: server-side checks, secure sessions, and minimal permissions per role.
🌐 Visit:
🌐 https://www.faulink.com/
For more tutorials on PHP, user authentication and security.