Thread

MOHAMMAD AZIZ

Full Stack Developer

Feb 23, 2019

How to distinguish admin users from normal users?

Almost every platform that has been created they have the need of users with more than one "type".

One which are actual users with normal privileges. The USERS.
And the ones who have special privileges. The ADMINS.

Admin users have special privileges that only they should have and not anyone else. Otherwise, if one user can manipulate data of another without there consent then the platform is a mess.

I found it always challenging to design a single database with solves the need of both users.

Should I have a type of the user stored in my database?
Should the first user who has registered on the platform would be the "admin user"?

I want to come to a collaborative conclusion about what is a better approach and why?

Responses(2)

Marco Alka

Software Engineer, Technical Consultant & Mentor

Feb 24, 2019

For one of my webserver platforms, SHPS, I designed authorization to be key-bound. You can define keys, check if a user has a key, and based on that let them perform actions. Users can be part of groups, and keys can be assigned to groups, too. Basically a lot like how AD etc. works. I don't know if there's a name for it, but I call it key-based authorization, and it's very fine-grained, so you can have "normal" users, "admins", and everything in between.

Serdar Sanri

Sr. Frontend Developer

Feb 24, 2019

I would love to hear more about it. Is it different than what I described below?

Serdar Sanri I am not quite sure if the basic concept is entirely the same. Let me elaborate:

For SQL, you may have several tables: users, groups, user_group_map, permission_keys, permission_map.

If a user is logged on and a script requests to know if the user has permission, the app has to

Poll the user's groups from the user_group_map table
Poll the permissions for all groups and the user themself from the permission_map table, where they actually have the key assigned
Check if the DB returned any result; if yes, the user has permission

It may be possible to create a single query to do this.

For NoSQL, I'd store user permissions and groups on the user and then just fetch all permissions and permissions on the groups, then filter for the required permission key.

I would not go with a single property on the front end like 'type' i would keep the role based permissions in the backend. Like admins will have different permissions and normal users different. You also may create a relation table like groups to combine permissions and assign users to groups. Then for each action check if asking user have permission to do so and either reject or approve request. Otherwise anything on front-end can be compromised easily.

Having first or last user being admin user wouldn't make a big difference if you cover your bases good. It is mostly considered as bad practice if your sql queries are prone to injection. For instance you get username and password from a form and have them in your query like this without cleaning and validating.

select * from users where username='.$_GET("username").' And password='.$_GET("password")

Now if i send ' or 1=1 ' in your form, it will be

select * from users where username='' or 1=1 '' And password='' or 1=1 which will return the first user.

The problem is not about having the first user as admin user but having enough controls to not this happen at all.

Search Hashnode

How to distinguish admin users from normal users?

Responses(2)

Recent threads