phpSecurityAdmin 11/23/2001 8:14AM GMT+6:00

phpSecurityAdmin is a PHP application for restricting access to web pages based
on usernames and passwords. The system will allow the client to:
* Manage user accounts and access rights
* Add, edit, or delete users
* Change access and connection rights
* Control basic system parameters such as username and password lengths and
  where connections are allowed to be made from
* Create and manage "user profiles" in order to allow an efficient method of
  creating multiple users with similar access rights

INSTALLATION
============
1. Uncompress the package into the directory where you want the package to be
   located on your server.
2. Create a database where you want all the information for users and profiles
   to be stored.
3. Populate the default settings for the package into the database. The file
   called "phpSecurityAdmin.default.sql" contains the SQL queries you will need
   to do this.
4. Edit the include/_config.php file to fit your setup.

*  It is best not to store the database connection details in the config file.
   To achieve a higher level of security, set up the SQL_* variables to be
   passed by the web server. [I use "SetEnvIf Host domain\.com SQL_x=value"
   inside the virtual host directives of Apache.]

REQUIREMENTS
============
This system was developed using the Apache 1.3.20 web server, MySQL 3.23.40
database server, and PHP-4.0.5 compiled as a DSO module, all running on a Linux
server. For best results, you should have at least the above setup. You will
need to have session support and trans-sid enabled as well.

At this point in development, I do not plan on supporting CGI versions of PHP,
other web servers, or other platforms. This is just because I don't have the
time nor the resources to do so. If you would like to contribute to the
development of this project, email me at justin@koivi.com

GETTING STARTED
===============
To use the phpSecurityAdmin package, you will need to decide what pages you
would like to restrict access to. At the top of each of these pages (which
will need to parse PHP code), add the line:
	<? require "/path/to/phpSecurityAdmin/_restrict.php"; ?>

Once you have the pages you want to restrict, you will need to add in the
location of each page into the database. To do this, you will need to log in to
the system by browsing to phpSecurityAdmin-x.x/index.php with a web browser.
The default password for the user "admin" is "secure" (you will want to change
this before going live).

Once you are logged in, go to the "Site Structure" section and add in each of
the pages you are restricting access to. The "Page
Name" is something to identify each page to you, the admin. This can be any
string that you want. The "Location" is the path that is requested to reach the
page. For instance, if your page is accessed by http://www.domain.com/page.php,
you would enter /page.php. If it was http://www.domain.com/folder/page.php, you
would enter /folder/page.php.

You will now need to give access to these pages to users. The "admin" user does
not have access to all restricted pages by default. To grant access to pages:
1. Go into the "Users" section and edit the user you wish to grant access to.
2. Click "Edit rights to pages."
3. Select the pages that this user should have access to and submit the form.

USERS
=====
To create a user, simply go to the "Users" section and click "Create New User."
Fill out the presented form, and click submit. By default, a user is active
when created.

EDIT CONTACT DETAILS
--------------------
You can change the contact details of a user at any time by editing that user
and selecting "Edit contact details."

EDIT CONNECTIONS
----------------
You can change the user's login name, password, or where they are allowed to
log into the system from by selecting "Edit connections" from the edit user
page. The "Allowed Connections" field works the same way as the one in the
"Configuration" section. This allows the admin not only to restrict where
connections can be initiated for the system, but also further restrict where
each user can connect from.

EDIT RIGHTS TO PAGES
--------------------
Each user has customized access rights within the system. On this page, you can
grant access to a restricted page by checking the box next to that page's name.
To deny access, simply uncheck the page. If you have edited a profile, or would
like to apply a different one to the user, simply choose the profile name from
the drop-down list and submit the form.

You can grant access to the administration system for a user by selecting the
box labeled "Admin Privileges." However, when you do this, that user will then
have access to change everyone's rights, passwords, login names, etc. (even for
the "admin" user!). Use this feature with caution.

PROFILES
========
Think of profiles as being similar to groups. You can easily give groups of
users the same (or similar) access rights by creating profiles. All you need to
do is create a profile by giving it a name to identify it and selecting which
pages to allow access to.

You can then apply these profiles to users either during creation or by editing
their access rights. During editing, applying a profile is as simple as
choosing the name from the drop-down list and submitting the form.

SITE STRUCTURE
==============
This section is a list of all the pages that the system sees as being
restricted. In order for these to work that way, you do have to add the line of
code mentioned in the GETTING STARTED section to the top of the restricted
page.

Adding pages to the database is also necessary in order to successfully
restrict access to them. To do this, simply click on the "Add Page" link above
the table listing all the existing pages. The GETTING STARTED section of this
document gives you instructions about the form.

CONFIGURATION
=============
The fields in this section are quite self-explanatory with the exception of
"Allowed Connections." To only allow connections from certain computers, see
the examples below:

    To allow only from one address, enter the IP (only works with static IPs).
        192.168.1.201

    To allow from all machines with an address that starts with a sequence:
        192.168.1.
    or
        192.168.

    You can also use multiple entries by separating with a comma:
        192.168.1.161, 192.168.2., 10.10.220.

The last example allows connections from only machine 161 from the 192.168.1.*
network, and all computers of the 192.168.2.* and 10.10.220.* networks.
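
The following is an added example, not code from phpSecurityAdmin; this README
does not say how the application compares entries. It contrasts a plain string
prefix comparison with a stricter rule (full address = exact match, prefix must
end in a dot) to show why the trailing dot in the examples above matters. The
function names are hypothetical and the addresses are constructed.

```php
<?php
// Added example, not phpSecurityAdmin's own code. Function names are hypothetical.

/** Split the comma-separated field into trimmed, non-empty entries. */
function parse_allowed($field) {
    return array_values(array_filter(array_map('trim', explode(',', $field)), 'strlen'));
}

/** Naive rule: any entry that is a string prefix of the IP matches. */
function naive_allowed($ip, $field) {
    foreach (parse_allowed($field) as $entry) {
        if (strncmp($ip, $entry, strlen($entry)) === 0) { return true; }
    }
    return false;
}

/** Strict rule: full IPv4 = exact match; "a.b." style = prefix; else ignored. */
function strict_allowed($ip, $field) {
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) { return false; }
    foreach (parse_allowed($field) as $entry) {
        if (filter_var($entry, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
            if ($ip === $entry) { return true; }
        } elseif (preg_match('/^(\d{1,3}\.){1,3}$/', $entry) === 1) {
            if (strncmp($ip, $entry, strlen($entry)) === 0) { return true; }
        }
    }
    return false;
}

// Constructed client addresses checked against the README's last example,
// plus two entries where the naive and strict rules disagree.
$readme = '192.168.1.161, 192.168.2., 10.10.220.';
$cases = array(
    array('192.168.1.161', $readme),
    array('192.168.1.162', $readme),
    array('192.168.2.7',   $readme),
    array('192.168.1.160', '192.168.1.16'),   // full address treated as a prefix
    array('192.168.10.5',  '192.168.1'),      // prefix missing its trailing dot
);
foreach ($cases as $c) {
    printf("%-14s vs %-40s naive=%s strict=%s\n", $c[0], '"' . $c[1] . '"',
        naive_allowed($c[0], $c[1]) ? 'allow' : 'deny',
        strict_allowed($c[0], $c[1]) ? 'allow' : 'deny');
}
```

When reviewing an "Allowed Connections" value, check that every network prefix
ends in a dot and that single hosts are written as complete four-octet addresses.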
