I think we can all agree that users are at once the boon and the bane of our applications. On the one hand, if it weren’t for users, we wouldn’t have security problems. On the other hand, if we didn’t have users, we wouldn’t need the application to begin with. So we can also agree that, in most cases, users aren’t going away. This means that we have to factor them into our security mind-set. One good principle to adopt is:
The Principle of Least Privileges
Grant permissions to users only to the level needed
This is a basic programming principle and can be seen most readily in Unix security. When dealing with users and resources in Unix, users have to be explicitly granted access to resources. Permissions are granted in such a way as to give the user the least permission necessary to gain access to the resource. We can adopt this concept when building our applications by considering carefully the users who will need to access each page and feature.
Most modern PHP frameworks have the concepts of authentication and access control. In the Zend Framework, authentication is handled by Zend_Auth, but access control, a separate issue, is handled by Zend_Acl.
Whichever framework you use, good security practices suggest that you carefully consider the access restrictions you place on each page or feature. Whenever possible, limit access to the fewest users possible.
=C=
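
As an added illustration (not code from the original post), here is how least privilege per page or feature can look with Zend_Acl, which denies everything until a rule allows it. The role, resource and privilege names are hypothetical, the `canAccess()` wrapper is an assumption of this example, and Zend Framework 1 is assumed to be on the include path.

```php
<?php
// Added example: assumes Zend Framework 1 is on the include path.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

// Build an ACL in which every grant is explicit. All names are hypothetical.
function buildAcl()
{
    $acl = new Zend_Acl(); // a fresh Zend_Acl allows nothing

    $acl->addRole(new Zend_Acl_Role('guest'));
    $acl->addRole(new Zend_Acl_Role('member'), 'guest');  // inherits guest rules
    $acl->addRole(new Zend_Acl_Role('editor'), 'member'); // inherits member rules
    $acl->addRole(new Zend_Acl_Role('admin'));            // no parent: explicit grants only

    foreach (array('article', 'comment', 'user-admin') as $name) {
        $acl->addResource(new Zend_Acl_Resource($name));
    }

    // Grant each role only the privileges its pages and features need.
    $acl->allow('guest', 'article', 'view');
    $acl->allow('member', 'comment', 'post');
    $acl->allow('editor', 'article', array('edit', 'publish'));
    $acl->allow('admin', 'user-admin', array('view', 'edit'));
    return $acl;
}

// Fail closed: isAllowed() throws for a role or resource that was never
// registered, and such a request must be treated as denied, not as an error page.
function canAccess(Zend_Acl $acl, $role, $resource, $privilege)
{
    try {
        return $acl->isAllowed($role, $resource, $privilege);
    } catch (Zend_Acl_Exception $e) {
        return false;
    }
}

$acl = buildAcl();
$checks = array( // constructed sample requests
    array('guest', 'article', 'view'),     array('guest', 'comment', 'post'),
    array('member', 'comment', 'post'),    array('editor', 'article', 'publish'),
    array('editor', 'user-admin', 'view'), array('admin', 'article', 'edit'),
    array('intern', 'article', 'view'),    array('admin', 'billing', 'view'),
);
foreach ($checks as $c) {
    $verdict = canAccess($acl, $c[0], $c[1], $c[2]) ? 'allow' : 'deny';
    printf("%-7s %-11s %-8s %s\n", $c[0], $c[1], $c[2], $verdict);
}
```

Note that `admin` deliberately has no parent role here, so it receives only the user-administration privileges granted to it and cannot edit articles.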
