Authentication & Security

This document covers the authentication and authorization systems used throughout the Hotelaro hotel management platform, including user session management, role-based permissions, CSRF protection, and multi-tenant security isolation.

For information about the multi-tenant architecture patterns, see Multi-Tenant System. For database security and user data storage, see Database Schema.

Authentication Flow

The system implements a session-based authentication model with multi-tenant isolation using subdomain-based tenant identification.

User Authentication Process

The authentication system handles login through form submission with CSRF protection. The login form includes hidden CSRF tokens and validates user credentials against the database.

Session Management

User sessions store critical authentication and authorization data:

Session Variable	Purpose	Example Value
uid	User's unique identifier	Generated 20-digit number
user_type	User access level	1 (Admin), 2 (Staff), 3 (Super Admin)
role	Role ID for permissions	References rolesandpermission table
admin_uid	Tenant identifier	Extracted from subdomain

The session data is used throughout the application to enforce multi-tenant isolation and role-based access control.

Role-Based Permission System

The system implements granular permissions through the permissionvaluecheck() function, which validates user access to specific features and operations.

Permission Structure

Permissions are stored as JSON in the rolesandpermission.permissions column:

[
  {
    "value": "calendar",
    "type": "read"
  },
  {
    "value": "bookings",
    "type": "write"
  }
]

The permissionvaluecheck() function accepts two parameters: $permissionname (feature name) and $permissiontype (access level: read/write/delete).

CSRF Protection

Cross-Site Request Forgery protection is implemented through automatic token generation and validation in all forms.

CSRF Implementation Details

The form_open() helper automatically injects CSRF tokens into forms when CSRF protection is enabled:

Token name: Retrieved via $security->getCSRFTokenName()
Token value: Retrieved via $security->getCSRFHash()
Form validation: Automatic validation on POST requests
Token regeneration: New tokens generated after each request

Multi-Tenant Security

The system enforces tenant isolation through the admin_uid parameter, ensuring data separation between different hotel properties.

All database queries are automatically filtered by the admin_uid parameter:

getInfoByUid() helper function ensures tenant-scoped data retrieval
Database table naming follows hotel_booking_* convention
Session uid matches the tenant's admin_uid for access validation

Form Security & Validation

All forms implement multiple security layers including input sanitization, CSRF protection, and server-side validation.

Security Feature

Form Submission Security Flow

The form submission process includes automatic CSRF token refresh and uses Toastify.js for user feedback notifications.

User Types & Access Levels

The system defines three primary user types with different access privileges:

User Type	Level	Access Scope	Typical Role
Type 1	Super Admin	Global system access	System administrator
Type 2	Staff	Role-based permissions	Hotel staff, managers
Type 3	Admin	Full tenant access	Hotel owner, property manager

Access Control Logic

User types 1 and 3 bypass permission checks and have full access
User type 2 requires explicit permission validation via rolesandpermission table
Setup operations are always allowed regardless of user type
Permission checks are skipped for core system setup functions

Password Security

Password handling includes client-side visibility toggles and server-side validation:

Password fields include show/hide functionality via JavaScript
Confirmation password validation on registration forms
Secure transmission through HTTPS (recommended deployment)
Password reset functionality through email verification