You’ve already got the makings of a good authentication scheme. You’ve replaced basic authentication with your own authentication scheme. And that’s authentication: allowing a user in if she logs in. The user authenticates in some manner that tells your system that she really is who she says she is.
But now it’s time to add authorization: the ability to only give access to certain pages based on more specific criteria. At its simplest, you do have some level of authorization through authorize.php: you only authorize users who are authenticated. But usually authorization goes a lot further than that. It’s more granular; you can control access based on, say, group membership.
At this point, you’ve got the users. You’ve got the groups. You’ve got the connection between the two. So now authorize.php needs to be enhanced to work these groups into your authorization scheme.
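To make the idea concrete, here is a sketch of a group-aware check. It is an added example, not the book's own authorize.php: the table and column names (users, groups, user_groups), the function name user_is_authorized(), and the in-memory SQLite database holding constructed sample rows are all assumptions chosen so the script runs on its own.

```php
<?php
// Added example: schema, data and function name are assumptions, not the book's code.

// Constructed sample data in an in-memory SQLite database so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT)');
$db->exec('CREATE TABLE groups (id INTEGER PRIMARY KEY, name TEXT UNIQUE)');
$db->exec('CREATE TABLE user_groups (user_id INTEGER, group_id INTEGER)');
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");
$db->exec("INSERT INTO groups VALUES (1, 'Administrators'), (2, 'Members')");
$db->exec('INSERT INTO user_groups VALUES (1, 1), (1, 2), (2, 2)');

/**
 * Returns true only if $user_id is authenticated (non-null) and, when
 * $allowed_groups is non-empty, belongs to at least one of those groups.
 * Anything else is denied, so a failed lookup never grants access.
 */
function user_is_authorized(PDO $db, ?int $user_id, array $allowed_groups = []): bool
{
    if ($user_id === null) {
        return false;   // not authenticated: deny before touching the database
    }
    if ($allowed_groups === []) {
        return true;    // page only requires a logged-in user
    }
    // One placeholder per group name; values are bound, never concatenated.
    $marks = implode(',', array_fill(0, count($allowed_groups), '?'));
    $stmt = $db->prepare(
        "SELECT COUNT(*) FROM user_groups ug
           JOIN groups g ON g.id = ug.group_id
          WHERE ug.user_id = ? AND g.name IN ($marks)"
    );
    $stmt->execute(array_merge([$user_id], array_values($allowed_groups)));
    return (int) $stmt->fetchColumn() > 0;
}

// In a real page, the user ID would come from the session set at login.
var_dump(user_is_authorized($db, 1, ['Administrators'])); // alice, admin page
var_dump(user_is_authorized($db, 2, ['Administrators'])); // bob, admin page
var_dump(user_is_authorized($db, 2));                     // bob, login-only page
var_dump(user_is_authorized($db, null, ['Members']));     // anonymous visitor
```

The check runs on the server for every request to a protected page, and the group list is decided by the page itself rather than by anything the browser sends.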