Assuming you are providing an abstract service (something about contract documents), and not simply providing MySQL to them, then you should have a layer (PHP or otherwise) that abstracts their access to the database.

In that layer, you should do whichever of these you deem desirable:
* Validate that they are allowed to access the service. This would involve you handling user names/passwords with extra table(s), not using MySQL's GRANTs.
* Restrict access to selected database/tables/etc.
* Construct queries on their behalf.

As admin, you can see everything by two means:
* You can connect to MySQL (they cannot) and perform ad hoc SELECTs.
* The UI could have an option (password and/or IP protected) that lets you masquerade as any specific user, thereby allowing you to see exactly what they see (after getting past the protection layer).

Text documents should probably be stored in MEDIUMTEXT (allows up to 16MB). Non-text documents (eg, images) should be stored in MEDIUMBLOB. (Without the 'MEDIUM' prefix, you get a limit of 64KB.)