
View Full Version : different user rights..


rattlsnak
08-24-2008, 01:34 AM
What I have is a login page where all members can sign in (at this point admins are considered members also, as they view all the same pages as the members). A few pages into that section, I have a submit form action that goes to a page where I only want admins to go. So if a 'regular' member clicks on the link (submit button), when that page loads, it will send them to a "user not authorized" page or such, but if an admin is logged in, the page will display.

like: if session level = 1, it's ok, but if session level = 2, not ok.

What I'm using now:

Login query:

$query="SELECT * FROM users WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($query);
$rowAccount=mysql_fetch_array($result);


if($rowAccount){
$_SESSION['id'] = $rowAccount['username'];
header("location:userhome.php");
exit;
}
else {
header("location:error.php");

}
/////////////////////////////////////////////
What I have on each page now:

session_start();
if (! isset($_SESSION['id'])){
header("location:login.php");
exit;
}

///////////////////////////////////////////

So I'm /assuming/ I need to make different levels for different users.

I have setup a 'level' field in the database with numbers assigned in that field of 1 for admin rights, and number 2 for other members.

Right now all the members are assigned to the session 'id', and at the top of all the member pages I run the 'check isset session 'id'' to validate those members so no one can bypass the login page.

If I make the initial session 'level' to a certain level, won't that keep the other member from accessing the normal member pages?

So, by that, I would think I need to restrict level 2 users from the admin pages.


You wrote this (davidj):
>>when you perform the login you will query the db and check password and user name. At this stage you can get the access level and assign this to a session which you can carry throughout the application

Code:
$_SESSION['access'] = $row['access_level'];
$_SESSION['access'] will now be set with 1,2,3 etc

on every page just check this $_SESSION['access'] and either allow or disallow access depending on rights<<

So at this point, I just need to write the code to deny usage to certain user levels.

so, what I have is this:
session_start();
if (! isset($_SESSION['id'])){
header("location:login.php");
exit;
}

And I need something along the lines of this?

session_start();
if (! isset($_SESSION['level']==1)){
header("location:login.php");
exit;
}

But, if I do that, then don't I lose the username/id of who is logged in?

Thanks..

rattlsnak
08-24-2008, 02:55 AM
Never mind, I got it. It's kept in the Session array and the above last session id code works!

I had to write it out as I wasn't fully understanding Sessions.

Hopefully this can help other people:

Assume we have a users table, with 4 fields and entries of :
id:5
username: bob
password:smith
level:2

$query="SELECT * FROM users WHERE username='$myusername' and password='$mypassword'";

>>SELECT ALL FROM users WHERE username = Bob and password = Smith;<<

$result=mysql_query($query);

>>that assigns the variable/name 'result' to the entire row containing the 4 fields: id, username, password, and level.

$rowAccount=mysql_fetch_array($result);

>>This pulls that row or record from the database and assigns it a variable/name of 'rowAccount'.

So at this point $rowAccount = 5, Bob, Smith, 2<<

if($rowAccount){
$_SESSION['id'] = $rowAccount['username'];

>>if (5, Bob, Smith, 2)
assign the Session to a name of 'id' ,which equals the username of Bob, or Bob = Session 'id'.>>

So on your member pages when you run:

session_start();
if (! isset($_SESSION['id'])){
header("location:login.php");
exit;
}

You are basically saying, If this isn't Bob, send me to the login page.

I hope that's right!
Please correct me if I'm wrong, but it took me writing it down to fully understand it.

And of course, in PHP, I know there are other ways to accomplish the same thing.
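The login walked through in the two posts above builds the SQL by pasting the submitted username and password straight into the query string and compares the password in clear text. The following is an added example, not code from the thread, that does the same job (look the user up, put their access level in the session, redirect) with a prepared statement, a hashed password column and a fresh session id. It assumes a PDO connection, a table `users` with columns `id`, `username`, `password_hash` and `level`, passwords stored with password_hash() at registration, and the level numbering used in the thread (1 = admin, 2 = member); the column, variable and page names are assumptions.

```php
<?php
// Added example (not from the thread): hardened version of the posted login.
// Assumed schema: users(id, username, password_hash, level).
declare(strict_types=1);

session_start();

function login(PDO $pdo, string $username, string $password): bool
{
    // A placeholder keeps the submitted username out of the SQL text, so a
    // value such as  ' OR '1'='1  is compared as a literal string, not run.
    $stmt = $pdo->prepare(
        'SELECT id, username, password_hash, level FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks the submitted password against the stored
    // hash, which was created at registration with
    // password_hash($plain, PASSWORD_DEFAULT). No plaintext is ever stored.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Issue a new session id when privilege changes, so an id a visitor had
    // before logging in (session fixation) is not the one that is now trusted.
    session_regenerate_id(true);

    $_SESSION['user_id']  = (int) $row['id'];
    $_SESSION['username'] = $row['username'];
    $_SESSION['level']    = (int) $row['level'];   // 1 = admin, 2 = member (thread's numbering)
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // DSN and credentials are placeholders.
    $pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    ]);

    $user = (string) ($_POST['username'] ?? '');
    $pass = (string) ($_POST['password'] ?? '');

    if (login($pdo, $user, $pass)) {
        header('Location: userhome.php');
    } else {
        header('Location: error.php');
    }
    // header() only queues a redirect; without exit the rest of the script
    // still runs and its output is still sent.
    exit;
}
```

Keeping the username, the numeric user id and the level under separate session keys avoids the confusion later in the thread, where the same key `$_SESSION['id']` is used first for the username and then for the level.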

rattlsnak
08-24-2008, 04:21 AM
One issue left!

Once inside my member pages and now wanting to go to the admin pages, do I use an IF/ELSEIF, or what?

I tried it like this and with an ELSEIF and it doesn't work.

This is what I need it to do, I just don't know how to write it!

if (! isset($_SESSION['level'])){
header("location:login.php"); <if not a member of any level, go to login page
}

elseif ( isset($_SESSION['level'])){
header("location:acessdenied.php"); <<if a member, but with no admin rights, go to this page
}

elseif (isset($_SESSION['level'] == 2)) <<<if a member, with admin rights, continue...
???

Basically, it has to go to three different pages depending on the user level. The basic users still have to be validated and if not, sent to the login page, and if validated as a member, sent to the member home page, and the admin has to be validated and allowed to view the page, BUT if he is a member he needs to go back to the member home page, which is AFTER, or still inside, the member login page, and not back out to the login page.

Maybe I could combine statements, like:

if (! isset($_SESSION['id'] == 2, OR==3)){
header("location:login.php");
}

Sorry if these are basic questions, but hey, that's how you learn, right? ;)

davidj
08-24-2008, 07:31 AM
hehe rattlsnak

this is like your blog!

you are learning very quickly. I'm impressed

//////////

use a switch to test session

change some_page.php to suit
remember you are testing for the case value in my example


switch($_SESSION['id']){

case '1': header("location:some_page.php"); break;
case '2': header("location:some_page.php"); break;
case '3': header("location:some_page.php"); break;
case '4': header("location:some_page.php"); break;

}

another option (or in addition) is to control the nav you have set. Hiding admin buttons that users don't need to see adds another level of security

rattlsnak
08-24-2008, 08:06 PM
LOL! Oh well,. As my friends say, "it's fun, but in a sadistic kind of way"!

Anyway, I think I am having an issue with the session 'id' level.

When I do this:

if (! isset($_SESSION['id'])){
header("location:login.php");
}
else if ($_SESSION['id'] == '2');
{echo "test?";
}

OR this:

if (! isset($_SESSION['id'])){
header("location:login.php");
}
else if (! $_SESSION['id'] == '2');
{echo "test?";
}

(I tried it with an elseif, an if and an else, same result)
Although it allows members to view the page, and directs non-members to the login page like it should, no matter who I am logged in as, a level 1 or 2 user, it still echoes "test" to the page. So I must have something wrong with the 'level' access, or I'm writing that statement wrong. I have set up a 'level' field in the database with numbers assigned in that field of 1 for admin rights, and number 2 for other members and am using this, as stated above:

$rowAccount=mysql_fetch_array($result);
if($rowAccount){
$_SESSION['id'] = $rowAccount['level']; <<-- 'level', being the field in the db that has either a 1, or a 2 in it depending on the user.

I tried your script above using my own pages, but it just goes to an HTTP 500 internal error or blank and will not redirect.

I understand about hiding different features/links from different level users, but on this site, there are only a small number of total users, so I don't care if they see the link, I just don't want them to be able to get to it.

THANKS..!

davidj
08-24-2008, 08:52 PM
try this


if (! isset($_SESSION['id'])){

header("location:login.php");

}elseif ($_SESSION['id'] != '2'){

echo "test?";

}

rattlsnak
08-24-2008, 10:09 PM
No go.. Goes to a blank page display. I tried a couple of different ways also, like 2 '==' and without the !, inside () and a few more.

Thanks... This has to be either something simple, or something that can't be done the way I'm trying!

davidj
08-24-2008, 10:22 PM
have you echo'd the session to see if it has been set

also I'm guessing your error handling is switched off (php) check this in your php.ini file and switch it on if it's off. This may help diagnose

is the page just blank or is it a 500 or 404 ?

davidj
08-24-2008, 10:24 PM
post the code as you have it in your page

rattlsnak
08-24-2008, 10:35 PM
if (! isset($_SESSION['id'])){
header("location:login.php");
}
elseif ($_SESSION['id'] == '2'){
echo "test";
}


The above does work OK, but I can't get the ! function to work by doing this:

else if (! $_SESSION['id'] == '2'){
echo "test?";
}

OR this:

else if ( $_SESSION['id'] != '2'){
echo "test?";
}


Do you need more code? I'm actually testing this live on the host, so I don't have access to the .ini files. It does become blank.

Thanks again!

(this has become a quest!)

davidj
08-24-2008, 10:55 PM
try this

have tested it and this works

change p1,p2 and p3 to the pages you want redirecting to


session_start();

$_SESSION['id'] = '1';

switch($_SESSION['id']){

case '1': $page = "location:p1.php"; break;
case '2': $page = "location:p2.php"; break;
case '3': $page = "location:p3.php"; break;

}

header($page);

rattlsnak
08-24-2008, 11:15 PM
ok, just tried that, while the code works per se, no matter who is logged in, it always goes to case 1. Isn't that setting the session id to '1'? So no matter who logs in, they become '1'? That's the way it's responding. If I change the session id to '2', then it goes to that redirect no matter who is logged in.

davidj
08-24-2008, 11:28 PM
that is test code

i am setting the session like this

$_SESSION['id'] = '2';


you will be setting the session by a database value so remove my session set line

davidj
08-24-2008, 11:29 PM
you are setting the session when logging in yes?

rattlsnak
08-24-2008, 11:38 PM
I think I follow you now. I have already set the sessions in the member login page to the 'id' = 'level' like this: $_SESSION['id'] = $rowAccount['level'];
So that should set my user level to 1, 2, or 3.

and have now run this in the page i want to restrict to admins only:

switch($_SESSION['id']){

case '1': $page = "location:adminhome.php"; break;
case '2': $page = "location:memberhome.php"; break;
case '3': $page = ("location:loginhome.php"); break;

}
header($page);

OK, that gives me an HTTP 404 page not found.

rattlsnak
08-24-2008, 11:42 PM
If i understand that script, its basically saying, if a user level of '1' is logged in, go here, if a user level '2' is logged in go here, etc.. correct?

rattlsnak
08-25-2008, 12:41 AM
ok, this is exactly what I have, and it works perfectly:

<?php
session_start();
if (! isset($_SESSION['id'])){
header("location:login.php");
}
elseif ($_SESSION['id'] == '3')
{header ("location:memberhome.php");
}
?>

The more I thought about it, and thought about the way PHP works, I realized that I'm not trying to send user levels 1 or 2 away from these pages, only level 3 needs to be restricted, so the above code sends them back to the member home page and doesn't say anything about user levels 1 or 2, so they can view the page just fine. If I was trying to send user level 2 somewhere else, I would simply put another ELSEIF to send him somewhere.
At first, I was thinking I had to ALLOW users 1 or 2 to view this page and trying to write the code for that, but that's basically already handled in the original set session, so I just need to restrict the levels I don't want.

Actually looking at and deciphering your Switch statement is what pointed me in the right direction.
In the future I hope to build sites that display different things based on user rights as you described above, but this is good enough for now with this project. I have another project in the works that I already have questions on, so I will start a new thread with that soon!

Thanks again!! 8)
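Two points a practitioner would want alongside the final check in the thread. First, header() does not stop the script: the posted guard sends a Location header and then keeps running, so a client that ignores the redirect (curl, or a browser with redirects disabled) still receives the admin page body; every redirect needs an exit after it. Second, the check blocks level 3 and lets everything else through, so a session whose level is missing, malformed or some value nobody assigned is treated as allowed; the safer shape is an allowlist of permitted levels with deny as the default. Hiding admin links in the nav, as suggested earlier in the thread, is fine for usability but is not a control: anyone who knows or guesses the URL can request it, and only the server-side check decides whether the page renders. The following guard is an added example, not code from the thread; it assumes the level is stored under `$_SESSION['level']` by the login, the thread's numbering (1 = admin, 2 = member, 3 = restricted), and the page names login.php and memberhome.php.

```php
<?php
// Added example (not from the thread): guard.php, included at the top of
// every protected page. Denies by default and exits after every redirect.
// Assumed: login stores the numeric access level in $_SESSION['level'].
declare(strict_types=1);

const LEVEL_ADMIN  = 1;
const LEVEL_MEMBER = 2;

/** Returns the logged-in user's level, or null if there is no usable one. */
function current_level(): ?int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Accept only a positive integer (or integer-looking string) as a level.
    // A missing key, '', 'admin', an array, etc. all mean "not logged in".
    $level = filter_var($_SESSION['level'] ?? null, FILTER_VALIDATE_INT);
    return ($level !== false && $level > 0) ? $level : null;
}

/**
 * Let the page continue only if the user's level is in $allowed.
 * Anyone else is redirected and execution stops, so nothing below the
 * guard is ever sent to an unauthorised client.
 */
function require_level(array $allowed): void
{
    $level = current_level();

    if ($level === null) {
        header('Location: login.php');        // not logged in at all
        exit;
    }

    // Strict in_array: a level of 1 must not match a stray string or bool.
    if (!in_array($level, $allowed, true)) {
        header('Location: memberhome.php');   // logged in, but not for this page
        exit;
    }

    // Allowed: fall through and let the including page render.
}

// Usage on an admin-only page (first lines of the file):
//     require __DIR__ . '/guard.php';
//     require_level([LEVEL_ADMIN]);
//
// Usage on a member page that admins may also view, as in the thread:
//     require __DIR__ . '/guard.php';
//     require_level([LEVEL_ADMIN, LEVEL_MEMBER]);
```

The same shape covers the switch suggested earlier in the thread: if a switch on the level is used to pick a destination, it needs a default branch that redirects and exits, otherwise a level with no matching case falls out of the switch with $page unset and the page continues.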