nitation Posted October 19, 2008

Folks, I have a working admin area. A few days back I decided to improve my development skill. I proposed a user access level whereby a user with full rights can delete an ordinary user. My question is, what do I include in my login script that will determine "FullUser" from an "OrdinaryUser"? Also, do I need to design different interfaces for different users?

Bendude14 Posted October 19, 2008

Add another field into your database to give your users different access levels, then when they log in check their access level. Then you can display delete buttons etc. if they're an admin and only ordinary buttons if they are not. You could also redirect them to a different page altogether depending on their rank. You should validate the user's rank when they are trying to delete files also.

.josh Posted October 19, 2008

Pretty much what bendude said (He posted while I was typing)

Make another column in your user account table called accesslevel or some such thing. Simple int type is fine, since you will just be using 0,1,2...

In your script, you would have users login/navigate as usual. But wherever you want to edit/delete something, you would just insert some condition code to show links or whatever, based on accesslevel. For example if you have a script that lists names, you could do something like this (assuming you're logged in):

```php
// simple code example...

// check if need to delete something
if (isset($_GET['id'])) {
   // force type casting to prevent foul play. All you really need to do when expecting an int
   $id = (int) $_GET['id'];
   // make sure user has access level so reg users can't just append url and trigger
   if ($_SESSION['accesslevel'] == 1) {
      $sql = "delete from names where id = $id";
      $result = mysql_query($sql);
   } // end if accesslevel
} // end if get id

// get info from table and list...assumes there is an id associated with row
$sql = "select name, id from names";
$result = mysql_query($sql);
while ($list = mysql_fetch_assoc($result)) {
   // echo the name no matter what (HTML-escaped, since it comes from the table)
   echo htmlspecialchars($list['name']) . " ";
   // assuming 0 is reg member 1 is admin
   if ($_SESSION['accesslevel'] == 1) {
      // echo a delete link
      echo "<a href='{$_SERVER['PHP_SELF']}?id={$list['id']}'>delete</a>";
   } // end if accesslevel
   echo "<br />";
} // end while
```

nitation Posted October 19, 2008 (Author)

I have created a new field in my DB as useraccess. Also, this is what my login.php looks like:

```php
<?php
session_start();
if (!isset($_SESSION["adminid"])) {
    header("Location: main.php?login=missing");
}
include("connect.php");

if (isset($_POST['log'])) {
    // escape the submitted values before they go into the query string
    $loginname = mysql_real_escape_string($_POST['loginname']);
    $passwd    = mysql_real_escape_string($_POST['passwd']);
    $sqllog = mysql_query("
        SELECT * FROM moagi_admin
        WHERE loginname='$loginname' AND password='$passwd' AND status=1
    ");
    $num = 0;
    if ($sqllog) {
        $row   = mysql_fetch_array($sqllog);
        $rowid = $row["adminid"];
        $num   = mysql_num_rows($sqllog);
    }
    if ($num > 0) {
        // login ok: remember who is logged in
        $_SESSION["adminid"] = $row["adminid"];
        header("Location: index.php");
    } else {
        header("Location: main.php?login=wrong");
    }
}
?>
```

How do I validate/check the user access with the above code?

.josh Posted October 19, 2008

Well as far as displaying extra things like delete buttons, you don't really need to change your login.php at all. Everybody logs in the same, unless you were wanting to like, redirect them to an entirely different page, based on their userlevel.

nitation Posted October 19, 2008 (Author)

@crayon

I understand your point. In my code, I should just declare which user level can perform which task and vice-versa. I will work on that surely.
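
An added example, not part of any post in this thread: one way to carry the `useraccess` column from login into the session and then enforce it on the server when a delete is requested, which is the check Bendude14 and .josh both describe. It assumes PDO with an in-memory SQLite database and a hashed `password` column in place of the thread's `mysql_*` calls; the `ACCESS_*` constants, the `login()` and `delete_name()` helpers and the sample accounts are hypothetical, and in a real page `$session` would be `$_SESSION` after `session_start()`.

```php
<?php
// Added example: constructed in-memory data, not the thread's real database.
const ACCESS_ORDINARY = 0;   // assumed mapping, following the 0/1 suggestion above
const ACCESS_FULL     = 1;

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE moagi_admin (adminid INTEGER PRIMARY KEY, loginname TEXT,
           password TEXT, status INTEGER, useraccess INTEGER)');
$db->exec('CREATE TABLE names (id INTEGER PRIMARY KEY, name TEXT)');
$ins = $db->prepare('INSERT INTO moagi_admin (loginname, password, status, useraccess)
                     VALUES (?, ?, 1, ?)');
$ins->execute(['alice', password_hash('alice-pw', PASSWORD_DEFAULT), ACCESS_FULL]);
$ins->execute(['bob',   password_hash('bob-pw',   PASSWORD_DEFAULT), ACCESS_ORDINARY]);
$db->exec("INSERT INTO names (name) VALUES ('first'), ('second')");

// Login: look the account up with a bound parameter, verify the hash,
// and copy the access level into the session alongside the id.
function login(PDO $db, array &$session, string $loginname, string $passwd): bool
{
    $st = $db->prepare('SELECT adminid, password, useraccess FROM moagi_admin
                        WHERE loginname = ? AND status = 1');
    $st->execute([$loginname]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($passwd, $row['password'])) {
        return false;
    }
    $session['adminid']     = (int) $row['adminid'];
    $session['accesslevel'] = (int) $row['useraccess'];
    return true;
}

// Delete: the level is checked on the server at the moment of the action,
// so hiding the delete link from ordinary users is only cosmetic.
function delete_name(PDO $db, array $session, $id): bool
{
    if (($session['accesslevel'] ?? ACCESS_ORDINARY) !== ACCESS_FULL) {
        return false;
    }
    $st = $db->prepare('DELETE FROM names WHERE id = ?');
    $st->execute([(int) $id]);
    return $st->rowCount() === 1;
}

$bob = []; $alice = [];
login($db, $bob, 'bob', 'bob-pw');          // bob is an ordinary user
login($db, $alice, 'alice', 'alice-pw');    // alice is a full user
var_dump(delete_name($db, $bob, 1));
var_dump(delete_name($db, $alice, 1));
```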