My users log in via credentials stored in MySQL; they are not users on the server. I have files that I want them to be able to download as long as they are logged in. I use an Iframe on my main page to show the files in the directory that I want the users to be able to download from.

My problem seems to be stemming from my "groups" that I'm using, or something isn't passing correctly to the Iframe - as long as you are logged in as a member of the "administrator" group the file download works, but if you are in the "adjuster" group it doesn't??? The adjuster is allowed to log in to the main page, just not download a file from the Iframe.

This is my current routine I'm using to check user credentials on my main page along with the Iframe link:

 

<?php
//initialize the session
if (!isset($_SESSION)) {
  session_start();
}

// ** Logout the current user. **
$logoutAction = $_SERVER['PHP_SELF']."?doLogout=true";
if ((isset($_SERVER['QUERY_STRING'])) && ($_SERVER['QUERY_STRING'] != "")){
  $logoutAction .="&". htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_GET['doLogout'])) &&($_GET['doLogout']=="true")){
  // to fully log out a visitor we need to clear the session variables
  $_SESSION['MM_Username'] = NULL;
  $_SESSION['MM_UserGroup'] = NULL;
  $_SESSION['PrevUrl'] = NULL;
  unset($_SESSION['MM_Username']);
  unset($_SESSION['MM_UserGroup']);
  unset($_SESSION['PrevUrl']);

  $logoutGoTo = "../index.html";
  if ($logoutGoTo) {
    header("Location: $logoutGoTo");
    exit;
  }
}
?>
<?php
if (!isset($_SESSION)) {
  session_start();
}
$MM_authorizedUsers = "administrator,adjuster";
$MM_donotCheckaccess = "false";

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
  // For security, start by assuming the visitor is NOT authorized.
  $isValid = False;

  // When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
  // Therefore, we know that a user is NOT logged in if that Session variable is blank.
  if (!empty($UserName)) {
    // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
    // Parse the strings into arrays.
    $arrUsers = Explode(",", $strUsers);
    $arrGroups = Explode(",", $strGroups);
    if (in_array($UserName, $arrUsers)) {
      $isValid = true;
    }
    // Or, you may restrict access to only certain users based on their username.
    if (in_array($UserGroup, $arrGroups)) {
      $isValid = true;
    }
    if (($strUsers == "") && false) {
      $isValid = true;
    }
  }
  return $isValid;
}

$MM_restrictGoTo = "manage.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {
  $MM_qsChar = "?";
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
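  // $QUERY_STRING only exists with register_globals; read it from $_SERVER instead.
  if (isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']) > 0)
    $MM_referrer .= "?" . $_SERVER['QUERY_STRING'];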
  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
  header("Location: ". $MM_restrictGoTo);
  exit;
}
?>

 

 

The Iframe html from the main page:

 

<iframe src="adj_file_list.php?ID=<?php echo $colname_rstConfirm; ?>" name="filelist_frame" width="500" height="175" frameborder="0"></iframe>

 

 

This is the php from the IFrame page:

 

<?php
//initialize the session
if (!isset($_SESSION)) {
  session_start();
}

$recordID= $_SESSION['port_recordID']; //variable comes from detail page only used to carry claimnumber

$path = "../claims/" . $recordID . "/";

?>
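<?php
$dir = dir($path);
// Compare against false so a file literally named "0" does not end the loop early.
while (($file = $dir->read()) !== false) {
  if ($file != '.' && $file != '..') {
    // URL-encode the query-string values and HTML-escape everything that is echoed.
    $href = "/pages/download.php?file=" . urlencode($file) . "&recordid=" . urlencode($recordID);
    echo "<form method='post' action=''><a href='" . htmlspecialchars($href, ENT_QUOTES) . "'>"
       . htmlspecialchars($file, ENT_QUOTES) . "</a></form>";
  }
}
$dir->close();
?>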

 

Any help would be appreciated on this.

 

Thanks.

 

A JM,

Link to comment
https://forums.phpfreaks.com/topic/167652-solved-problem-with-permissions/
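
A sketch of a download handler that repeats the main page's login and group check and keeps the requested file inside the claim's directory. This is an added example, not the poster's download.php (which the thread does not show); it assumes the session keys, group names and `file`/`recordid` parameters seen in the post, and a hypothetical `claims/` directory one level above the script.

```php
<?php
// Added example, not the poster's download.php (the thread does not show it).
// Assumed: session keys and group names from the post; claims/ one level above this script.
session_start();

const ALLOWED_GROUPS = ['administrator', 'adjuster'];

// Returns the real path of the file to send, or null when the request must be refused.
function resolveDownload(array $session, $file, $recordId, string $baseDir): ?string
{
    // 1. Repeat the login and group test: the download link is its own HTTP
    //    request and is not covered by the check on the page holding the iframe.
    if (empty($session['MM_Username'])
        || !in_array($session['MM_UserGroup'] ?? '', ALLOWED_GROUPS, true)) {
        return null;
    }
    // 2. Accept only plain strings, and only the record id already stored
    //    server-side for this session, not whatever the query string claims.
    if (!is_string($file) || !is_string($recordId) || $recordId === ''
        || (string)($session['port_recordID'] ?? '') !== $recordId) {
        return null;
    }
    // 3. Resolve the path and require it to stay inside this claim's directory,
    //    which rejects "../" sequences and symlinks pointing elsewhere.
    $claimDir = realpath($baseDir . '/' . $recordId);
    $target   = realpath($baseDir . '/' . $recordId . '/' . $file);
    if ($claimDir === false || $target === false || !is_file($target)
        || strncmp($target, $claimDir . DIRECTORY_SEPARATOR, strlen($claimDir) + 1) !== 0) {
        return null;
    }
    return $target;
}

$path = resolveDownload($_SESSION, $_GET['file'] ?? '', $_GET['recordid'] ?? '', __DIR__ . '/../claims');
if ($path === null) {
    http_response_code(403);
    exit('Access denied');
}
header('Content-Type: application/octet-stream');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
header('Content-Length: ' . filesize($path));
readfile($path);
```

Keeping the group list in one shared include used by the main page, the iframe page and the download script avoids the three copies drifting apart.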