jarvis Posted December 5, 2009 Share Posted December 5, 2009 Hi All, I hope someone can point out the obvious with this one. I've a CMS which has 2 account types: - Admin - Basic If you're logged in as an admin, you can edit a user and you've access to other parts of the CMS If you're logged in as a basic user, you just get access to 1 page My problem is, when I edit a user with basic access, as soon as I go into the edit user screen, the CMS removes all access as if you were logged in as the basic user. There are 3 parts to the script - header - edit_user - footer Header contains // This page begins the HTML header for the site. // Start output buffering. ob_start(); // Initialize a session. session_start(); edit_user contains <?php // This page edits a users profile // This page is accessed through view_users.php. // Include the configuration file for error management and such. require_once ('includes/config.inc.php'); // Set the page title and include the HTML header. $page_title = 'Edit A Profile'; include ('includes/header.html'); // If no first_name variable exists, redirect the user. if (!isset($_SESSION['name'])) { // Start defining the URL. $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']); // Check for a trailing slash. if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) { $url = substr ($url, 0, -1); // Chop off the slash. } // Add the page. $url .= '/index.php'; ob_end_clean(); // Delete the buffer. header("Location: $url"); exit(); // Quit the script. 
} else { ?> <!-- box_top --> <div id="box_top"> <img src="images/login_box_top.jpg"> </div> <!-- /box_top --> <!-- general --> <div id="general"> <div id="general_scrollarea"> <?php
// NOTE(review): the only gate before this point is the isset($_SESSION['name'])
// login check above. Nothing on this page tests $_SESSION['acc_type'] (the value
// the footer treats as the admin flag), so any logged-in account can open and
// submit this form for any user_id; an admin-only check belongs here.
// Check for a valid user ID, through GET or POST
// is_numeric() also accepts '1.5', '1e2' and leading whitespace, and $id is
// interpolated unquoted into the SQL below; an (int) cast would be tighter.
if ( (isset($_GET['id'])) && (is_numeric($_GET['id'])) ) { // Accessed through view_users.php
    $id = $_GET['id'];
} elseif ( (isset($_POST['id'])) && (is_numeric($_POST['id'])) ) { // Form has been submitted
    $id = $_POST['id'];
} else { // No valid ID, terminate the script here and inform user
    echo '<h1>Page Error</h1> <p class="error">This page has been accessed in error.</p><p><br /><br /></p>';
    require('includes/footer.html');
    exit();
}
// The mysql_* extension (and eregi() below) were removed in PHP 7; this code needs PHP 5.x.
require_once('../mysql_connect.php');// Connect to the db
// Check if the form has been submitted
if (isset($_POST['submitted'])) {
    // Check for a name.
    // The regex is tested against the trimmed, slash-stripped value, but the raw
    // $_POST['name'] is what escape_data() receives and what the UPDATE stores.
    if (eregi ('^[[:alpha:]\.\' \-]{2,15}$', stripslashes(trim($_POST['name'])))) {
        $name = escape_data($_POST['name']);
    } else {
        $name = FALSE;
        echo '<p>Please enter your name!</p>';
    }
    // Check for a position
    // For position..collection a FALSE here only prints the message; the UPDATE
    // below still runs (it only checks $type, $name and $email) and writes ''.
    if (!empty($_POST['position'])) {
        $position = escape_data($_POST['position']);
    } else {
        $position = FALSE;
        echo '<p class="error">Please enter a position!</p>';
    }
    // Check for a company
    if (!empty($_POST['company'])) {
        $company = escape_data($_POST['company']);
    } else {
        $company = FALSE;
        echo '<p class="error">Please enter a company!</p>';
    }
    // Check for a address
    if (!empty($_POST['address'])) {
        $address = escape_data($_POST['address']);
    } else {
        $address = FALSE;
        echo '<p class="error">Please enter an address!</p>';
    }
    // Check for a postcode
    if (!empty($_POST['postcode'])) {
        $postcode = escape_data($_POST['postcode']);
    } else {
        $postcode = FALSE;
        echo '<p class="error">Please enter a postcode!</p>';
    }
    // Check for a country
    if (!empty($_POST['country'])) {
        $country = escape_data($_POST['country']);
    } else {
        $country = FALSE;
        echo '<p class="error">Please enter a country!</p>';
    }
    // Check for a telephone
    if (!empty($_POST['telephone'])) {
        $telephone = escape_data($_POST['telephone']);
    } else {
        $telephone = FALSE;
        echo '<p class="error">Please enter a telephone!</p>';
    }
    // Check for an email address.
    if (eregi ('^[[:alnum:]][a-z0-9_\.\-]*@[a-z0-9\.\-]+\.[a-z]{2,4}$', stripslashes(trim($_POST['email'])))) {
        $email = escape_data($_POST['email']);
    } else {
        $email = FALSE;
        echo '<p>Please enter a valid email address!</p>';
    }
    // Check for a design requirement
    if (!empty($_POST['requirements'])) {
        $requirements = escape_data($_POST['requirements']);
    } else {
        $requirements = FALSE;
        echo '<p class="error">Please enter your design requirements!</p>';
    }
    // Check the account type
    // NOTE(review): $acc_type is taken from POST unvalidated and without escape_data(),
    // then interpolated into the UPDATE below; together with the missing admin check
    // at the top, any logged-in user can set acc_type='1' on any account. Restrict it
    // to the two known values (in_array($_POST['acc_type'], array('0', '1'), true)).
    // NOTE(review): the thread reports this page overwriting $_SESSION['acc_type'].
    // A plain $acc_type (assigned here and by the list() call below) aliasing the
    // session entry is the documented effect of register_globals being on, so the
    // durable fix is disabling register_globals rather than renaming the variable.
    if(isset($_POST['acc_type'])){
        $acc_type = $_POST['acc_type'];
    } else {
        $acc_type = '0';
    }
    // Check for a category.
    // Only the array shape is checked; the individual values reach the INSERT and
    // DELETE statements below unescaped and unquoted.
    if (isset($_POST['types']) && (is_array($_POST['types']))) {
        $type = TRUE;
    } else {
        $type = FALSE;
        echo '<p class="error">Please select at least one user category!</p>';
    }
    // Check for a collection type
    if (!empty($_POST['collection'])) {
        $collection = escape_data($_POST['collection']);
    } else {
        $collection = FALSE;
        echo '<p class="error">Please enter your collection type!</p>';
    }
    // Only the category array, name and email gate the update (see note above).
    if ($type && $name && $email) {
        // Test for unique user
        $query = "SELECT user_id FROM users WHERE email='$email'AND user_id != $id";
        $result = mysql_query($query);
        if (mysql_num_rows($result) == 0) {
            // Make the query.
            // Update the articles table.
            $query1 = "UPDATE users SET name='$name', position='$position', company='$company', address='$address', postcode='$postcode', country='$country', telephone='$telephone', email='$email', requirements='$requirements', acc_type='$acc_type', collection='$collection' WHERE user_id=$id";
            #echo $query1;
            $result1 = mysql_query($query1);
            // Update the category_associations table.
            // Retrieve the old categories.
            // NOTE(review): unserialize() of a client-supplied hidden field; a tampered
            // value can instantiate arbitrary classes (object injection) and its elements
            // feed the SQL below. Re-read the current categories from the DB instead, or
            // carry a JSON list of ints and validate each element.
            $exist_types = unserialize(urldecode($_POST['exist_types']));
            if ($_POST['types'] != $exist_types) { // A category change was made.
                // Determine the new and old categories.
                $add = array_diff($_POST['types'], $exist_types);
                $delete = array_diff($exist_types, $_POST['types']);
                // Add new types, if needed.
                if (!empty($add)) {
                    $query2 = 'INSERT INTO user_associations (user_id, category_id, approved) VALUES ';
                    // $v comes straight from $_POST['types'] (see the category note above).
                    foreach ($add as $v) {
                        $query2 .= "($id, $v, 'Y'), ";
                    }
                    $query2 = substr ($query2, 0, -2); // Chop off the last comma and space.
                    $result2 = mysql_query ($query2); // Run the query.
                } else { // No new types.
                    $result2 = TRUE;
                }
                // Delete old types, if necessary.
                if (!empty($delete)) {
                    $query3 = "DELETE FROM user_associations WHERE (user_id=$id) AND (category_id IN (". implode (',', $delete) . "))";
                    $result3 = mysql_query($query3);
                } else { // No old types.
                    $result3 = TRUE;
                }
            } else { // No category changes being made.
                $result2 = TRUE;
                $result3 = TRUE;
            }
            // Report on the success.
            if ($result1 && $result2 && $result3) {
                echo '<p class="confirm"><b>The user has been edited!</b></p>';
            } else {
                // This branch runs when one of the three queries failed, yet it prints a
                // confirmation; the commented-out line is presumably the intended message.
                #echo '<p clas="error">Your submission could not be processed due to a system error. We apologize for any inconvenience.</p>';
                echo '<p class="confirm">The categories have been added!</p>';
                // Print queries and use the mysql_error() function (after each mysql_query() call) to debug.
            }
        } else { // If one of the data tests failed.
            echo '<p class="error">That email address has been registered already</p>';
        }
    }
} // End of submit conditional
// Display the form
// Retrieve the properties information
$query = "SELECT name, position, company, address, postcode, country, telephone, email, requirements, acc_type, collection, category_id FROM users LEFT JOIN user_associations USING (user_id) WHERE users.user_id=$id";
#echo $query;
$result = @mysql_query ($query); // Process the query
// Get all of the information for the first record.
// If $id matches no user, mysql_fetch_array() returns FALSE and every field below
// is null; the form still renders. These values are echoed into the form's value
// attributes without htmlspecialchars(), so stored data is emitted as raw HTML.
$exist_types = array(); // Reset.
list($name, $position, $company, $address, $postcode, $country, $telephone, $email, $requirements, $acc_type, $collection, $exist_types[]) = mysql_fetch_array ($result, MYSQL_NUM);
// Get the other article_category_id values.
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
    $exist_types[] = $row[11];
} ?> <form action="edit_user.php" method="post"> <table width="500px" align="center"> <tr> <td align="right"><img src="images/name.gif" /></td> <td><div class="myBoxLh"></div><input type="text" name="name" value="<?php echo $name; ?>" size="30" /><div class="myBoxRh"></div></td> </tr> <tr> <td align="right"><img src="images/position.gif" /></td> <td><div class="myBoxLh"></div><input type="text" name="position" value="<?php echo $position; ?>" size="30" /><div class="myBoxRh"></div></td> </tr> <tr> <td align="right"><img src="images/company.gif" /></td> <td><div class="myBoxLh"></div><input type="text" name="company" value="<?php echo $company; ?>" size="30" /><div class="myBoxRh"></div></td> </tr> <tr> <td align="right"><img src="images/address.gif" /></td> <td><div class="myBoxLhLarge"></div><textarea name="address" cols="13" rows="2" value="<?php echo $address; ?>"><?php echo $address; ?></textarea><div class="myBoxRhLarge"></div></td> </tr> <tr> <td align="right"><img src="images/postcode.gif" /></td> <td><div class="myBoxLh"></div><input type="text" name="postcode" value="<?php echo $postcode; ?>" size="30" /><div class="myBoxRh"></div></td> </tr> <tr> <td align="right"><img src="images/country.gif" /></td> <td><div class="myBoxLh"></div><input type="text" name="country" value="<?php echo $country; ?>" size="30" /><div class="myBoxRh"></div></td> </tr> <tr> <td align="right"><img src="images/telephone.gif" /></td> <td><div class="myBoxLh"></div><input type="text" name="telephone" value="<?php echo $telephone; ?>" size="30" /><div class="myBoxRh"></div></td> </tr> <tr> <td align="right"><img src="images/email.gif" /></td> <td><div class="myBoxLh"></div><input 
type="text" name="email" value="<?php echo $email; ?>" size="30" /><div class="myBoxRh"></div></td> </tr> <tr> <td align="right"><img src="images/design_requirements.gif" /></td> <td><div class="myBoxLhLarge"></div><textarea name="requirements" cols="13" rows="2" value="<?php echo $requirements; ?>"><?php echo $requirements; ?></textarea><div class="myBoxRhLarge"></div></td> </tr> <tr> <td align="right">collection:</td> <td> <input name="collection" type="radio" <?php if($collection == 'print'){ echo 'checked="checked"'; } ?> value="print" />Print<br/> <input name="collection" type="radio" <?php if($collection == 'licence'){ echo 'checked="checked"'; } ?> value="licence" />Licence </td> </tr> <tr> <td align="right">User Category/Categories:</td> <td> <select name="types[]" multiple="multiple" size="5"> <?php
// Create the pull-down menu information.
#require_once ('../mysql_connect.php');
$query = "SELECT * FROM categories ORDER BY category ASC";
$result = @mysql_query ($query);
while ($row = mysql_fetch_array ($result, MYSQL_NUM)) {
    echo "<option value=\"$row[0]\"";
    // Make sticky, if necessary.
    if (in_array($row[0], $exist_types)) {
        echo ' selected="selected"';
    }
    echo ">$row[1]</option>\n";
} ?> </select> </td> </tr> <tr> <td align="right">Account Type:</td> <td> <select name="acc_type"> <option value="0" <?php if($acc_type == '0'){ echo 'selected="selected"'; }else{ echo ''; } ?>>Basic</option> <option value="1" <?php if($acc_type == '1'){ echo 'selected="selected"'; }else{ echo ''; } ?>>Admin</option> </select> </td> </tr> <tr> <td colspan="2" align="right"> <div align="center"><input type="image" src="images/submit.jpg" name="submit" value="Update" class="submit" /></div></td> </tr> </table> <?php
// The hidden exist_types field is what the submit handler unserialize()s (see note there).
echo ' <input type="hidden" name="submitted" value="TRUE" /> <input type="hidden" name="id" value="' . $id . '" /> <input type="hidden" name="exist_types" value="' . urlencode(serialize($exist_types)) . '" />'; ?> </form> </div> </div> <!-- /general --> <?php
mysql_close(); // Close the db connection
require('includes/footer.html');
//end of the check authorised user function
} ?> Footer contains <?php
// Display links based upon the login status.
// Show LOGIN links if this is the LOGOUT page.
// NOTE(review): this is the only place in the posted code that consults
// $_SESSION['acc_type'], and it only decides which links are shown; each admin page
// (edit_user.php included) has to enforce the same check itself.
if (isset($_SESSION['user_id']) && ($_SESSION['acc_type']=="1") && (substr($_SERVER['PHP_SELF'], -10) != 'logout.php')) {
    echo ' <a href="logout_admin.php">Logout</a> | <a href="change_password.php">Change Password</a> | <a href="add_category.php">Add A Category</a> | <a href="view_categories.php">Edit A Category</a> | <a href="view_users.php">Edit A User</a> | <a href="forgot_password.php">Reset User Passwords</a> | <a href="licence.php">Licence Categories</a> | <a href="print.php">Print Categories</a> | <a href="admin_register.php">Create Account</a> | <a href="export.php" target="_blank">Export users</a> ';
} elseif (isset($_SESSION['user_id']) && ($_SESSION['acc_type']=="0") && (substr($_SERVER['PHP_SELF'], -10) != 'logout.php')) {
    echo 'basic rights only';
} else { // Not logged in.
    echo ' <a href="register.php">Register</a> | <a href="request.php">Request New Password</a> | <a href="login.php">Login</a>';
} ?> </div> </body> </html> <?php
// Flush the buffered output.
ob_flush(); ?> Please help as this is driving me mad! Thanks in advanced! Quote Link to comment https://forums.phpfreaks.com/topic/184063-edit-user-confused-account-issues/ Share on other sites More sharing options...
jarvis Posted December 5, 2009 Author Share Posted December 5, 2009 Think I've sussed this one out: the session variable was called acc_type and the edit user code also used a variable named acc_type, so I renamed the one in the code to account_type, leaving acc_type as the session name. Seems to work! Quote Link to comment https://forums.phpfreaks.com/topic/184063-edit-user-confused-account-issues/#findComment-971898 Share on other sites More sharing options...