
CMS User permissions


Highland3r


Ok so I am currently having a bit of a problem with a script I have been using and upgrading.

At the moment I have the CMS fully operational and it requires a username and password to log in. I have the MySQL set up with 10 options, 1-10: 1 - admin, 2 - editors and so on.

Within the user settings I then choose a group. The problem is that all groups allow total access and I cannot understand the process required so that, say, option 2 should only have access to half the website.

Any ideas??

This is the code for the security.


<?php
////////////////////////////////////////////////////////////////////////////////////////
// Class: sentry
// Purpose: Control access to pages
///////////////////////////////////////////////////////////////////////////////////////
class sentry {

	public $loggedin = false;	// Boolean to store whether the user is logged in
	public $userdata;			// Array to contain user's data

	// Constructor (the PHP 4 style sentry() constructor no longer works in PHP 8)
	function __construct(){
		if (session_status() !== PHP_SESSION_ACTIVE) {
			session_start();
		}
		header("Cache-control: private");
	}

	//======================================================================================
	// Log out, destroy session
	function logout(){
		unset($this->userdata);
		$this->loggedin = false;
		$_SESSION = array();	// clear the session data for the rest of this request as well
		session_destroy();
		return true;
	}

	//======================================================================================
	// Log in, and either redirect to goodRedirect or badRedirect depending on success.
	// $group is the least privileged group still allowed: the query accepts any user whose
	// thegroup is <= $group, so 1 = admin only, 2 = admins and editors, 10 = everyone.
	function checkLogin($user = '',$pass = '',$group = 10,$goodRedirect = '',$badRedirect = ''){

		// Include database and validation classes, and create objects
		require_once('DbConnector.php');
		require_once('Validator.php');
		$validate = new Validator();
		$loginConnector = new DbConnector();
		$group = (int)$group;	// the threshold is interpolated into SQL, so force it to an integer

		// If user is already logged in then check credentials
		if (!empty($_SESSION['user']) && !empty($_SESSION['pass'])){

			// Validate session data. The queries below build SQL by string concatenation, so
			// their safety rests entirely on validateTextOnly() rejecting quotes and other SQL
			// metacharacters; parameterised queries would remove that dependency.
			if (!$validate->validateTextOnly($_SESSION['user'])){return false;}
			if (!$validate->validateTextOnly($_SESSION['pass'])){return false;}

			$getUser = $loginConnector->query("SELECT * FROM cmsusers WHERE user = '".$_SESSION['user']."' AND pass = '".$_SESSION['pass']."' AND thegroup <= ".$group." AND enabled = 1");

			if ($loginConnector->getNumRows($getUser) > 0){
				// Existing user ok, continue
				$this->userdata = $loginConnector->fetchArray($getUser);
				$this->loggedin = true;
				if ($goodRedirect != '') {
					header("Location: ".$goodRedirect."?".strip_tags(session_id()));
					exit;	// stop here so the rest of the page is not sent along with the redirect
				}
				return true;
			}else{
				// Existing user not ok, logout
				$this->logout();
				return false;
			}

		// User isn't logged in, check credentials
		}else{
			// Validate input
			if (!$validate->validateTextOnly($user)){return false;}
			if (!$validate->validateTextOnly($pass)){return false;}

			// Look up user in DB (cmsusers.pass holds an unsalted MD5 hash of the password)
			$getUser = $loginConnector->query("SELECT * FROM cmsusers WHERE user = '$user' AND pass = MD5('$pass') AND thegroup <= $group AND enabled = 1");

			if ($loginConnector->getNumRows($getUser) > 0){
				// Login OK, store session details
				$this->userdata = $loginConnector->fetchArray($getUser);
				$this->loggedin = true;
				$_SESSION["user"] = $user;
				$_SESSION["pass"] = $this->userdata['pass'];	// the stored hash, re-checked on every later request
				$_SESSION["thegroup"] = $this->userdata['thegroup'];

				if ($goodRedirect) {
					header("Location: ".$goodRedirect."?".strip_tags(session_id()));
					exit;
				}
				return true;

			}else{
				// Login BAD
				unset($this->userdata);
				if ($badRedirect) {
					header("Location: ".$badRedirect);
					exit;
				}
				return false;
			}
		}
	}
}
?>


This is the security on the login page.


<?php
require_once("../includes/Sentry.php");

$sentry = new Sentry();

// Login form submitted ($HTTP_POST_VARS was removed in PHP 5.4; use $_POST).
// The 4 here is the login threshold: only users in groups 1-4 can log in at all.
if (!empty($_POST['user'])){
	$pass = isset($_POST['pass']) ? $_POST['pass'] : '';
	$sentry->checkLogin($_POST['user'], $pass, 4, 'index.php', 'failed.php');
}

if (isset($_GET['action']) && $_GET['action'] == 'logout'){
	if ($sentry->logout()){
		echo '<center>You have been logged out</center><br>';
	}
}
?>
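The posted class already contains the restriction mechanism: the `$group` argument of `checkLogin()` is a ceiling, and the query only matches users whose `thegroup` is less than or equal to it. Groups only appear to have "total access" when every page is checked against the same ceiling (or not checked at all). The following is an added example, not code from the original post, showing one way to give each page its own ceiling on top of the posted `sentry` class. It assumes `Sentry.php` is the class shown above, that lower group numbers are more privileged (1 = admin, 2 = editors, and so on, as described in the post), and the page names, the `login.php` and `denied.php` targets and the `$pageAccess` map are constructed for the illustration.

```php
<?php
// Added example (not from the original post): per-page access ceilings layered on
// the posted sentry class. Assumes Sentry.php is the class shown above and that lower
// group numbers are more privileged (1 = admin, 2 = editors, ...).
require_once('../includes/Sentry.php');

// Constructed map: the highest (least privileged) group number allowed on each page.
// A page missing from the map is treated as admin-only, so forgetting an entry fails closed.
$pageAccess = array(
    'index.php'    => 10,  // every enabled user
    'articles.php' => 2,   // admins and editors
    'users.php'    => 1,   // admins only
);

// Authorisation decision only: does group $userGroup satisfy the page ceiling $maxGroup?
function groupAllowed($userGroup, $maxGroup) {
    $userGroup = (int)$userGroup;
    return $userGroup >= 1 && $userGroup <= (int)$maxGroup;
}

// Authenticate the session, then authorise it for this page. Redirects on failure.
function requireAccess(sentry $sentry, array $pageAccess, $page,
                       $loginPage = 'login.php', $deniedPage = 'denied.php') {
    // Step 1: is the session still valid? Ceiling 10 admits every enabled user; because
    // checkLogin() re-reads the user row, a disabled account is logged out at this point.
    if (!$sentry->checkLogin('', '', 10, '', '')) {
        header('Location: ' . $loginPage);
        exit;
    }

    // Step 2: does this user's group meet the page ceiling? The group was stored in the
    // session at login; an insufficient group is sent to a "denied" page, not logged out.
    $maxGroup  = isset($pageAccess[$page]) ? $pageAccess[$page] : 1;
    $userGroup = isset($_SESSION['thegroup']) ? $_SESSION['thegroup'] : 0;
    if (!groupAllowed($userGroup, $maxGroup)) {
        header('Location: ' . $deniedPage);
        exit;
    }
    return true;
}

// Every protected page includes this file at the very top, before any output is sent.
$sentry = new sentry();
requireAccess($sentry, $pageAccess, basename($_SERVER['SCRIPT_NAME']));
```

Two points follow from the posted code itself. The login page passes `4` as the ceiling, so users in groups 5 to 10 cannot log in at all; if every group should be able to log in and only the pages should differ, pass `10` there and let the per-page map do the restricting. And because `thegroup` is copied into the session at login, a change to a user's group in the database takes effect at their next login unless the page check re-reads it, as `checkLogin()` does when it is given the page's ceiling directly.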
