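Highland3r Posted February 16, 2011 Ok so i am currently having a bit of a problem with a script i have been using and upgrading, at the moment i have the cms fully operational and requires username and password to login i have the mySQL set up with 10 options 1-10 1 - admin 2- editors and so on. within the user setting i then choose a group the problem is that all groups allow total access and i can not understand the process required so that say option 2 should only have access to half the website. Any ideas?? This is the code for the security.
<?php
////////////////////////////////////////////////////////////////////////////////////////
// Class: sentry
// Purpose: Control access to pages
//
// Usage: create one instance at the top of every page that needs protection and call
//     if (!$sentry->checkLogin('', '', $requiredGroup, '', 'login.php')) { exit; }
// $requiredGroup is the highest cmsusers.thegroup value admitted to that page. The
// query tests "thegroup <= $group", so lower numbers are more privileged (1 = admin).
// A page that leaves $group at its default of 10 admits every enabled user, which is
// why every group currently sees every page: pass the page's own limit instead.
////////////////////////////////////////////////////////////////////////////////////////
class sentry
{
    public $loggedin = false; // true once checkLogin() has accepted the visitor in this request
    public $userdata;         // cmsusers row of the user who logged in through the form

    // Start (or resume) the session and keep the page out of shared caches.
    public function __construct()
    {
        // session_start() warns when a session is already active, e.g. when the
        // including page started one itself, so only start when none exists.
        if (session_id() === '') {
            session_start();
        }
        header("Cache-control: private");
    }

    // PHP 4 style constructor, kept only so an explicit $obj->sentry() call keeps working.
    public function sentry()
    {
        $this->__construct();
    }

    //==================================================================================
    // Log out: forget the user row, clear the session data and destroy the session.
    // Always returns true.
    public function logout()
    {
        $this->loggedin = false;
        unset($this->userdata);
        // session_destroy() only removes the server-side store; $_SESSION keeps its
        // values for the rest of the request unless it is cleared explicitly.
        $_SESSION = array();
        if (session_id() !== '') {
            session_destroy();
        }
        return true;
    }

    //==================================================================================
    // Check whether the visitor may see the page, then redirect to $goodRedirect or
    // $badRedirect depending on the outcome.
    //
    // $user, $pass    credentials from the login form; leave empty on pages that only
    //                 need to re-check an existing session
    // $group          highest cmsusers.thegroup value admitted (lower = more privileged)
    // $goodRedirect   URL to send the visitor to after a successful check ('' = none)
    // $badRedirect    URL to send the visitor to after a failed check ('' = none)
    //
    // Returns true when the visitor is accepted, false otherwise. This method never
    // exit()s, so after a false return the caller must stop rendering the page itself,
    // otherwise the protected content is still sent along with the redirect header.
    public function checkLogin($user = '', $pass = '', $group = 10, $goodRedirect = '', $badRedirect = '')
    {
        // Include database and validation classes, and create objects
        require_once('DbConnector.php');
        require_once('Validator.php');
        $validate = new Validator();
        $loginConnector = new DbConnector();

        // NOTE(review): both queries below are built by string concatenation. They are
        // only safe if Validator::validateTextOnly() rejects quotes and other SQL
        // metacharacters -- confirm that, or move DbConnector to prepared statements.
        // $group is cast to int because it is the one value the validator never sees.
        $group = (int) $group;

        if (!empty($_SESSION['user']) && !empty($_SESSION['pass'])) {
            // A session exists: re-check it against the database so a disabled
            // account, a changed password or a too-low group takes effect at once.
            if (!$validate->validateTextOnly($_SESSION['user'])) { return false; }
            if (!$validate->validateTextOnly($_SESSION['pass'])) { return false; }

            // NOTE(review): the session carries the stored password hash and the hash
            // is re-sent in this query; a per-session token would avoid that.
            $getUser = $loginConnector->query("SELECT * FROM cmsusers WHERE user = '".$_SESSION['user']."' AND pass = '".$_SESSION['pass']."' AND thegroup <= ".$group." AND enabled = 1");

            if ($loginConnector->getNumRows($getUser) > 0) {
                // Existing user ok, continue
                $this->loggedin = true;
                if ($goodRedirect != '') {
                    // NOTE(review): appending the session id to the URL exposes it in
                    // referrers and logs; kept because callers may rely on it.
                    header("Location: ".$goodRedirect."?".strip_tags(session_id()));
                }
                return true;
            }

            // Existing user no longer qualifies: log out, then redirect like a failed
            // login so pages get the same outcome from both branches.
            $this->logout();
            if ($badRedirect != '') {
                header("Location: ".$badRedirect);
            }
            return false;
        }

        // No session: validate the submitted credentials
        if (!$validate->validateTextOnly($user)) { return false; }
        if (!$validate->validateTextOnly($pass)) { return false; }

        // NOTE(review): passwords are stored as unsalted MD5; password_hash() /
        // password_verify() is the replacement, but that is a schema and data change.
        $getUser = $loginConnector->query("SELECT * FROM cmsusers WHERE user = '$user' AND pass = MD5('$pass') AND thegroup <= ".$group." AND enabled = 1");

        if ($loginConnector->getNumRows($getUser) > 0) {
            // Login OK: fetch the row only now that we know there is one
            $this->userdata = $loginConnector->fetchArray($getUser);
            $this->loggedin = true;
            // A fresh id on login stops a session id chosen before authentication
            // from staying valid afterwards.
            session_regenerate_id();
            $_SESSION["user"] = $user;
            $_SESSION["pass"] = $this->userdata['pass'];
            $_SESSION["thegroup"] = $this->userdata['thegroup'];
            if ($goodRedirect != '') {
                header("Location: ".$goodRedirect."?".strip_tags(session_id()));
            }
            return true;
        }

        // Login BAD
        unset($this->userdata);
        if ($badRedirect != '') {
            header("Location: ".$badRedirect);
        }
        return false;
    }
}
?>
This is the sequrity on login page
<?php
require_once("../includes/Sentry.php");
$sentry = new Sentry();

// $HTTP_POST_VARS / $HTTP_GET_VARS were removed in PHP 5.4; $_POST / $_GET are the
// supported superglobals. isset() avoids undefined-index notices on a plain GET.
if (isset($_POST['user']) && $_POST['user'] != '') {
    $pass = isset($_POST['pass']) ? $_POST['pass'] : '';
    // Group 4: only users in groups 1-4 may log in through this form
    $sentry->checkLogin($_POST['user'], $pass, 4, 'index.php', 'failed.php');
}

if (isset($_GET['action']) && $_GET['action'] == 'logout') {
    if ($sentry->logout()) {
        echo '<center>You have been logged out</center><br>';
    }
}
?>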
Highland3r (Author) Posted February 20, 2011: Is nobody able to help?