
CMS User permissions


Highland3r


OK, so I am currently having a bit of a problem with a script I have been using and upgrading.

 

At the moment I have the CMS fully operational, and it requires a username and password to log in. I have MySQL set up with 10 group options (1-10): 1 = admin, 2 = editors, and so on.

 

Within the user settings I then choose a group. The problem is that all groups allow total access, and I cannot understand the process required so that, say, option 2 only has access to half the website.

 

Any ideas??

 

This is the code for the security.

 

<?php
////////////////////////////////////////////////////////////////////////////////////////
// Class: sentry
// Purpose: Control access to pages
///////////////////////////////////////////////////////////////////////////////////////
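class sentry {

public $loggedin = false;	//	Set to true by checkLogin() when the session or the credentials are accepted
public $userdata;			//  Row from cmsusers for the current user; unset when not logged in

// Start (or reuse) the session and mark the response as private for caches
function __construct(){
	// A second session_start() in the same request raises a notice, so only start one when none is active
	if (session_id() == '') {
		session_start();
	}
	header("Cache-control: private"); 
}

// PHP 4 style constructor, kept for code that calls it by name (e.g. parent::sentry())
function sentry(){
	$this->__construct();
}

//======================================================================================
// Log out, destroy session
// Also clears the in-request copy of $_SESSION: session_destroy() alone leaves the old
// user/pass values visible to a later checkLogin() call in the same request.
function logout(){
	unset($this->userdata);
	$this->loggedin = false;
	$_SESSION = array();
	session_destroy();
	return true;
}

//======================================================================================
// Log in, and either redirect to goodRedirect or badRedirect depending on success
//
// $user, $pass    credentials from the login form (ignored when a session already holds a user)
// $group          highest cmsusers.thegroup value admitted: a row only matches when thegroup <= $group
// $goodRedirect   URL sent as a Location header on success ('' = no redirect)
// $badRedirect    URL sent as a Location header when submitted credentials fail ('' = no redirect)
// Returns true when the user is accepted, false otherwise. The redirect is only a header and
// the script keeps running afterwards, so callers must also act on the return value before
// emitting protected content.
function checkLogin($user = '',$pass = '',$group = 10,$goodRedirect = '',$badRedirect = ''){

	// Include database and validation classes, and create objects
	require_once('DbConnector.php');
	require_once('Validator.php');
	$validate = new Validator();
	$loginConnector = new DbConnector();

	// $group is interpolated into SQL below, so force it to a plain integer whatever the caller passed
	$group = (int) $group;

	// NOTE(review): DbConnector::query() receives a finished SQL string, so validateTextOnly()
	// is the only thing keeping user-supplied values out of the query. Prepared statements
	// would be the proper fix but need support in DbConnector.

	// If user is already logged in then re-check the stored credentials against the DB
	if (!empty($_SESSION['user']) && !empty($_SESSION['pass'])){

		// Validate session data
		if (!$validate->validateTextOnly($_SESSION['user'])){return false;}
		if (!$validate->validateTextOnly($_SESSION['pass'])){return false;}

		$getUser = $loginConnector->query("SELECT * FROM cmsusers WHERE user = '".$_SESSION['user']."' AND pass = '".$_SESSION['pass']."' AND thegroup <= ".$group.' AND enabled = 1');

		if ($loginConnector->getNumRows($getUser) > 0){
			// Existing user ok; userdata was never loaded on this path before, so load it here
			$this->userdata = $loginConnector->fetchArray($getUser);
			$this->loggedin = true;
			$this->redirect($goodRedirect, true);
			return true;
		}

		// Existing user no longer matches (disabled, password changed or group too high): drop the session
		$this->logout();
		return false;
	}

	// User isn't logged in, check the submitted credentials
	if (!$validate->validateTextOnly($user)){return false;}
	if (!$validate->validateTextOnly($pass)){return false;}

	// NOTE(review): MD5 is not a suitable password hash. Moving to password_hash()/password_verify()
	// changes the stored column and the session re-check above, so it is flagged rather than changed here.
	$getUser = $loginConnector->query("SELECT * FROM cmsusers WHERE user = '$user' AND pass = MD5('$pass') AND thegroup <= $group AND enabled = 1");

	if ($loginConnector->getNumRows($getUser) > 0){
		$this->userdata = $loginConnector->fetchArray($getUser);
		$this->loggedin = true;

		// New session id on login so an id issued before authentication cannot be reused (session fixation)
		session_regenerate_id();

		// Login OK, store session details
		$_SESSION["user"] = $user;
		$_SESSION["pass"] = $this->userdata['pass'];
		$_SESSION["thegroup"] = $this->userdata['thegroup'];

		$this->redirect($goodRedirect, true);
		return true;
	}

	// Login BAD
	unset($this->userdata);
	$this->loggedin = false;
	$this->redirect($badRedirect, false);
	return false;
}

//======================================================================================
// Send a Location header when $url is non-empty. With $withSession the session id is appended
// as the query string, as before. NOTE(review): that puts the session id in URLs and Referer
// headers; drop it if cookie-based sessions are required anyway.
private function redirect($url, $withSession){
	if ($url == '') {
		return;
	}
	if ($withSession) {
		header("Location: ".$url."?".strip_tags(session_id()));
	} else {
		header("Location: ".$url);
	}
}
}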
?>

 

This is the security on the login page.

 

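<?php
// Login page handler: submits posted credentials to the sentry and handles ?action=logout
require_once("../includes/Sentry.php");

$sentry = new Sentry();

// $HTTP_POST_VARS / $HTTP_GET_VARS no longer exist on current PHP (removed in 5.4); read the
// superglobals, and default to '' so a missing field does not raise a notice
$user = isset($_POST['user']) ? $_POST['user'] : '';
$pass = isset($_POST['pass']) ? $_POST['pass'] : '';

if ($user !== ''){
	// Third argument is the highest cmsusers.thegroup value admitted by this page: the sentry
	// only accepts a row when thegroup <= 4. A page meant for a more restricted group passes
	// that group's number here instead.
	$sentry->checkLogin($user, $pass, 4, 'index.php', 'failed.php');
}

if (isset($_GET['action']) && $_GET['action'] === 'logout'){
	if ($sentry->logout()){
		echo '<center>You have been logged out</center><br>';
	}
}
?>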
