laflair13 Posted March 9, 2015 (edited)

I have searched for this but all I can find is an answer if the site is WordPress.

I am trying to convert my site to MySQLi. I have 2 roles of users, Admin and SuperAdmin. In my database I have them as roles 1 & 2.

I want to hide a menu item based on the role of the user.

LoginForm (On the top)

```php
<?php
session_start();
include "includes/class.users.php";
if(isset($_POST['login'])) {
    $email = $_POST['email'];
    $password = $_POST['password'];
    $users->login($email, $password);
}
?>
```

Form Itself

```html
<form method="POST" action="" name="login">
<div id="wrappermiddle">
    <h2>Login</h2>
    <div id="username_input">
        <div id="username_inputleft"></div>
        <div id="username_inputmiddle">
            <input name="email" type="text" id="myusername" placeholder="Email Address">
            <img id="url_user" src="./images/mailicon.png" alt="">
        </div><!--ends username_inputmiddle-->
        <div id="username_inputright"></div>
    </div><!--ends username_input-->
    <div id="password_input">
        <div id="password_inputleft"></div>
        <div id="password_inputmiddle">
            <input name="password" type="password" id="mypassword" placeholder="Password">
            <img id="url_password" src="./images/passicon.png" alt="">
        </div><!--ends password_inputmiddle-->
        <div id="password_inputright"></div>
    </div><!--ends password_input-->
    <div id="submit">
        <input type="image" src="./images/submit.png" name="login" value="Login">
    </div>
</div>
</form>
```

class.users.php

```php
<?php
include "class.database.php";

class Users extends Database {

    public function login($email, $password) {
        $stmt = $this->mysqli->prepare("SELECT email, password FROM members WHERE email = ? AND password = ? LIMIT 1");
        $stmt->bind_param('ss', $email, $password);
        $stmt->execute();
        $stmt->bind_result($email, $password);
        $stmt->store_result();
        if($stmt->num_rows == 1) {
            while($stmt->fetch()) {
                session_start();
                $_SESSION['loggedin'] = true;
                header("Location: dashboard.php");
            }
        } else {
            return false;
        }
        $stmt->close();
        $stmt->free_result();
    }
}

$users = new users();
?>
```

Then on my dashboard.php I have this

```php
<?PHP
session_start();
if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == true) {
    // User still logged
    $role = $row['role'];
    // You can then use that variable later in page
    // If $role == 1, Admin, show menu, prevent function access, etc.
} else {
    header ("Location: index.php");
}

if ($_SESSION['role'] == '2') {
    $showdiv = 'super';
} else if ($_SESSION['role'] == '1') {
    $showdiv = 'admin';
}
echo "<script type=\"text/javascript\">document.getElementById('".$showdiv."').style.display = 'block';</script>";
?>
<div class="mainbar">
    <div id="super">
        <?php include("supernavbar.php"); ?>
    </div>
    <div id="admin">
        <?php include("navbar.php"); ?>
    </div>
</div> <!-- /.mainbar -->
```

I am not understanding how to get the "User Role" into the session. I might not be doing it right in the first place.

Any help would be appreciated.

Edited March 9, 2015 by laflair13

jcbones Posted March 9, 2015

The easiest route I can see offhand is:

```php
<?PHP
session_start();
if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == true) {
    // User still logged
    $role = $row['role'];
    // You can then use that variable later in page
    // If $role == 1, Admin, show menu, prevent function access, etc.
} else {
    header ("Location: index.php");
}

if ($_SESSION['role'] == '2') {
    $showdiv = 'supernavbar';
} else if ($_SESSION['role'] == '1') {
    $showdiv = 'navbar';
}
//echo "<script type=\"text/javascript\">document.getElementById('".$showdiv."').style.display = 'block';</script>";
?>
<div class="mainbar">
    <div id="menu">
        <?php include($showdiv . '.php'); ?>
    </div>
</div> <!-- /.mainbar -->
```

rwhite35 Posted March 10, 2015 (edited)

Something else to consider. You're using your class like a glorified function. The class should return an object, like a car or your user... Then in your login script, you can assign values to the session.

Generally speaking, if you have "privileged" content, you would probably want to store a way of ID'ing the user. Example: the public might be 1, admin 2, superadmin 3.

Pseudo table:

```
user_name | user_cred
public    | 1
admin     | 2
sadmin    | 3
```

So the login script would change this way:

```php
if(isset($_POST['login'])) {
    $email = filter_var($_POST['email'],FILTER_SANITIZE_EMAIL);
    $password = filter_var($_POST['password'],FILTER_SANITIZE_STRING);
    $userObj = new Users();
    $credentials = $userObj->login($email, $password);
}
if($credentials) $_SESSION['loggedin'] = $credentials['user_cred'];
```

Then in your class:

```php
if($stmt->num_rows == 1) {
    $credentials = $stmt->fetch_assoc();
}
return $credentials; //prototype Array([email]=>string, [password]=>string, [user_cred]=>int)
```

Now you have a means to evaluate conditions where users with different loggedin values can access different things.

Hope that helps.

Edited March 10, 2015 by rwhite35
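
Added example, not part of any post in this thread: one way to get the role into the session at login and to pick the menu from an allowlist on the server, rather than rendering both menus and revealing one with JavaScript. The `role` column, a `password` column that holds a `password_hash()` value, and the function names `findMember`, `loginInto` and `menuFor` are assumptions.

```php
<?php
// Added example: put the role in the session at login, then choose the menu
// server-side from an allowlist. Assumes members.role exists and that
// members.password stores a password_hash() value (both are assumptions).

// Look up one member by email with a mysqli prepared statement.
function findMember(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT email, password, role FROM members WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($dbEmail, $hash, $role);
    $row = $stmt->fetch() ? ['email' => $dbEmail, 'password' => $hash, 'role' => (int) $role] : null;
    $stmt->close();
    return $row;
}

// Check the password against the stored hash; on success record the role.
// $session is passed by reference so the real pages can hand in $_SESSION.
function loginInto(array &$session, ?array $member, string $password): bool
{
    if ($member === null || !password_verify($password, $member['password'])) {
        return false;
    }
    $session['loggedin'] = true;
    $session['role'] = $member['role'];
    return true;
}

// Map the session's role to a menu file. Anything not in the allowlist
// (not logged in, missing or unknown role) gets no menu at all.
function menuFor(array $session): ?string
{
    $menus = [1 => 'navbar.php', 2 => 'supernavbar.php'];
    if (empty($session['loggedin'])) {
        return null;
    }
    return $menus[$session['role'] ?? 0] ?? null;
}

// Constructed sample row standing in for findMember()'s result.
$member = ['email' => 'super@example.test',
           'password' => password_hash('demo-passphrase', PASSWORD_DEFAULT), 'role' => 2];
$session = []; // stands in for $_SESSION
var_dump(loginInto($session, $member, 'wrong-guess'), menuFor($session));
var_dump(loginInto($session, $member, 'demo-passphrase'), menuFor($session));
```

On the real pages, pass `$_SESSION` as `$session`, call `session_regenerate_id(true)` after a successful login, and `exit` after each `header('Location: ...')` redirect. The dashboard then runs `include` only on the file `menuFor()` returns, so a user never receives markup for a menu their role does not map to.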