In PHP, how can I restrict users from editing and deleting posts based on whether the currently logged-in user is the author of the post or an admin?


<div id="blog" class="blog">
   <div class="container">
   <?php foreach($query as $q){?>
   <div class="blog-box">
      <span>Author: <?php echo htmlspecialchars($q['username']);?>
      <br>Date: <?php echo htmlspecialchars($q['date']);?></span>
      <h2><?php echo htmlspecialchars($q['title']);?></h2>
      <p><?php echo htmlspecialchars($q['content']);?></p>
      <div id="buttons">
      <a href="edit.php?id=<?php echo (int)$q['id'];?>" id="edit">Edit</a>
      <form method="POST">
      <!-- hidden field carrying the post id to the delete handler -->
      <input type="hidden" name="id" value="<?php echo (int)$q['id'];?>">
      <button name="delete" id="delete">Delete</button>
      </form>
      </div>
      <hr>
   </div>
   <?php } ?>
</div>
</div>

For example:

  • user1 is currently logged in, so he can edit or delete his own posts but can't do anything with posts written by others,
  • admin is logged in and is able to manage all of the posts.
<?php
  include("connection.php");
  include("functions.php");

  $user_data = check_login($con);

  // default listing: every post
  $display = "SELECT * FROM articles";
  $query = mysqli_query($con, $display);

  if(isset($_REQUEST['id'])){
    // a single post selected by id; the id is bound as a parameter, not interpolated into the SQL
    $stmt = mysqli_prepare($con, "SELECT * FROM articles WHERE id=?");
    mysqli_stmt_bind_param($stmt, "i", $_REQUEST['id']);
    mysqli_stmt_execute($stmt);
    $query = mysqli_stmt_get_result($stmt);
  }

  if(isset($_REQUEST['delete'])){
    // delete the post whose id was posted from the form
    $stmt = mysqli_prepare($con, "DELETE FROM articles WHERE id=?");
    mysqli_stmt_bind_param($stmt, "i", $_REQUEST['id']);
    mysqli_stmt_execute($stmt);

    header("Location: manage.php");
    die;
  }

$user_data['username'] contains the username of the currently logged-in user.
Is this possible?

Edited by AlexMcKenze

Any edit/delete link/form controls and any edit/delete operation code would be conditioned by either the current user's admin permission level or the current user's id matching the owner id of the data being edited/deleted.

Your login system should store the user's id in a session variable to indicate who the currently logged-in user is. On each page request, you would query to get the current user's permissions (this is so that any change made to the permission level will take effect on the very next page request). Any stored data related to the user, such as blog posts, should use the user's id, not the user's username, to relate it back to the user (this is so that you can edit the username without needing to update all the related data to match the changed username value).
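The rule above, worked through as an added example; this is not code from either poster. It assumes a `users` table with columns `id`, `username` and `is_admin`, an `articles` table whose `user_id` column holds the owner's id, that login stores the user's id in `$_SESSION['user_id']`, and that `$con` is a mysqli connection (the connection credentials are placeholders). The ownership condition is enforced inside the DELETE statement itself, so hiding the buttons is only a convenience; a forged post id for someone else's article deletes zero rows.

```php
<?php
// Added example, not the forum posters' code. Assumptions (labelled):
//   - $_SESSION['user_id'] is set at login to the user's id
//   - users(id, username, is_admin) and articles(id, user_id, title, content, date)
//   - $con is an open mysqli connection; credentials below are placeholders
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$con = mysqli_connect('localhost', 'dbuser', 'dbpass', 'blog');

// Re-read the permission level on every request so a change takes effect
// on the next page load rather than at the next login.
function current_user(mysqli $con): ?array {
    if (empty($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $con->prepare('SELECT id, username, is_admin FROM users WHERE id = ?');
    $stmt->bind_param('i', $_SESSION['user_id']);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// Authorization rule: admins may manage any post; everyone else only their own.
function can_manage(array $user, int $post_owner_id): bool {
    return (int)$user['is_admin'] === 1 || (int)$user['id'] === $post_owner_id;
}

$user = current_user($con);
if ($user === null) {
    header('Location: login.php');
    exit;
}

// Delete handler: the owner check is part of the query, not just the UI.
if (isset($_POST['delete'], $_POST['id'])) {
    $id = (int)$_POST['id'];
    if ((int)$user['is_admin'] === 1) {
        $stmt = $con->prepare('DELETE FROM articles WHERE id = ?');
        $stmt->bind_param('i', $id);
    } else {
        $stmt = $con->prepare('DELETE FROM articles WHERE id = ? AND user_id = ?');
        $stmt->bind_param('ii', $id, $user['id']);
    }
    $stmt->execute();
    if ($stmt->affected_rows === 0) {
        http_response_code(403); // nothing deleted: not this user's post, or no such post
        exit('Not allowed');
    }
    header('Location: manage.php');
    exit;
}

// Listing: posts are related to users by id, and the username is joined in for display.
$result = $con->query(
    'SELECT a.id, a.user_id, a.title, a.content, a.date, u.username
       FROM articles a JOIN users u ON u.id = a.user_id
      ORDER BY a.date DESC'
);
?>
<?php while ($q = $result->fetch_assoc()): ?>
  <div class="blog-box">
    <span>Author: <?= htmlspecialchars($q['username']) ?>
    <br>Date: <?= htmlspecialchars($q['date']) ?></span>
    <h2><?= htmlspecialchars($q['title']) ?></h2>
    <p><?= htmlspecialchars($q['content']) ?></p>
    <?php if (can_manage($user, (int)$q['user_id'])): ?>
      <a href="edit.php?id=<?= (int)$q['id'] ?>">Edit</a>
      <form method="POST">
        <input type="hidden" name="id" value="<?= (int)$q['id'] ?>">
        <button name="delete">Delete</button>
      </form>
    <?php endif; ?>
  </div>
<?php endwhile; ?>
```

The same `can_manage()` check belongs at the top of edit.php, after loading the post's `user_id`, so that typing a URL such as edit.php?id=5 directly is refused with the same 403 rather than relying on the link being absent from the listing.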
