ianhaney10 Posted Friday at 09:36 AM

I have two different user roles, one is Member and the other is Secretary, and I need to be able to allow access to a php page if either Member or Secretary is logged in. I originally had the code below, which worked if a Member role was logged in:

```php
<?php
session_start();
// If the user is not logged in redirect to the login page...
if(!isset($_SESSION["account_loggedin"]) || $_SESSION["account_loggedin"] !== true || $_SESSION["account_role"] != 'Member') {
include('includes/baseurl.php');
$title = "Show Diary - The British Rabbit Council";
$pgDesc="";
include ( 'includes/header.php' );
?>
```

I added the Secretary role to the code but it won't allow me to access the page. I think it's because I'm not logged in as a Member role and am logging in as the Secretary role, but I need access to the php page if I am logged in as either Member or Secretary.

The current code I have is below:

```php
<?php
session_start();
// If the user is not logged in redirect to the login page...
if(!isset($_SESSION["account_loggedin"]) || $_SESSION["account_loggedin"] !== true || $_SESSION["account_role"] != 'Member' || $_SESSION["account_role"] != 'Secretary') {
include('includes/baseurl.php');
$title = "Show Diary - The British Rabbit Council";
$pgDesc="";
include ( 'includes/header.php' );
?>
```

Can anyone help please, thank you in advance.

ianhaney10 Posted Friday at 09:59 AM (Author)

Think I just solved it by changing a line to the following:

```php
if(!isset($_SESSION["account_loggedin"]) || $_SESSION["account_loggedin"] !== true || $_SESSION["account_role"] != 'Member' && $_SESSION["account_role"] != 'Secretary') {
```

mac_gyver Posted Friday at 10:41 AM

the only user data you should store in a session variable upon login should be the user id, to identify WHO the logged in user is. this will either be set or it won't be. you should query on each page request to get any other user data, such as a username, permissions, or role. this is so that any changes made to this other user data take effect on the very next page request. this will allow you to promote or demote a user without requiring them to log out and back in for the change to take effect. do you really want a situation where you have demoted or banned a user and they can still access a page because their session data says they can?

i recommend that you simplify the logic and separate the login test from the user role test. also, to test if a variable is in a set of values, define an array of the permitted values and use in_array() to perform the test. using these suggestions, the logic would become -

```php
$page_roles = ['Member','Secretary']; // roles permitted for the current page

$user_role = 'Guest'; // default value for a non-logged in user

// is there a logged in user
if(isset($_SESSION['user_id']))
{
    // query here to get any other user data, such as the user role, and store it in a regular variable

    // fake a value
    $user_role = 'Member';
    // $user_role = 'Secretary';
    // $user_role = 'Other';
}

// logic to determine if the current user can access something on this page
if(in_array($user_role,$page_roles))
{
    // access permitted
    echo 'permitted';
}

// logic to determine if the current user cannot access something on this page
if(!in_array($user_role,$page_roles))
{
    // access denied
    echo 'denied';
}
```

Edited Friday at 10:49 AM by mac_gyver
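
The approach described in the reply above (session holds only the user id, role is looked up on every request, membership tested with in_array()), as an added example that is not part of the original thread. The `users(id, role)` table, the in-memory SQLite database (needs the pdo_sqlite extension) and the function names `current_role()` and `can_access()` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Look up the role fresh on every request; the session only supplies the id.
// Assumed schema: users(id, role). Hypothetical, not the poster's real table.
function current_role(PDO $pdo, ?int $userId): string
{
    if ($userId === null) {
        return 'Guest';                       // nobody is logged in
    }
    $stmt = $pdo->prepare('SELECT role FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $role = $stmt->fetchColumn();             // false when the row no longer exists
    return $role === false ? 'Guest' : (string) $role;
}

// One membership test replaces the chained != comparisons from the question.
function can_access(PDO $pdo, ?int $userId, array $pageRoles): bool
{
    return in_array(current_role($pdo, $userId), $pageRoles, true); // strict compare
}

// Constructed demo data in an in-memory database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, role TEXT NOT NULL)");
$pdo->exec("INSERT INTO users (id, role) VALUES (1, 'Member'), (2, 'Secretary'), (3, 'Other')");

$pageRoles = ['Member', 'Secretary'];         // roles permitted for this page

// User ids 1-3 exist, 99 is a deleted account, null is a visitor with no session.
foreach ([1, 2, 3, 99, null] as $id) {
    $verdict = can_access($pdo, $id, $pageRoles) ? 'permitted' : 'denied';
    printf("user %s: %s\n", $id ?? 'none', $verdict);
}

// Demote user 2: the very next check denies access, with no logout required.
$pdo->exec("UPDATE users SET role = 'Other' WHERE id = 2");
printf("user 2 after demotion: %s\n", can_access($pdo, 2, $pageRoles) ? 'permitted' : 'denied');

// On a real page (after session_start()) the gate would be:
//   $id = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
//   if (!can_access($pdo, $id, $pageRoles)) { http_response_code(403); exit; }
```

The `exit` after the denial matters: without it the rest of the protected page still runs and is sent to the client.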