ianhaney10 Posted January 3

I have two different user roles, one is Member and the other is Secretary, and I need to be able to allow access to a php page if either Member or Secretary is logged in.

I originally had the code below which worked if a Member role was logged in

```php
<?php
session_start();
// If the user is not logged in redirect to the login page...
if(!isset($_SESSION["account_loggedin"]) || $_SESSION["account_loggedin"] !== true || $_SESSION["account_role"] != 'Member') {

include('includes/baseurl.php');
$title = "Show Diary - The British Rabbit Council";
$pgDesc="";
include ( 'includes/header.php' );
?>
```

I added the Secretary role to the code but it won't allow me to access the page. I think it's because I'm not logged in as a Member role and am logging in as the Secretary role, but I need access to the php page if I am logged in as either Member or Secretary.

The current code I have is below

```php
<?php
session_start();
// If the user is not logged in redirect to the login page...
if(!isset($_SESSION["account_loggedin"]) || $_SESSION["account_loggedin"] !== true || $_SESSION["account_role"] != 'Member' || $_SESSION["account_role"] != 'Secretary') {

include('includes/baseurl.php');
$title = "Show Diary - The British Rabbit Council";
$pgDesc="";
include ( 'includes/header.php' );
?>
```

Can anyone help please, thank you in advance

ianhaney10 Posted January 3 (Author)

Think I just solved it by changing a line to the following

```php
if(!isset($_SESSION["account_loggedin"]) || $_SESSION["account_loggedin"] !== true || $_SESSION["account_role"] != 'Member' && $_SESSION["account_role"] != 'Secretary') {
```

mac_gyver Posted January 3 (edited)

the only user data you should store in a session variable upon login should be the user id, to identify WHO the logged in user is. this will either be set or it won't be.

you should query on each page request to get any other user data, such as a username, permissions, or role. this is so that any changes made to this other user data take effect on the very next page request. this will allow you to promote or demote a user without requiring them to logout and back in for the change to take effect. do you really want a situation where you have demoted or banned a user and they can still access a page because their session data says they can?

i recommend that you simplify the logic and separate the login test from the user role test. also, to test if a variable is in a set of values, define an array of the permitted values and use in_array() to perform the test.

using these suggestions, the logic would become -

```php
$page_roles = ['Member','Secretary']; // roles permitted for the current page

$user_role = 'Guest'; // default value for a non-logged in user

// is there a logged in user
if(isset($_SESSION['user_id']))
{
	// query here to get any other user data, such as the user role, and store it in a regular variable

	// fake a value
	$user_role = 'Member';
	// $user_role = 'Secretary';
	// $user_role = 'Other';
}

// logic to determine if the current user can access something on this page
if(in_array($user_role,$page_roles))
{
	// access permitted
	echo 'permitted';
}

// logic to determine if the current user cannot access something on this page
if(!in_array($user_role,$page_roles))
{
	// access denied
	echo 'denied';
}
```

Moorcam Posted January 8

Going on what mac_gyver said, which is spot on,

First, you need to define the roles that your application will support. For example, you might have roles like admin, editor, and viewer.

```php
$roles = [
    'admin' => ['create', 'edit', 'delete', 'view'],
    'editor' => ['edit', 'view'],
    'viewer' => ['view']
];
```

Next, you will need to assign these roles to your users. This can be done in your database. For simplicity, let's assume you have a user array that includes their role.

```php
$users = [
    'user1' => ['role' => 'admin'],
    'user2' => ['role' => 'editor'],
    'user3' => ['role' => 'viewer']
];
```

Before allowing access to a specific page or functionality, you should check if the user has the required permissions based on their role. Here’s a simple function to check permissions:

```php
function hasPermission($userRole, $action) {
    global $roles;
    // An unknown role has no permissions; strict comparison avoids type juggling
    return in_array($action, $roles[$userRole] ?? [], true);
}
```

Now, you can use the hasPermission function to control access to different parts of your application. For example:

```php
session_start();
$currentUser = $_SESSION['user_id'] ?? ''; // Assume the user_id is stored in session; empty when not logged in
$userRole = $users[$currentUser]['role'] ?? ''; // Unknown users get no role

if (hasPermission($userRole, 'edit')) {
    // Allow access to edit functionality
    echo "You have access to edit.";
} else {
    // Deny access
    echo "Access denied. You do not have permission to edit.";
}
```

Hope this makes sense and may help you somewhat.

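Added example, not code from any poster in this thread: it runs the first post's `||` role test next to an `in_array()` test whose role is read from the database on every request, with only `user_id` kept in the session, and then demotes a user to show the change applying at once. The `users` table, its rows, and the helper names `currentRole`, `flawedDeny`, `canAccess` and `report` are assumptions made for the illustration; it needs the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Constructed sample data: in-memory SQLite stands in for the real users table (assumed schema).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, role TEXT NOT NULL)");
$pdo->exec("INSERT INTO users (id, role) VALUES (1, 'Member'), (2, 'Secretary'), (3, 'Other')");

// Login test: the session carries only user_id; the role is queried on every request.
// A missing session key or a deleted account both fall back to 'Guest'.
function currentRole(PDO $pdo, array $session): string {
    if (!isset($session['user_id'])) {
        return 'Guest';
    }
    $stmt = $pdo->prepare('SELECT role FROM users WHERE id = ?');
    $stmt->execute([$session['user_id']]);
    $role = $stmt->fetchColumn();
    return $role === false ? 'Guest' : $role;
}

// The role test from the first post: a role cannot equal both names at once,
// so one of the two != comparisons is always true and every user is denied.
function flawedDeny(string $role): bool {
    return $role != 'Member' || $role != 'Secretary';
}

// Role test kept separate from the login test, with strict comparison.
function canAccess(string $role, array $pageRoles): bool {
    return in_array($role, $pageRoles, true);
}

function report(PDO $pdo, array $session, array $pageRoles): void {
    $role = currentRole($pdo, $session);
    printf("%-9s ||-test: %-7s in_array: %s\n", $role,
        flawedDeny($role) ? 'denied' : 'allowed',
        canAccess($role, $pageRoles) ? 'permitted' : 'denied');
}

$pageRoles = ['Member', 'Secretary']; // roles permitted for the current page
// Constructed sessions: three logged-in users and one anonymous visitor.
foreach ([['user_id' => 1], ['user_id' => 2], ['user_id' => 3], []] as $session) {
    report($pdo, $session, $pageRoles);
}

// Demote user 2: the same session is refused on the next request, no logout needed.
$pdo->exec("UPDATE users SET role = 'Other' WHERE id = 2");
report($pdo, ['user_id' => 2], $pageRoles);
```

On a real page the denied branch should send its response (for example `http_response_code(403)`) and call `exit` before any protected output is produced.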