User Authentication with Permission levels



#1 embsupafly


Posted 25 April 2006 - 10:10 PM

Need a bit of help...

I have a user login system right now that does work, but what I need it to do is check permission levels based on the user_type pulled from the database.

The script is listed below and is contained in each directory such as /manager, /sales, /service. I want service users to only have access to the pages in the /service directory, sales users to only have access to the /sales directory, and managers have access to the /manager, /sales, and /service directory, but sent to the /manager directory after login. Each directory has a copy of this script, not sure if we could just do one and have the 3 directories use the same copy.

The script is listed below, but I need assistance to get the user_type feature added for the permissions to the particular directories, again, the code works, but I have not tried to implement the directory permissions yet, right now, everyone gains access to all areas.


<?php

session_start();
$name = "";

// Has a session been initiated previously?
if (! isset($_SESSION['name']) ) {
    // If no previous session, has the user submitted the form?
    if (isset($_POST['username'])) {
        // Connect to the MySQL server and select the database
        require_once '../connection.php';

        // Escape the submitted values before they go into the query string
        // (done after connecting, because the escaping call needs the open connection).
        $username = mysql_real_escape_string(strip_tags($_POST['username']));
        $pswd = mysql_real_escape_string(strip_tags($_POST['pswd']));

        // Look for the user in the users table.
        $query = "SELECT * FROM $users_table WHERE username='$username' AND password='$pswd'";
        $result = mysql_query($query);
        while ($row = mysql_fetch_array($result)) {
            $name = $row["username"];
            $username = $row["username"];
            $user_type = $row["user_type"];
        }
    }
    else {
        echo "<b><font color='red'>You need to be logged in to access this area.</font></b><br><br> <a href=\"../index.php\">Login Page</a><br><br>If you attempted to login, this message means that your username and/or password does not match a valid account, please <a href=\"../index.php\">try again</a>.";
        exit();
    }

    // If the user was found, assign some session variables.
    if (@mysql_num_rows($result) == 1) {
        $_SESSION['name'] = "$name";
        $_SESSION['username'] = "$username";
        $_SESSION['user_type'] = "$user_type";
        $name = ucfirst($name);
        $login_result = "<b>Welcome $name!</b><br><br>Please use the menu above.";
    }
    // If no matching user was found, show the error message and stop
    else {
        echo "<b><font color='red'>You must be logged in to access this area.</font></b><br><br> <a href=\"../index.php\">Login Page</a><br><br>If you attempted to login, this message means that your username and/or password does not match a valid account, please <a href=\"../index.php\">try again</a>.";
        exit();
    }
}
// The user has returned. Offer a welcoming note.
else {
    $name = $_SESSION['name'];
    $username = $_SESSION['username'];
    $name = ucfirst($name);
    $login_result = "You are logged in as $name<br>";
}
?>

Eric

#2 rab


Posted 25 April 2006 - 11:33 PM

You were doing things twice and not doing it right. Now just in every page make a function to check against the sessions to see if the user is allowed to view it.

<?php

   session_start();

   if (isset($_SESSION['name']) )
   {
           if (isset($_SESSION['username']))
        {
         $username = $_SESSION['username'];
         $pswd = $_SESSION['pswd'];
        }
    }else {
        $username = $_POST['username'];
        $pwsd = $_POST['paswd'];


         require_once '../connection.php';


         $query = "SELECT * FROM users_table WHERE username='$username' AND password='$pswd'";
         $result = mysql_query($query);
         $check_num = mysql_num_rows($result);
         
         if($check_num > 0)
         {
             while ($row = mysql_fetch_array($result))
             {
                 $user_type = $row["user_type"];
            }
        }else {
            echo "No User Found With The Supplied Details.";
            exit();
            }

               $_SESSION['name'] = $name;
               $_SESSION['username'] = $username;
               $_SESSION['user_type'] = $user_type;
            
               $name = ucfirst($name);
                $login_result = "<b>Welcome $name!</b><br><br>Please use the menu above.";
               
               echo "$login_result";
             

?>


#3 embsupafly


Posted 26 April 2006 - 05:13 PM

Does anyone else have any comment or suggestions?
Eric

#4 embsupafly


Posted 26 April 2006 - 07:24 PM

Ok I have cleaned up the code as suggested by USER: rab....

Still haven't gotten to the user directory permissions yet, but here is the code:

<?php

session_start();

if (! isset($_SESSION['name']) ) {

    if (isset($_SESSION['username'])) {
        $username = $_SESSION['username'];
        $pswd = $_SESSION['pswd'];
    }

} else {
    require_once '../connection.php';

    // Escape the submitted values before they go into the query string
    // (done after connecting, because the escaping call needs the open connection).
    $username = mysql_real_escape_string(stripslashes($_POST['username']));
    $pswd = mysql_real_escape_string(stripslashes($_POST['pswd']));

    $query = "SELECT * FROM $users_table WHERE username='$username' AND password='$pswd'";
    $result = mysql_query($query);
    $check_num = mysql_num_rows($result);

    if ($check_num > 0) {
        while ($row = mysql_fetch_array($result)) {
            $user_type = $row['user_type'];
        }
    } else {
        echo "<b><font color='red'>You need to be logged in to access this area.</font></b><br><br> <a href=\"../index.php\">Login Page</a><br><br>If you attempted to login, this message means that your username and/or password does not match a valid account, please <a href=\"../index.php\">try again</a>.";
        exit();
    }

    $_SESSION['name'] = $name;
    $_SESSION['username'] = $username;
    $_SESSION['user_type'] = $user_type;

    $name = ucfirst($name);
    $login_result = "Welcome $name<br><br>Please use the menu above";
    echo "$login_result";

}

?>

This code is in the root directory and called session_handler.php

In the /sales, /service, and /manager directory, all pages have a header.php file, inside this header file there is an include to ../session_handler.php, so all directories are using the same file and its code as listed above. The problem is that when you switch to a different directory say from /manager to /sales, it seems to kill the session variables, and catches this part of code

} else {
           
               echo "<b><font color='red'>You need to be logged in to access this area.</font></b><br><br> <a href=\"../index.php\">Login Page</a><br><br>If you attempted to login, this message means that your username and/or password does not match a valid account, please <a href=\"../index.php\">try again</a>.";
            exit();
            }

Which seems to prove that the previous session vars are dead. Is this because when moving to another directory, it recalls the session_handler.php file when the new directory header is loaded and kills them with session_start() ???

Once I can get the session vars to carry over, I will work on the user_type and permissions to each directory...
Eric

#5 embsupafly


Posted 26 April 2006 - 11:44 PM

Actually,

The version rab had does not work correctly, but mine does, with the exception of the session vars being lost and having to login again if the directory is switched.

Anyone else?
Eric
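
One way to add the per-directory user_type check the thread asks for, as an added example that is not part of any post above. It replaces the thread's mysql_* calls and plaintext password comparison with PDO prepared statements and password_hash()/password_verify(); the `$pdo` handle, the `users` table, the `password_hash` column and all function names are assumptions.

```php
<?php
// Added example, not from the thread; $pdo, table, column and function names are assumed.

// Directories each user_type may open; the first entry is its landing area.
const AREA_ACCESS = [
    'manager' => ['manager', 'sales', 'service'],
    'sales'   => ['sales'],
    'service' => ['service'],
];

function can_access(string $userType, string $area): bool
{
    return in_array($area, AREA_ACCESS[$userType] ?? [], true);
}

// Check credentials with a bound parameter and a password hash, then store the
// identity in the already started session. Returns the landing path or null.
function login(PDO $pdo, string $username, string $password): ?string
{
    $sql = 'SELECT username, user_type, password_hash FROM users WHERE username = ?';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password_hash'])
        || !array_key_exists($row['user_type'], AREA_ACCESS)) {
        return null;
    }
    session_regenerate_id(true);   // fresh session id once authenticated
    $_SESSION['username']  = $row['username'];
    $_SESSION['user_type'] = $row['user_type'];
    return '/' . AREA_ACCESS[$row['user_type']][0] . '/';
}

// Call at the top of each directory's header.php, e.g. require_area('sales').
function require_area(string $area): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $type = $_SESSION['user_type'] ?? null;
    if ($type === null) {                 // no login yet
        header('Location: ../index.php');
        exit;
    }
    if (!can_access($type, $area)) {      // logged in, but wrong directory
        http_response_code(403);
        exit('You do not have access to this area.');
    }
}
```

Only the login form handler calls login(); every protected page calls require_area() alone, so moving between directories reads the existing session instead of running the credential query again.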



