Archived

This topic is now archived and is closed to further replies.

embsupafly

User Authentication with Permission levels

Need a bit of help...

I have a user login system right now that does work, but what I need it to do is check permission levels based on the user_type pulled from the database.

The script is listed below and is contained in each directory, such as /manager, /sales, /service. I want service users to only have access to the pages in the /service directory, sales users to only have access to the /sales directory, and managers to have access to the /manager, /sales, and /service directories, but be sent to the /manager directory after login. Each directory has a copy of this script; I'm not sure if we could just have one and have the 3 directories use the same copy.

The script is listed below, but I need assistance getting the user_type feature added for the permissions to the particular directories. Again, the code works, but I have not tried to implement the directory permissions yet; right now, everyone gains access to all areas.


[code]
<?php

session_start();
$name = "";

// Has a session been initiated previously?
if (! isset($_SESSION['name'])) {
    // If no previous session, has the user submitted the form?
    if (isset($_POST['username'])) {
        $username = strip_tags($_POST['username']);
        $pswd = strip_tags($_POST['pswd']);

        // Connect to the MySQL server and select the database
        require_once '../connection.php';

        // Look for the user in the users table (inputs escaped before they are placed in the query).
        $query = "SELECT * FROM $users_table WHERE username='" . mysql_real_escape_string($username) . "' AND password='" . mysql_real_escape_string($pswd) . "'";
        $result = mysql_query($query);
        while ($row = mysql_fetch_array($result)) {
            $name = $row["username"];
            $username = $row["username"];
            $user_type = $row["user_type"];
        }
    } else {
        // No session and no submitted form: the visitor must log in first.
        echo "<b><font color='red'>You need to be logged in to access this area.</font></b><br><br> <a href=\"../index.php\">Login Page</a><br><br>If you attempted to login, this message means that your username and/or password does not match a valid account, please <a href=\"../index.php\">try again</a>.";
        exit();
    }

    // If the user was found, assign some session variables.
    if (mysql_num_rows($result) == 1) {
        $_SESSION['name'] = $name;
        $_SESSION['username'] = $username;
        $_SESSION['user_type'] = $user_type;
        $name = ucfirst($name);
        $login_result = "<b>Welcome $name!</b><br><br>Please use the menu above.";
    }
    // No matching account: show the login message and stop.
    else {
        echo "<b><font color='red'>You must be logged in to access this area.</font></b><br><br> <a href=\"../index.php\">Login Page</a><br><br>If you attempted to login, this message means that your username and/or password does not match a valid account, please <a href=\"../index.php\">try again</a>.";
        exit();
    }
}
// The user has returned. Offer a welcoming note.
else {
    $name = $_SESSION['name'];
    $username = $_SESSION['username'];
    $name = ucfirst($name);
    $login_result = "You are logged in as $name<br>";
}
?>
[/code]

You were doing things twice and not doing it right. Now just make a function in every page to check against the sessions to see if the user is allowed to view it.

[code]
<?php

session_start();

if (isset($_SESSION['name'])) {
    // Returning user: take the details from the session.
    if (isset($_SESSION['username'])) {
        $username = $_SESSION['username'];
        $user_type = $_SESSION['user_type'];
    }
} else {
    // No session yet: log in from the submitted form.
    $username = $_POST['username'];
    $pswd = $_POST['pswd'];

    require_once '../connection.php';

    // Inputs escaped before they are placed in the query.
    $query = "SELECT * FROM users_table WHERE username='" . mysql_real_escape_string($username) . "' AND password='" . mysql_real_escape_string($pswd) . "'";
    $result = mysql_query($query);
    $check_num = mysql_num_rows($result);

    if ($check_num > 0) {
        while ($row = mysql_fetch_array($result)) {
            $name = $row["username"];
            $user_type = $row["user_type"];
        }
    } else {
        echo "No User Found With The Supplied Details.";
        exit();
    }

    $_SESSION['name'] = $name;
    $_SESSION['username'] = $username;
    $_SESSION['user_type'] = $user_type;

    $name = ucfirst($name);
    $login_result = "<b>Welcome $name!</b><br><br>Please use the menu above.";

    echo "$login_result";
}

?>
[/code]

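The original question asks for permissions keyed on user_type per directory (service, sales, manager with managers landing in /manager), and the reply above suggests a function on every page that checks the session. One shared session_handler.php in the root directory that does both, added here as an example rather than code from the thread: it assumes ../connection.php defines a PDO connection $pdo, a users table with username, password_hash (as produced by password_hash()) and user_type columns, and that the including page lives one directory below the root, as in the thread. The directory map, home-directory map and helper names are assumptions.

```php
<?php
// session_handler.php (added example, not code from the thread).
// Assumes: $pdo (PDO) from connection.php in the same directory; a `users`
// table with username, password_hash and user_type; pages in /manager,
// /sales and /service that include this file via ../session_handler.php.
declare(strict_types=1);

session_start();

// Which user types may view which directory. Managers get all three.
const DIRECTORY_ROLES = [
    'manager' => ['manager'],
    'sales'   => ['manager', 'sales'],
    'service' => ['manager', 'service'],
];

// Where each user type lands right after a successful login.
const HOME_DIRECTORY = [
    'manager' => '/manager/',
    'sales'   => '/sales/',
    'service' => '/service/',
];

// First path segment of the requested page, e.g. "sales" for /sales/index.php.
function current_directory(): string
{
    $path  = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
    $parts = explode('/', trim($path, '/'));
    return $parts[0] ?? '';
}

// The check every page relies on: is this user type allowed in this directory?
function user_may_view(string $userType, string $directory): bool
{
    return in_array($userType, DIRECTORY_ROLES[$directory] ?? [], true);
}

function deny(string $message): void
{
    http_response_code(403);
    echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8')
        . ' <a href="/index.php">Login page</a>';
    exit();
}

// 1. Already logged in: authorize against the directory being requested.
if (isset($_SESSION['username'], $_SESSION['user_type'])) {
    if (!user_may_view($_SESSION['user_type'], current_directory())) {
        deny('Your account does not have access to this area.');
    }
    $name         = ucfirst($_SESSION['username']);
    $login_result = 'You are logged in as '
        . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '<br>';
    return; // hand control back to the page that included this file
}

// 2. Not logged in: only a submitted login form can start a session.
if (!isset($_POST['username'], $_POST['pswd'])) {
    deny('You need to be logged in to access this area.');
}

require_once __DIR__ . '/connection.php'; // assumed to define $pdo

// Prepared statement: the submitted username never becomes part of the SQL text.
$stmt = $pdo->prepare(
    'SELECT username, password_hash, user_type FROM users WHERE username = ?'
);
$stmt->execute([$_POST['username']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// password_verify() compares against a stored hash; the database never holds
// or compares the plaintext password.
if ($row === false || !password_verify($_POST['pswd'], $row['password_hash'])) {
    deny('Your username and/or password does not match a valid account.');
}

// New session id at the moment privileges change, then store only what pages need.
session_regenerate_id(true);
$_SESSION['username']  = $row['username'];
$_SESSION['user_type'] = $row['user_type'];

// Send the user to the directory for their type (managers go to /manager).
header('Location: ' . (HOME_DIRECTORY[$row['user_type']] ?? '/index.php'));
exit();
```

Because the allowed types are looked up from the requested directory on every page load, adding a fourth directory or a new user type is one line in DIRECTORY_ROLES, and a user who types a /manager URL while holding a sales session gets a 403 instead of the page.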
Ok I have cleaned up the code as suggested by USER: rab....

Still haven't gotten to the user directory permissions yet, but here is the code:

[code]
<?php

session_start();

// No session yet.
if (! isset($_SESSION['name'])) {

    if (isset($_SESSION['username'])) {
        $username = $_SESSION['username'];
        $user_type = $_SESSION['user_type'];
    }

// A session already exists: check the posted form.
} else {
    $username = stripslashes($_POST['username']);
    $pswd = stripslashes($_POST['pswd']);

    require_once '../connection.php';

    // Inputs escaped before they are placed in the query.
    $query = "SELECT * FROM $users_table WHERE username='" . mysql_real_escape_string($username) . "' AND password='" . mysql_real_escape_string($pswd) . "'";
    $result = mysql_query($query);
    $check_num = mysql_num_rows($result);

    if ($check_num > 0) {
        while ($row = mysql_fetch_array($result)) {
            $name = $row['username'];
            $user_type = $row['user_type'];
        }
    } else {
        echo "<b><font color='red'>You need to be logged in to access this area.</font></b><br><br> <a href=\"../index.php\">Login Page</a><br><br>If you attempted to login, this message means that your username and/or password does not match a valid account, please <a href=\"../index.php\">try again</a>.";
        exit();
    }

    $_SESSION['name'] = $name;
    $_SESSION['username'] = $username;
    $_SESSION['user_type'] = $user_type;

    $name = ucfirst($name);
    $login_result = "Welcome $name<br><br>Please use the menu above";
    echo "$login_result";
}

?>
[/code]

This code is in the root directory and is called session_handler.php.

In the /sales, /service, and /manager directories, all pages have a header.php file; inside this header file there is an include of ../session_handler.php, so all directories are using the same file and its code as listed above. The problem is that when you switch to a different directory, say from /manager to /sales, it seems to kill the session variables and catches this part of the code:

[code]
    } else {
        echo "<b><font color='red'>You need to be logged in to access this area.</font></b><br><br> <a href=\"../index.php\">Login Page</a><br><br>If you attempted to login, this message means that your username and/or password does not match a valid account, please <a href=\"../index.php\">try again</a>.";
        exit();
    }
[/code]

Which seems to prove that the previous session vars are dead. Is this because, when moving to another directory, it recalls the session_handler.php file when the new directory's header is loaded and kills them with session_start()?

Once I can get the session vars to carry over, I will work on the user_type and permissions to each directory...

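A way to see what actually happens to the session when the shared handler is included first from /manager and then from /sales: the probe below is added as an example and is not part of the thread; the file name, function name and array keys are hypothetical. session_start() resumes the session identified by the browser's session cookie rather than clearing it, so a populated $_SESSION that appears empty in the next directory usually points to the cookie (a path narrower than "/", or a different host) or to which branch of the handler runs on that request; the probe records the facts needed to tell these apart.

```php
<?php
// session_probe.php (added example, not code from the thread).
// Include from a page in each directory, e.g. require '../session_probe.php',
// then compare the logged facts between /manager and /sales.
declare(strict_types=1);

function session_probe(): array
{
    // Safe to call from a page that has already started the session.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Marker written on the first visit; if it is missing on the next
    // directory, the browser presented a different (or no) session cookie.
    $firstVisit = !isset($_SESSION['probe_started']);
    if ($firstVisit) {
        $_SESSION['probe_started'] = gmdate('c');
    }

    $cookie = session_get_cookie_params();

    return [
        'request_path'    => parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH),
        'session_id'      => session_id(),
        // The cookie path must cover every directory; PHP's default is "/".
        'cookie_path'     => $cookie['path'],
        'cookie_sent'     => isset($_COOKIE[session_name()]),
        'marker_survived' => !$firstVisit,
        'marker_set_at'   => $_SESSION['probe_started'],
        'session_keys'    => array_keys($_SESSION),
        'save_path'       => session_save_path(),
    ];
}

// Usage: write to the error log so the page output is untouched.
error_log('session probe: ' . json_encode(session_probe()));
```

If session_id and marker_set_at are identical on both requests but session_keys lacks name and username on the second one, the session itself survived the directory change and the values were never written or were overwritten by the handler's own code path; if session_id changes or cookie_sent is false, the cookie did not travel with the request and cookie_path is the first thing to check.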
Actually,

The version rab had does not work correctly, but mine does, with the exception of the session vars being lost and having to login again if the directory is switched.

Anyone else?
