
User Authentication with Permission levels


embsupafly


Need a bit of help...

I have a user login system right now that does work, but what I need it to do is check permission levels based on the user_type pulled from the database.

The script is listed below and is contained in each directory such as /manager, /sales, /service. I want service users to only have access to the pages in the /service directory, sales users to only have access to the /sales directory, and managers have access to the /manager, /sales, and /service directory, but sent to the /manager directory after login. Each directory has a copy of this script, not sure if we could just do one and have the 3 directories use the same copy.

The script is listed below, but I need assistance to get the user_type feature added for the permissions to the particular directories, again, the code works, but I have not tried to implement the directory permissions yet, right now, everyone gains access to all areas.


[code]
<?php

session_start();
$name = "";

// Has a session been initiated previously?
if (! isset($_SESSION['name'])) {
    // If no previous session, has the user submitted the form?
    if (isset($_POST['username'])) {
        $username = strip_tags($_POST['username']);
        $pswd = strip_tags($_POST['pswd']);

        // Connect to the MySQL server and select the database
        require_once '../connection.php';

        // Escape the submitted values before they go into the query string.
        $username = mysql_real_escape_string($username);
        $pswd = mysql_real_escape_string($pswd);

        // Look for the user in the users table.
        $query = "SELECT * FROM $users_table WHERE username='$username' AND password='$pswd'";
        $result = mysql_query($query);
        while ($row = mysql_fetch_array($result)) {
            $name = $row["username"];
            $username = $row["username"];
            $user_type = $row["user_type"];
        }
    }
    else {
        echo "<b><font color='red'>You need to be logged in to access this area.</font></b><br><br> <a href=\"../index.php\">Login Page</a><br><br>If you attempted to login, this message means that your username and/or password does not match a valid account, please <a href=\"../index.php\">try again</a>.";
        exit();
    }

    // If the user was found, assign some session variables.
    if (@mysql_num_rows($result) == 1) {
        $_SESSION['name'] = "$name";
        $_SESSION['username'] = "$username";
        $_SESSION['user_type'] = "$user_type";
        $name = ucfirst($name);
        $login_result = "<b>Welcome $name!</b><br><br>Please use the menu above.";
    }
    // If the user has not previously logged in, show the login form
    else {
        echo "<b><font color='red'>You must be logged in to access this area.</font></b><br><br> <a href=\"../index.php\">Login Page</a><br><br>If you attempted to login, this message means that your username and/or password does not match a valid account, please <a href=\"../index.php\">try again</a>.";
        exit();
    }
}
// The user has returned. Offer a welcoming note.
else {
    $name = $_SESSION['name'];
    $username = $_SESSION['username'];
    $name = ucfirst($name);
    $login_result = "You are logged in as $name<br>";
}
?>
[/code]
Link to comment
Share on other sites

You were doing things twice and not doing it right. Now just in every page make a function to check against the sessions to see if the user is allowed to view it.

[code]
<?php

session_start();

if (isset($_SESSION['name']))
{
    if (isset($_SESSION['username']))
    {
        $username = $_SESSION['username'];
        $pswd = $_SESSION['pswd'];
    }
} else {
    require_once '../connection.php';

    // Escape the submitted values before they go into the query string.
    $username = mysql_real_escape_string($_POST['username']);
    $pswd = mysql_real_escape_string($_POST['pswd']);

    $query = "SELECT * FROM $users_table WHERE username='$username' AND password='$pswd'";
    $result = mysql_query($query);
    $check_num = mysql_num_rows($result);

    if ($check_num > 0)
    {
        while ($row = mysql_fetch_array($result))
        {
            // Take the stored values from the matching row.
            $name = $row["username"];
            $username = $row["username"];
            $user_type = $row["user_type"];
        }
    } else {
        echo "No User Found With The Supplied Details.";
        exit();
    }

    $_SESSION['name'] = $name;
    $_SESSION['username'] = $username;
    $_SESSION['user_type'] = $user_type;

    $name = ucfirst($name);
    $login_result = "<b>Welcome $name!</b><br><br>Please use the menu above.";

    echo "$login_result";
}

?>
[/code]
Link to comment
Share on other sites
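
The login lookup from the posts above, as an added example (not code from any poster in this thread) that uses a bound parameter and a hashed password check instead of building the query from the submitted strings. It assumes PDO with the SQLite driver, a `password_hash` column, and a constructed in-memory `users` table; `find_user` and `log_in` are hypothetical names.

```php
<?php
// Added example, not code from the thread. Assumed: PDO with the sqlite driver
// and a users table that stores password_hash() output instead of plaintext.

function find_user(PDO $db, string $username, string $password): ?array {
    // The placeholder keeps the submitted username out of the SQL text.
    $stmt = $db->prepare(
        'SELECT username, password_hash, user_type FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Check the password against the stored hash, not inside the WHERE clause.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return ['username' => $row['username'], 'user_type' => $row['user_type']];
}

// Call after session_start(), once find_user() has returned a user.
function log_in(array $user): void {
    session_regenerate_id(true);  // fresh session id once the user is authenticated
    $_SESSION['name'] = $user['username'];
    $_SESSION['username'] = $user['username'];
    $_SESSION['user_type'] = $user['user_type'];
}

// Constructed sample account in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, user_type TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?, ?)')
   ->execute(["o'brien", password_hash('constructed-pass', PASSWORD_DEFAULT), 'sales']);

// A quote in the username is handled as data; a wrong password or an unknown
// user both come back as null.
foreach ([["o'brien", 'constructed-pass'], ["o'brien", 'wrong'], ['nobody', 'x']] as [$u, $p]) {
    $user = find_user($db, $u, $p);
    echo $u, ': ', $user === null ? 'rejected' : 'ok, user_type=' . $user['user_type'], "\n";
}
```
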

Ok I have cleaned up the code as suggested by USER: rab....

Still haven't gotten to the user directory permissions yet, but here is the code:

[code]<?php

session_start();

if (! isset($_SESSION['name'])) {
    // No session name yet: nothing is looked up or checked in this branch.
    if (isset($_SESSION['username'])) {
        $username = $_SESSION['username'];
        $pswd = $_SESSION['pswd'];
    }
} else {
    // A session name exists: the login lookup runs again from $_POST.
    require_once '../connection.php';

    // Escape the submitted values before they go into the query string.
    $username = mysql_real_escape_string(stripslashes($_POST['username']));
    $pswd = mysql_real_escape_string(stripslashes($_POST['pswd']));

    $query = "SELECT * FROM $users_table WHERE username='$username' AND password='$pswd'";
    $result = mysql_query($query);
    $check_num = mysql_num_rows($result);

    if ($check_num > 0) {
        while ($row = mysql_fetch_array($result)) {
            $user_type = $row['user_type'];
        }
    } else {
        echo "<b><font color='red'>You need to be logged in to access this area.</font></b><br><br> <a href=\"../index.php\">Login Page</a><br><br>If you attempted to login, this message means that your username and/or password does not match a valid account, please <a href=\"../index.php\">try again</a>.";
        exit();
    }

    $_SESSION['name'] = $name;
    $_SESSION['username'] = $username;
    $_SESSION['user_type'] = $user_type;

    $name = ucfirst($name);
    $login_result = "Welcome $name<br><br>Please use the menu above";
    echo "$login_result";
}

?>[/code]

This code is in the root directory and called session_handler.php

In the /sales, /service, and /manager directory, all pages have a header.php file, inside this header file there is an include to ../session_handler.php, so all directories are using the same file and its code as listed above. The problem is that when you switch to a different directory say from /manager to /sales, it seems to kill the session variables, and catches this part of code

[code]
} else {
           
               echo "<b><font color='red'>You need to be logged in to access this area.</font></b><br><br> <a href=\"../index.php\">Login Page</a><br><br>If you attempted to login, this message means that your username and/or password does not match a valid account, please <a href=\"../index.php\">try again</a>.";
            exit();
            }
[/code]

Which seems to prove that the previous session vars are dead. Is this because when moving to another directory, it recalls the session_handler.php file when the new directory header is loaded and kills them with session_start() ???

Once I can get the session vars to carry over, I will work on the user_type and permissions to each directory...
Link to comment
Share on other sites
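
One way to do the per-directory check the thread is working toward, as an added example that is not code from any poster: a single guard, included from each directory's header.php, that only reads `$_SESSION['user_type']` and never re-runs the login query on a page load. The `ACCESS` map, the function names, the role values `manager`/`sales`/`service`, and the three directories sitting at the web root are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed: user_type is one of
// 'manager', 'sales', 'service' and the directories sit at the web root.

const ACCESS = [
    'manager' => ['manager', 'sales', 'service'],  // first entry = landing directory
    'sales'   => ['sales'],
    'service' => ['service'],
];

function top_directory(string $scriptPath): string {
    // "/sales/quotes/new.php" -> "sales"
    return explode('/', ltrim($scriptPath, '/'))[0];
}

function may_access(?string $userType, string $scriptPath): bool {
    if ($userType === null || !array_key_exists($userType, ACCESS)) {
        return false;  // missing or unknown role: deny by default
    }
    return in_array(top_directory($scriptPath), ACCESS[$userType], true);
}

function landing_page(string $userType): string {
    return '/' . ACCESS[$userType][0] . '/index.php';
}

// Call at the top of header.php in each directory; it reads the session only.
function require_access(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $type = $_SESSION['user_type'] ?? null;
    if (!may_access($type, $_SERVER['SCRIPT_NAME'])) {
        http_response_code($type === null ? 401 : 403);
        exit('You need to be logged in to access this area.');
    }
}

// Constructed checks, printed only when the file is run from the command line.
if (PHP_SAPI === 'cli') {
    $cases = [['manager', '/sales/a.php'], ['sales', '/manager/a.php'], [null, '/service/a.php']];
    foreach ($cases as [$type, $path]) {
        printf("%-8s %-16s %s\n", $type ?? '(none)', $path, may_access($type, $path) ? 'allow' : 'deny');
    }
    echo 'manager lands on ', landing_page('manager'), "\n";
}
```
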
