metalhead41 Posted January 17, 2008

Hi guys, I'm fairly new to PHP so please be gentle.

I'm currently building a site that's going to have a staff-only area. Now here's where it gets a bit confusing: I only want one or 2 people, when they log in, to be able to upload files and see the download files as well. (The upload script appends files to the download script.) The people uploading are going to be the ones in charge of this area.

I've got an idea how to do the if statement side of things to show different bits, I'm just confused as to how to give users certain access rights... I'm assuming this will be achieved with a relational database.

The other thing as well is I don't want the users registering the accounts, I will be adding them in (it's a school site, so I don't want the kids getting access). How would I go about this?
drummer101 Posted January 17, 2008

user_level 1 = user
user_level 2 = admin

where user_level is a table on your database.

Check user_level on login; if they have auth level 2 give them the admin links, else give them the standard user links.

MAKE SURE you check auth level on all your "restricted pages". If they don't meet the auth level required, either direct them to login if they haven't or tell them they aren't authorized to access that page.
Aureole Posted January 17, 2008

You could have a field in the members table called mem_admin or maybe mem_can_upload or whatever you need. Then set it to "1" for people you want to have access and "0" otherwise.

Then when they log in assign that value to the $_SESSION array... then just check the value of it on any page with restricted access.

That's a very basic way of doing it but it will work.
tinker Posted January 17, 2008

Have a user_level field as drummer101 says. At install allocate a superadmin account and set the user_level to 3. Then when others register or are added this user gets to set the user_level for others. Maybe the admins get to set certain features of registered user accounts. But say admins can't do full backups of your database, but are allowed to upload files, but maybe not delete other admins' files, only their own, etc, etc...

0 = no rights
1 = registered user
2 = admin
3 = superadmin
metalhead41 Posted January 17, 2008 (Author)

> user_level 1 = user
> user_level 2 = admin
>
> where user_level is a table on your database.
>
> Check user_level on login; if they have auth level 2 give them the admin links, else give them the standard user links.
>
> MAKE SURE you check auth level on all your "restricted pages". If they don't meet the auth level required, either direct them to login if they haven't or tell them they aren't authorized to access that page.

If I made a table called user_level and had another table called staff, how would I go about making it a relational database? Does it need to be in a relational database for that matter?
Aureole Posted January 17, 2008

It doesn't need to be...
tinker Posted January 17, 2008

Depends how you want to access it. If you were using groups and you can be a member of multiple groups I'd definitely say yes, but here I might not.
metalhead41 Posted January 19, 2008 (Author)

Cheers for the advice, I've managed to get it working with a register page now :-).

What I'm trying to do is have a staff area on a school website that only teachers can access. I will be registering the accounts as I don't want the kids to register and get unauthorised access. Inside the staff area, depending on account level, staff will be able to upload weekly bulletins and other files, and will also be able to download them again. Other members of staff will only be able to download the uploaded files (so will not be able to see the upload part of the page).

I have the upload/download scripts working already, I just need to work out how to make a query to get the user to see what I want them to. I'm assuming it's going to be an if/else statement... ???
awpti Posted January 19, 2008

```sql
CREATE TABLE `school_users` (
  `id` int not null primary key auto_increment,
  `username` varchar(32),
  `password` varchar(40),
  `user_level` int default 1
);
```

So, simple table. No need for Relationships.

In code:

```php
if ($db_data['user_level'] >= 1) {
    // show user menu
}
if ($db_data['user_level'] >= 2) {
    // show admin menu
}
```
metalhead41 Posted January 19, 2008 (Author)

YAY it's almost working, only bit I'm having problems with is querying the table to include the username and user level. At the moment I'm using:

```php
<?
$query="SELECT username AND account FROM users";
$result=mysql_query($query);
if($query = '1'){
?>
<?php include ("upload.php"); ?>
<?php include ("download.php"); ?>
<?
}
if($query = '2'){
include 'download.php';
}
?>
```

Maybe I'm over complicating things...
metalhead41 Posted January 20, 2008 (Author)

Right, I'm trying this:

```php
<?php
// like i said, we must never forget to start the session
session_start();

// is the one accessing this page logged in or not?
if (!isset($_SESSION['db_is_logged_in']) || $_SESSION['db_is_logged_in'] !== true) {
    // not logged in, move to login page
    header('Location: login2.php');
    exit;
}

$errorMessage = '';

include 'library/config.php';
include 'library/opendb.php';

// check if the user id and password combination exist in database
$admin = "SELECT account FROM users WHERE account = 1";
$result = mysql_query($admin) or die('Query failed. ' . mysql_error());

if($_SESSION['account'] = $admin['account']){
    echo "I am ADMIN";
}
else{
    echo "I am NOT ADMIN";
}

include 'library/closedb.php';
?>
```

It prints "I am ADMIN" for everyone, not just the admins. I'm assuming I'm missing something. Any help?
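
An added example, not part of the thread: one way to do the per-page level check drummer101 describes, and to avoid the last post's result, where the condition uses `=` (assignment) and the query is never tied to the logged-in user. Table and column names follow awpti's `school_users` schema; the in-memory SQLite database, the `username` session key, the sample rows and the helper names `currentLevel()` and `can()` are assumptions made so the block runs on its own.

```php
<?php
// Added example, not code from the thread. Sample rows and helper names are constructed.
const LEVEL_USER = 1;
const LEVEL_ADMIN = 2;

// In-memory SQLite stands in for the site's MySQL database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE school_users (
    id INTEGER PRIMARY KEY, username TEXT UNIQUE, user_level INTEGER DEFAULT 1)');
$db->exec("INSERT INTO school_users (username, user_level) VALUES
    ('head_teacher', 2), ('maths_teacher', 1)");

// Look up the level of ONE user: the one named in the session.
// A prepared statement keeps the username out of the SQL text.
function currentLevel(PDO $db, array $session): int
{
    if (($session['db_is_logged_in'] ?? false) !== true
        || !isset($session['username'])) {
        return 0; // not logged in: no rights
    }
    $stmt = $db->prepare('SELECT user_level FROM school_users WHERE username = ?');
    $stmt->execute([$session['username']]);
    $level = $stmt->fetchColumn(); // false when the account no longer exists
    return $level === false ? 0 : (int) $level;
}

// A comparison (>=), never an assignment (=), decides what the page may do.
function can(PDO $db, array $session, int $required): bool
{
    return currentLevel($db, $session) >= $required;
}

// Constructed sessions standing in for $_SESSION after login.
$sessions = [
    ['db_is_logged_in' => true, 'username' => 'head_teacher'],
    ['db_is_logged_in' => true, 'username' => 'maths_teacher'],
    [], // anonymous visitor
];
foreach ($sessions as $s) {
    $who = $s['username'] ?? 'anonymous';
    echo $who, ': download=', can($db, $s, LEVEL_USER) ? 'yes' : 'no',
         ' upload=', can($db, $s, LEVEL_ADMIN) ? 'yes' : 'no', PHP_EOL;
}
```

In the thread's layout the same check would run at the top of upload.php and download.php themselves, not only on the page that decides which of them to include, so that requesting those scripts directly is also refused.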