  1. #1
    Made with a Mac! philm's Avatar

    Session UID and PERMISSIONS

    Below is how the 'add news' page in my test site is set out; it's using sessions for user login/logout. ATM when I'm logged in as a normal non-admin user I can type in the URL for an admin page (/admin.php) and use the admin functions. Not ideal!!!

    PHP Code:
    <?
    session_start();
    if (!session_is_registered("SESSION_UID"))
    {
        echo "$session_uid";
        header("Location: error.php?ec=1");
        exit;
    }
    ?>

    <?
    if (!$submit)
    {
    ?>

    FORM HERE ATM

    <?
    }
    // or process form input
    else
    {
    ?>

    WRITE TO THE DATABASE HERE

    <?
    }
    ?>
    I'd like to add code similar to the 'check session' code at the top, but to check the permissions of the user as well. Below is the code that I think will do it?? .......

    PHP Code:
    <?
    // 'SESSION_UPERMS' holds the permission variable '$uperms'
    session_start();
    if (!session_is_registered("SESSION_UPERMS"))
    {
        echo "$session_uid";
        // this next line will send them to the error, unauthorised user page
        header("Location: error.php?ec=4");
        exit;
    }
    ?>
    ....... but I am unsure how to combine the 2 fragments together. If I put it in as is I get an error about header already sent or suchlike.

    Thanks in advance


  2. #2
    SitePoint Guru
    Edit: Oops, indeed the header part... Well, let's include then

    Just stick it in there..

    PHP Code:
    session_start();
    if(!session_is_registered("SESSION_UID"))
    {
    echo "$session_uid";
    header("Location: error.php?ec=1");
    exit;
    }

    // 'SESSION_UPERMS' holds the permission variable '$uperms'
    session_start();
    if(!session_is_registered("SESSION_UPERMS"))
    {
    echo "$session_uid is not an admin!";
    // this next line will send them to the error, unauthorised user page
    include("error.php?ec=4");
    exit;
    }

    if (!$submit)
    {
    ?>

    FORM HERE ATM

    <?
    }
    // or process form input
    else
    {
    ?>

    WRITE TO THE DATABASE HERE

    <?
    }
    ?>
    That should do it..

    Greets,

    Peanuts
    Last edited by peanuts; Nov 15, 2001 at 07:48.
    the neighbours' (free) WIFI makes it just a little more fun

  3. #3
    Made with a Mac! philm's Avatar

    thanks my personal guru but........

    .... it still lets me access the page when I log in as a user with no perms... But I found some more code which is used in the navbar to determine whether admin links appear or not.

    So I stuck it in and it's almost working. I can't access the page any longer which is good!!!!!, but I'm hoping you can point out my obvious error in the code below

    PHP Code:
    if ($SESSION_UPERMS == 0)
    {
        include("error.php?ec=4");
        exit;
    }

    The include isn't working, I'm getting the error below. Do 'includes' not work inside 'IF' statements?

    PHP Code:
    Warning: Failed opening 'error.php?ec=4' for inclusion (include_path='.:/usr/local/lib/php4/lib/php')
    in /u/web/xxxxx/xxxxx/news/delete.php on line 17
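
The checks from posts #1 to #3 combined into one guard, as an added example that is not code from the thread: it tests the permission value rather than only whether the session key exists, redirects before any output is sent, and hands the error code to the included file as a variable, because include takes a file path and does not parse a query string. Assumptions: current PHP with `$_SESSION`, the hypothetical function names `access_error()` and `require_perms()`, and an `error.php` that reads `$ec`.

```php
<?php
// Added example, not code from the thread. The session key names
// SESSION_UID and SESSION_UPERMS come from the posts; the function
// names and the $ec variable read by error.php are assumptions.

/**
 * Returns 0 when access is allowed, 1 when nobody is logged in,
 * 4 when the user is logged in without sufficient permissions.
 */
function access_error(array $session, int $minPerms): int
{
    if (!isset($session['SESSION_UID'])) {
        return 1;
    }
    // Compare the VALUE. A user with uperms 0 can still have the key
    // present, so an existence test alone does not keep them out.
    $perms = (int) ($session['SESSION_UPERMS'] ?? 0);
    return $perms >= $minPerms ? 0 : 4;
}

function require_perms(int $minPerms): void
{
    session_start();                 // call once per request
    // Read from $_SESSION, never from a bare global, so the value can
    // only come from the server-side session.
    $ec = access_error($_SESSION, $minPerms);
    if ($ec === 0) {
        return;
    }
    if (!headers_sent()) {
        // Nothing has been echoed yet, so a redirect is still possible.
        header('Location: error.php?ec=' . $ec);
    } else {
        // include needs a filesystem path; the included file sees $ec
        // because it inherits this function's scope.
        include __DIR__ . '/error.php';
    }
    exit;                            // never fall through to the page body
}

// At the very top of admin.php, before any HTML, whitespace or echo:
// require_perms(1);
```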

  4. #4
    SitePoint Enthusiast lieblick's Avatar
    I kinda skimmed the code ... I was interested because I'm in the planning phase for some user stuff with sessions and cookies and what not ...

    I think you need to tie it into the DB. Have a 'loggedinusers' table ... when they sign in, check their user profile to see if they have perms, then insert that in the logged in users table as a 0 or 1 or whatever ...

  5. #5
    Made with a Mac! philm's Avatar
    Yeah, you're right, I already have a table for that....

    PHP Code:
    CREATE TABLE news_users (
       uid tinyint(3) unsigned NOT NULL auto_increment,
       uname varchar(10) NOT NULL,
       upass varchar(10) NOT NULL,
       uperms tinyint(4) DEFAULT '0' NOT NULL,
       PRIMARY KEY (uid),
       UNIQUE uname (uname)
    );
    It all works really well now I fixed the security breach..LOL It just kinda looks a bit ugly till I can get the 'include' working.

  6. #6
    SitePoint Guru
    I would show you my system but don't have time now..

    What I do is I have tables:

    users
    groups
    groupsusers
    grouppage

    First I check the user and his password, then if they are correct I also retrieve the Group the user is in.. I put this in an array (so the user can be in more than 1 group)

    Now when I enter a page that is protected for certain groups I do a check on the group versus the page..

    I might have time to show you after the weekend but I'm sorry no sooner..

    Greets,

    Peanuts
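
A sketch of the group-versus-page check described in post #6, as an added example that is not the poster's system. Only the table names `groupsusers` and `grouppage` come from the post; the columns, sample rows and function names are assumptions, `users` and `groups` are omitted because the check never reads them, and an in-memory SQLite database (pdo_sqlite) stands in for the real one.

```php
<?php
// Added example. Columns, rows and function names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("
    CREATE TABLE groupsusers (gid INTEGER, uid INTEGER, PRIMARY KEY (gid, uid));
    CREATE TABLE grouppage   (gid INTEGER, page TEXT,   PRIMARY KEY (gid, page));
    -- constructed rows: group 1 = admins, group 2 = editors
    INSERT INTO groupsusers VALUES (1, 10), (2, 10), (2, 20);
    INSERT INTO grouppage   VALUES (1, '/admin.php'), (2, '/news/add.php');
");

// At login, after the password check: fetch every group the user is in.
// The resulting array is what would be stored in the session.
function user_groups(PDO $db, int $uid): array
{
    $st = $db->prepare('SELECT gid FROM groupsusers WHERE uid = ? ORDER BY gid');
    $st->execute([$uid]);
    return array_map('intval', $st->fetchAll(PDO::FETCH_COLUMN));
}

// On each protected page: is any of the user's groups mapped to it?
// A page with no matching row is denied, so forgetting to register a
// new admin page fails closed instead of open.
function may_view(PDO $db, array $gids, string $page): bool
{
    if ($gids === []) {
        return false;
    }
    // One placeholder per group id keeps the query fully parameterised.
    $marks = implode(',', array_fill(0, count($gids), '?'));
    $st = $db->prepare(
        "SELECT 1 FROM grouppage WHERE page = ? AND gid IN ($marks) LIMIT 1"
    );
    $st->execute(array_merge([$page], array_values($gids)));
    return $st->fetchColumn() !== false;
}

$editor = user_groups($db, 20);   // member of the editors group only
$admin  = user_groups($db, 10);   // member of both groups
var_dump(may_view($db, $editor, '/admin.php'));     // editor asks for the admin page
var_dump(may_view($db, $admin, '/admin.php'));      // admin asks for the admin page
var_dump(may_view($db, $editor, '/news/add.php'));  // editor asks for an editor page
```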

  7. #7
    Made with a Mac! philm's Avatar

    cool!!

    np, have a good one!!!!


