Restricting Access

  1. #1
    Junior Member
    Join Date
    Jan 2013
    Posts
    3

    Post Restricting Access

    Please help with what and where to add to the code to restrict access to only my admins. I only have 2 admin accounts so I could do it by their usernames or IDs. Below is the authentication code that I'm using.

    <?php
    // Initialize the session.
    if (!isset($_SESSION)) {
        session_start();
    }

    // ** Logout the current user. **
    $logoutAction = $_SERVER['PHP_SELF'] . "?doLogout=true";
    if ((isset($_SERVER['QUERY_STRING'])) && ($_SERVER['QUERY_STRING'] != "")) {
        $logoutAction .= "&" . htmlentities($_SERVER['QUERY_STRING']);
    }

    if ((isset($_GET['doLogout'])) && ($_GET['doLogout'] == "true")) {
        // To fully log out a visitor we need to clear the session variables.
        $_SESSION['MM_Username'] = NULL;
        $_SESSION['MM_UserGroup'] = NULL;
        $_SESSION['PrevUrl'] = NULL;
        unset($_SESSION['MM_Username']);
        unset($_SESSION['MM_UserGroup']);
        unset($_SESSION['PrevUrl']);

        $logoutGoTo = "index.php";
        if ($logoutGoTo) {
            header("Location: $logoutGoTo");
            exit;
        }
    }
    ?>
    <?php
    if (!isset($_SESSION)) {
        session_start();
    }
    // Comma-separated list of groups allowed on this page; empty means no group restriction.
    $MM_authorizedUsers = "";
    $MM_donotCheckaccess = "true";

    // *** Restrict Access To Page: Grant or deny access to this page
    function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
        // For security, start by assuming the visitor is NOT authorized.
        $isValid = false;

        // When a visitor has logged into this site, the Session variable MM_Username is set equal to their username.
        // Therefore, we know that a user is NOT logged in if that Session variable is blank.
        if (!empty($UserName)) {
            // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
            // Parse the strings into arrays.
            $arrUsers = explode(",", $strUsers);
            $arrGroups = explode(",", $strGroups);
            if (in_array($UserName, $arrUsers)) {
                $isValid = true;
            }
            // Or, you may restrict access to only certain users based on their group.
            if (in_array($UserGroup, $arrGroups)) {
                $isValid = true;
            }
            // NOTE: $strUsers is passed as "" below, so this branch is always taken:
            // every logged-in user is authorized, whatever $MM_authorizedUsers contains.
            // That is why this page is not yet restricted to admins.
            if (($strUsers == "") && true) {
                $isValid = true;
            }
        }
        return $isValid;
    }

    $MM_restrictGoTo = "login-admin.php";
    // Guard the group lookup so an unset MM_UserGroup does not raise a notice.
    $MM_userGroup = isset($_SESSION['MM_UserGroup']) ? $_SESSION['MM_UserGroup'] : "";
    if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("", $MM_authorizedUsers, $_SESSION['MM_Username'], $MM_userGroup)))) {
        $MM_qsChar = "?";
        $MM_referrer = $_SERVER['PHP_SELF'];
        if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
        if (isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']) > 0)
            $MM_referrer .= "?" . $_SERVER['QUERY_STRING'];
        $MM_restrictGoTo = $MM_restrictGoTo . $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
        header("Location: " . $MM_restrictGoTo);
        exit;
    }
    ?>

  2. #2
    Senior Member
    Join Date
    Jul 2007
    Posts
    3,666
    Without wading through all the code you posted (which I'm especially disinclined to do since you don't even bother putting [php] tags around it), I'd say you're better off storing admin accessibility in the database. Now, it's unlikely that you'll change primary keys for rows in the user table in the (near) future. But IF it ever happens, you (or whomever is maintaining the code 5-10 years down the road) will
    1. most likely forget about updating those id checks in the PHP code, which in the best case scenario means no one gets admin access, and in the worst case scenario gives a malicious user (assume they all are unless otherwise known) admin access.
    2. have a lot of code to wade through to find those id checks
    3. not be 100% certain that you found all such places

    In its simplest form, you'd simply have an admin_access boolean defaulting to false. Or, lacking boolean, int unsigned (of the smallest possible kind in your DBMS). Then, assuming you have a user class for which you instantiate objects, you'd simply
    if (!$user->getAdminAccess())
    {
        # Option 1:
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
    # Continue processing for admins
    However, it might make sense to create a separate table access(user_id, access int unsigned, /*possibly: access_name varchar*/). You may then have several different access values, and a user may have one or more access rights. And separate pages, db tables or whatever else you want to protect may be available to one (or possibly more) access rights values, depending on how you design it.
    For example, user_admin access might enable ban user, unban user, delete user as well as delete forum post and move post. At the same time, forum_moderator access might also have access to delete forum post and move post. But you could also set it up so that user_admin includes forum_moderator access by default and only allow forum_moderator to actually moderate forums - meaning that you _could_ have a user_admin without forum rights, even if they get those by default as well.

  3. #3
    Junior Member
    Join Date
    Jan 2013
    Posts
    3
    I do have an "admin" field in the database designating who has admin rights. When I tried to restrict a page by username, password and admin level though, I got an error message that the login page didn't require admin and I was unsure how to fix this.

  4. #4
    Senior Member
    Join Date
    Jul 2007
    Posts
    3,666
    Well, in that case you have some kind of coding error. You'd be the most likely one to know what it is since you're the one with the error message.

    But my point was: use the admin value. You don't have to check anything else (like name, id, how many cats they own etc). if ($user->isAdmin()) is sufficient.
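The database-backed check that replies #2 and #4 describe, written out as an added example (this is not code from the thread or from any project the posters use): a user class that reads a single admin_access boolean, plus the optional access(user_id, access, access_name) table from reply #2, and a deny-by-default guard that returns 403. Table names, column names, the User class, isAllowed()/requireAccess() and the demo rows are all assumptions for illustration; the in-memory SQLite database exists only so the script runs offline.

```php
<?php
// Added example, not the thread's code. Assumed schema: users(id, username,
// admin_access) and access(user_id, access, access_name). Run: php access_demo.php
declare(strict_types=1);

final class User
{
    private PDO $db;
    public int $id;
    public string $username;
    private bool $adminAccess;

    public function __construct(PDO $db, int $id, string $username, bool $adminAccess)
    {
        $this->db = $db;
        $this->id = $id;
        $this->username = $username;
        $this->adminAccess = $adminAccess;
    }

    // Load a user by primary key; returns null when no such row exists.
    public static function load(PDO $db, int $id): ?User
    {
        $stmt = $db->prepare('SELECT id, username, admin_access FROM users WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return null;
        }
        return new User($db, (int) $row['id'], (string) $row['username'], (bool) $row['admin_access']);
    }

    // Option 1 from reply #2: one admin_access flag, stored as 0/1, default 0.
    public function getAdminAccess(): bool
    {
        return $this->adminAccess;
    }

    // Option 2 from reply #2: named rights in a separate access table;
    // a user may hold several of them.
    public function hasAccess(string $accessName): bool
    {
        $stmt = $this->db->prepare(
            'SELECT 1 FROM access WHERE user_id = :uid AND access_name = :name LIMIT 1'
        );
        $stmt->execute([':uid' => $this->id, ':name' => $accessName]);
        return $stmt->fetchColumn() !== false;
    }
}

// Deny by default: no session user, or a user without the right, is refused.
// Kept as a pure function so the decision can be unit-tested; the 403 lives below.
function isAllowed(?User $user, string $accessName): bool
{
    if ($user === null) {
        return false;
    }
    return $user->hasAccess($accessName);
}

// Page guard in the shape reply #2 shows: refuse with 403 and stop.
function requireAccess(?User $user, string $accessName): void
{
    if (!isAllowed($user, $accessName)) {
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
}

// Constructed demo data (not real accounts). SQLite has no UNSIGNED, so the
// access column is plain INTEGER here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, admin_access INTEGER NOT NULL DEFAULT 0)');
$db->exec('CREATE TABLE access (user_id INTEGER NOT NULL, access INTEGER NOT NULL, access_name TEXT NOT NULL)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 1), (2, 'bob', 0)");
// alice is user_admin and, as reply #2 suggests, gets forum_moderator by default;
// bob is a moderator only.
$db->exec("INSERT INTO access VALUES (1, 1, 'user_admin'), (1, 2, 'forum_moderator'), (2, 2, 'forum_moderator')");

$alice  = User::load($db, 1);
$bob    = User::load($db, 2);
$nobody = User::load($db, 99);   // no such row: behaves like "not logged in"

var_dump($alice->getAdminAccess());
var_dump($bob->getAdminAccess());
var_dump(isAllowed($alice, 'user_admin'));
var_dump(isAllowed($bob, 'user_admin'));
var_dump(isAllowed($bob, 'forum_moderator'));
var_dump(isAllowed($nobody, 'forum_moderator'));
```

In a real page the session would supply the user id (for example the MM_Username lookup from the first post, resolved to a row), and the top of an admin-only script would be a single requireAccess($user, 'user_admin') call; the id list the original question wanted to hard-code never appears in PHP, which is exactly the maintenance problem reply #2 points at.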

  5. #5
    Junior Member
    Join Date
    Jan 2013
    Posts
    3
    Thanks for trying to help. I found a tutorial on YouTube that I think will help me figure it out. Thanks again!
