Hey all~!
I'm developing a website structure which hopefully I can use for one website, then just take the core workings and redevelop the front end for a different website (with custom features too).
Currently, I'm at the initial stages with an overall plan of what I want, but not much of a plan of how to implement it yet.. but that doesn't matter too much at this stage. What I am trying to do, however, is get the user auth/access bit done and out of the way before I continue onto anything else.
So far I have a class which basically just checks to see if a user is logged in; if they are, check the password etc., and if they're not, authorise an anon user.
I have another class which extends the above (not sure if it's the best way of doing it, but I've done it anyway as it seems logical to inherit the data from the user class). This subclass is for page access. At the moment, to keep it simple, it will just restrict the overall pages (such as public and admin). However, I do want to extend this even more to allow for certain user privileges within those "admin" pages; I'm assuming this will click into place shortly.
My question, however (before I blab even more about unnecessary stuff!), is how I should handle the determined pages displayed to the user. For example, what just came to mind is a login page, or an access denied page.
I just had a thought about setting a session variable, called something like overwritingPage or similar.. which if set, the actual page wouldn't be loaded.. but instead the later code would display either the login page or whatever.
The reason why I'm thinking about doing it this way is that I want the code in the initial stages of the loading (user auth etc.) separate from the actual page..
I probably seem very confused as to how this all works.. so if anyone could guide me, or suggest how to do this in a better way, please do! 🙂
To give an idea of what I'm working on, here's my code so far:
Currently working on the PageAccess class; the else if/else statements and promptLogin are unfinished.. pondering on how to do it the best way..
<?php
// User class: identifies the current visitor from the session, or falls back to the anonymous user.
// Guarding session_start() avoids the "session already started" notice when the page has called it too.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
if ( !defined('IN_TAP') ) {
    die("Hacking attempt");
}
class User
{
    public $isLoggedIn = false;
    public $username;
    public $password;
    public $failedUsername;

    public function __construct() {
        $this->isLoggedIn = false;
        if( !isset($_SESSION['tms_user']) || $_SESSION['tms_user'] == null) {
            // not logged in yet, set anon
            $this->username = ANON_USER;
            $this->password = ANON_PASS;
        }
        else {
            // gather known details
            $this->username = $_SESSION['tms_user'];
            $this->password = isset($_SESSION['tms_pass']) ? $_SESSION['tms_pass'] : '';
        }
        if( $this->UserPassCheck() == true) {
            $this->isLoggedIn = true;
        }
        else {
            $this->failedUsername = $this->username;
            $this->LogoutSetAnon();
        }
    }
    private function LogoutSetAnon() {
        $this->username = ANON_USER;
        $this->password = ANON_PASS;
        $_SESSION['tms_user'] = ANON_USER;
        $_SESSION['tms_pass'] = ANON_PASS;
    }
    public function getDetail($detail) {
        // Assumes global.php opened a mysqli connection in $db (the original used the removed mysql_* API).
        // The username is bound as a parameter instead of being pasted into the SQL string,
        // so a session value containing a quote cannot change the query.
        global $db;
        $stmt = $db->prepare("SELECT * FROM " . DBTBL_USER . " WHERE user = ?");
        $stmt->bind_param('s', $this->username);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        return ($row && array_key_exists($detail, $row)) ? $row[$detail] : null;
    }
    public function UserPassCheck() {
        // strict, constant-time string comparison rather than loose ==
        return hash_equals((string) $this->getDetail('pass'), (string) $this->password);
    }
}
?>
<?php
// PageAccess: compares the visitor's level with the level the current page requires.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
if ( !defined('IN_TAP') ) {
    die("Hacking attempt");
}
class PageAccess extends User
{
    public $allowedAccess = false;
    public $userLevel;
    public $pageLevel;

    public function __construct() {
        global $pageAccessLevel;
        parent::__construct();
        $this->allowedAccess = false;
        $this->userLevel = (int) $this->getDetail('level');
        $this->pageLevel = (int) $pageAccessLevel;
        if( $this->pageLevel == 0 ) { // page open to all
            $this->allowedAccess = true;
        }
        else if ( $this->pageLevel > 0 && $this->userLevel == 0 ) { // needs login
            $this->allowedAccess = false;
            $this->promptLogin();
        }
        else { // already logged in, check allowed access
            $this->allowedAccess = $this->allowAccessCheck();
        }
    }
    private function allowAccessCheck() {
        return $this->userLevel >= $this->pageLevel;
    }
    private function promptLogin() {
        // unfinished in the post; the idea described above is a session flag that
        // makes the later code render the login page instead of the requested one
        $_SESSION['overwritingPage'] = 'login';
    }
}
?>
<?php
session_start();
define('IN_TAP', true);
include('global.php');
// setting these to simulate someone already logged in.. login page would somehow set these otherwise
$_SESSION['tms_user'] = "User5";
$_SESSION['tms_pass'] = encrypt("asd");
$pageAccessLevel = 5;
$usr = new User;
$auth = new PageAccess;
// $auth->allowedAccess used for true/false.. should page be loaded?
echo var_export($usr->isLoggedIn, true) . ' / allowed: ' . var_export($auth->allowedAccess, true);
// values are HTML-escaped before output since they come from the session, not from this file
echo '<br>' . htmlspecialchars($usr->username) . ' (' . htmlspecialchars((string) $usr->getDetail('level')) . ') '
    . htmlspecialchars((string) $usr->password) . '<br><br><br>';
?>
Oh! And I also have a query about the bigger, well-developed sites like phpBB.. I'm assuming these use classes for user auth, but do they even use sessions? I'm confused as to whether you even need sessions if doing classes for user access properly.. the main reason why I think this is that I never see SESSION_START on their pages.
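Here is an added example sketch (my own, not the poster's code) of the same three pieces with the session holding only the user's identity after login, the password checked with password_verify instead of a loose comparison of a stored value, and the "overwritingPage" decision made once before any page body runs. $USERS stands in for the DBTBL_USER table with constructed data; login(), currentLevel() and gate() are hypothetical names.

```php
<?php
// Added example, not the poster's code. Only the user's identity goes into the
// session after a successful login; the password (or its hash) never does.
declare(strict_types=1);

const ANON_LEVEL = 0;

// Constructed stand-in for the DBTBL_USER table: username => [hash, level].
$USERS = [
    'User5' => ['hash' => password_hash('asd', PASSWORD_DEFAULT), 'level' => 5],
];

// Hypothetical login routine: verify the submitted password against the stored
// hash and, on success, rotate the session id and store just the user id.
function login(array $users, string $user, string $pass): bool {
    if (!isset($users[$user]) || !password_verify($pass, $users[$user]['hash'])) {
        return false; // same answer for unknown user and wrong password
    }
    session_regenerate_id(true); // fresh id once privileges change (session fixation defence)
    $_SESSION['uid'] = $user;
    return true;
}

// Level of the current visitor, looked up from the user table on every request
// so a level change takes effect without the user logging in again.
function currentLevel(array $users): int {
    $uid = $_SESSION['uid'] ?? null;
    return ($uid !== null && isset($users[$uid])) ? (int) $users[$uid]['level'] : ANON_LEVEL;
}

// The "overwritingPage" decision: null means render the requested page,
// otherwise the name of the page to show instead (login or access denied).
function gate(int $pageLevel, int $userLevel): ?string {
    if ($pageLevel === 0 || $userLevel >= $pageLevel) {
        return null;
    }
    return $userLevel === ANON_LEVEL ? 'login' : 'denied';
}

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

$pageAccessLevel = 5; // requirement of the page being served
echo (gate($pageAccessLevel, currentLevel($USERS)) ?? 'page'), "\n"; // anon visitor: login
login($USERS, 'User5', 'asd');
echo (gate($pageAccessLevel, currentLevel($USERS)) ?? 'page'), "\n"; // level 5 >= 5: page
$pageAccessLevel = 9;
echo (gate($pageAccessLevel, currentLevel($USERS)) ?? 'page'), "\n"; // logged in, too low: denied
```

The page body would then `require` the override page and `exit` when gate() returns a name, which keeps the auth code in front of, and separate from, the page itself as described above.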