[RESOLVED] members vs admin

fearfx

I have a problem actually a big one

the application i created has a members area and an admin area

now when a member logs in they have access to my admin are

and I don't know why this is

i need help

bpat1434

We need code.....

The most probable cause is that you aren't properly checking the users access.

fearfx

ok this is my secure_page file for members

  // log out if no session or user deleted
  $auth = false;
  if (isset($_SESSION['username']) && isset($_SESSION['email'])) {
	$result = mysql_query("SELECT COUNT(*) FROM wsd_members WHERE username = '" . addslashes($_SESSION['username']) . "'");
	if ($result) {
	  if ($frow = mysql_fetch_row($result)) {
		if ($frow[0] > 0) {
		  $auth = true;
		}
	  }
	}
  }

  if (!$auth) {
	if (isset($_SESSION)) {
	  while (list ($key, $val) = each ($_SESSION)) {
		session_unregister($key);
	  }
	  session_destroy();
	}
	header("Location: please_login.php");
	exit();

  }

here is my secure_page for ADMINS

  // log out if no session
  if (!isset($_SESSION['username'])) {
	if (isset($_SESSION)) {
	  while (list ($key, $val) = each ($_SESSION)) {
		session_unregister($key);
	  }
	  session_destroy();
	}
	header("Location: ./login.php");
	exit();

  }

fearfx

so the problem is

when I log in as member i can view admin

and when i log in as admin i can view members also

bpat1434

You need to implement a system of access. Either numeric levels, or textual level labels or database driven levels. Hold the user level in the database, and then for every page access query the database for the level or store the level in the session and reference that.

If they don't hold a high-enough (or not the correct bit) then they're denied access.

One way to do this is to use the bit-wise operators to define levels of access:

        +[ User Access Levels :: Binary Style ]+
        |  Admin  | Another | Member |  Guest  |
        +---------+---------+--------+---------+
Binary  |    1    |    1    |    1   |    1    |
        +---------+---------+--------+---------+
Value   |    8    |    4    |    2   |    1    |
        +--------------------------------------+

Now, if the they have access 1, then they're a guest and can't see much. 2 means they've authenticated and can see the members area. 4 means they're something else on the site, and 8 means Admin.

Now, you can combine these and create multiple levels for one user. So say one person was a part of both Admin and Member, then you'd add 8 and 2 to get 10. Now, when you do a comparison in the admin section like this:

if($_SESSION['access_level'] & 8)

then it will return true because 8 is a set bit in the number 10. For a better example:
Admin ............... : 1000
Member ............ : 0010
Admin & Member: 1010

Notice how they combine to make 10? It's confusing at first, but a short tutorial on binary numbers will help you out. You can keep going exponentially as many levels as you need. It's a very nice system. What the "&" bitwise operator does is see if the 4th bit (4th from the right: the value of 8) is set in the access level (10) in which case it is.

Hope that helps.