Hi everyone, I am developing an application that has two views: one for the administrator and one for staff. The administrator can perform all application tasks and staff can ONLY perform certain tasks. I have implemented sessions quite alright and they are working. Now the problem is that when I log in as staff and then change the URL to point to an administrator's page, the application allows that. How can I prevent that from happening? Staff MUST NOT see administrators' pages. Here are my login code, logout code and the code I am using to protect web pages.
Here is my login code
<?php
//start the session
session_start();
$username=$_POST['username'];
$password=$_POST['password'];
// md5() of the submitted password; the value stored in the table must be the same md5 hash
$encrypted=md5($password);
// set connection to database
$hostname="localhost"; // Host name
$mysql_server_username="root"; // Mysql username
$server_password=""; // Mysql password
$db_name="db_inventory"; // Database name
$table = "tbl_users"; // Table name
// Connect to server and select database.
mysql_connect($hostname, $mysql_server_username, $server_password) or die("cannot connect to database server");
mysql_select_db($db_name) or die ("Couldn't select the database.");
// escape the username before it goes into the query so quotes in the input cannot change the SQL
$safe_username = mysql_real_escape_string($username);
$admin=("select * from $table where username='$safe_username' AND password='$encrypted' AND type = 'admin'");
$staff=("select * from $table where username='$safe_username' AND password='$encrypted' AND type = 'staff'");
//check that at least one row was returned
$adminresult=mysql_query($admin);
$admincount = mysql_num_rows($adminresult);
$staffresult=mysql_query($staff);
$staffcount = mysql_num_rows($staffresult);
if($admincount> 0){
$_SESSION['valid_user'] = $username ;
header( "Location: main_menu.php" );
exit; // stop here so nothing below is sent after the redirect header
}
else if($staffcount> 0){
$_SESSION['valid_user'] = $username ;
header( "Location: staff/main_menu.php" );
exit;
}
else
{
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title> | Login</title>
</head>
<body bgcolor="#FFFFFF" style="background-repeat:no-repeat;" background="images/images1.jpg">
<div align="center">
<table width="800" height="501" border="0" cellpadding="1" cellspacing="1">
<tr>
<td height="100"> </td>
</tr>
<tr>
<td height="350">
<div align="center">
<form method="post" action="login_process.php">
<h4 align="center"><font color="red">Incorrect Username / Password ! Please Try Again</font></h4>
<img name="" src=images/padlock_closed.gif width="34" height="32" alt="" /><br /><br />
<table width="314" border="0" cellspacing="1" cellpadding="1">
<tr>
<td>Username:</td>
<td><label>
<input type="text" name="username" />
</label></td>
</tr>
<tr>
<td>Password:</td>
<td><label>
<input type="password" name="password" />
</label></td>
</tr>
<tr>
<td colspan="2">
<p>
<input type="submit" name ="submit" value="Login" /> <input type="reset" value="Reset" />
</p>
</td>
</tr>
</table>
</form>
</div>
</td>
</tr>
<tr>
<td height="100"> </td>
</tr>
</table>
</div>
</body>
</html>
<?php
}
?>
Here is my logout code
<?php
//start the session
session_start();
//check to make sure the session variable is registered
if(isset($_SESSION['valid_user'])){
//session variable is registered, the user is ready to logout
session_unset();
session_destroy();
//send the user back to the login page
header( "Location: index.php" );
exit;
}
else
{
//the session variable isn't registered, the user shouldn't even be on this page
//redirect to login page
header( "Location: index.php" );
exit;
}
?>
Here is the code I am using to protect pages
<?php
//start the session
session_start();
//check to make sure the session variable is registered
if(!isset($_SESSION['valid_user'])){
//redirect to login page
header( "Location: index.php" );
exit; // without this the HTML below is still sent to the browser along with the redirect header
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title> | Main Menu</title>
<link rel="stylesheet" type="text/css" href="css.css" />
</head>
<body>
<div id="tabsF">
<ul>
<!-- CSS Tabs -->
<li id="current"><a href="main_menu.php"><span>MAIN MENU</span></a></li>
<li><a href="stockmaster.php"><span>STOCK MASTER</span></a></li>
<li><a href="controlpanel.php"><span>CONTROL PANEL</span></a></li>
<li><a href="logout.php"><span>LOGOUT</span></a></li>
</ul>
</div>
</body>
</html>
Thank you.
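The check above only asks whether somebody is logged in, not who they are, so a staff session passes the admin page's test. One way to close that gap, written here as an added example rather than code from the original post: record the user's role in the session at login and have every protected page name the roles that may view it. It assumes a mysqli connection $db, a table tbl_users with columns username, password_hash (the output of PHP's password_hash(), so existing md5 values would have to be re-hashed) and type ('admin' or 'staff'), and a file name auth.php; all of those names are assumptions.

```php
<?php
// auth.php -- added example, not code from the original post.
// Assumed schema: tbl_users(username, password_hash, type) where password_hash
// holds the output of password_hash() and type is 'admin' or 'staff'.
// The table/column names, the $db mysqli handle and this file name are assumptions.

// Look the user up once, verify the password, and record BOTH who logged in
// and which role they hold. Returns the role on success, null on failure.
function login(mysqli $db, string $username, string $password): ?string
{
    $stmt = $db->prepare(
        'SELECT password_hash, type FROM tbl_users WHERE username = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username);   // bound parameter: no SQL built from input
    $stmt->execute();
    $stmt->bind_result($hash, $role);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found || !password_verify($password, $hash)) {
        return null;                      // unknown user or wrong password
    }

    session_regenerate_id(true);          // fresh session id once privileges change
    $_SESSION['valid_user'] = $username;
    $_SESSION['role'] = $role;            // this is what the page check needs
    return $role;
}

// Call at the top of every protected page, after session_start(), with the
// roles allowed to view it. Anyone not logged in goes to the login page; a
// logged-in user with the wrong role gets 403, whatever URL they typed.
function require_role(string ...$allowed): void
{
    if (!isset($_SESSION['valid_user'], $_SESSION['role'])) {
        header('Location: index.php');
        exit;                             // exit so the page body is never sent
    }
    if (!in_array($_SESSION['role'], $allowed, true)) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```

With this, login_process.php calls session_start(), then `$role = login($db, $_POST['username'], $_POST['password']);` and redirects to main_menu.php or staff/main_menu.php depending on the returned role (or re-shows the form when it is null). The admin main_menu.php starts with `session_start(); require_once 'auth.php'; require_role('admin');`, and staff/main_menu.php with `require_role('admin', 'staff');`. Because the role comes from the database row at login and is checked on every request, changing the URL by hand no longer helps: the session says "staff", and the admin page refuses it.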