[RESOLVED] limit access to heart of site

darkangel2001lv

Building website the are three parts. Part 1 is the customer side, Part 2 is the back side the company will use for a vary of things part three is a main control for the webmasters.

currently i use a login process for part to and restrict each page by user level user is assigned works great us the following to do restrict

<?php
session_start();
if(!session_is_registered(MM_Username)){
header("location:../login.php");
}

$MM_authorizedUsers = "Webmaster";
$MM_donotCheckaccess = "true";

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) { 
  // For security, start by assuming the visitor is NOT authorized. 
  $isValid = False; 

  // When a visitor has logged into this site, the Session variable MM_Username set equal to their username. 
  // Therefore, we know that a user is NOT logged in if that Session variable is blank. 
  if (!empty($UserName)) { 
    // Besides being logged in, you may restrict access to only certain users based on an ID established when they login. 
    // Parse the strings into arrays. 
    $arrUsers = Explode(",", $strUsers); 
    $arrGroups = Explode(",", $strGroups); 
    if (in_array($UserName, $arrUsers)) { 
      $isValid = true; 
    } 
    // Or, you may restrict access to only certain users based on their username. 
    if (in_array($UserGroup, $arrGroups)) { 
      $isValid = true; 
    } 
    if (($strUsers == "") && true) { 
      $isValid = true; 
    } 
  } 
  return $isValid; 
}

$MM_restrictGoTo = "../login2.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {   

  $MM_qsChar = "?";
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
  if (isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']) > 0) 
  $MM_referrer .= "?" . $_SERVER['QUERY_STRING'];
  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
  header("Location: ". $MM_restrictGoTo); 
  exit;
}
?>
<?php

My question is for part three webmasters will have access to everything with admin level access. is the the above enough to safe guard part three or do i need something better?

note user level is stored in DB and then placed in cookie when user logs in

darkangel2001lv

forgot to say that webmaster part of side is located on a sub domain.

would adding these to the htaccess file in that dir prevent some from getting in that dir unless they are 1 logged in and 2 have the correct user level.

disable directory browsing

Options All -Indexes

prevent folder listing

IndexIgnore *