Restricting Access

jodbowrs

Please help with what and where to add to the code to restrict access to only my admins. I only have 2 admin accounts so I could do it by their usernames or ID's. Below is the authentication code that I'm using.

<?php
//initialize the session
if (!isset($_SESSION)) {
session_start();
}

// Logout the current user.
$logoutAction = $SERVER['PHP_SELF']."?doLogout=true";
if ((isset($SERVER['QUERY_STRING'])) && ($SERVER['QUERY_STRING'] != "")){
$logoutAction .="&". htmlentities($SERVER['QUERY_STRING']);
}

if ((isset($GET['doLogout'])) &&($GET['doLogout']=="true")){
//to fully log out a visitor we need to clear the session varialbles
$SESSION['MM_Username'] = NULL;
$SESSION['MM_UserGroup'] = NULL;
$SESSION['PrevUrl'] = NULL;
unset($SESSION['MM_Username']);
unset($SESSION['MM_UserGroup']);
unset($SESSION['PrevUrl']);

$logoutGoTo = "index.php";
if ($logoutGoTo) {
header("Location: $logoutGoTo");
exit;
}
}
?>
<?php
if (!isset($_SESSION)) {
session_start();
}
$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
// For security, start by assuming the visitor is NOT authorized.
$isValid = False;

// When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
// Therefore, we know that a user is NOT logged in if that Session variable is blank.
if (!empty($UserName)) {
// Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
// Parse the strings into arrays.
$arrUsers = Explode(",", $strUsers);
$arrGroups = Explode(",", $strGroups);
if (in_array($UserName, $arrUsers)) {
$isValid = true;
}
// Or, you may restrict access to only certain users based on their username.
if (in_array($UserGroup, $arrGroups)) {
$isValid = true;
}
if (($strUsers == "") && true) {
$isValid = true;
}
}
return $isValid;
}

$MM_restrictGoTo = "login-admin.php";
if (!((isset($SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $SESSION['MM_Username'], $SESSION['MM_UserGroup'])))) {

$MM_qsChar = "?";
$MM_referrer = $SERVER['PHP_SELF'];
if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
if (isset($SERVER['QUERY_STRING']) && strlen($SERVER['QUERY_STRING']) > 0)
$MM_referrer .= "?" . $_SERVER['QUERY_STRING'];
$MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
header("Location: ". $MM_restrictGoTo);
exit;
}
?>

johanafm

Without wading through all code you posted (which I'm especially disinclined you don't even bother putting [noparse]

[/noparse] tags around it, I'd say you're better off storing admin accessibility in the database. Now, it's unlikely that you'll change primary keys for rows in the user table in the (near) future. But IF it ever happens, you (or whomever is maintaining code 5-10 years down the road) will
1. most likely forget about updating those id checks in the PHP code, which in best case scenario means noone gets admin access, and in worst case scenario gives a malicous user (assume they all are unless otherwise known) admin access.
2. have a lot of code to wade through to find those id checks
3. won't be 100% certain that you found all such places

In it's most simple form, you'd simply have admin_access boolean default false. Or lacking boolean, int unsigned (of smallest possible kind in your dbms). Then assuming you have a user class for which you instantiate objects, you'd simply
[code=php]
if (!$user->getAdminAccess())
{
	# Option 1: 
	header('HTTP/1.1 403 Forbidden');
	exit;
}
# Continue processing for admins

However, it might make sense to create a separate table access(user_id, access int unsigned, /possibly: access_name varchar/). You may then have several different access values, and a user may have one or more access rights. And separate pages, db tables or whatever else you want to protect may be available to one (or possibly more access rights values depending on how you design it).
For example, user_admin access might enable ban user, unban user, delete user as well as delete forum post and move post. At the same time, forum_moderator access might also have access to delete forum post and move post. But you could also set it up so that user_admin includes forum_moderator access by default and only allow forum_moderator to actually moderate forums - meaning that you could have a user_admin without forum rights, even if they get those by default as well.

jodbowrs

I do have an "admin" field in the database designating who has admin rights. When I tried to restrict a page by username, password and admin level though, I got an error message that the login page didn't require admin and I was unsure hoe to fix this.

johanafm

Well, in that case you have some kind of coding error. You'd be the most likely one to know what it is since you're the one with the error message.

But my point was: use the admin value. You don't have to check anything else (like name, id, how many cats they own etc). if $user->isAdmin() is sufficient.

jodbowrs

Thanks for trying to help. I found a tutorial on YouTube that I think will help me figure it out. thanks again!

libra66

I am really impressed by this very infprmative post.Thanx for sharing it.