different user rights to view pages


rattlsnak

OK, I have a members only section inside a site (through a login form). However, inside the section I need another level of rights to view some pages.

What I'm using now:

Login query:

    $query="SELECT * FROM users WHERE username='$myusername' and password='$mypassword'";
    $result=mysql_query($query);
    $rowAccount=mysql_fetch_array($result);
    if($rowAccount){
        $_SESSION['id'] = $rowAccount['username'];
        header("location:userhome.php");
        exit;
    }
    else {
        header("location:error.php");
    }

/////////////////////////////////////////////

What I have on each page:

    session_start();
    if (! isset($_SESSION['id'])){
        header("location:login.php");
        exit;
    }

///////////////////////////////////////////

So I'm /assuming/ I need to make a different $_SESSION for different users? Like: $_SESSION['id'] = $rowAccount['username']; but somehow be able to set only certain users in this set, and make another one with a different name for other users, and then use an IF for normal users and an ELSEIF for privileged users and then of course the ELSE if none match.

Am I on the right track?

Thanks..

For the IF statements, sure.

I don't know why you'd mess with the session ID in this context. That usually works best if PHP handles it internally. To keep track of your user, write something like

    $_SESSION['user'] = $rowAccount['username'];

But you'd only need that if you needed to access the DB on subsequent occasions.

For the privileges, I guess you'd have an item in the DB that indicates the privilege level. So you'd keep track of that like

    $_SESSION['level'] = $rowAccount['level'];

You'd set that at login and then access $_SESSION['level'] whenever a privileges decision comes up.

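A login step that stores both the user name and the level in the session, as suggested in the reply above. This is an added example, not code from any poster in the thread: it assumes PDO with an in-memory SQLite table standing in for the MySQL `users` table, a hypothetical `password_hash` column in place of the plain-text `password` field, and constructed sample accounts. The user name is bound as a query parameter instead of being interpolated into the SQL string, and the session gets a fresh ID at login.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the thread's `users` table (level 1 = admin, 2 = member).
// `password_hash` is an assumed column replacing the plain-text `password` field.
function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
                                   password_hash TEXT, level INTEGER)');
    $ins = $db->prepare('INSERT INTO users (username, password_hash, level) VALUES (?, ?, ?)');
    $ins->execute(['alice', password_hash('constructed-admin-pw', PASSWORD_DEFAULT), 1]);
    $ins->execute(['bob', password_hash('constructed-member-pw', PASSWORD_DEFAULT), 2]);
    return $db;
}

// Returns ['user' => string, 'level' => int] on success, null on any failure.
function authenticate(PDO $db, string $username, string $password): ?array
{
    // The user name is bound as data, never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT username, password_hash, level FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;    // same result for unknown user and wrong password
    }
    return ['user' => $row['username'], 'level' => (int) $row['level']];
}

// Copy the verified account into this visitor's session.
function start_user_session(array $account): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);   // fresh ID at login; the pre-login ID stops working
    $_SESSION['user']  = $account['user'];
    $_SESSION['level'] = $account['level'];
}

$db = make_demo_db();
$account = authenticate($db, 'bob', 'constructed-member-pw');
if ($account !== null) {
    start_user_session($account);   // must run before any output is sent
}
var_dump($_SESSION ?? null);
// A name containing a quote is just an unknown user here, not a broken query.
var_dump(authenticate($db, "o'brien", 'anything'));
var_dump(authenticate($db, 'bob', 'wrong-password'));
```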

http://jlhaslip.com/project/

compare the results from using these two Logins

user: member@member.member Pass: member
and
user: admin@admin.admin Pass: admin

try that link to see if that is what you need. If I remember correctly, there are 4 different levels of users in this application, allowing for a different list of links in the sidebar for each level.

ok, lost me,.! I have setup a 'level' field in the database with numbers assigned in that field of 1 for admin rights, and number 2 for other members.

The main question I have to start with, is are you allowed to create 2 sessions on the same page? Right now all the members are assigned to the session'id', and at the top of all the member pages I run the 'check isset session'id' to validate those members so no one can bypass the login page. If I make the initial session'level' to a certain level, won't that keep the other member from accessing the normal member pages?

In other words, are you saying that I can make two session ids on the original login page? like:

    $_SESSION['id'] = $rowAccount['username'];

and then another:

    $_SESSION['level'] = $rowAccount['level=1'];

That doesn't look right to me. I guess I don't see how to use both. Once the session is started and named (like mine - 'id'), when the member pages load I am checking for that session id isset. If I name the original session to a certain level, then half of the users couldn't see the other member pages.

I was thinking I had to do something like $_SESSION['level'] = $rowAccount['level=1']; but don't know how to set it.

slip, thanks for that example, but not quite what I'm looking for, but maybe the script is similar.

What I have is a login page where all members can sign in (at this point admins are considered members also, as they view all the same pages as the members). A few pages into that section, I have a submit form action that goes to a page where I only want admins to go. So if a 'regular' member clicks on the link (submit button), when that page loads, it will send them to a "user not authorized" page or such, but if an admin is logged in, the page will display.

like: if session level = 1, it's ok, but if session level = 2, not ok.

Make sense?

ok, found this from a search: (which is basically the same thing D's Dad is saying)

>> when you perform the login you will query the db and check password and user name. At this stage you can get the access level and assign this to a session which you can carry throughout the application

Code:

    $_SESSION['access'] = $row['level'];

$_SESSION['access'] will now be set with 1,2,3 etc

on every page just check this $_SESSION['access'] and either allow or disallow access depending on rights. <<

SO at this point, I just need to write the code to deny usage to certain user levels

so, what I have is this:

    session_start();
    if (! isset($_SESSION['level'])){
        header("location:login.php");
        exit;
    }

And I need something along the lines of this:?

    session_start();
    if (! isset($_SESSION['level']==1)){
        header("location:login.php");
        exit;
    }

But, if I do that, then I won't know by username who is logged in?

EDIT: I posted this before seeing NooB's post above.

In a nutshell:

PHP generates a session ID on its own for every unique user. If I log on from my machine, I get one ID. If Bob logs on from another machine, he gets a different ID. The ID gets stored in my cookies AND in a special, temporary file on your server. That's how the values stay persistent. PHP makes the match between them automatically every time I open a page with session_start() in the script.

This way, when I login and you look up my row in your DB, you can set something like $_SESSION['level'] to the level you find in my row. And as long as my session is open, you never have to log me in or look for my level again. My $_SESSION['level'] will be available to every script I download -- as long as you put session_start() in the script.

Same with Bob. Only his are completely different, because PHP gave him a unique ID also.

That is, the value of $_SESSION['level'] is not the SAME for every user. It gets set and changed UNIQUELY for every user. Or, more specifically, the entire $_SESSION array is unique for every user. The values you set for one user do not get passed to every other user. (Unless you set them with string literals, of course -- which it seems you're trying, unproductively, to do.)

Maybe I got too worried about your using a thing called $_SESSION['id']. I was associating that with PHP's own session ID, which you access through session_id(). You don't want to mess with that. And just to keep things straight, if you want a persistent variable to keep track of your users, I would call it $_SESSION['user'] instead.

I suggested $_SESSION['level'] just as an efficient way of tracking each user's privileges. Every time Bob opens a script, the script can get his privilege level just by accessing that variable. It doesn't have to open the DB every time. You don't even have to know his user name.

As long as Bob got a session ID on some earlier login page, if you set $_SESSION['level'] at that time, it's still there, and you can get it in every script. This allows you to do your IF stuff. Like

    if ($_SESSION['level'] == 1) {
        include ("level1.php");
    } elseif ($_SESSION['level'] == 2) {
        include ("level2.php");
    }

And the file you include presumably holds links or other stuff that's appropriate to Bob's level. (The result doesn't have to be an include statement. Just an example of what you might do.)

That makes total sense to me (amazingly), and this is what I didn't quite know how to write:

    ($_SESSION['level'] == 1)

I actually had a good guess (ok, lucky guess) above in my previous post! :)

The part I was getting confused on was, I was thinking that by using my original session id linked to a username, then I could see who was logged in and such and echo a statement that said "hello user X"! etc. But by assigning a session to a user level I don't understand how to do that. Obviously two different things!

ok:

I had to write it out as I wasn't fully understanding Sessions. Hopefully this can help other people:

Assume we have a users table, with 4 fields and entries of:

id: 5
username: bob
password: smith
level: 2

    $query="SELECT * FROM users WHERE username='$myusername' and password='$mypassword'";

>> SELECT ALL FROM users WHERE username = Bob and password = Smith; <<

    $result=mysql_query($query);

>> that assigns the variable/name 'result' to the entire row containing the 4 fields: id, username, password, and level.

    $rowAccount=mysql_fetch_array($result);

>> This pulls that row or record from the database and assigns it a variable/name of 'rowAccount'. So at this point $rowAccount = 5, Bob, Smith, 2 <<

    if($rowAccount){
        $_SESSION['id'] = $rowAccount['username'];

>> if (5, Bob, Smith, 2) assign the Session to a name of 'id', which equals the username of Bob, or Bob = Session 'id'. >>

So on your member pages when you run:

    session_start();
    if (! isset($_SESSION['id'])){
        header("location:login.php");
        exit;
    }

You are basically saying, If this isn't Bob, send me to the login page.

I hope that's right! Please correct me if I'm wrong, but it took me writing it down to fully understand it. And of course, in php, I know there are other ways to accomplish the same thing.

Thanks again for your help!

One issue left!

Once inside my member pages and now wanting to go to the admin pages, do I use an IF/ELSEIF, or what? I tried it like this and with an ELSEIF and it doesn't work. This is what I need it to do, just don't know how to write it!

    if (! isset($_SESSION['level'])){
        header("location:login.php"); <if not a member of any level, go to login page
    }
    elseif ( isset($_SESSION['level'])){
        header("location:acessdenied.php"); <<if a member, but with no admin rights, go to this page
    }
    elseif (isset($_SESSION['level'] == 2)) <<<if a member, with admin rights, continue...???

Basically, it has to go to three different pages depending on the user level. The basic users still have to be validated and if not sent to the login page, and if validated as a member, sent to the member home page, and the admin has to be validated and allowed to view the page, BUT if he is a member he needs to go back to the member home page, which is AFTER, or still inside the member login page, and not back out to the login page.

Maybe I could combine statements, like:

    if (! isset($_SESSION['id'] == 2, OR==3)){
        header("location:login.php");
    }

Sorry, if these are basic questions, but hey, that's how you learn, right? :)

You are heading in the right direction, and of course you are correct in your assumptions on learning. The entire purpose of these Forums is to assist others who are learning.

Using some pretend code:

    if (!isset($_SESSION['id'])) {
        ... go to the Login page ...
    } elseif ($_SESSION['id'] >= 2) {   // maybe <= 2 ? depends on the structure of your permissions levels
        ... access denied ...
    } else {
        ... user is allowed to be here, so run the rest of the page ...
    }

<?php
/*
In this demonstration, I have defined a string for each 'level of user' determining which set(s) of links they can view on your site.

Normal MySql procedure would be to read the User's permission level from a record in the database.

For the purpose of this demonstration, an array is constructed. The output reflects the various combinations of their permissions.

The strings are a series of concatenated Boolean values for the permissions allowed by a group. 0 = false (no links) 1 = true (links).

As you can see, the Guests get 'some' links, Members get 'some more' links, Mods get 'still more', and the Admins get 'all' links.

Array values can be read from the User Profile or from a 'group' table depending on their group membership. Each member is assigned to a Group and their permissions are given according to the Group they belong to.

Whether the permissions string is stored with the member Profile ( not suggested ) or in a separate Table in the database ( suggested ) does not really affect the function of this procedure, as long as the permissions function is fed the correct of string.

Replace these simple echo commands with the code which will generate the links for your site. And normally, you would not use the else statements, so those could be removed from the code, too.

Adjust the details and particular to suit your own needs. Additional Permissions could be set for allowing certain Groups the right to add, edit, delete stuff, or Ban Users, etc.

Happy Coding.
*/

$levels = array(
    'Guests' => "1000",
    'Users'  => "1100",
    'Mods'   => "1110",
    'Admins' => "1111",
);

/*
 * Function to assign Permissions based on Group membership
 */
function permission( $p ){
    //  Split the levels string into an array
    $perm = str_split( $p );

    //  Permissions array
    $up = array(
        'can_view_links_1' => 1,
        'can_view_links_2' => 2,
        'can_view_links_3' => 3,
        'can_view_links_4' => 4,
    );
    $combine = array_combine( array_keys( $up ), $perm );
    return $combine;
}

/*
 * Procedure Test Printing
 */
foreach ( $levels as $i => $value) {
    /* print Group name here */
    echo '<h3>' . $i . '</h3>';

    /* call function to assign permissions */
    $p = permission( $levels[$i] );

    /* check Guest permissions */
    if( $p['can_view_links_1'] == 1 ){
        echo 'can view Guest links  ' . $p['can_view_links_1'] . '<br />';
    } else {
        echo 'no links here  ' . $p['can_view_links_1'] . '<br />';
    }

    /* check Member permissions */
    if( $p['can_view_links_2'] == 1 ){
        echo 'can view Member links  ' . $p['can_view_links_2'] . '<br />';
    } else {
        echo 'no links here  ' . $p['can_view_links_2'] . '<br />';
    }

    /* check Moderator permissions */
    if( $p['can_view_links_3'] == 1 ){
        echo 'can view Moderator links  ' . $p['can_view_links_3'] . '<br />';
    } else {
        echo 'no links here  ' . $p['can_view_links_3'] . '<br />';
    }

    /* check Administrator permissions */
    if( $p['can_view_links_4'] == 1 ){
        echo 'can view Admin links  ' . $p['can_view_links_4'] . '<br />';
    } else {
        echo 'no links here  ' . $p['can_view_links_4'] . '<br />';
    }
}
?>

I can follow your post to a point, then get lost, then read it again, get a little farther, then lost again,. etc.. :) I do follow the flow, and what it achieves at the end, but I'm not quite ready for that yet! I would think mine would be a simple issue, see below...

I think I am having an issue with the session 'id' level. When I do this:

    if (! isset($_SESSION['id'])){
        header("location:login.php");
    }
    else if ($_SESSION['id'] == '2');
    {
        echo "test?";
    }

OR this:

    if (! isset($_SESSION['id'])){
        header("location:login.php");
    }
    else if (! $_SESSION['id'] == '2');
    {
        echo "test?";
    }

(I tried it with an elseif, an if and an else, same result)

Although it allows members to view the page, and directs non-members to the login page like it should, no matter who I am logged in as, a level 1, or 2 user, it still echos "test" to the page. SO I must have something wrong with the 'level' access, or I'm writing that statement wrong.

I have setup a 'level' field in the database with numbers assigned in that field of 1 for admin rights, and number 2 for other members and am using this, as stated above:

    $rowAccount=mysql_fetch_array($result);
    if($rowAccount){
        $_SESSION['id'] = $rowAccount['level'];

<<-- 'level', being the field in the db that has either a 1, or a 2 in it depending on the user.

I understand about hiding different features/links from different level users, but on this site, there are only a small number of total users, (5) so I don't care if they see the link, I just don't want them to be able to get to it.

THANKS..!

    else if ($_SESSION['id'] == '2');

----

Your trouble is that big semicolon. It terminates the IF clause, and the echo statement is simply the next statement. It gets executed every time. Being inside braces doesn't change that. So just delete the semicolon.

In this case, HUGE semi colon,. DUH!!! ok cool, that worked!!

Now, if I wanted to not allow level 2, would it be something like this:

    }
    elseif ($_SESSION['id'] != '2'){
        echo "test?";
    }

OR this:

    }
    elseif (! $_SESSION['id'] == '2'){
        echo "test?";
    }

I tried both, and they don't work..

THANKS!..

!= is always preferable to !$var==

As for the other stuff, it occurs to me that what you really want is a switch statement, not only because it's slightly faster than an IF ELSEIF ELSE, but also because it's easier for a human to read. You'd also put that after your isset() test.

ok, this is exactly what I have, and it works perfectly:

    <?php
    session_start();
    if (! isset($_SESSION['id'])){
        header("location:login.php");
    }
    elseif ($_SESSION['id'] == '3'){
        header ("location:memberhome.php");
    }
    ?>

The more I thought about it, and thought about the way php works, I realized that I'm not trying to send user levels 1 or 2 away from these pages, only level 3 needs to be restricted, so the above code sends them back to the member home page and doesn't say anything about user levels 1, or 2, so they can view the page just fine. If I was trying to send user level 2 somewhere else, I would simply put another ELSEIF to send him somewhere.

At first, I was thinking I had to ALLOW users 1, or 2 to view this page and trying to write the code for that, but that's basically already handled in the original set session, so I just need to restrict the levels I don't want.

Actually looking at and deciphering Switch statements is what pointed me in the right direction. I tried this:

    switch($_SESSION['id']){
        case '1': $page = "location:adminhome.php"; break;
        case '2': $page = "location:memberhome.php"; break;
        case '3': $page = "location:loginhome.php"; break;
    }
    header($page);

But couldn't get it to work properly. I kept getting a http 404 error every time I tried that.

In the future I hope to build sites that display different things based on user rights as you described above, but this is good enough for now with this project. I have another project in the works that I already have questions on, so I will start a new thread with that soon!

Thanks again!! :)

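A per-page guard for the rule worked out in this thread, written as an added example rather than code from any poster. `header()` only queues the redirect, so the guard has to stop the script itself; otherwise the rest of the protected page still runs and is sent to the client. It also lists the levels that are allowed rather than the ones to turn away, so a level added later is denied by default. It assumes the level is kept in `$_SESSION['level']` as an integer (1 = admin, 2 = member); the function names and sample sessions are hypothetical.

```php
<?php
declare(strict_types=1);

// Decide where a request should go. Pure function, so the rule can be
// checked without a browser. Returns null when the page may be shown.
function redirect_target(array $session, array $allowedLevels): ?string
{
    if (!isset($session['level'])) {
        return 'login.php';                 // not logged in at all
    }
    // Strict comparison against an allow-list: a level that is missing
    // from the list (or has an unexpected type) is denied by default.
    if (!in_array($session['level'], $allowedLevels, true)) {
        return 'memberhome.php';            // logged in, but not allowed here
    }
    return null;
}

// Call at the very top of a protected page, before any output.
function require_level(array $allowedLevels): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $target = redirect_target($_SESSION, $allowedLevels);
    if ($target !== null) {
        header('Location: ' . $target);
        exit;   // without this the rest of the page still executes
    }
}

// Constructed sessions exercising each outcome for an admin-only page.
$cases = [
    'anonymous' => [],
    'member'    => ['user' => 'bob',   'level' => 2],
    'admin'     => ['user' => 'alice', 'level' => 1],
    'string 1'  => ['user' => 'carol', 'level' => '1'],   // wrong type on purpose
];
foreach ($cases as $name => $session) {
    $target = redirect_target($session, [1]);
    printf("%-10s -> %s\n", $name, $target ?? 'show page');
}
```

On a real page the only line needed is `require_level([1]);` directly after the opening `<?php` tag.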

    switch($_SESSION['id']){
        case '1': header("location:adminhome.php"); break;
        case '2': header( "location:memberhome.php"); break;
        case '3': header( "location:loginhome.php"); break;
    }

Does that work any better? Do you have files by those names in the same directory?

Yes I have those pages, and I see you basically left out the variables and went just to headers. I can try that later. I am so happy I finally finished this project and not in the mood to tinker with it anymore for at least a day or so! :) ! I am going to read through your code above and get a better grip on it before I start my next project that involves user rights.

Thanks to you and D's Dad for all of your help, it was greatly appreciated. I will start a new thread soon with my new questions about my next project I am starting.

  • 3 weeks later...
Hi jlhaslip, do you have the coding for your project? If so, could you give me the coding, since I am also in the same kind of project.
Archived

This topic is now archived and is closed to further replies.
