
I want to make some of my php pages accessible to certain users. I flag these users in my users table as 'super_user' in the 'user_privilege' attribute. So far I have got the login and sessions working. But I'm not sure about 'super_user' only pages. Basically this is the page I want to make accessible only to super users:

<?php
require_once('../includes/su_permission.inc.php');
require_once('../includes/session_timeout_db.inc.php');
?>
<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title>Secret page</title>
</head>

<body>
<h1>Restricted area</h1>
<p><a href="menu_db.php">Back to restricted menu</a> </p>
<?php include('../includes/logout_db.inc.php'); ?>
</body>
</html>

The session_timeout_db.inc.php doc checks if the user's session has expired and it works fine. I have also added this: require_once('../includes/su_permission.inc.php'); in the code to check if the user is a super user. This is my attempt at the code:

<?php
require_once 'login.php';
$conn = new mysqli ($host, $user, $password, $database) or die("Connection Failed");

$sql = 'SELECT user_role FROM users WHERE user_email = ?';

$stmt = $conn->stmt_init();
$stmt->prepare($sql);

$stmt->bind_param('s', $user_email);

$stmt->bind_result($user_role);
$stmt->execute();
$stmt->fetch();

if ($user_role='SU') {
  $_SESSION['privilege_level'] = $user_role;

// some other code needed here
  exit;
} else {
  echo 'No permission to visit this page';
}

I know it is a poor attempt, but I'm not sure what else to do from here. Can someone please advise on the best way I can do this?

Thanks

2 Comments
  • So what specific errors are you getting (if any)? Have you done any debugging to try to determine where your code might have its problems? Are you really intending to call exit when the user has successfully authenticated? This would stop the rest of the page from being output. Commented Feb 6, 2013 at 23:06
  • @MikeBrant I removed the exit part and ran the code and it still gives access to the user who is not flagged as a super user in the database. I just don't know if the method I'm using is correct Commented Feb 6, 2013 at 23:10

2 Answers

2

Here is your problem:

if ($user_role='SU') {

You need a proper comparison operator (== or ===) here. What you are doing right now is assigning a value of SU to $user_role in all cases.

A slight programming suggestion to avoid such problems is to flip the comparison order like this:

if ('SU' == $user_role) {

That way if you accidentally type = instead of == or ===, you will get an error output, rather than having your code quietly run while doing something you don't want it to do.


11 Comments

Ok thanks for that, I changed it to == now it says no permission to view this page but it actually views what I have on the page. I just want it to display the no permission error and not display anything else.
@elmify That's where the exit comes in handy :)
Ah I see, thanks for being patient with me but I added the exit just here: $_SESSION['privilege_level'] = $user_role; exit;
(continued) still no changes, I'm not sure if I should add something like $_SESSION['privilege_level'] = $user_role; in the restricted page
You would want to add the exit in the side of the conditional where you don't want the page displayed, but rather just the "no permission" message. So place it after that message.
1

I did a similar thing on the site I'm working on. I set up three different areas, for the different user 'types'.

I then set up 3 different session check files for the groups of pages. I'm sure this could be done using only one file, and some elseifs but whatever. Anyway here is the code snippet that I use on my pages to check if a user is logged in, and if they are the right "type" of user to view the page:

if (isset($_SESSION['authenticated']) && $_SESSION['authenticated'] !== 'admin') {

//if (!isset($_SESSION['authenticated'])) {
  // wrong user type: send them away and stop rendering the page
  header("Location: $redirect");
  exit;
}

If they aren't right it redirects them. I hope that helps.
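Putting the two answers together (a real comparison operator instead of an assignment, and exit on the deny path so nothing after the include is rendered), here is an added example of what su_permission.inc.php could look like. This is not code from the question or from either answer. It assumes the login page has already called session_start() and stored the logged-in user's e-mail in $_SESSION['user_email'] (an assumed key; the question's snippet never defines $user_email), and that login.php defines $host, $user, $password and $database as in the question.

```php
<?php
// su_permission.inc.php -- added example, not code from the question or the answers.
// Assumptions: login stored the user's e-mail in $_SESSION['user_email'] (assumed key);
// login.php defines $host, $user, $password, $database as in the question.
declare(strict_types=1);

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

/**
 * Refuse the request: send a 403, print a short message and stop, so that
 * nothing after the require_once in the protected page is ever rendered.
 * exit belongs on the deny path, not on the allow path.
 */
function deny(string $message = 'No permission to visit this page'): void
{
    http_response_code(403);
    echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
    exit;
}

// Not logged in at all? Deny before touching the database.
if (empty($_SESSION['user_email'])) {
    deny();
}
$email = (string) $_SESSION['user_email'];

require_once 'login.php';

$conn = new mysqli($host, $user, $password, $database);
if ($conn->connect_error) {
    // Fail closed: a broken database connection must not turn into access granted.
    deny('Authorisation check unavailable');
}

// Re-read the role on every request so that revoking super-user status in the
// users table takes effect immediately instead of living on in the session.
$stmt = $conn->prepare('SELECT user_role FROM users WHERE user_email = ? LIMIT 1');
if ($stmt === false) {
    deny('Authorisation check unavailable');
}
$stmt->bind_param('s', $email);
$stmt->execute();
$stmt->bind_result($user_role);
$found = $stmt->fetch();   // true = row fetched, null = no such user, false = error
$stmt->close();
$conn->close();

// Strict comparison: '===' compares; '=' would assign 'SU' and always succeed.
if ($found !== true || $user_role !== 'SU') {
    deny();
}

// Only reached for super users; the protected page continues rendering below
// its require_once line.
$_SESSION['privilege_level'] = $user_role;
```

The protected page keeps its require_once('../includes/su_permission.inc.php') at the top exactly as in the question; because deny() calls exit, the HTML that follows is never sent to anyone whose role is not 'SU'.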
