
Login Redirect for Usergroups

Posted: Tue Jul 25, 2006 4:33 pm
by Assured99
I am setting up a login where I have only a few groups: 'Users', 'Employees', 'Patients', 'Referrals', and 'Administrators'.
Now when someone first signs up they are categorized as a 'User', which will redirect them to sorry.php stating the admin has to assign their access.

But if they already have a specified access I want them redirected to different pages.

This is what I have so far:

Code: Select all

if ($_SESSION[group1] == 'Users') {
  header("Location: sorry.php");
} else {
  header("Location: general.html");
}
Group 1 is where the access level is held in the database. What would I need to do to get rid of the else and make it find the correct access level and redirect?

~Snapple

Posted: Tue Jul 25, 2006 4:39 pm
by jamiel

Posted: Tue Jul 25, 2006 4:43 pm
by Assured99
Switch What???

Posted: Tue Jul 25, 2006 4:51 pm
by jamiel

Code: Select all

switch ($_SESSION['group1']) {
    case 'Users':
        header("Location: sorry.php");
        break;
    case 'Employees':
    case 'Patients':
    case 'Referrals':
    case 'Administrators':
        header('Location: general.html');
        break;
    default:
        header('Location: sorry.php');
        break;
}
Can do whatever you want from there no matter what the access level.

Posted: Tue Jul 25, 2006 4:58 pm
by Assured99
So Would This work....

Code: Select all

switch ($_SESSION['group1']) { 
    case 'Users': 
        header("Location: sorry.php"); 
        break; 
     case 'Employees': 
        header("Location: employee.php"); 
     case 'Patients': 
        header("Location: patient.php"); 
     case 'Referrals': 
        header("Location: referral.php"); 
     case 'Administrators': 
          header('Location: admin.php'); 
          break; 
     default: 
          header('Location: sorry.php'); 
          break; 
}
Or do I need to add the break after each case?

Posted: Tue Jul 25, 2006 5:01 pm
by tcsoft
....yes, you need the

Code: Select all

break;
:D
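
The redirect discussed in the posts above, as an added example that is not part of the original thread: a lookup table with a default fallback replaces the switch, and `exit` follows the header. `fallthrough_result()` replays the switch posted without `break` statements, recording each target instead of sending it; because `header()` replaces an earlier header of the same name by default, the last target reached is the one that would be sent. All function names are hypothetical.

```php
<?php
// Added example; function names are hypothetical, page names are from the thread.

// Group => landing page. A table lookup has no fall-through to forget about.
const LANDING_PAGES = [
    'Users'          => 'sorry.php',
    'Employees'      => 'employee.php',
    'Patients'       => 'patient.php',
    'Referrals'      => 'referral.php',
    'Administrators' => 'admin.php',
];

function landing_page_for($group): string
{
    // Missing, non-string or unknown groups get the holding page.
    if (!is_string($group) || !array_key_exists($group, LANDING_PAGES)) {
        return 'sorry.php';
    }
    return LANDING_PAGES[$group];
}

function redirect_by_group(array $session): void
{
    header('Location: ' . landing_page_for($session['group1'] ?? null));
    exit; // header() does not stop the script; exit does
}

// The switch as posted without breaks, recording each target instead of sending it.
function fallthrough_result(string $group): string
{
    $location = '';
    switch ($group) {
        case 'Users':          $location = 'sorry.php'; break;
        case 'Employees':      $location = 'employee.php';
        case 'Patients':       $location = 'patient.php';
        case 'Referrals':      $location = 'referral.php';
        case 'Administrators': $location = 'admin.php'; break;
        default:               $location = 'sorry.php'; break;
    }
    return $location;
}

foreach (['Users', 'Employees', 'Patients', 'Nobody'] as $group) {
    printf("%-10s switch without breaks: %-12s table: %s\n",
        $group, fallthrough_result($group), landing_page_for($group));
}
```

The redirect only chooses a landing page; each target page still has to check the session itself before showing anything.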

Posted: Tue Jul 25, 2006 5:20 pm
by Assured99
Well, how about this: first shot and it's working like a charm. Thanks again, guys.



~Snapple

Posted: Tue Jul 25, 2006 5:47 pm
by Assured99
Well, it was close. Now I can't get my PHP code to restrict access to certain users. I think this is my problem, but I don't know what it's doing. Can anyone explain what this means?

Code: Select all

function allow_access($group)
{
	if ($_SESSION[group1] == "$group" || $_SESSION[group2] == "$group" || $_SESSION[group3] == "$group" ||
		$_SESSION[group1] == "Administrators" || $_SESSION[group2] == "Administrators" || $_SESSION[group3] == "Administrators" ||
		$_SESSION[user_name] == "$group")
		{
			$allowed = "yes";
		}else{
			$allowed = "no";
		}
	return $allowed;
}
EDIT: I also can't find the value for $allowed

Posted: Tue Jul 25, 2006 5:53 pm
by jamiel
All I can say is ... ewww. Completely the wrong way to go about Session Authentication. Scrap that function and start again.

Posted: Tue Jul 25, 2006 5:54 pm
by Assured99
OK, no problem. It was a free script from the start that I modified, but what does it mean?

Posted: Tue Jul 25, 2006 5:54 pm
by John Cartwright
Your permission system makes little or no sense to me.. I would consider revising how you handle user groups.

..and start quoting your array indices :evil:

Posted: Tue Jul 25, 2006 5:55 pm
by feyd
Remember to put quotes around your named array indices.

Posted: Tue Jul 25, 2006 5:56 pm
by RobertGonzalez
Assured99 wrote: Well, it was close. Now I can't get my PHP code to restrict access to certain users. I think this is my problem, but I don't know what it's doing. Can anyone explain what this means?
Here are some comments with a few changes to your code...

Code: Select all

function allow_access($group)
{
	// Check the value of the session vars 'group1' 'group2' 'group3' or 'user_name'
	if ($_SESSION['group1'] == $group || 
		$_SESSION['group2'] == $group || 
		$_SESSION['group3'] == $group ||
		$_SESSION['group1'] == "Administrators" || 
		$_SESSION['group2'] == "Administrators" || 
		$_SESSION['group3'] == "Administrators" ||
		$_SESSION['user_name'] == $group)
	{
		// Set the var allowed to 'yes'
		$allowed = "yes";
	} else {
		// Set the var allowed to 'no'
		$allowed = "no";
	}

	// Return the var allowed
	return $allowed;
}
As a side-note, this is a really bad way to handle authentication. You may want to consider matching your user_auth_level (the user's approved level) against a known group's auth level. Both can be stored in the database and used for matching. Just a suggestion.

Posted: Tue Jul 25, 2006 6:04 pm
by Assured99
OK, I'm still confused. I scrapped the old allow_access and replaced it with your new allow_access.

But I'm still stuck. What does it need to be? Here is the code to restrict the page:

Code: Select all

<?php

//prevents caching
header("Expires: Sat, 01 Jan 2000 00:00:00 GMT");
header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
header("Cache-Control: post-check=0, pre-check=0",false);
session_cache_limiter();
session_start();

require('http://www.mydomain.com/secure/config.php');

require('http://www.mydomain.com/secure/functions.php'); 

//this is group name or username of the group or person that you wish to allow access to
// - please be advise that the Administrators Groups has access to all pages.
if (allow_access(Administrators) != "Yes")
if (allow_access(Employees) != "no")
if (allow_access(Patients) != "no")
if (allow_access(Referrals) != "no")
if (allow_access(Users) != "no")
{ 
include ('http://www.mydomain.com/secure/no_access.html'); 
exit;
}
?>
And here is more of the config.php

Code: Select all

if ($num != 0)
	{
		while ($sql = mysql_fetch_object($result))
		{
			$_SESSION['first_name'] = $sql->firstname;
			$_SESSION['last_name']  = $sql->lastname;
			$_SESSION['company']    = $sql->company;
			$_SESSION['user_name']  = $sql->username;
			$_SESSION['password']   = $sql->password;
			$_SESSION['group1']     = $sql->group1;
			$_SESSION['group2']     = $sql->group2;
			$_SESSION['group3']     = $sql->group3;
			$_SESSION['pchange']    = $sql->pchange;
			$_SESSION['email']      = $sql->email;
			$_SESSION['access']     = $sql->access;
			$_SESSION['redirect']   = $sql->redirect;
			$_SESSION['verified']   = $sql->verified;
			$_SESSION['last_login'] = $sql->last_login;
		}
	}else{
		$_SESSION['redirect'] = "$base_dir/errorlogin.html";
	}
}

//functions that will determine if access is allowed
function allow_access($group) 
{ 
        // Check the value of the session vars 'group1' 'group2' 'group3' or 'user_name' 
        if ($_SESSION['group1'] == $group || 
                $_SESSION['group2'] == $group || 
                $_SESSION['group3'] == $group || 
                $_SESSION['group1'] == "Administrators" || 
                $_SESSION['group2'] == "Administrators" || 
                $_SESSION['group3'] == "Administrators" || 
                $_SESSION['user_name'] == $group) 
        { 
                // Set the var allowed to 'yes' 
                $allowed = "yes"; 
        } else { 
                // Set the var allowed to 'no' 
                $allowed = "no"; 
        } 

        // Return the var allowed 
        return $allowed; 
}

Posted: Tue Jul 25, 2006 6:10 pm
by RobertGonzalez
This part of your code is going to choke...

Code: Select all

<?php
if (allow_access(Administrators) != "Yes")
if (allow_access(Employees) != "no")
if (allow_access(Patients) != "no")
if (allow_access(Referrals) != "no")
if (allow_access(Users) != "no")
{
    include ('http://www.mydomain.com/secure/no_access.html');
    exit;
} 
?>
1. You are passing assumed constants to your function. The function is expecting a string, so what you pass should be quoted.

Code: Select all

<?php if (allow_access('Administrators') != "Yes") ?>
2. You cannot use IF like this. One if, many conditionals in the comparison (or better, maybe a switch()).
3. Your first conditional checks against 'Yes' but the function returns 'yes' or 'no' (notice the case?).

You may need to rework your code a bit as it appears that the code you have now may run into problems as you begin to roll it out.
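
A page guard that follows the three points in the post above and the earlier suggestion to match a user's auth level against a group's level, as an added example that is not code from the thread. The numeric levels, their ordering and the helper `user_level()` are assumptions; in the thread's setup the levels would be stored in the database next to the group names.

```php
<?php
// Added example, not code from the thread. Levels and helper names are assumed.
session_start();

// Include files by local filesystem path. require() on an http:// URL needs
// allow_url_include (off by default) and evaluates whatever that server
// returns over HTTP, which is normally the script's output, not its source.
// require __DIR__ . '/functions.php';   // assumed local path

const GROUP_LEVELS = [   // constructed sample data
    'Users'          => 0,
    'Referrals'      => 10,
    'Patients'       => 20,
    'Employees'      => 30,
    'Administrators' => 100,
];

// Highest level among the user's group slots; unknown or missing groups count as 0.
function user_level(array $session): int
{
    $level = 0;
    foreach (['group1', 'group2', 'group3'] as $slot) {
        $group = $session[$slot] ?? null;
        if (is_string($group) && array_key_exists($group, GROUP_LEVELS)) {
            $level = max($level, GROUP_LEVELS[$group]);
        }
    }
    return $level;
}

// Returns a boolean, so there is no 'yes' / 'Yes' string to mistype.
// Only groups are compared, never the user name.
function allow_access(array $session, string $requiredGroup): bool
{
    if (!array_key_exists($requiredGroup, GROUP_LEVELS)) {
        return false; // unknown requirement: deny
    }
    return user_level($session) >= GROUP_LEVELS[$requiredGroup];
}

// Page guard: one condition, a quoted group name, and a hard stop on failure.
if (!allow_access($_SESSION, 'Employees')) {
    http_response_code(403);
    // The thread's no_access.html would be included here from a local path.
    exit('Access denied');
}
```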