Page 1 of 1

Permission System does not allow access ever >.<

Posted: Mon Dec 01, 2008 8:29 pm
by RussianWizard
Alright I've hit a wall in a forum system I'm coding. In the page I've used to make new posts, It can never match up the user access level with the board authorization level.

My forum system uses numbers for it's permissions: 1-Admin 2-Mod (3-9)-Unassigned 10-Regular User

Here is the code to determine access to post a topic:

Code: Select all

$board_id = $_GET['board_id'];
$page_title = "Post Topic";
$sql_accessquery = mysql_query("SELECT UserLevels_Auth FROM post_board WHERE BoardID = '".$board_id."'");
$sql_accessrow = mysql_fetch_assoc($sql_accessquery);
$page_access = $sql_accessrow["UserLevels_Auth"];
After the permission Check the header calls a function:

Code: Select all

checkLogin($page_access);
The function:

Code: Select all

function checkLogin($levels) {
if ($levels == 0) {$access = TRUE;}
else {
        if($user_loggedin = FALSE) {$access = FALSE; echo "test2";}
        else {
            $user_accessid = $_SESSION['user_id'];
            $kt = split(' ', $levels);
            $query_pageaccess = mysql_query("SELECT UserLevel FROM user_db WHERE UserName = '".$user_accessid."'");
            $row_pageaccess = mysql_fetch_assoc($query_pageaccess);
            $access = FALSE;
            while(list($key, $val)=each($kt)) {
            if($val = $row_pageaccess[1]) {$access = TRUE;} }
        }
    }
}
The user level is 10 and the board access is (1 2 10), thus the need for the split() function.

Edit: Another problem I might have is the session storing on my login page. Is this the correct way to assign session variables?

Code: Select all

$_SESSION['user_id'] = $login_row['UserName'];
$_SESSION['logged_in'] = TRUE;
echo "<tr><td align='center'>You have logged in sucesfully.</td></tr>";
redirect("index.php");
Any visible problems in the code shown above?

Re: Permission System does not allow access ever >.<

Posted: Tue Dec 02, 2008 12:53 am
by requinix
Line 12 in that function: in the condition you're using = for assignment when you should be using == for comparison.
Also, mysql_fetch_assoc returns an array with the field names as the keys. [1] doesn't exist, but ["UserLevel"] does.

Re: Permission System does not allow access ever >.<

Posted: Tue Dec 02, 2008 7:21 pm
by RussianWizard
Did those changes and all the db level fields are all VARCHAR now to eliminate formatting incompatibilities.

Everything up until this line works:

Code: Select all

while(list($key, $val)=each($kt)) {if($val == $row_pageaccess["UserLevel"]) {$access = TRUE;} }
The if statement does not seem to set the access variable to true when both values match up. Any ideas?

Re: Permission System does not allow access ever >.<

Posted: Tue Dec 02, 2008 8:13 pm
by requinix
How about you replace that line with a function call?

Code: Select all

$access = in_array($row_pageaccess["UserLevel"], $kt);
If it still doesn't work, find out what each of those three variables are, then make sure they're correct.

Re: Permission System does not allow access ever >.<

Posted: Wed Dec 03, 2008 3:34 pm
by RussianWizard
Alright I think I found the break in the code:

Code: Select all

if ($access = FALSE) {echo "<h2 align='center'>You do not have sufficent priveledges to access this page.</h2>";}
else {
When I have it as ($access = FALSE) it will always allow people to post no matter the credentials. If I set it ot ($access == FALSE) it never lets anyone post.

Re: Permission System does not allow access ever >.<

Posted: Wed Dec 03, 2008 3:49 pm
by requinix
I missed one. Line 3.

Code: Select all

if($user_loggedin = FALSE)

Re: Permission System does not allow access ever >.<

Posted: Thu Dec 04, 2008 9:24 pm
by RussianWizard
alright, here's when the code seems to break:

Code: Select all

if ($access = FALSE) {echo "<h2 align='center'>You do not have sufficent priveledges to access this page.</h2>";}
This will always allow to make a post, regardless if $access is TRUE or not.

Code: Select all

if ($access == FALSE) {echo "<h2 align='center'>You do not have sufficent priveledges to access this page.</h2>";}

Code: Select all

if (!$access) {echo "<h2 align='center'>You do not have sufficent priveledges to access this page.</h2>";}
Both of the changes above block access to post for everyone, regardless if $access is TRUE or not.

Any ideas why this if statement doesnt respond to the $access variable? Is it because it's in a function?