PHP - Moved: Idea Needed On Apache/php/mysql App For Internet Access Control

This topic has been moved to Third Party PHP Scripts.

http://www.phpfreaks.com/forums/index.php?topic=333987.0

In my project. I wanted an option that was going to give me more control over what my users can and could not do. I fount a ACL Sample and well the guy that made this must have been drunk. Any way I been working with it and putting it together so that it will work. The problem is that when I view the users current permissions it doesn't seem to display then right. Blow is the code i have in a switch that I use to manage each users permissions. The $_GET['uid'] gets the users id from the URL in the admin section.

Code: (php) [Select]
case "manage":
   
    //$userACL = new ACL($_GET['uid']);
        $userACL = new ACL($_GET['uid']);
    echo '<h2>Managing '.$userACL->getUsername($_GET['uid']).'</h2>';
        echo '... Some form to edit user info ...';
        echo '<h5>Roles for user:   (<a href="users.php?action=roles&uid='.$_GET['uid'].'">Manage Roles</a>)</h5>';
        echo '<ul>';
        $roles = $userACL->getUserRoles($_GET['uid']);
foreach ($roles as $k => $v)
{
echo "<li>" . $userACL->getRoleNameFromID($v) . "</li>";
}

        echo '</ul>';
        echo '<h6>Permissions for user:   (<a href="users.php?action=perms&uid='.$_GET['uid'].'">Manage Permissions</a>)</h6>';
        echo '<ul>';
       
        //$uparms = $userACL->getAllPerms($_GET['uid']);
        //$uPerms = $userACL->getUserPerms($_GET['uid']);
        //$aPerms = $userACL->getAllPerms('full');
        $aPerms = $userACL->perms;
//foreach ($perms as $k => $v)
        foreach($aPerms as $k => $v)
{  
    //echo 'fdfdsfsd :'. $v['value'];
//if ($v['value'] == false) { continue; }
            if($v['value']) { // if (!$v['value']) { continue; }
echo "<li>" . $v['Name'] . ' : Allowed </li>';
//if ($v['inheritted']) { echo "  (inheritted)"; }

            } else {
            echo "<li>" . $v['Name'] . ' : Deny </li>';
            }           
           
            echo "</li>";
}
        echo '</ul>';       
   
break;
   

If any one needs any extra info. Please let me know.

Hi everyone, am developing an application that has two views 1 for administrator and 1 for staff. Administrator can perform all application tasks and Staff can ONLY perform certain task. I have implemented sessions quite alright and are working. Now the problem is that when I login as Staff and then I change the URL to point to an administrator's page the application is allowing that, How can I prevent that from happening. Staff MUST NOT see administrators pages. Here is my login code, logout code and code am using to protect webpages below.


Here is my login code

<?php

 //start the session
 session_start();

$username=$_POST['username'];
$password=$_POST['password'];

$encrypted=md5($password);

// set connection to database

$hostname="localhost"; // Host name
$mysql_server_username="root"; // Mysql username
$server_password=""; // Mysql password
$db_name="db_inventory"; // Database name
$table = "tbl_users";      // Table name

// Connect to server and select database.
mysql_connect("$hostname", "$mysql_server_username", "$server_password")or die("cannot connect to database server");
mysql_select_db("$db_name") or die ("Couldn't select the database.");

$admin=("select * from $table where username='$username' AND password='$encrypted' AND type = 'admin'");
$staff=("select * from $table where username='$username' AND password='$encrypted' AND type = 'staff'");

//check that at least one row was returned
$adminresult=mysql_query($admin);
$admincount = mysql_num_rows($adminresult);

$staffresult=mysql_query($staff);
$staffcount = mysql_num_rows($staffresult);

if($admincount> 0){
$_SESSION['valid_user'] = $username ;
header( "Location: main_menu.php" );
}
else if($staffcount> 0){
$_SESSION['valid_user'] = $username ;
header( "Location: staff/main_menu.php" );
}
else
{

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>title> | Login</title>
</head>

<body bgcolor="#FFFFFF"  background-repeat:no-repeat; background="images/images1.jpg">
<div align="center">
  <table width="800" height="501" border="0" cellpadding="1" cellspacing="1">
    <tr>
      <td height="100">&nbsp;</td>
    </tr>
    <tr>
      <td height="350">
      <div align="center">
      <form method="post" action="login_process.php">
        <h4 align="center"><font color="red">Incorrect Username / Password ! Please Try Again</font></h4>
          <img name="" src=images/padlock_closed.gif width="34" height="32" alt="" /><br /><br />
          <table width="314" border="0" cellspacing="1" cellpadding="1">
            <tr>
              <td>Username:</td>
              <td><label>
                <input type="text" name="username"  />
              </label></td>
            </tr>
            <tr>
              <td>Password:</td>
              <td><label>
                <input type="password" name="password" />
              </label></td>
            </tr>
            <tr>
              <td colspan="2">
              <p>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
                  <input type="submit" name ="submit" value="Login" />&nbsp; &nbsp; &nbsp;<input type="reset" value="Reset" />               
              </p>
              </td>
            </tr>
          </table>     
      </form>
       </div>
       </td>
    </tr>
    <tr>
      <td height="100">&nbsp;</td>
    </tr>
  </table>
</div>
</body>
</html>

<?php

}
?>



Here is my logout code


<?php
//start the session
session_start();

//check to make sure the session variable is registered
if(isset($_SESSION['valid_user'])){

//session variable is registered, the user is ready to logout
session_unset();
session_destroy();

//the session variable isn't registered, the user shouldn't even be on this page
header( "Location: index.php" );
}
else
{
//check to see if the session variable is not registered
if(!isset($_SESSION['valid_user'])){
//redirect to login page
header( "Location: index.php" );
}
}
?>



Here is code I am using to protect pages


<?php
//start the session
session_start();
//check to make sure the session variable is registered

if(!isset($_SESSION['valid_user'])){
//redirect to login page
header( "Location: index.php" );
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title> | Main Menu</title>
<link rel="stylesheet" type="text/css" href="css.css" />
</head>

<body>

<div id="tabsF">
<ul>
<!-- CSS Tabs -->
<li id="current"><a href="main_menu.php"><span>MAIN MENU</span></a></li>
<li><a href="stockmaster.php"><span>STOCK MASTER</span></a></li>
<li><a href="controlpanel.php"><span>CONTROL PANEL</span></a></li>
<li><a href="logout.php"><span>LOGOUT</span></a></li>

</ul>
</div>
</body>
</html>


Thank you.

Hi guys,
I have a form that the reference_id is auto generated and is stored in a session. Is there a way to use only the first auto generated reference_id until the session is unset or destroyed?

thanks

Below is the screenshots and script for user page level access i have used it for one of my old projects. Code is working as it was intended. But it needs to be improvised.

Users table

pages table , which has all the pages and links

Access level table. which has user id from users table and page id from pages table (for which user has access)

 

Once the user is created, admin gives access to the user on page basis, the permissions.php page looks like this

The modules

 

Menus inside the modules

 

Pages in each menu

 

Here is my code for permission.php

<div id="demo2-html">                    
<ul id="demo2" class="mnav">
	<li><a href="#">Sales</a>
    <ul>
    <li><a href="#">Lead</a>
    <ul>
			<table class="table table-bordered table-striped table-hover">
				
                <?php 
				
				$s1 = mysqli_query($con, "SELECT pages.page_id as pid, pages.code, pages.page, 
									pages.href, access_level.aid, access_level.page_id as pgid, 
									access_level.user_id 
								FROM pages
								LEFT JOIN access_level ON (pages.page_id=access_level.page_id 
									AND access_level.user_id=".$user." 
									) WHERE pages.code='led'") or die(mysqli_error($con));
									
				while($s2 = mysqli_fetch_array($s1)) {  ?>
				<tr><li><td><?php echo $s2['page']; ?>  </td><td><input type="checkbox" name="sn[]" value="<?php echo $s2['pid']; ?>" <?php if($s2['pgid'] === $s2['pid']) echo 'checked="checked"';?> />
                <input type="hidden" value="<?php echo $s2['pid']; ?>" name="page_id[<?php echo $s2['pgid']; ?>]">
                </td></li></tr>
                <?php } ?>
                </table>
				</ul>
			</li>
            
            <li><a href="#">Customer</a>
    <ul>
			
			<table class="table table-bordered table-striped table-hover">
				
                <?php 
				
				$s1 = mysqli_query($con, "SELECT pages.page_id as pid, pages.code, pages.page, 
									pages.href, access_level.aid, access_level.page_id as pgid, 
									access_level.user_id 
								FROM pages
								LEFT JOIN access_level ON (pages.page_id=access_level.page_id 
									AND access_level.user_id=".$user." 
									) WHERE pages.code='cst'") or die(mysqli_error($con));
									
				while($s2 = mysqli_fetch_array($s1)) {  ?>
				<tr><li><td><?php echo $s2['page']; ?>  </td><td><input type="checkbox" name="sn[]" value="<?php echo $s2['pid']; ?>" <?php if($s2['pgid'] === $s2['pid']) echo 'checked="checked"';?> />
                <input type="hidden" value="<?php echo $s2['pid']; ?>" name="page_id[<?php echo $s2['pgid']; ?>]">
                </td></li></tr>
                <?php } ?>
                </table>
				</ul>
			</li>
      //code goes for all the other modules
      
      </ul>
            </li>
            
    
    
</ul>
</div>


<input type="hidden" name="user" value="<?php echo $user; ?>" />
<div class="row" align="center">
<input type="submit" name="submit" class="btn btn-success" value="Save" />
  </form> 



// form Submission

if(isset($_POST['submit']))
{
	$user = $_POST['user'];
	
 $sql = "DELETE FROM access_level WHERE user_id = ".$user."";
 $query = mysqli_query($con, $sql) or die (mysqli_error($con));

foreach($_POST['sn'] as $sn)
{
 $sql = "insert into access_level (page_id, user_id) values (".$sn.", ".$user.")";
 $query = mysqli_query($con, $sql) or die (mysqli_error($con));
}


if($query)
{
header("location:users.php?access=1");	
}

	
}
  

So against each user i am storing all the page ids here. When i edit any of the users, it deletes all the records and again insers new records. Which i feel is not a proper way to do.
And also, if i have 10 users and 100 pages, suppose all the users are having access to all the pages, records in user_access table will be 1000. 

And in codewise also, i am redirecting the user to no_access.php (as below) page if the user do not have access.

<?php
ob_start();
include("connect.php");
include("admin_auth.php"); 
$q1 =  basename($_SERVER['REQUEST_URI'], '?' . $_SERVER['QUERY_STRING']);
$q2 = $_SERVER['REQUEST_URI'];
$var1 = "/".$q1;

$qa_path=explode('/', $q2);

$right_path = $qa_path[2].$var1;

$parsedUrl = parse_url($q2);


$curdir = dirname($_SERVER['REQUEST_URI'])."/";



$m4 = "select p.page_id, p.code, p.page, p.href, al.aid, al.page_id, al.user_id FROM pages p INNER JOIN access_level al ON p.page_id=al.page_id WHERE al.user_id=".$_SESSION['user_id']."";

$m5 = mysqli_query($con, $m4)  or die (mysqli_error($con));


while($nk1 = mysqli_fetch_array($m5)) {
	
	$href1[] = ($nk1['href']); }
	
	
	if(in_array($right_path, $href1)) {

echo "<script type='text/javascript'> document.location = ".BASE_URL."/".$right_path."</script>"; 
}
else
{

echo "<script type='text/javascript'> document.location = '../no_access.php' </script>";
exit();
}	

?>

I need help in improve and better/effective (structural) way to do this both in database and php script.