search

thedigicraft / Atom.CMS

Atom.CMS
56 stars 52 forks source link

Admin users and regular users? #105

Open ninasmurffh opened 9 years ago

ninasmurffh commented 9 years ago

Hello all you smart people on here! I have a login form on the front end similar to the one on the back end, and i'm wondering if there's a way to "separate" the admins from the "regular" users so that the "regular" users wouldn't be able to log in to the back end of the website, but still using the same "users" table in the database? I'm figuring there should be a way to do this with if-statements and adding a column to the "users" table (like type "1" would be an admin user and "2" would be a normal user), but i suck at coding and google couldn't help me with my problem either... So this is what i've got:

if($_POST) {

$q = "SELECT * FROM users WHERE email = '$_POST[email]' AND password = SHA1('$_POST[password]')";
$r = mysqli_query($dbc, $q);

if(mysqli_num_rows($r) == 1) {

    $_SESSION['username'] = $_POST['email'];
    header('Location: index.php');

}

}

creptor commented 9 years ago

To do that i have set up an extra columna in my users table(database). So when a user logs in, it also declares it's permission level (with Numbers) forma the database. Here is some example code:

if($_POST) {

$q = "SELECT [ALL YOU NEED EXCEPT THE PASSWORD TABLES] FROM users WHERE email = '$_POST[email]' AND password = SHA1('$_POST[password]')";
$r = mysqli_query($dbc, $q);

if(mysqli_num_rows($r) == 1) {
    while($list=mysqli_fetch_assoc($r)){

        $_SESSION = $list;
        header('Location: index.php');
    }
}
}

So then, when i just whant to deny access, i place the ...

If(isset($_SESSION['permission'])<4){
    die('access denied!');
}
ninasmurffh commented 9 years ago

Thanks a lot for the reply, creptor! However, it doesn't work for me, what am i doing wrong? Removing the:

$_SESSION['username'] = $_POST['email'];

and replacing it with:

$_SESSION = $list;

didn't let any user access the admin panel, so i left it like this:

$_SESSION = $list; $_SESSION['username'] = $_POST['email'];

and it worked, but i didn't know where exactly to put this piece of code:

If(isset($_SESSION['permission'])<4){ die('access denied!'); }

and wherever i place that code, it still lets any user log in to the admin panel... Anyway this is what i have now (sorry for being stupid):

if($_POST) {

$q = "SELECT id,first,email,status,type FROM users WHERE email = '$_POST[email]' AND password = SHA1('$_POST[password]')";
$r = mysqli_query($dbc, $q);

if(mysqli_num_rows($r) == 1) {
     while($list=mysqli_fetch_assoc($r)){

        $_SESSION = $list;
        $_SESSION['username'] = $_POST['email'];
    header('Location: index.php');

     }

}

}

I appreciate the help :)

creptor commented 9 years ago

the log-in code:

$q = "SELECT id,first,email,status,type,  <--permissions-->{ADD THIS NEW COLUM TO YOUR TABLE DB} FROM users WHERE email = '$_POST[email]' AND password = SHA1('$_POST[password]')";
$r = mysqli_query($dbc, $q);

if(mysqli_num_rows($r) == 1) {
    $data= mysqli_fetch_assoc($r)
    $_SESSION = $data;
    header('Location: index.php');

}

So, for the new sistem you need a permissions colum in your table (because you need to know wich permissions do the users have) and use number 4 for admin, or higher (or wathever number you place in the next code...)

And then.. place this code after the session_start(); is called (right after the setup.php) of every page you whant to deny access to newbies :3

if(!isset($_SESSION['email'])&&isset($_SESSION['permissions'])<4){
    header("Location: login.php");
    die('access denied!');
}
ninasmurffh commented 9 years ago

Ok I did that, but now on the /admin/login.php page i get this: "Parse error: syntax error, unexpected T_VARIABLE in /home/xxx/public_html/admin/login.php on line 16" So apparently there's a syntax error...? websiteproblems-1 (was i supposed to paste it in the header though?) websiteproblems-2 ps. Thank you so much for helping me out, you have no idea how much I appreciate that! :smile:

creptor commented 9 years ago

O i found it :smile:, I just forgot a ;

just add it here $data= mysqli_fetch_assoc($r) at the end. Like this: $data= mysqli_fetch_assoc($r);

Also, the code for denying acces is supposed to be the one you have just after it (it's like an replacement), so you should delete it to stop having two same process.

ALSO i have to apoloyise, because i made a mistake....

this code: if(!isset($_SESSION['email'])&&isset($_SESSION['permissions'])<4){ should be this: if(!isset($_SESSION['email'])||$_SESSION['permissions']<4){

ninasmurffh commented 9 years ago

Thanks! The syntax error is gone, but now it won't allow me to log in (it just redirects me back to /admin/login.php) although i've changed "permissions" to 4... This was harder than I thought xd

I think there needs to be a ($_SESSION['username']) somewhere because in header.php there's this piece of code:

if(!isset($_SESSION['username'])) { header('Location: login.php'); }

creptor commented 9 years ago

Ok, got it... My code basically get's all the data from the table and adds it to the $_SESSION, and that includes the colums names, like: email, id, first, etc. so they will show like $_SESSION['email'], $_SESSION['id'], etc.

So if you have any other interfiring code, just chacnge the session variable to something that it's displayed on the table, hope it works.

Posible solution:

if(!isset($_SESSION['first'])) {
    header('Location: login.php');
}