Reputation: 522
I am working on a simple PHP & MySQL application and have been asked to add simple ACL functionality with 3 access levels: admin (can do it all), editor (can add and edit data) and reader (can only read data and make zero edits).
I have assigned each role a value, 1 for admin, 2 for editor and 3 for reader, and have added that to the user add form and also the db. What I need now is a way to pull that into the login session so that it can be checked at various levels (menu and some pages).
What I have so far is below.
The login function
public function login($username, $password) {
    global $bcrypt; // Again, get the bcrypt variable, which is defined in init.php, which is included in login.php where this function is called
    $query = $this->db->prepare("SELECT `password`, `id` FROM `users` WHERE `username` = ?");
    $query->bindValue(1, $username);
    try{
        $query->execute();
        $data = $query->fetch(PDO::FETCH_ASSOC);
        if($data === false){ // no such user: fail the same way as a wrong password
            return false;
        }
        $stored_password = $data['password']; // stored hashed password
        $id = $data['id']; // id of the user to be returned if the password is verified, below.
        if($bcrypt->verify($password, $stored_password) === true){ // using the verify method to compare the password with the stored hashed password.
            return $id; // returning the user's id
        }else{
            return false;
        }
    }catch(PDOException $e){
        die($e->getMessage()); // prints the raw DB error to the browser; log it and show a generic message instead
    }
}
And the login page.
<?php
$title = "Login";
require_once 'includes/header.php';
$general->logged_in_protect();
?>
<h1>Login</h1>
<?php
if(empty($errors) === false){
echo '<p>' . implode('</p><p>', $errors) . '</p>';
}
?>
<form method="post" action="">
<h4>Username:</h4>
<input type="text" name="username" value="<?php if(isset($_POST['username'])) echo htmlentities($_POST['username']); ?>" />
<h4>Password:</h4>
<input type="password" name="password" />
<br>
<input type="submit" name="Login" />
</form>
<br>
<a href="confirm-recover.php">Forgot your username/password?</a>
<?php
require_once 'includes/footer.php';
// Note: this block runs after the page and footer have already been output, so header() and
// the $errors display above only work if header.php turns on output buffering (ob_start()).
if (empty($_POST) === false) {
    $username = trim($_POST['username']);
    $password = trim($_POST['password']);
    if (empty($username) === true || empty($password) === true) {
        $errors[] = 'Sorry, but we need your username and password.';
    } else if ($users->user_exists($username) === false) {
        $errors[] = 'Sorry, that username doesn\'t exist.';
    } else if ($users->email_confirmed($username) === false) {
        $errors[] = 'Sorry, but you need to activate your account.
Please check your email.';
    } else {
        $login = $users->login($username, $password);
        if ($login === false) {
            $errors[] = 'Sorry, that username/password is invalid';
        }else {
            session_regenerate_id(true); // destroying the old session id and creating a new one (session fixation defence)
            $_SESSION['id'] = $login;
            header('Location: index.php');
            exit();
        }
    }
}
?>
Hoping someone will be able to point me in the right direction.
Upvotes: 0
Views: 1745
Reputation: 490
Look below at where I've done "/* EDIT IS HERE */". You need to run session_start(); at the top of the page to initiate the session; it should really be in a config file. Then you need to pull it from the database and store it in a $_SESSION global variable.
I know from your G+ that you're new at PHP. But one of the worst ways of doing PHP is by using inline PHP. It's not necessarily /wrong/, but you should avoid inline PHP. Keep your PHP and HTML separate; it's a lot easier to sort through errors.
public function login($username, $password) {
    global $bcrypt; // Again, get the bcrypt variable, which is defined in init.php, which is included in login.php where this function is called
    /* EDIT IS HERE */
    $query = $this->db->prepare("SELECT `password`, `AccessLevel`, `id` FROM `users` WHERE `username` = ?");
    $query->bindValue(1, $username);
    try{
        $query->execute();
        $data = $query->fetch(PDO::FETCH_ASSOC);
        if($data === false){ // no such user: fail the same way as a wrong password
            return false;
        }
        $stored_password = $data['password']; // stored hashed password
        $id = $data['id']; // id of the user to be returned if the password is verified, below.
        if($bcrypt->verify($password, $stored_password) === true){ // using the verify method to compare the password with the stored hashed password.
            /* EDIT IS HERE */
            // The role comes from the database row, never from anything the client sent;
            // session_start() must already have run before this assignment.
            $_SESSION['AccessLevel'] = $data['AccessLevel'];
            return $id; // returning the user's id
        }else{
            return false;
        }
    }catch(PDOException $e){
        die($e->getMessage()); // prints the raw DB error to the browser; log it and show a generic message instead
    }
}
LOGIN PAGE
<?php
$title = "Login";
/* EDIT IS HERE */
session_start();
require_once 'includes/header.php';
$general->logged_in_protect();
?>
<h1>Login</h1>
<?php
if(empty($errors) === false){
echo '<p>' . implode('</p><p>', $errors) . '</p>';
}
?>
BOTTOM OF LOGIN PAGE
<?php
require_once 'includes/footer.php';
if (empty($_POST) === false) {
    $username = trim($_POST['username']);
    $password = trim($_POST['password']);
    if (empty($username) === true || empty($password) === true) {
        $errors[] = 'Sorry, but we need your username and password.';
    } else if ($users->user_exists($username) === false) {
        $errors[] = 'Sorry, that username doesn\'t exist.';
    } else if ($users->email_confirmed($username) === false) {
        $errors[] = 'Sorry, but you need to activate your account.
Please check your email.';
    } else {
        $login = $users->login($username, $password);
        if ($login === false) {
            $errors[] = 'Sorry, that username/password is invalid';
        }else {
            /* EDIT IS HERE */
            // Keep session_regenerate_id(): it discards the old session id (session fixation defence)
            // but carries $_SESSION over, so the AccessLevel set in login() survives it.
            session_regenerate_id(true);
            // Compare with ===, not =: a single "=" assigns "GURU" to every user and the test always passes.
            // "GURU" stands for whichever level value you store (1, 2 or 3 in the question's scheme).
            if($_SESSION['AccessLevel'] === "GURU"){
                $_SESSION['id'] = $login;
                header('Location: index.php');
                exit();
            }
        }
    }
}
?>
Upvotes: 1
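As an added, self-contained example (not code from the question or from the answer above), here is one way to carry the numeric role from the question (1 = admin, 2 = editor, 3 = reader) into the session at login and then enforce it on pages and menu items. It uses an in-memory SQLite table with constructed users so it runs from the command line without MySQL; the table and column names (`users`, `access_level`), the helper names (`login`, `has_level`, `require_level`, `render_menu`) and the sample credentials are all assumptions made for this example.

```php
<?php
// Added example for the question above; not code from the question or the answer.
// Assumptions: a `users` table with id, username, password (bcrypt hash from
// password_hash) and access_level (1 = admin, 2 = editor, 3 = reader); all helper
// names and sample users below are invented for this example.
declare(strict_types=1);

const LEVEL_ADMIN  = 1;
const LEVEL_EDITOR = 2;
const LEVEL_READER = 3;

// Stand-in for the real MySQL connection: an in-memory SQLite table holding one
// constructed user per role, so the example runs without a database server.
function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL,
        access_level INTEGER NOT NULL
    )');
    $insert = $db->prepare('INSERT INTO users (username, password, access_level) VALUES (?, ?, ?)');
    $demoUsers = [ // constructed sample data
        ['alice', 'admin-pass',  LEVEL_ADMIN],
        ['bob',   'editor-pass', LEVEL_EDITOR],
        ['carol', 'reader-pass', LEVEL_READER],
    ];
    foreach ($demoUsers as [$username, $password, $level]) {
        $insert->execute([$username, password_hash($password, PASSWORD_BCRYPT), $level]);
    }
    return $db;
}

// Authenticate and, only on success, bind the user id and role to a fresh session id.
// Returns the user id, or null on failure. The role is taken from the database row,
// never from anything the client submitted.
function login(PDO $db, string $username, string $password): ?int
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_BCRYPT);

    $stmt = $db->prepare('SELECT id, password, access_level FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run one bcrypt verification so an unknown username costs about the same
    // time as a wrong password, and report one generic failure for both cases.
    $hash = $row === false ? $dummyHash : $row['password'];
    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }

    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // New session id at the privilege change: an id an attacker planted before login
    // (session fixation) is discarded, while existing $_SESSION data is carried over.
    session_regenerate_id(true);
    $_SESSION['id'] = (int) $row['id'];
    $_SESSION['access_level'] = (int) $row['access_level'];
    return (int) $row['id'];
}

// Lower number = more privilege, so a check for LEVEL_EDITOR also admits admins.
function has_level(int $required): bool
{
    return isset($_SESSION['access_level'])
        && (int) $_SESSION['access_level'] <= $required;
}

// Put this at the top of each protected page, before any output: it stops the request
// outright instead of merely hiding a menu link.
function require_level(int $required): void
{
    if (!has_level($required)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Menu rendering hides what the role cannot use; the target page must still call
// require_level(), because the menu is only a convenience, not the enforcement point.
function render_menu(): string
{
    $items = ['<a href="index.php">Read</a>'];
    if (has_level(LEVEL_EDITOR)) {
        $items[] = '<a href="edit.php">Add / edit</a>';
    }
    if (has_level(LEVEL_ADMIN)) {
        $items[] = '<a href="users.php">Manage users</a>';
    }
    return implode(' | ', $items);
}

$db = make_demo_db();
if (login($db, 'bob', 'editor-pass') !== null) { // the constructed editor account
    echo render_menu(), PHP_EOL;
}
var_dump(login($db, 'bob', 'wrong-pass')); // wrong password for the same account
```

The two things worth carrying back to the real application are the order of operations in `login()` (verify first, then `session_regenerate_id(true)`, then write `id` and `access_level` into the session) and the split between `has_level()` for menu decisions and `require_level()` at the top of each page, so that someone who types `edit.php` into the address bar is refused even when the link was never shown to them.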