
I made a login/logout page, but now I'd like to separate the admin from regular users as they log in. What I am trying to do is to have regular users just view available files, and the admins, well, of course they will be able to view and edit those files.

Now my set up:

Login.php

<?php
session_start();
include("password.php");
require_once "config.php";

/* Constants */
$TITLE = "Formation - User Login";
$CSS = array("assets/css/formation.css");
$JAVASCRIPT = array();
$mode = isset($_GET["mode"]) ? $_GET["mode"] : "";
$error = "";

/* Handle login/logout before any output, otherwise the header() redirects below fail */
if ($mode == "login") { /// do after login form is submitted
     $username = isset($_POST["username"]) ? $_POST["username"] : "";
     $password = isset($_POST["password"]) ? $_POST["password"] : "";
     /// check that the submitted username exists in $USERS and the password matches exactly
     if (isset($USERS[$username]) && $USERS[$username] === $password) {
          $_SESSION["login"] = $username;
          header("Location: index.php");
          exit(0);
     } else {
          $error = "Incorrect username/password. Please, try again.";
     }
} else if ($mode == "logout") {
      /// session_start() already ran at the top of the file; do not call it again here
      unset($_SESSION["login"]);
      session_destroy();
      header("Location: login.php");
      exit(0);
}

/* Template */
require_once $TEMPLATE_PATH."header.php";

if ($error != "") {
     echo "<p>$error</p>";
}

echo <<< XHTML

    <h1>$TITLE</h1>
    <form id="form" method="post" action="{$LOGIN_URL}?mode=login">
        <label id="username_label" for="username" class="normal">Username</label> :<br />
        <input id="username" name="username" type="text" value="" class="half" /><br />
        <label id="password_label" for="password" class="normal">Password</label> :<br />
        <input id="password" name="password" type="password" value="" class="half" /><br />
        <input id="submits" type="submit" value="Login" />
    </form>

XHTML;

require_once $TEMPLATE_PATH . "footer.php";

?>

Password.php (verifies users and passwords)

<?php
$USERS["drodrig1"] = "pwd1";
$USERS["jsutta"] = "pwd2";
$USERS["username3"] = "pwd3";

/// Redirect to the login page unless the session names a known user.
function check_logged(){
     global $USERS; /// $_SESSION is a superglobal and needs no "global" declaration
     if (!isset($_SESSION["login"]) || !array_key_exists($_SESSION["login"], $USERS)) {
          header("Location: login.php");
          exit(0);
     }
}
?>

Config.php

<?php

$ASSETS_URL = "https://url-link/formationXX/assets/";
$ASSETS_PATH = "serverpath/formationXX/assets/";
$TEMPLATE_URL = "https://url-link/formationXX/assets/template/";
$TEMPLATE_PATH = "serverpath/formationXX/assets/template/";
$LOGIN_URL = "https://url-link/formationXX/login.php";
$LOGIN_PATH = "serverpath/formationXX/login.php";

?>

Index.php (After login, this is where I want to see the admin differentiated from a regular user. The admin should be able to see and edit the following: CSS, JS, Email, PDF and Spread Sheet. Meanwhile, a user can only view all of them except CSS and JS.)

<?php

require_once "config.php";
session_start(); /// initialize session
include("password.php"); 
check_logged(); /// function checks if visitor is logged.

/* Constants */
$TITLE = "Formation - User Login";
$CSS = array("assets/css/formation.css");
$JAVASCRIPT = array();
/* Template */

require_once $TEMPLATE_PATH."header.php";

echo <<< XHTML
        <form id="form" method="post" action="{$LOGIN_URL}?mode=login">
          <div class="full row column">
            <h1>{$TITLE}</h1>
          </div>
          <div class="full row column">
            <div class="half column small">
              <p>Logged in as: <strong>{$_SESSION["login"]}</strong> | <a href="{$LOGIN_URL}?mode=logout" class="small">Logout</a></p><br />
              Add Form | Delete Selected Form(s)
            </div>
          </div>
          <div class="full row column">
            <table id="formslist" cellpadding="0" cellspacing="0">
              <thead>
                <tr>
                  <th class="form_select">
                    <input id="selectallforms" name="selectallforms" type="checkbox" value="Select All Forms" />
                  </th>
                  <th class="form_id">ID</th>
                  <th class="form_url">URL</th>
                  <th class="form_dates">Launch Date</th>
                  <th class="form_dates">Expiration Date</th>
                  <th class="form_autofill">Autofill</th>
                  <th class="form_save">CSS</th>
                  <th class="form_save">JS</th>
                  <th class="form_save">Email</th>
                  <th class="form_save">PDF</th>
                  <th class="form_dates">Spread sheet</th>
                </tr>
              </thead>
            </table>
          </div>
        </form>
XHTML;

require_once $TEMPLATE_PATH . "footer.php";

?>
Gromstone
  • Hi, this is a lot of code. What is your question? – Pekka Oct 31 '12 at 14:05
    I believe you need one more session variable for the user type, `admin` or `users`, then `if ($_SESSION['user_type'] == "users")`; then go try this. http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes/7397773#7397773 – Rafee Oct 31 '12 at 14:05
  • You have multiple `session_start();`s in login.php, remove it from `else if ...` block. – Sampo Sarrala - codidact.org Oct 31 '12 at 14:07
  • @Sampo Thanks!, I didn't notice that. – Gromstone Oct 31 '12 at 14:14
  • @Gromstone It's up to you, but it helps if you write proper English. If you left your opening 'so' out of the paragraph it would be more elegant and not alter the meaning. You want people to answer your questions but you begin with superfluous words. – Pete Oct 31 '12 at 14:18
  • @Pete So, you are saying it is not proper English? But that still does not provide adequate information to improve this PHP login. – Gromstone Oct 31 '12 at 14:23
  • @PenguinCoder Thanks. I was just having a bit of fun. I don't hear real people using 'so' in this context, but maybe it's not idiomatic in Ireland :) – Pete Oct 31 '12 at 14:24

1 Answer


When a user that is logged in tries to edit something, you should check whether that user has enough privileges to do so.

For example, here are your users:

$USERS["drodrig1"]['passw'] = "pwd1"; 
$USERS["jsutta"]['passw'] = "pwd2"; 
$USERS["username3"]['passw'] = "pwd3"; 

$USERS["drodrig1"]['level'] = 0; 
$USERS["jsutta"]['level'] = 1; 
$USERS["username3"]['level'] = 0;

And here is how we check if user can or can't do something:

// Only proceed when an edit was requested AND the logged-in user has level 1:
if (isset($_GET['action']) && $_GET['action'] === 'edit' && $USERS[$_SESSION["login"]]['level'] === 1) {
    // Go to the function where the user's changes get saved to files or db:
    saveChanges($_POST);
} else {
    die("<h1>Sorry, you can't do that!</h1>");
}

Btw, there are many problems in your code, but still it is good for learning PHP.
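A worked version of the setup in the question (login.php, password.php, the index.php table) together with the level check from the answer, as an added example that is not part of the original question or answer. It assumes things the page does not state: passwords are stored as `password_hash()` output rather than plain text, each user has a `role` instead of a numeric `level`, a `$PERMISSIONS` matrix lists which role may view or edit which file type, and the edit link points at a hypothetical `edit.php`. The usernames, passwords and roles are constructed sample data.

```php
<?php
// Added example (not code from the question or the answer): role-based access for
// the asker's login/index pages. Assumptions: hashed passwords, a 'role' per user,
// a $PERMISSIONS matrix, and a hypothetical edit.php page behind the edit links.
declare(strict_types=1);

// Replacement for password.php. Hashes are computed here only so the file runs on
// its own; in real use, compute them once and store the resulting strings.
// Constructed sample users.
$USERS = [
    'drodrig1'  => ['hash' => password_hash('pwd1', PASSWORD_DEFAULT), 'role' => 'user'],
    'jsutta'    => ['hash' => password_hash('pwd2', PASSWORD_DEFAULT), 'role' => 'admin'],
    'username3' => ['hash' => password_hash('pwd3', PASSWORD_DEFAULT), 'role' => 'user'],
];

// Role -> resource -> allowed actions, following the question: admins view and edit
// everything; regular users only view Email, PDF and the spreadsheet.
$PERMISSIONS = [
    'admin' => ['css' => ['view', 'edit'], 'js' => ['view', 'edit'], 'email' => ['view', 'edit'],
                'pdf' => ['view', 'edit'], 'spreadsheet' => ['view', 'edit']],
    'user'  => ['email' => ['view'], 'pdf' => ['view'], 'spreadsheet' => ['view']],
];

// Returns the username on success, null otherwise. password_verify() does the
// comparison against the stored hash, so no plain-text password is ever compared.
function authenticate(array $users, string $username, string $password): ?string
{
    if (!isset($users[$username])) {
        return null;
    }
    return password_verify($password, $users[$username]['hash']) ? $username : null;
}

// Pure permission check: unknown user, unknown role, unknown resource or unlisted
// action all answer "no" (deny by default).
function can(array $users, array $permissions, ?string $username, string $resource, string $action): bool
{
    if ($username === null || !isset($users[$username])) {
        return false;
    }
    $role = $users[$username]['role'];
    return in_array($action, $permissions[$role][$resource] ?? [], true);
}

// Replacement for check_logged(): the logged-in username, or null if the session
// does not name a known user. Call session_start() before using it.
function current_user(array $users): ?string
{
    $login = $_SESSION['login'] ?? null;
    return ($login !== null && isset($users[$login])) ? $login : null;
}

// Guard for a page such as edit.php?type=css: the decision is made here on the
// server, regardless of which links the user was shown in index.php.
function require_permission(array $users, array $permissions, string $resource, string $action): void
{
    $user = current_user($users);
    if ($user === null) {
        header('Location: login.php');
        exit;
    }
    if (!can($users, $permissions, $user, $resource, $action)) {
        http_response_code(403);
        exit('<h1>Sorry, you can\'t do that!</h1>');
    }
}

// Table cell for index.php: empty for users who may not view the column, and with
// an edit link only for users who may edit it.
function column_markup(array $users, array $permissions, ?string $user, string $resource): string
{
    if (!can($users, $permissions, $user, $resource, 'view')) {
        return '';
    }
    $label = htmlspecialchars(ucfirst($resource), ENT_QUOTES, 'UTF-8');
    $edit  = can($users, $permissions, $user, $resource, 'edit')
        ? ' <a href="edit.php?type=' . rawurlencode($resource) . '">edit</a>'
        : '';
    return "<td class=\"form_save\">{$label}{$edit}</td>";
}

// Constructed command-line demo; the web pages call authenticate(),
// require_permission() and column_markup() instead.
if (PHP_SAPI === 'cli') {
    var_dump(authenticate($USERS, 'jsutta', 'pwd2') === 'jsutta');
    var_dump(authenticate($USERS, 'jsutta', 'wrong') === null);
    var_dump(can($USERS, $PERMISSIONS, 'drodrig1', 'css', 'view'));  // regular user asks to view CSS
    var_dump(can($USERS, $PERMISSIONS, 'drodrig1', 'pdf', 'edit'));  // regular user asks to edit PDF
    var_dump(can($USERS, $PERMISSIONS, 'jsutta', 'js', 'edit'));     // admin asks to edit JS
    echo column_markup($USERS, $PERMISSIONS, 'drodrig1', 'pdf'), "\n";
}
```

In login.php the `mode == "login"` branch would call `authenticate()`, and on success run `session_regenerate_id(true)` before setting `$_SESSION['login']`, so the session id issued before login is not kept. Hiding the CSS and JS columns in index.php is only presentation; the check that matters is `require_permission()` at the top of whichever script actually saves the edit, since a user can request that URL directly without ever seeing the link.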