0

Hi,
I have admin panel where I have one admin ( super admin ) which has full permission to all section of the website, database queries .. etc.

Now I want to create another admin (member) whit less permissions and to have access to few pages. I don't know how to start this. Can someone point me. This is what I currently use for login

$query = mysqli_query($con, "SELECT * FROM users WHERE username='".addSlashes($username)."' AND password='".addSlashes($password)."'");


    $res = mysqli_num_rows($query);

    if ($res == 1) {
        $_SESSION['username'] = $username;
        $_SESSION['password'] = $password;
        $_SESSION['userobj'] = mysqli_fetch_assoc($query);

        header('Location: main.php');
        exit;
    } else {
    echo '<a href="index.php">Wrong password/usrname. Please try again</a> ';
    }

My table for users has row 'userType' where I hold '5' for superadmin and '1' for another admin. So I guess somehow I will check for userType when is login but then?

4
Contributors
8
Replies
46
Views
2 Years
Discussion Span
Last Post by diafol
0

You would either give each page a rank number that a certain user level can access or include a portion of script to check for permissin in each page. Either way, you must document it well because you could easily forget about it.

Personally, I would create a template page and have the check as an include file to the template page, so that I don't need to worry that I have not added the check into a new page I created.

0

@Taywin,
thank you for your answer.

Can you point me to some tutorial or some sample code from where I can start?

You would either give each page a rank number that a certain user level can access 

Yes, but what if I want to have two other admins and every to have access to different pages. In this way I must give to each different rank?

Edited by JasonWung

0

If you want to do that, you may want to give each user type a rank. I prefer the super user to be the lowest number because I could give more rank levels of user type later on. May assign 255 (or whatever arbitrary value that is supposed to be high) to a guest. Also, I must ensure that user type value will never be less than or equal to 0.

To create a template page, you could look at this as an example (ignore the wordpress part but should give you a full idea of how to do it). Then on the top of the template, you check if the user type is at the appropriate rank. For example userType==1 will be for super admin only access, userType<6 will be for those users who have rank 2~5 to access, and so on. This way, you could give different access to different user rank on different pages.

0

I kinda use a template page now. I have couple of files which I include them where I need. Like header, footer, menues etc.

0

Then in the header, you could check for user rank there. Don't forget to use isset() to ensure that the value is there. ;)

0

In order to create an admin with lesser powers, create a different kind of rank variable and then copy and paste all the concurrent powers into a different segment of code using an "if" statement.

0

What I've done so far is to put one more field in each table 'level'. Then in users table I've put also one row 'level'. Now when user login I've check and store in SESSION the level and redirect.

if ( $res['level'] == 1 )
{
    // superadmin
    header('Location: admin/dash.php');
} 
elseif ( $res['level'] > 1 )
{
    // other admins
    header('Location: users/dash.php');
}
else
{
    // wrong user/password
    header('Location: index.php');
}

Then when other user than superadmin is loged in I plan to make sql query ...WHERE level=$_SESSION['level']... or something like this.
What you think guys is this going to work?

Edited by JasonWung

1

A slightly different tack would be to assign rights to roles.

Role

role_id (int, PK)
role_name (varchar)
role_rights (int, 11)

Rights

right_id (int)
right_key (varchar) e.g. Modify Users, Moderate Articles, Ban Users...
right_val (int) e.g. 1,2,4,8,16,32...

So a role_name of say "Moderator" could have role_rights of 3 (1+2 = Mod Users, Mod Articles but NOT Ban Users). The above can be quite useful if you have 32 or less rights (for 32-bit sys).

This is a simplified version of how phpBB used to assign roles and priviledges - don't know if they still do.

You can check if an user has certain powers with the & operator.

if($userRights & BAN_USER) ...
This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.