I have been working now a few hours on it and I cannot find the solution so I hope someone here can help me. The code I have now is working perfectly but I would like to put an 'echo' only if the user got the level as administrator; if the logged-in person doesn't have this status then the link will not be displayed. Below you can see the index.php. I would like to add there for example: Admin Panel, but this link should only be visible if the user is admin.
<p>Welcome <?php echo htmlspecialchars($_SESSION['username']); // escape before output ?>!</p>
<p>This is secure area.</p>
<p><a href="dashboard.php">Dashboard</a></p>
<a href="logout.php">Logout</a>
And my auth file
<?php
session_start();
if (!isset($_SESSION["username"])) {
    header("Location: login.php");
    exit();
}
?>
I hope there is someone here that can explain to me how to do this.
Thanks!
Loes.
Add an additional session variable for the user's access level. You can then protect pages by redirecting non-admin users back to the index/home page. You can also have some simple code to display admin links.
<?php
session_start();
// isset() avoids an undefined-index notice when no access level has been stored
if (isset($_SESSION['access']) && $_SESSION['access'] == 'admin') {
    echo "<a href='adminpage.php'>admin panel</a>";
}
?>
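To redirect non-admin users:
<?php
session_start();
if (!isset($_SESSION["access"]) || $_SESSION["access"] != 'admin') {
    header("Location: home.php");
    exit(); // without this the rest of the protected page still runs and is sent
}
?>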
this link should only be visible if the user is admin
This isn't the best solution, but the fastest:
home.php
<?php
session_start(); // needed before $_SESSION can be read
if (isset($_SESSION['username']) && $_SESSION['username'] == 'admin') {
?>
<a href='administration.php'>Administration Panel</a>
<?php
}
?>
administration.php
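<?php
session_start(); // needed before $_SESSION can be read
if (isset($_SESSION['username']) && $_SESSION['username'] == 'admin') {
?>
<p>Welcome <?php echo htmlspecialchars($_SESSION['username']); // escape before output ?>!</p>
<p>This is secure area.</p>
<p><a href="dashboard.php">Dashboard</a></p>
<a href="logout.php">Logout</a>
<?php
} else {
?>
<p>Restricted Area</p>
<?php
}
?>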
If you want a real permission system, this depends on where the username and password are saved.
When you check against your database to authenticate the user, the DB can contain a number that represents the user's ability. For example, an Admin can have a 9, where a regular user that only reads things may have 1. A contributor could have 5.
When the user is authenticated and you build the session for that user, collect this value from the DB and add it to your session.
Auth File
<?php
$user = isset($_POST['user']) ? $_POST['user'] : "";
$pass = isset($_POST['pass']) ? $_POST['pass'] : "";
if (!empty($user) AND !empty($pass)) {
    // Authenticate against DB
    // Connect DB code & Injection safe query look code ...
    // Result set ($row comes from the query code left out above):
    $security = $row['security'];
} else {
    header("location: login.php?error=" . urlencode("Bad Username or Password"));
    exit(); // stop here, otherwise the later header() calls replace this redirect
}
if (isset($security)) {
    session_start();
    session_regenerate_id(true); // fresh session ID at login
    $_SESSION['username'] = $user;
    $_SESSION['security'] = $security;
    header("location: index.php?login=successful");
    exit();
}
// if all fails, logout
header("location: logout.php");
exit();
?>
Index
<?php
session_start();
?>
<html>
<body>
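<?php
// isset() avoids an undefined-index notice when nobody is logged in
echo ((isset($_SESSION['security']) && $_SESSION['security'] > 6) ? "<a href='dashboard.php'>Dashboard</a>" : "") . "\n";
echo ((isset($_SESSION['username'])) ? "<a href='logout.php'>Logout</a>" : "<a href='login.php'>Log In</a>") . "\n";
?>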
</body>
</html>
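An added example, not part of any of the posts above: one shared guard that uses the numeric security levels from the last answer both to decide whether to show the admin link and to enforce access on the admin page itself, since hiding the link alone leaves adminpage.php reachable by typing its URL. The file name auth_guard.php, the function names, and the `username` column in `$row` are assumptions made for illustration.

```php
<?php
// auth_guard.php (hypothetical file name): include at the top of every protected page.
declare(strict_types=1);

// Levels follow the numbering used in the answer above (assumed constant names).
const LEVEL_READER = 1;
const LEVEL_CONTRIBUTOR = 5;
const LEVEL_ADMIN = 9;

// Pure check, reused for both link display and page protection.
function has_level(array $session, int $required): bool
{
    // A missing or non-numeric level counts as "no access" (fail closed).
    $level = $session['security'] ?? null;
    return isset($session['username'])
        && is_numeric($level)
        && (int) $level >= $required;
}

// Enforce the check on the server for the page being requested.
function require_level(int $required): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['username'])) {
        header('Location: login.php');
        exit(); // stop here, otherwise the rest of the page still runs
    }
    if (!has_level($_SESSION, $required)) {
        http_response_code(403);
        exit('Restricted Area');
    }
}

// Call once the password check has succeeded; $row is the user's database row.
function start_user_session(array $row): void
{
    session_start();
    session_regenerate_id(true); // new session ID when the privilege level changes
    $_SESSION['username'] = $row['username'];   // assumed column name
    $_SESSION['security'] = (int) $row['security'];
}

// In adminpage.php:  require 'auth_guard.php'; require_level(LEVEL_ADMIN);
// In index.php, after session_start():
//   if (has_level($_SESSION, LEVEL_ADMIN)) { echo "<a href='adminpage.php'>Admin Panel</a>"; }
```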