
Prevent user from accessing admin page

Developer https://www.devze.com 2023-01-22 02:43 Source: web

I have a php login page with session control. It routes a normal user to info.php and an admin user to info_admin.php. If I login with a "normal" user it goes to info.php, however, in the address bar, I can go to info_admin.php and it doesn't kick me out, gives me access. How can I control this or prevent the user from doing this manually?

For info, I'm using this script: http://php-login-script.com/

Thanks very much!


Just to make Lotus Notes' code a bit more compact:

<?php
// $_SESSION is only populated once the session has been started on this
// request (the login script may already do this in an included file).
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}
if (!isset($_SESSION['user_level']) || ($_SESSION['user_level'] != 2)) {
    header('Location: login.php');
    exit; // stop here, otherwise the page body is still sent after the redirect
}
?>

<!-- Your page HTML here -->


I quickly scanned through the login code, it seems to be setting a variable $_SESSION['user_level'] when the user first logs in.

To allow only users with level 2, for example, put this at the top of your page. It should redirect anyone who is not a level 2 user back to the login page.

<?php
// isset() may only wrap the variable itself; the comparison goes outside it.
if (isset($_SESSION['user_level']) && $_SESSION['user_level'] == 2) {
?>

<!-- Your page HTML here -->

<?php
} else {
    header('Location: login.php');
    exit; // stop so nothing below is sent after the redirect
}
?>


The high-level approach is that upon login, store the user's access level in the session or in a database. At each page call, check against that value.


Just add an extra function that checks user level--if it's at or above the desired level, return true. If not, return false and failover. Then in your page you want to protect, fire the function with the desired level of protection.

For instance:

function checkPerms($level) {
  // $level is the minimum level this page requires; the user's own level is
  // taken from what the login script stored in $_SESSION['user_level'].
  if (isset($_SESSION['user_level']) && $_SESSION['user_level'] >= $level) {
    return true;
  } else {
    // failover: send the user back to the login page and stop rendering
    header('Location: login.php');
    exit;
  }
}

then call in your pages

checkPerms(5);

EDIT: If you were really slick, you could just add an extra param to your original function call with the user level, defaulted to the lowest value. Then, if the user validates as registered, it could check the user level at the same time.

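One way to combine the "store the level in the session, check it on every page call" approach with the checkPerms() idea is a single file that every protected page includes before any output. This is an added example, not code from the thread or from the php-login-script.com script; the file name auth.php, the function names require_level() and deny(), and the use of $_SESSION['user_level'] as set by the login script are assumptions.

```php
<?php
// auth.php (assumed name). In a protected page, before any HTML:
//   <?php require_once 'auth.php'; require_level(2); ?>
// Assumes the login script stores the user's level in $_SESSION['user_level'].

function require_level(int $min_level): void
{
    // $_SESSION is empty unless the session has been started on this request;
    // this is a no-op if an included login file already started it.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    $level = $_SESSION['user_level'] ?? null;

    // Not logged in at all (no level stored, or not a number).
    if (!is_int($level) && !ctype_digit((string) $level)) {
        deny('no session level', $min_level);
    }
    // Logged in, but with a lower level than this page requires.
    if ((int) $level < $min_level) {
        deny("level $level", $min_level);
    }
    // Otherwise fall through and let the page render.
}

function deny(string $reason, int $min_level): void
{
    // Record the attempt: a normal user typing info_admin.php into the
    // address bar shows up in the server log instead of silently succeeding.
    error_log(sprintf('access denied: %s requested %s (needs level %d, %s)',
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $_SERVER['REQUEST_URI'] ?? '-',
        $min_level,
        $reason));

    // Redirect and stop. Without exit the rest of the page is still sent to
    // any client that ignores the Location header.
    header('Location: login.php');
    exit;
}
```

Because the check runs server-side on every request, hiding the link in the menu is not needed for security; the page itself refuses to render for anyone below the required level.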
