Home > Software engineering >  How to stop logged in user from accessing Admin rights by changing URL in PHP?
How to stop logged in user from accessing Admin rights by changing URL in PHP?

Time:05-11

I am trying to learn PHP and I have created two types of users in my web app - 1. Alumni and 2. Admin. While I m logged in as Alumni and change my URL to ../admin , I m getting access to all admin functions which I should not. I can't seem to understand how to handle this. What I want is when I am logged in as Alumni and change my URL I want to be redirected to login.php of Admin . Below is my code : index.php (admin)


<!DOCTYPE html>
<html lang="en">
    
<?php session_start(); ?>
<head>
  <meta charset="utf-8">
  <meta content="width=device-width, initial-scale=1.0" name="viewport">

  <title><?php echo isset($_SESSION['system']['name']) ? $_SESSION['system']['name'] : '' ?></title>
    

<?php
  if(!isset($_SESSION['login_id']))
    header('location:login.php');
 include('./header.php'); 
 // include('./auth.php'); 
 ?>

</head>
<style>
    body{
        background: #80808045;
  }
  .modal-dialog.large {
    width: 80% !important;
    max-width: unset;
  }
  .modal-dialog.mid-large {
    width: 50% !important;
    max-width: unset;
  }
  #viewer_modal .btn-close {
    position: absolute;
    z-index: 999999;
    /*right: -4.5em;*/
    background: unset;
    color: white;
    border: unset;
    font-size: 27px;
    top: 0;
}
#viewer_modal .modal-dialog {
        width: 80%;
    max-width: unset;
    height: calc(90%);
    max-height: unset;
}
  #viewer_modal .modal-content {
       background: black;
    border: unset;
    height: calc(100%);
    display: flex;
    align-items: center;
    justify-content: center;
  }
  #viewer_modal img,#viewer_modal video{
    max-height: calc(100%);
    max-width: calc(100%);
  }

</style>

<body>
    <?php include 'topbar.php' ?>
    <?php include 'navbar.php' ?>
  <div  id="alert_toast" role="alert" aria-live="assertive" aria-atomic="true">
    <div >
    </div>
  </div>
  <main id="view-panel" >
      <?php $page = isset($_GET['page']) ? $_GET['page'] :'home'; ?>
    <?php include $page.'.php' ?>
    

  </main>

  <div id="preloader"></div>
  <a href="#" ><i ></i></a>

<div  id="confirm_modal" role='dialog'>
    <div  role="document">
      <div >
        <div >
        <h5 >Confirmation</h5>
      </div>
      <div >
        <div id="delete_content"></div>
      </div>
      <div >
        <button type="button"  id='confirm' onclick="">Continue</button>
        <button type="button"  data-dismiss="modal">Close</button>
      </div>
      </div>
    </div>
  </div>
  <div  id="uni_modal" role='dialog'>
    <div  role="document">
      <div >
        <div >
        <h5 ></h5>
      </div>
      <div >
      </div>
      <div >
        <button type="button"  id='submit' onclick="$('#uni_modal form').submit()">Save</button>
        <button type="button"  data-dismiss="modal">Cancel</button>
      </div>
      </div>
    </div>
  </div>
  <div  id="viewer_modal" role='dialog'>
    <div  role="document">
      <div >
              <button type="button"  data-dismiss="modal"><span ></span></button>
              <img src="" alt="">
      </div>
    </div>
  </div>
</body>
<script>
     window.start_load = function(){
    $('body').prepend('<di id="preloader2"></di>')
  }
  window.end_load = function(){
    $('#preloader2').fadeOut('fast', function() {
        $(this).remove();
      })
  }
 window.viewer_modal = function($src = ''){
    start_load()
    var t = $src.split('.')
    t = t[1]
    if(t =='mp4'){
      var view = $("<video src='" $src "' controls autoplay></video>")
    }else{
      var view = $("<img src='" $src "' />")
    }
    $('#viewer_modal .modal-content video,#viewer_modal .modal-content img').remove()
    $('#viewer_modal .modal-content').append(view)
    $('#viewer_modal').modal({
            show:true,
            backdrop:'static',
            keyboard:false,
            focus:true
          })
          end_load()  

}
  window.uni_modal = function($title = '' , $url='',$size=""){
    start_load()
    $.ajax({
        url:$url,
        error:err=>{
            console.log()
            alert("An error occured")
        },
        success:function(resp){
            if(resp){
                $('#uni_modal .modal-title').html($title)
                $('#uni_modal .modal-body').html(resp)
                if($size != ''){
                    $('#uni_modal .modal-dialog').addClass($size)
                }else{
                    $('#uni_modal .modal-dialog').removeAttr("class").addClass("modal-dialog modal-md")
                }
                $('#uni_modal').modal({
                  show:true,
                  backdrop:'static',
                  keyboard:false,
                  focus:true
                })
                end_load()
            }
        }
    })
}
window._conf = function($msg='',$func='',$params = []){
     $('#confirm_modal #confirm').attr('onclick',$func "(" $params.join(',') ")")
     $('#confirm_modal .modal-body').html($msg)
     $('#confirm_modal').modal('show')
  }
   window.alert_toast= function($msg = 'TEST',$bg = 'success'){
      $('#alert_toast').removeClass('bg-success')
      $('#alert_toast').removeClass('bg-danger')
      $('#alert_toast').removeClass('bg-info')
      $('#alert_toast').removeClass('bg-warning')

    if($bg == 'success')
      $('#alert_toast').addClass('bg-success')
    if($bg == 'danger')
      $('#alert_toast').addClass('bg-danger')
    if($bg == 'info')
      $('#alert_toast').addClass('bg-info')
    if($bg == 'warning')
      $('#alert_toast').addClass('bg-warning')
    $('#alert_toast .toast-body').html($msg)
    $('#alert_toast').toast({delay:3000}).toast('show');
  }
  $(document).ready(function(){
    $('#preloader').fadeOut('fast', function() {
        $(this).remove();
      })
  })
  $('.datetimepicker').datetimepicker({
      format:'Y/m/d H:i',
      startDate: ' 3d'
  })
  $('.select2').select2({
    placeholder:"Please select here",
    width: "100%"
  })
</script>   
</html>

Update: I have tried putting the following code :

if (isset($_SESSION['username'])) {
      if($_SESSION['username'] !== 'admin'){
        session_destroy();
        unset($_SESSION['username']);
        header("location: login.php");
      }};

but I can't seem to get it working. Can I know where to add this code to get it working ?

CodePudding user response:

Easy use this -> PHP Session
Before you load the page check the sessions and if the user does not have rights to access the page redirect to any other page.
Example:

if($_SESSION['user_type'] == 'admin'){
   go to admin page...
} else {
  go to hell...
  header('location: login');
}

I hope it was helpfull!

CodePudding user response:

There are some ways to do it.

By the look of it you're not using any Framework and so, you don't have a routing system neither middleware methods. In this case what is there to do would be to always check if the authenticated user is an administrator or posses adimitrator privileges. That is exactly the thing Dorvalla wrote on the comment of your question. In a way or another your system must have a flag which tells if the user is or is not an admin.

  1. So if your users don't have an attribute "isAdmin" (or anything else you prefer) in the object. Do it.
  2. Now you just need to always check if authenticated user is an admin and if it is not, just block access or filter what he/she can do at the selected file or view.

Optionaly you could create your own middleware where all PHP classes your system posses passes through there and them, it's easier to filter. That is the idea of a middleware.

Hope it helps you

Page link:https//www.codepudding.com/Softwareengineering/403175.html

Prev:Trying to write a Cypress UI test that uses a passed string
Next:Remove an array from computed reverse method Vuejs
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding