Text menu with PHP variable permission testing.

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts
  • pipesportugal
    Second Lieutenant

    • Jul 2007
    • 130

    Text menu with PHP variable permission testing.

    Hello Dear Colleagues from Vodahost forum,

    I have a text menu and I would like to show the several options but when the operator chooses the option, he could jump to that url only if he has permission for seeing it.

    Something like:
    if($operator_type == "Admin")
    {
    ...normal url....
    }
    else
    {
    .... another url page (just saying he does not have permission for watching it)....
    }

    I don't know if I made my self clear of what I am looking for..?

    I hope that someone can help me.

    The example is there at www.pipesportugal.com

    pipesportugal
  • Watdaflip
    Major General

    • Sep 2005
    • 2116

    #2
    Re: Text menu with PHP variable permission testing.

    Getting a certain menu to only show to an admin is not that hard of a task, the difficulty comes with knowing who is an admin or not. How were you planning on distinguishing an admin (that is unless this is the part you are stuck on, you didn't ask any question).

    You can do it many different ways...

    1) Have a login that creates a session or cookie and check against that to show the admin menu. (this is a little more complicated to do, only a, very very simple one will be able to be explained on the forum)

    2) A password stored in the url, ie. it could be setup as http://www.yoursite.com/?pw=SomePassword
    if the user has the correct password in the url, they will be able to see the menu (major problem is you will have to enter the password to begin with in the url, and will have to add a script to every page with the menu to add the password to the url for all the links)

    3) By IP Address, if the user has a certain ip they can see the menu (major problem is you most likely have a dynamic ip on your own internet connection, so you would have to continually update this)

    These are a couple ways I can think of doing it, some much less secure then other, but considering it is just a menu it shouldn't matter, if the pages the menu links to is important and should only be viewable by admins then they should be protected anyway.

    So what exactly are you having trouble with?

    Register/Login Script
    Do you use a Password Protected Directory? Need a way to allow users to make their own account, try my .htaccess Login Script

    Comment

    • pipesportugal
      Second Lieutenant

      • Jul 2007
      • 130

      #3
      Re: Text menu with PHP variable permission testing.

      Hi Watdaflip,

      I have the login / access covered up. When the operator arrives to this "menu" I know by using session variables who the user is and which "access level" he has.

      There are 4 different access level users (1-2-3-4) and depending on this level I would like to allow the operator to access some options and prevent him from accessing others.

      One of the possibilities is to create 4 diferent menus which would display differently depending on the operator level. I know how to do this with php in a html box, but I don't like the idea so much because I would like to give the low access users a "smell" of what they could access, but can't access.

      Another of my difficulties is that all the links of this menus are directing the operator to visualise pdf files (such as pricelists, and so on confidential stuff...) , so there's nothing I can do from this side.

      Unless I get from the forum a better idea, I will call a php url that will test the operators access level:

      if ($accesslevel == "Admin")
      {
      header("Location: accessgranted.php");
      }
      else
      {
      header("Location: accessdenied.php");
      }

      I am not sure if I can use the header function to call a pdf....?!

      Any help/idea would be appreciated.

      Can You explain a little bit better Your idea of the url with password ?

      Thanks,
      pipesportugal

      Comment

      • Watdaflip
        Major General

        • Sep 2005
        • 2116

        #4
        Re: Text menu with PHP variable permission testing.

        Using the header function as you are is the same as a redirect.

        If you want to restrict access to .pdf files I can only think of two things that might work. (I say might b/c I have never needed to or tried to)

        1) use fopen() and fread() functions to open the pdf file and then use some code like this (I don't know exact code offhand, this will download the file)

        $name = "some_file.pdf";
        $size = filesize("/home/user/public_hmlt/files/pdf/".$name);
        header("Pragma: public");
        header("Cache-Control: private",false);
        header("Content-Disposition: attachment; filename=$name");
        header("Content-length: $size");
        header("Content-type: application/pdf");
        echo $content_of_pdf;

        2) try an include("filename.pdf");


        The url password is really simple, just do something like

        URL: http://www.yoursite.com/?pw=someword

        <?
        $hardcoded_password = "some password";
        $pw = $_GET['pw'];
        if($pw == $hardcoded_password)
        // grant access
        else
        // access denied

        But if you do is this way you want to add at the end of every url the password if they have already entered it so they don't have to do it again
        so I would make a function

        function urlPW()
        {
        $password = $_GET['pw'];
        if($password != "")
        echo "?pw=".$password;
        }

        Then at the end of your url have
        http://www.yoursite.com/somefile.php<?=urlPW()?>
        or if its already being echo'ed
        echo "http://www.yoursite.com/somefile.php".urlPW();


        I hope that helps, post if you need anymore help

        Register/Login Script
        Do you use a Password Protected Directory? Need a way to allow users to make their own account, try my .htaccess Login Script

        Comment

        • navaldesign
          General & Forum Moderator

          • Oct 2005
          • 12080

          #5
          Re: Text menu with PHP variable permission testing.

          You have a simple solution:

          1. define the URL for every button (or other kind of link) directly from the session variable that defines the access level. So you would have something like:

          $level = $_SESSION[level]; (where, as you said, level can be 1,2,3 or 4)

          2. Then you need another piece of code that will define the URL for button nr 1 according to the access level;

          switch ($level) {
          case 1:
          $URL1 = " ......... "; // whatever you want the linked URL to be
          break;
          case 2:
          $URL1 = " ........." ;
          break;
          case 3:
          $URL1 = " .......";
          break;
          case 4:
          $URL1 = " ........";
          }


          This way, the URL for button 1 will assume the correct value according to the level case.
          If you have more buttons that also are variable with the level value, repeat similarly.

          Then, if you are using BV, simply place in the URL field of the button (or any other type of link) : <? echo $URL1;?>

          In the same way, you can define also if a button should appear or not, by using an if statement before each button. However, this requires independent buttons for each link and not a BV menubar, as it is hard (only possible by hand editing the code of the page) to edit the code.

          The ideal for this case menu, would consist in separate text links that allow you to add in the before and after Tag, the if statement that will make the decision on displaying or not the link.
          Navaldesign
          Logger Lite: Low Cost, Customizable, multifeatured Login script
          Instant Download Cart: a Powerfull, Customized, in site, DB driven, e-products Cart
          DBTechnosystems.com Forms, Databases, Shopping Carts, Instant Download Carts, Loggin Systems and more....
          Advanced BlueVoda Form Processor : No coding form processor! Just install and use! Now with built in CAPTCHA!

          Comment

          • pipesportugal
            Second Lieutenant

            • Jul 2007
            • 130

            #6
            Re: Text menu with PHP variable permission testing.

            Hi Navaldesign,

            Thank You for the suggestion. It's simple and works great.

            Regarding Watdaflip suggestion to "control" the pdf file, I did not quite understand his idea to be honest, also I never tried the fopen and fread functions of php so far. I could not even imagine, so far, that we could "touch" a php file.

            I tell You a little bit more of my text menu:
            The access problem is solved (as Naval suggested is just fine...)
            My biggest problems are the pricelists, which my competitors would surely like to have them in their hands.
            In case they are able to get the direct link to these pricelists pdf files, there is nothing I can do to avoid them to open or download them whenever they want.

            So (unless i get a better idea) I'll tell what I will do:
            1) I will name the pricelists with not its real name on the server, but with names such as aaa.pdf, bbb.pdf, ccc.pdf.
            2) When the user (for example login: donkey) logs onto the system (if he is authorised to download the pricelists...) I will copy the aaa.pdf file to pricelistdonkey1.pdf and the bbb.pdf to pricelistdonkey2.pdf and so on.
            3) These are the files that he will open or donwload.
            3) After he logs out, imediately before he logs out I delete those files.

            This way there is never a commonly known link to this pdf file.

            If another user logs in (or not) tries to "execute" the link to pricelistdonkey1.pdf, unless he is logged in as donkey it will give him a 404 ERROR.

            What do You guys think ?

            Thanks again both of You,

            pipesportugal

            Comment

            • navaldesign
              General & Forum Moderator

              • Oct 2005
              • 12080

              #7
              Re: Text menu with PHP variable permission testing.

              You can use a forced download code to make the pdf file download to the user's computer. Such a code allows you to define the name of the file as it will be downloaded, to be different from the real filename (which, in any case, is NOT revieled). This way, if anyone tries to download the file directly, simply doesn't find it (he gets a 404 error). Have a look at http://www.vodahost.com/vodatalk/blu...-play-mp3.html

              By changing the line

              header("Content-Disposition: attachment; filename=$filename");


              to be

              header("Content-Disposition: attachment; filename=$user_filename");

              the file will be downloaded with whatever name you like (Like "Price List")

              whilst $filename is the full (path/filename) name of the actual file.

              For $filename i usually use a prefix_filename.pdf type, where the prefix is usually the md5() of $now = time(). So the file is actually saved on the server with the real name which will be something like sfa463aedsae4s4s53as553sd4545e_filename.pdf but is downloaded on the users computer as Price List
              Navaldesign
              Logger Lite: Low Cost, Customizable, multifeatured Login script
              Instant Download Cart: a Powerfull, Customized, in site, DB driven, e-products Cart
              DBTechnosystems.com Forms, Databases, Shopping Carts, Instant Download Carts, Loggin Systems and more....
              Advanced BlueVoda Form Processor : No coding form processor! Just install and use! Now with built in CAPTCHA!

              Comment

              • pipesportugal
                Second Lieutenant

                • Jul 2007
                • 130

                #8
                Re: Text menu with PHP variable permission testing.

                Hello,

                I have been messing around with Your suggestions before posting my conclusion.

                They all work perfect and are already being used by me.
                Thank You for them.

                When the site is finished I will give You a login/password so that You can have a look at it.

                I sincerely hope You guys get everything You wish from life,

                Thank You,
                pipesportugal

                Comment

                Working...
                X