I'm developing a application with raw PHP. But I have a problem that needs solution. I have two types of user in my application (e.g: Administrator & User).
For administrator, I have following files under "admin" folder,
Admin (Dashboard, Change password, Add User, Profile, User List etc.)
Also for user, I have following files under "account" folder
Account (My account, Change password, Edit Profile etc.)
I want, after login user can't access any files of "admin" folder. Now, after login I check the role first, if use then I redirect him/her to www.example.com/account/my-account.php but, when user hit the following url then he/she can easily access backend functionalities.
www.example.com/admin/dashboard.php, www.example.com/admin/change-password.php, www.example.com/admin/add-user.php, www.example.com/admin/profile.php, www.example.com/admin/user-list.php
Is there any way to close the "admin" folder entrance for user?
TIA
See according to your question you have to assign a role. Though I prefer php frameworks more than a core php but still you could do.
Say you have a form where user and admin shares the same login form for logging purpose.
And you want admin to access all route and restrict few route to the user.
So , the little bit of logic, while you create admin or user you need to assign role as well.
When admin logs in ,according to it, the sql query fetches role and he is routed according to it and same goes with user also.
Set session for user and admin role. And when you enter to target after login the session you have to restrict pages not to acces by user.
Related
I have a users based site (PHP).
When a user is created, a random password is generated and they have the ability to change it.
The password is saved using
password_hash($password,PASSWORD_DEFAULT)
At login i use password_verify() to check the password and log them in to the site.
The site has an Admin Panel (in different session) and i want to give the Admin the possibility to login users without knowing their password.
I want to know what is the safest way to do so, prefer without 'master password'.
The site :
www.my-site.com
The admin panel :
www.my-site.com/admin/
I think the easiest way to do so would be simply bypassing auth if logged in as admin.
For example, let's say that you have users.php script that lists all users. It also gives you "admin" cookie when logged in as admin.
There you can add button Manage/Panel/anything else, which will take you to admin.php with GET parameter, for example, ?user=someone. Script will check if you have that "admin" cookie, and if you do, will open admin panel.
If you don't have this cookie, it will throw 403 or anything you want.
I want to create multiple logins at a time on the same browser, like admin and user.
For that we are using different models like LoginForm.php and Adminlogin.php and different identity classes, i.e. User.php and Admin.php. But when we login with admin and at that time we want to login as a user admin gets logout and user gets login.
But I want to login both admin and user at same time. How to do that?
This is happening because, when a user is logged in by any role say admin, than internally like
$_SESSION['logged_in'] = true;
$_SESSION['user_id'] = logged in user id;
when you logged in again with a diff user then the value in $_SESSION['user_id'] is overrides by the new logged in user.
So with this approach you cannot make this happen.
The best way to achieve this is to provide a role change functionality after logged in.
you can add a prefix,
like
SESSION['ADMIN_user_name']
is a admin user,
other is normal user.
My recommendation would be to use Yii 2 Advanced Application Template. This way you can have a frontend and a backend, each with their own user component for login and it's own session.
This way you can also separate views and controllers that need to be exclusive to normal users or admin users, while also sharing through common models and modules that are used by both types of users.
I have seen Joomla using many types of user access for the admin site. For example user, admin user, registered user and super user. The system actually know what type of user you are once we logged in. I'm trying to do the same thing for my web app. I need any suggestions on how this features can be achieved using PHP.
Assuming a user is in a database, you could have an column like role which would be user, admin, registered, and super.
Then in PHP you can use switch / if-condition blocks based on that role variable.
I would like to secure some of my pages with a username and password, so that no-one can access those pages without logging in. Only Registered users can view those pages. And we also want to put registration form for users to enter his/her basic details. Once user registered his details will be saved in database and sent mail to admin.
Could you please suggest me any plugin, or suitable information for making this application?
Wordpress comes with a builtin user management feature. You can create Roles and then assign specific users to these roles. You can then use a plugin (there are several) to manage what those users can or cannot see. Here is one.
http://wordpress.org/extend/plugins/capa/
HI,
i am writing and designing a website with php.in this site every want can register and admin can go to admin.php for manage the site.but my problem is that every one that type www.example/login/admin.php can access to admin.php.how can i prevent other users that can't access to admin page?
You probably want to look at .htaccess file. Check this link out
You have to do the login page for the admin.php. Only if the people with the correct username and password can see the admin page and do the admin action
How do you define terms like "user" and "admin" and what is the process for creating/registering an account?
Generally, you would associate "users" with "roles" in your database. If a user account is supposed to be an admin, you associate that user record with the admin role. If the user is a standard user, associate them with the standard user role (which may be the default by having no role, though I'm not a big fan of implicit knowledge vs. explicit definitions in software). Users should also be able to have multiple roles, in case you have various classes of "user" and they need to have overlapping privileges.
Then, in the admin section of the site, your code would check if the current logged-in user (however you track that, you didn't specify) is in a given role before rendering the page. If not, then either send the user to another page or display a message, etc.
If every user can access the admin page, then essentially every user is an admin. How do you distinguish one from another in the code or in the data? That's where you need to start.