How to set to create users permissions in codeigniter - php

I am new to CodeIgniter. For a project I have three users: SuperAdmin, Admin and users.
There are base controllers:
Superadmin_Controller,
Admin_Controller,
User Controller
which all extend MY_Controller.
The SuperAdmin will create admins.
We can also set how many users an admin creates. I want that whatever number of users the admin asks for, he can only create that many users.
Till now I have managed to create different credentials for all these users. Now I want to set the permission of creating users to the number of users he asked for (number of users fetched from the database). So basically what I want to understand is: is there any way by which I can restrict the admin to creating a specific number of users? Please suggest a tutorial.

You can have 2 fields in the database for the admin, i.e. "users_limit" and "users_created": store how many users the admin may create in "users_limit", and increase the value of "users_created" by 1 whenever the admin adds a user.
Check the condition whenever the admin creates users:
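// $users_created and $users_limit are read from the admin's database row
if ($users_created < $users_limit) {
    /* allow creating user, then increase users_created by 1 */
} else {
    /* not allowed: limit reached */
}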
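The check above reads the counter and updates it in separate steps, so two simultaneous requests from the same admin can both pass it. The following is an added example, not code from the original answer, that performs the check and the increment in a single UPDATE; the table layout, the sample data and the function name createUserForAdmin are assumptions made for illustration.

```php
<?php
// Added example: constructed schema and data, in-memory SQLite so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admins (id INTEGER PRIMARY KEY,
           users_limit INTEGER NOT NULL, users_created INTEGER NOT NULL DEFAULT 0)');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY,
           admin_id INTEGER NOT NULL, username TEXT NOT NULL UNIQUE)');
$db->exec('INSERT INTO admins (id, users_limit) VALUES (1, 2)');

/** Create a user on behalf of $adminId; returns false when the quota is used up. */
function createUserForAdmin(PDO $db, int $adminId, string $username): bool
{
    $db->beginTransaction();
    try {
        // The WHERE clause is the quota check, so check and increment are one
        // statement and concurrent requests cannot both pass it.
        $claim = $db->prepare(
            'UPDATE admins SET users_created = users_created + 1
             WHERE id = :id AND users_created < users_limit'
        );
        $claim->execute([':id' => $adminId]);
        if ($claim->rowCount() !== 1) {
            $db->rollBack();
            return false;
        }
        $insert = $db->prepare('INSERT INTO users (admin_id, username) VALUES (:a, :u)');
        $insert->execute([':a' => $adminId, ':u' => $username]);
        $db->commit();
        return true;
    } catch (Throwable $e) {
        $db->rollBack(); // a failed insert must hand the quota slot back
        throw $e;
    }
}

// Limit is 2, so the third attempt is refused.
foreach (['alice', 'bob', 'carol'] as $name) {
    $ok = createUserForAdmin($db, 1, $name);
    echo $name, ': ', $ok ? 'created' : 'quota reached', PHP_EOL;
}
```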


How to route multi-level user listing and creation actions with three levels of user access.

Here is the requirements. I will have three levels of access to a dashboard that is restricted from the public (System Admin, Manager, Employee).
System admin, simply put, is essentially super admin. They have the ability to index, show, create, update, delete all companies and users.
Managers are created by system admin and assigned to a company; they have the ability to index, show, create, update, delete employees only for the company they belong to.
Employees have a read only access to their companies information and files.
Here is my current routes for the users. (using Slim Framework)
System Admin only access protected by middleware:
These actions are for the system admin to manage all users.
/*** USERS ***/
// View to List Users
$this->get('/users', 'App\Controller\User\UserController:index')->setName('user.index');
// View containing user registration form
$this->get('/users/new', 'App\Controller\User\UserController:create')->setName('user.create');
// Creates new user from registration form
$this->post('/users' , 'App\Controller\User\UserController:store');
// Show single user view
$this->get('/users/{id}', 'App\Controller\User\UserController:show')->setName('user.show');
// View containing edit user form
$this->get('/users/{id}/edit', 'App\Controller\User\UserController:edit')->setName('user.edit');
// Updates user from edit user form
$this->put('/users/{id}', 'App\Controller\User\UserController:update');
// Deletes user
$this->delete('/users/{id}', 'App\Controller\User\UserController:delete');
System Admin & Manager only access protected by middleware:
These interactions are for the manager to manage employees
/*** COMPANIES Employees ***/
// View to List Companies employees
$this->get('/companies/{id}/users', 'App\Controller\Company\CompanyUsersController:index')->setName('company.user.index');
// View containing new employee registration form
$this->get('/companies/{id}/users/new', 'App\Controller\Company\CompanyUsersController:create')->setName('company.user.create');
// Creates new employee from registration form
$this->post('/companies/{id}/users' , 'App\Controller\Company\CompanyUsersController:store');
// Show single user ({user_id} is named separately: a route pattern cannot use the placeholder {id} twice)
$this->get('/companies/{id}/users/{user_id}', 'App\Controller\Company\CompanyUsersController:show')->setName('company.user.show');
// View containing edit company employee form
$this->get('/companies/{id}/users/{user_id}/edit', 'App\Controller\Company\CompanyUsersController:edit')->setName('company.user.edit');
// Updates user from edit user form
$this->put('/companies/{id}/users/{user_id}', 'App\Controller\Company\CompanyUsersController:update');
// Deletes user
$this->delete('/companies/{id}/users/{user_id}', 'App\Controller\Company\CompanyUsersController:delete');
You will notice that for system admin, company id is not required. However, for store manager it is. So these interactions will have separate queries. My question is more about best practice. This solution seems a little redundant to me, but it effectively separates concerns as well as simplifies the methods on each controller as well as the middlewares needed for access control. Am I going about this completely wrong?
I would have the same routes for all roles as the URL represents the canonical way to view that information.
e.g.
$this->get('/companies/{id}/users', 'App\Controller\Company\CompanyUsersController:index')->setName('company.user.index');
is the correct URL for the list of users for a given company.
I understand that the store manager can only access users for her own company, but that doesn't mean that the URL has to be different. It means that even though she can access /companies/123/users, she cannot access /companies/456/users. This should be done either in group middleware or in each controller. Personally, I suspect that I'd use group middleware like this:
$app->group('/companies/{id}', function () {
    $this->get('/users', 'App\Controller\Company\CompanyUsersController:index')->setName('company.user.index');
})->add(CheckUserCompanyMiddleware::class);
and either display an error page or redirect back to the correct URL for the store manager if they go to the "wrong" company.
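One way such a company check could look, as an added example that is not part of the original answer: the decision is a plain function applying the three access levels from the question, wrapped in a Slim 3 style middleware. The role names, the `$_SESSION['user']` layout and the function name mayAccessCompany are assumptions.

```php
<?php
// Added example; role names and the session layout are assumptions.
const READ_METHODS = ['GET', 'HEAD'];

/** Decide whether $user may call $method on resources of company $companyId. */
function mayAccessCompany(array $user, int $companyId, string $method): bool
{
    $ownCompany = isset($user['company_id']) && (int) $user['company_id'] === $companyId;
    switch ($user['role'] ?? '') {
        case 'system_admin':
            return true;                                   // every company
        case 'manager':
            return $ownCompany;                            // own company, read and write
        case 'employee':
            return $ownCompany && in_array($method, READ_METHODS, true); // read only
        default:
            return false;                                  // unknown or missing role: deny
    }
}

/** Slim 3 style group middleware (callable signature: request, response, next). */
class CheckUserCompanyMiddleware
{
    public function __invoke($request, $response, $next)
    {
        // The user's company comes from the session set at login, never from the request.
        $user = $_SESSION['user'] ?? [];
        $companyId = (int) $request->getAttribute('route')->getArgument('id');
        if (!mayAccessCompany($user, $companyId, $request->getMethod())) {
            return $response->withStatus(403);
        }
        return $next($request, $response);
    }
}

// Constructed checks: a manager and an employee, both of company 123.
$manager  = ['role' => 'manager',  'company_id' => 123];
$employee = ['role' => 'employee', 'company_id' => 123];
$cases = [[$manager, 123, 'POST'], [$manager, 456, 'GET'],
          [$employee, 123, 'GET'], [$employee, 123, 'DELETE']];
foreach ($cases as [$u, $c, $m]) {
    $verdict = mayAccessCompany($u, $c, $m) ? 'allow' : '403';
    printf("%-8s %-6s /companies/%d/users -> %s\n", $u['role'], $m, $c, $verdict);
}
```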

I want to create multi admin store in opencart where each admin should get some specific data not admin data.

Actually I have created one user group and created different admins, but my problem is that I am getting all the data that is inside admin. I want to get only specific data for a particular admin. Is it possible through a tool in OpenCart? If anyone has done this, kindly explain it to me.
The User section lets you customize which users can access the admin side of the store, and what sections can be accessed or modified by them.
Before you begin creating user profiles, you should visit System > Users > User Groups to set specific access and modification permissions.
With the user groups set up, the individual users can be saved to the administration side of your store under System > Users > Users.
The User Group selected from the drop down box will assign specific permissions to the user.
Check links,
create user,
create user group

Allowing Wordpress Users Multiple Logins

I've got a client using a WordPress site. They've got users in their site that have a series of extra fields that they can fill out; these fields save as metadata for that user. The client now wants his 'manager' level users to be able to create extra username/password combinations that would allow access to that particular 'manager' account. All of those username/password combos would be able to edit their manager's profile fields but not manage the other username/password 'aliases' for that manager's account.
I can't find anything similar available via plugin. Does anyone know of anything, or could recommend a specific course of action for me to take to create a plugin that would do this? I'm prepared to write a custom plugin for this, but I want to know I'm doing it correctly. Should I create a new user role that can not see their own profile but instead the profile of the user that created them? And then allow a specific role the ability to create a user of that new limited role?
Thoughts?
Thank you!
I think you will have to create an extra table in the database linked to wp_users, with the user id as foreign key, and store the user name and password there. But this process involves modification of WordPress admin files.

Displays a menu based on permissions in CodeIgniter

there is no right to access the menu home, profile, gallery, contact us.
I have 2 types of user, that is, the administrator and the operator. E.g. the administrator sees just the home, profile, and contact us menus, while the operator sees just the home and profile menus. How do I differentiate the permissions in CodeIgniter?
Please help me, thank you :)
A simple way is to provide a profile id to differentiate the users. For example, 1 for Admin and 2 for Operator. When you are displaying the menu in the view file, put some conditions on your menu display using the profile id.
Note: save the profile id in session data with the user data.
Having different user types works if you never envision having more than two types or people that need one admin permission but not another. A better, or rather more future proof, way to do it is through roles.
Create a roles table with your different roles in it, for your use now you would have Admin and User roles. Then you create a join table that would hold the RoleId and the UserId. When a user logs in you create a session variable and populate it with an array of the different roles they hold, then when you have a specific page that requires protection you simply have to check that array for the required permission.
As an example say you have a business site, you require user logins, a main admin login, a sales login and a warehouse login. Let's say for the sake of argument that sales and warehouse need the ability to edit products, but the warehouse shouldn't be allowed to edit prices. You could of course assign different user types and then check for those user types when a page is loaded but the more and more permissions required the messier that gets. With the roles you assign warehouse and sales people the product permission role and only sales get the price editing permission.
As I said if you only ever require two separate user types with two distinct sets of permissions, role based authentication is probably overkill. But that being said it can't hurt to plan and build for a situation where you find you're going to need more.

problem with access to specify pages for users

Hi,
I am writing and designing a website with PHP. In this site everyone can register, and the admin can go to admin.php to manage the site. But my problem is that everyone who types www.example/login/admin.php can access admin.php. How can I prevent other users from accessing the admin page?
You probably want to look at the .htaccess file. Check this link out
You have to make a login page for admin.php. Only people with the correct username and password can see the admin page and perform admin actions.
How do you define terms like "user" and "admin" and what is the process for creating/registering an account?
Generally, you would associate "users" with "roles" in your database. If a user account is supposed to be an admin, you associate that user record with the admin role. If the user is a standard user, associate them with the standard user role (which may be the default by having no role, though I'm not a big fan of implicit knowledge vs. explicit definitions in software). Users should also be able to have multiple roles, in case you have various classes of "user" and they need to have overlapping privileges.
Then, in the admin section of the site, your code would check if the current logged-in user (however you track that, you didn't specify) is in a given role before rendering the page. If not, then either send the user to another page or display a message, etc.
If every user can access the admin page, then essentially every user is an admin. How do you distinguish one from another in the code or in the data? That's where you need to start.
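The role check described in this answer, and the roles table with a join table suggested in the menu-permissions thread above, as one added example that is not code from either answer. The schema, the sample users and the function names loadRoles and requireRole are assumptions; the role names follow the sales/warehouse illustration.

```php
<?php
// Added example: schema, users and role names are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE)');
$db->exec('CREATE TABLE roles (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE)');
$db->exec('CREATE TABLE user_roles (user_id INTEGER NOT NULL, role_id INTEGER NOT NULL,
           PRIMARY KEY (user_id, role_id))');
$db->exec("INSERT INTO users VALUES (1, 'sales_sam'), (2, 'warehouse_wen'), (3, 'admin_ada')");
$db->exec("INSERT INTO roles VALUES (1, 'admin'), (2, 'product_edit'), (3, 'price_edit')");
$db->exec('INSERT INTO user_roles VALUES (1, 2), (1, 3), (2, 2), (3, 1)');

/** Run once at login: role names to store in the session array. */
function loadRoles(PDO $db, int $userId): array
{
    $q = $db->prepare(
        'SELECT r.name FROM roles r
         JOIN user_roles ur ON ur.role_id = r.id
         WHERE ur.user_id = ? ORDER BY r.name'
    );
    $q->execute([$userId]);
    return $q->fetchAll(PDO::FETCH_COLUMN);
}

/** Call first thing in a protected page such as admin.php, before any output. */
function requireRole(array $session, string $role): void
{
    // No session or no matching role: deny. Being logged in is not enough.
    if (!in_array($role, $session['roles'] ?? [], true)) {
        throw new RuntimeException("403 forbidden: role '$role' required");
    }
}

$checks = [[1, 'price_edit'], [2, 'product_edit'], [2, 'price_edit'], [2, 'admin'], [3, 'admin']];
foreach ($checks as [$userId, $role]) {
    // Stands in for $_SESSION as populated at login.
    $session = ['user_id' => $userId, 'roles' => loadRoles($db, $userId)];
    try {
        requireRole($session, $role);
        echo "user $userId -> $role: allowed", PHP_EOL;
    } catch (RuntimeException $e) {
        echo "user $userId -> $role: ", $e->getMessage(), PHP_EOL;
    }
}
```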
