Hi,
I am writing and designing a website with PHP. On this site everyone can register, and the admin can go to admin.php to manage the site. But my problem is that everyone who types www.example/login/admin.php can access admin.php. How can I prevent other users from accessing the admin page?
You probably want to look at the .htaccess file. Check this link out.
You have to make a login page for admin.php. Only the people with the correct username and password can then see the admin page and do the admin actions.
How do you define terms like "user" and "admin" and what is the process for creating/registering an account?
Generally, you would associate "users" with "roles" in your database. If a user account is supposed to be an admin, you associate that user record with the admin role. If the user is a standard user, associate them with the standard user role (which may be the default by having no role, though I'm not a big fan of implicit knowledge vs. explicit definitions in software). Users should also be able to have multiple roles, in case you have various classes of "user" and they need to have overlapping privileges.
Then, in the admin section of the site, your code would check if the current logged-in user (however you track that, you didn't specify) is in a given role before rendering the page. If not, then either send the user to another page or display a message, etc.
If every user can access the admin page, then essentially every user is an admin. How do you distinguish one from another in the code or in the data? That's where you need to start.
I am making a small webpage with Laravel that has User and Admin roles.
My 'users' table consists of name, email, password and role value (0 for user, 1 for admin).
I don't need anything fancy, so can I just make it so that every time a normal user loads a page that's meant for the administrator, he gets redirected?
To be more precise: how can I make it so that whenever a new page loads, the user's role gets checked and then my if or can statement checks whether the user is allowed to access the page?
For example I have a view:
results that displays all the match results (can be accessed by everyone), and I also have an admin/RESULTSadmin view that should only be accessed by a user that has an admin role; the rest need to get redirected. Thank you in advance!
You can make a parent controller with a method which checks what you need and extend your controllers from it (kind of the old way, but the simplest).
Another option is to make some middleware to check access.
Also please take a look at the Laravel auth mechanism: https://laravel.com/docs/9.x/authentication#password-confirmation-protecting-routes
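A middleware of the kind the answer recommends, written as an added example for this page (it is not code from the question, the answer, or Laravel itself). It assumes the question's 'users' table with a role column where 1 means admin and 0 means user, a public route named results to send non-admins back to, and the Laravel 9 convention of keeping middleware under app/Http/Middleware.

```php
<?php
// app/Http/Middleware/EnsureUserIsAdmin.php (assumed path; example code for this page)

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class EnsureUserIsAdmin
{
    // Role values as described in the question: 1 = admin, 0 = user.
    private const ROLE_ADMIN = 1;

    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();

        // Fail closed: an anonymous visitor or a logged-in non-admin never
        // reaches the controller. 'results' is the public results route
        // assumed from the question, so the user lands on a page they may see.
        if ($user === null || (int) $user->role !== self::ROLE_ADMIN) {
            return redirect()->route('results')
                ->with('error', 'You are not allowed to view that page.');
        }

        // Admin: continue down the middleware stack to the controller.
        return $next($request);
    }
}
```

Register it under an alias such as 'admin' in the $routeMiddleware array of app/Http/Kernel.php, then put every admin page in one group: `Route::middleware(['auth', 'admin'])->prefix('admin')->group(function () { ... })`. The role check then runs on every request to those routes, typed into the address bar or not, so the per-page check the question asks for lives in one place instead of in each view.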
I'm developing an application with raw PHP. But I have a problem that needs a solution. I have two types of user in my application (e.g. Administrator & User).
For the administrator, I have the following files under the "admin" folder:
Admin (Dashboard, Change password, Add User, Profile, User List etc.)
Also for the user, I have the following files under the "account" folder:
Account (My account, Change password, Edit Profile etc.)
I want that, after login, a user can't access any files in the "admin" folder. Now, after login I check the role first; if it is a user, I redirect him/her to www.example.com/account/my-account.php, but when the user hits the following URLs he/she can easily access the backend functionality:
www.example.com/admin/dashboard.php, www.example.com/admin/change-password.php, www.example.com/admin/add-user.php, www.example.com/admin/profile.php, www.example.com/admin/user-list.php
Is there any way to close the "admin" folder entrance for users?
TIA
See, according to your question you have to assign a role. Though I prefer PHP frameworks over core PHP, you could still do it.
Say you have a form where user and admin share the same login form for logging in.
And you want the admin to access all routes and restrict a few routes for the user.
So, a little bit of logic: while you create an admin or user you need to assign a role as well.
When the admin logs in, the SQL query fetches the role and he is routed according to it, and the same goes for the user.
Set a session for the user and admin role. And when you enter the target after login, with the session you have to restrict the pages so they can't be accessed by the user.
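Both the first question (admin.php reachable by anyone who types the URL) and this one (admin/*.php reachable after a one-time redirect at login) have the same cause: the role is checked once, not on every admin request. The following is an added example for this page, not code from either question or answer, showing the session-based approach the answer describes in raw PHP. The file name auth.php, the users table columns id, email, password_hash and role, and the role strings 'admin' and 'user' are assumptions; the redirect targets are the ones the question already uses.

```php
<?php
// auth.php (assumed filename; example code for this page).
// Include it at the top of every script under admin/ and account/, before any output.
declare(strict_types=1);

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

/**
 * Verify credentials against the users table and store identity plus role in
 * the session. The role is read from the database, never from the request, so a
 * client cannot promote itself by posting role=admin.
 */
function login(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash, role FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    session_regenerate_id(true);            // fresh session id once privileges change
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['role']    = $row['role'];    // 'admin' or 'user' (assumed values)
    return true;
}

/**
 * Gate for admin/*.php (and, with 'user', for account/*.php): deny by default.
 * Anything that is not a logged-in session with exactly the required role is
 * redirected and the script stops, so no admin HTML is ever sent.
 */
function require_role(string $required): void
{
    $loggedIn = !empty($_SESSION['user_id']);
    $role     = $_SESSION['role'] ?? null;

    if ($loggedIn && $role === $required) {
        return;                             // allowed: caller continues rendering
    }

    // Anonymous visitors go to the login page; a logged-in user with the wrong
    // role goes back to their own area, the same redirect the question performs.
    $target = $loggedIn ? '/account/my-account.php' : '/login.php';
    header('Location: ' . $target, true, 303);
    exit;                                   // never fall through to the page body
}
```

Each file in the admin folder then starts with `require __DIR__ . '/../auth.php'; require_role('admin');` and each file in the account folder with `require_role('user');`. The check that was happening only once at login now happens on every request, which is what closes the "folder entrance" for a URL typed directly. A single admin script that omits the include is an open door, so the include belongs at the top of every script, not only the dashboard.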
At this time, I have a simple admin login section on my web site, from which an admin can add/edit page content and add/edit pages or subjects.
Now I am thinking further down the line in this project about what this site needs in order to work the way it should. I need to add a multi-level user system.
I would think that adding a user level as an INT to my tables would allow this;
then in my pages where I have my "is_logged_in" function call I could also read the user level INT and store it in the session.
This way if the user is set to level 1, show links a;
if the user is set to level 2, show links b.
Or am I looking at this the wrong way?
No need to reinvent the wheel. What you're looking for is called Access Control List (ACL) functionality. There are lots of available solutions you can incorporate into your project. Personally I use Zend's Acl libraries but there are many more flavors out there.
How it works (basic version): you assign some ACL roles - e.g. "admin", "staff", "user", "guest" where "guest" would be your default anonymous visitor. When a user logs in, you save the ACL role in the user's session.
You then create an ACL class that assigns these roles to your resources. E.g. "admin" can read and edit anyone's data, "staff" can read "admin", "staff" and "user" data, but only edit its own and "user" data, "user" can read other "user" data but only edit its own data.
At any point in your application where you need to check if a user is allowed to perform some action or access certain sections of a website (e.g. the CMS), you check against your ACL rules to execute the action / allow access or tell the user he/she is not authorized.
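A minimal ACL of the shape the answer describes, written as an added example for this page. It is not Zend's Acl or any other library; the class name SimpleAcl, the resource names and the 'edit-own' privilege are made up here to show the own-versus-anyone distinction from the answer's staff/user example.

```php
<?php
// SimpleAcl.php: roles, resources, privileges, deny by default (example code for this page)
declare(strict_types=1);

final class SimpleAcl
{
    /** @var array<string, array<string, array<string, bool>>> role => resource => privilege => true */
    private array $rules = [];

    /** @var array<string, string|null> role => parent role it inherits from (a simple chain, no cycles) */
    private array $parents = [];

    public function addRole(string $role, ?string $inherits = null): self
    {
        $this->parents[$role] = $inherits;
        return $this;
    }

    public function allow(string $role, string $resource, string ...$privileges): self
    {
        foreach ($privileges as $p) {
            $this->rules[$role][$resource][$p] = true;
        }
        return $this;
    }

    /** Only an explicit allow on the role or one of its ancestors grants access. */
    public function isAllowed(string $role, string $resource, string $privilege): bool
    {
        for ($r = $role; $r !== null; $r = $this->parents[$r] ?? null) {
            if (!empty($this->rules[$r][$resource][$privilege])) {
                return true;
            }
        }
        return false;   // unknown role, unknown resource or no rule: denied
    }
}

// Roles from the answer; each inherits what the previous one may do.
$acl = (new SimpleAcl())
    ->addRole('guest')
    ->addRole('user', 'guest')
    ->addRole('staff', 'user')
    ->addRole('admin', 'staff')
    // "user" can read other user data but only edit its own
    ->allow('user', 'user-data', 'read', 'edit-own')
    // "staff" can read admin, staff and user data, edit its own and user data
    ->allow('staff', 'staff-data', 'read', 'edit-own')
    ->allow('staff', 'admin-data', 'read')
    ->allow('staff', 'user-data', 'edit')
    // "admin" can read and edit anyone's data and reach the CMS
    ->allow('admin', 'admin-data', 'edit')
    ->allow('admin', 'staff-data', 'edit')
    ->allow('admin', 'cms', 'access');

/**
 * Resolve an edit request: the plain 'edit' privilege covers any record,
 * 'edit-own' covers only records owned by the acting user.
 */
function canEdit(SimpleAcl $acl, string $role, string $resource, int $userId, int $ownerId): bool
{
    if ($acl->isAllowed($role, $resource, 'edit')) {
        return true;
    }
    return $userId === $ownerId && $acl->isAllowed($role, $resource, 'edit-own');
}

// In the application $role comes from the session set at login; constructed values here.
var_dump(canEdit($acl, 'user',  'user-data', 7, 7));   // user editing their own record
var_dump(canEdit($acl, 'user',  'user-data', 7, 9));   // user editing someone else's record
var_dump(canEdit($acl, 'staff', 'user-data', 7, 9));   // staff editing a user's record
var_dump($acl->isAllowed('staff', 'cms', 'access'));   // staff reaching the CMS
var_dump($acl->isAllowed('admin', 'cms', 'access'));   // admin reaching the CMS
```

The application code asks `isAllowed()` (or a wrapper like `canEdit()`) at each protected action and renders a "not authorized" message on false, which is the check the answer describes; the rules live in one place, so adding a role or resource does not mean touching every page.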
I have seen Joomla using many types of user access for the admin site. For example user, admin user, registered user and super user. The system actually knows what type of user you are once you log in. I'm trying to do the same thing for my web app. I need suggestions on how this feature can be achieved using PHP.
Assuming a user is in a database, you could have a column like role which would be user, admin, registered, or super.
Then in PHP you can use switch / if-condition blocks based on that role variable.
I am planning to build a site which will have members and member uploaded content. I need to choose between the following:
a) A separate interface for admins and users
b) Same interface for admins and users
For example, a particular module 'yellowpages' would have listings uploaded by members. When the owner of the listing visits the page, they will be shown edit/delete links by checking their session data against the database. The same will be shown to an administrator. These links will not be visible to public users. The edit/delete functions will also check if the user is the owner or an admin, so as to stop the public from accessing the edit/delete URLs directly.
Also, if the user is an admin, an additional navigation bar will be displayed on the top which has links to functions that will add/edit/modify site settings and everything.
So my question is, is the above a good way to do it? or to have separate interfaces for users and admins like http://philsturgeon.co.uk/blog/2009/07/Create-an-Admin-panel-with-CodeIgniter
There is another option too, and I prefer this.
C) Mix both of your options (a) and (b).
Create a separate interface for admins, which includes admin listing and managing of users and listings (edit/delete/ban user etc.).
Plus you can use a users-and-permissions type of setup.
For example, add a permissions table; the user type can be admin, guest, registered, moderator etc.
Depending on the login type a session will be stored, and as per the session the operations will be displayed in the front end.
Ex.:
guest will not see the "add comment" link;
registered can add comments + listings + edit own listing;
moderator can edit anyone's listing;
admin has all rights.
Depending on your application and time you can add as much as you want.
I wrote this in general terms for any application.
If you are going to use the same interface it would be less secure. An intruder would theoretically be able to become admin through the user interface. Also, while programming you will have to keep in mind that some methods would be used by both user and admin, so you can simply forget something, letting the intruder find some way in. I'd rather create one class with the methods used by admin and user (i.e. edit(), delete()) and extend it with two classes, user and admin.
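The class layout this answer proposes, written as an added example for this page (not code from the question or the answer). The point of the layout is the one the answer makes about forgetting a check: the base class performs the authorization before every edit() and delete(), and the subclasses only state who is allowed, so there is no method where the check can be left out. The class and property names, and the sample listings, are made up here.

```php
<?php
// Base class owns the gate; User and Admin subclasses only decide the policy (example code for this page).
declare(strict_types=1);

final class Listing
{
    public function __construct(public int $id, public int $ownerId, public string $title) {}
}

abstract class ListingActions
{
    public function __construct(protected int $actingUserId) {}

    /** Subclasses answer one question: may the acting user modify this listing? */
    abstract protected function mayModify(Listing $listing): bool;

    // final: a subclass cannot override edit()/delete() and drop the check.
    final public function edit(Listing $listing, string $newTitle): Listing
    {
        $this->assertAllowed($listing, 'edit');
        $listing->title = $newTitle;
        return $listing;
    }

    final public function delete(Listing $listing, array &$store): void
    {
        $this->assertAllowed($listing, 'delete');
        unset($store[$listing->id]);
    }

    private function assertAllowed(Listing $listing, string $action): void
    {
        if (!$this->mayModify($listing)) {
            // Same outcome whether the edit/delete URL was reached via a link or typed directly.
            http_response_code(403);
            throw new RuntimeException(
                "user {$this->actingUserId} may not {$action} listing {$listing->id}"
            );
        }
    }
}

final class UserListingActions extends ListingActions
{
    protected function mayModify(Listing $listing): bool
    {
        return $listing->ownerId === $this->actingUserId;   // owners only
    }
}

final class AdminListingActions extends ListingActions
{
    protected function mayModify(Listing $listing): bool
    {
        return true;                                        // admins may modify any listing
    }
}

/** Choose the subclass from the role stored in the session at login. */
function actionsFor(string $role, int $userId): ListingActions
{
    return $role === 'admin'
        ? new AdminListingActions($userId)
        : new UserListingActions($userId);
}

// Constructed sample data: two listings with different owners.
$store = [
    1 => new Listing(1, 7, 'Plumber'),
    2 => new Listing(2, 9, 'Bakery'),
];

actionsFor('user', 7)->edit($store[1], 'Plumber (24h)');   // owner editing own listing

try {
    actionsFor('user', 7)->edit($store[2], 'Hijacked');    // user 7 is not the owner of listing 2
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

actionsFor('admin', 3)->delete($store[2], $store);         // admin removing any listing
```

The edit/delete links in the view are a convenience; the check that matters is the one inside edit() and delete(), which runs regardless of how the request arrived. That is how the owner-or-admin condition from the question above is enforced server-side rather than only by hiding links.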