5

I'm trying to achieve something I can't wrap my mind around. The thing is that when a specific user is logged in, I store in the session the user and the fact that he is logged in.

Before you tell me, yes, I know this isn't best practice, but the purpose of this page is internal only and there is no possibility of it being hacked or so, because you can only access it internally.

Anyway, the point is that there are some editable fields in a table which should be editable only by the admin but only visible to the rest.

To achieve the editable table I used the DataTables library together with some AJAX and jQuery.

I can't think of a method to restrict editing when the logged-in user is not admin other than:

var logged = <?php echo $_SESSION['logged_user'];?>;
if (logged=='admin') {
    // action here
}

Do you know a better or easier-to-understand method? Thank you very much!

6
  • 1
    Even if you say it is for internal purposes only, it's still horrible. Open your F12 and see your mistake ;) Commented Jun 22, 2016 at 7:48
  • 2
    var logged = <?php echo $_SESSION['logged_user'];?>; should be var logged = '<?php echo $_SESSION['logged_user'];?>'; first of all.. Commented Jun 22, 2016 at 7:48
  • Many ways to achieve this, but it all depends on how you are extracting this editable data. I see you have mentioned the use of AJAX. If you are requesting the table data via AJAX you could check the session for "admin"; depending on how you output your query result you could output JSON. Example: {"Auth":{"Admin":true},"Inputs":{"InputName1":"Value1", "InputName2":"Value2", "InputName3":"Value3"}} Use the inputs to build the display of the table query and check the auth to build the editable form. I would also recommend validating the session when the client attempts to update the table data. Commented Jun 22, 2016 at 8:03
  • In my experience, your fellow employees are often much better hackers than you tend to give them credit for Commented Jun 22, 2016 at 8:04
  • @NewToJS I get the data in the table with a PHP MySQL query. In a foreach I show it on the page. After that I enable DataTable in JavaScript and I use AJAX for update, delete or insert in the database. Commented Jun 22, 2016 at 8:07

3 Answers

3

One solution would be to wrap the function/functions that edit the tables in a check with pure PHP instead, so that the "normal" users don't have to load, or can't even see, the JavaScript that does this.

<?php if ($isAdmin) { // $isAdmin is set earlier in the page from the session ?>
    Javascript here
<?php } ?>

This also means normal users can't just inspect element -> remove the if statement and then do the same things.


1 Comment

I know this might not be the best solution, but it's simple and fits perfectly for what I need. Thank you very much, sir!
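The comment on the question that recommends validating the session when the client attempts to update the table is the step none of the answers show in code. What follows is an added example, not code from the question, the answers or the DataTables project: an update.php that decides on the server from $_SESSION, so that hiding the JavaScript as in the answer above stays a cosmetic convenience and the real guard survives the F12 console. Everything named in it is assumed: the login code stores $_SESSION['logged_user'] and $_SESSION['role'], rows live in an `items` table with a fixed list of editable columns, and the web path gets its $pdo from a db.php. The CLI branch builds an in-memory SQLite table and a hand-filled session (constructed data) so the whole file runs offline.

```php
<?php
// Added example, not from the question or its answers. Browser-side measures
// (hiding the JS, readonly inputs, a JS flag) only change what the page looks
// like; anyone can still POST to this endpoint from the console or curl. The
// authorization decision therefore has to be made here, from the session.
//
// Assumed (not in the original post): $_SESSION['logged_user'] and
// $_SESSION['role'] set at login; table `items` with integer `id`.

declare(strict_types=1);

// Columns a client is allowed to change. Anything else is rejected, so a
// crafted request cannot reach columns the UI never exposed.
const EDITABLE_COLUMNS = ['name', 'quantity', 'note'];

function isAdmin(): bool
{
    return ($_SESSION['role'] ?? null) === 'admin';
}

// Flag for the page's own JavaScript. json_encode() produces a valid JS
// literal (true/false or a quoted string), which also avoids the unquoted
// echo from the question. A user can flip this variable in the console; that
// only breaks their own UI, because handleUpdate() ignores it.
function adminFlagScript(): string
{
    return '<script>var isAdmin = ' . json_encode(isAdmin()) . ';</script>';
}

// Validates the POST body. Returns ['id', 'column', 'value'] or throws.
function validateUpdate(array $post): array
{
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('invalid id');
    }
    $column = $post['column'] ?? '';
    if (!in_array($column, EDITABLE_COLUMNS, true)) {
        throw new InvalidArgumentException('column not editable');
    }
    return ['id' => $id, 'column' => $column, 'value' => (string)($post['value'] ?? '')];
}

// Returns the JSON-able response body; sets the HTTP status as a side effect.
function handleUpdate(PDO $pdo, array $post): array
{
    if (!isset($_SESSION['logged_user'])) {
        http_response_code(401);
        return ['error' => 'not logged in'];
    }
    if (!isAdmin()) {
        // The decisive check. A non-admin reaching this point means the
        // UI-side guard was bypassed, which is worth a log line.
        http_response_code(403);
        error_log(sprintf('update denied for user %s', $_SESSION['logged_user']));
        return ['error' => 'forbidden'];
    }
    try {
        $u = validateUpdate($post);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        return ['error' => $e->getMessage()];
    }
    // The column name comes from the whitelist above, so interpolating it is
    // safe; the value and id are always bound, never concatenated.
    $stmt = $pdo->prepare("UPDATE items SET {$u['column']} = :value WHERE id = :id");
    $stmt->execute([':value' => $u['value'], ':id' => $u['id']]);
    return ['ok' => true, 'rows' => $stmt->rowCount()];
}

if (PHP_SAPI === 'cli') {
    // Constructed offline demo: in-memory SQLite and a hand-filled session.
    $pdo = new PDO('sqlite::memory:');
    $pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, quantity INTEGER, note TEXT)');
    $pdo->exec("INSERT INTO items VALUES (1, 'widget', 5, '')");
    $post = ['id' => '1', 'column' => 'quantity', 'value' => '9'];

    $_SESSION = ['logged_user' => 'bob', 'role' => 'user'];      // denied
    print_r(handleUpdate($pdo, $post));
    $_SESSION = ['logged_user' => 'alice', 'role' => 'admin'];   // allowed
    print_r(handleUpdate($pdo, $post));
    print_r(handleUpdate($pdo, ['id' => '1', 'column' => 'id', 'value' => '2'])); // not whitelisted
    echo adminFlagScript(), PHP_EOL;
} else {
    // Web entry point (update.php). db.php is assumed to define $pdo.
    require __DIR__ . '/db.php';
    session_start();
    header('Content-Type: application/json');
    echo json_encode(handleUpdate($pdo, $_POST));
}
```

Run it with `php update.php` to see the three outcomes without a web server. The same handler is also the place for a CSRF token check on this state-changing POST; it is left out above to keep the authorization point in focus.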
3

Make the fields readonly or use a label tag instead of an input when the user is not admin.
Making them readonly will work if it is for internal purposes only, and you can toggle the field later by JavaScript, or you can even set a JavaScript variable is_admin to true or false and after document.ready() toggle the input field's readonly attribute to true or false.

Comments

1

Call your HTML with a security token as a URL parameter.

Then you should send this security token back to the server in an AJAX request and get the logged-in user from that.

Something like this:

www.example.com?231212sdsldkfjsl2131212lskjlkdsj


// location.search already contains the leading '?', e.g. "?231212sdsldkfjsl2131212lskjlkdsj"
var sec = location.search;
var user;

// jQuery $.get (the question uses jQuery); appending sec directly avoids a doubled '?'
$.get('testuser.php' + sec, function (data) {
    user = data.user;
});

Comments
