2

Scenario is I have different access levels on this site. I have the simple login process working for all valid users; however, I am now trying to separate the different users for different access to pages.

Here is my code at the start of my page:

// CHECKS IF THE USER HAS LOGGED IN
session_start();

if(!isset($_SESSION['logged_in']) || !$_SESSION['logged_in']){
   header("location:index.php");
   exit; // header() alone does not stop the rest of the page from running
}

if(!$_SESSION['mystatus']=='1'){
   header("location:access_error.php");
   exit;
}

So basically I want this page to be accessible only by users with the access level of 1; if they are logged in but do not have the correct access level, direct them accordingly.

At the moment it allows users who have logged in with different access levels (e.g. 3) to still view this page.

Help please.

many thanks,

3
  • Note that you might want to use lower than and greater than operators or bit-wise comparison. That allows for more fine-grained access control. Commented Mar 22, 2011 at 14:37
  • But using, say, greater than is surely only decent if I want all users with a higher access level to have access to the page? My case being users with access level 2, should not have access to this page. Commented Mar 22, 2011 at 14:47
  • In that case, you may want to look at bitwise operators. In short, each bit is a permission, and can be set to 0 (no access) or 1 (access). Next reading: Wikipedia article. A question about bitwise operations in PHP. Commented Mar 22, 2011 at 14:54

4 Answers

3

!$_SESSION['mystatus'] == 1 will be interpreted as (!$_SESSION['mystatus']) == 1. As $_SESSION['mystatus'] contains non-false values like 1 and 3, it evaluates to true; !true turns into false, and therefore false == 1 does not match.

Use the NOT EQUAL operator (!=):

$_SESSION['mystatus'] != 1

1 Comment

@buymypies: if this answers your question, mark it as accepted by clicking the v on the left of this answer.
2
if(!$_SESSION['mystatus']=='1'){

Constructs like this are very dangerous, especially if you're new to PHP and haven't figured out its operator precedence rules.

This gets interpreted as "take the logic NOT of whatever's in the mystatus session variable, and compare to a string '1'."

What you want is

if ($_SESSION['mystatus'] !== '1') {

"If the mystatus variable is a string and not equal to a string of '1', then evaluate to true."

3 Comments

+1, people always confuse =, == and === and their purpose.
I see no reason in using string '1' instead of number 1
@Col: Me either, but that's how the OP has it.
1
if($_SESSION['mystatus']!='1'){
   header("location:access_error.php");
   exit; // stop the script so the protected page is not rendered after the redirect
}

0

The following works for me. Set the level of access in your own page and the permissions in your database; when the user tries to log in, you retrieve the permission and compare it with the page.

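$permission = $_SESSION['PERMISSION']; // permission loaded from the database at login
$access=2; // level of access
if ($permission>$access){
    $_SESSION["pagina"]="yourPage.php"; // remember which page was requested
    header("Location: accessPermission.php");
    exit; // stop the script so the rest of the page does not run
}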

I hope it works for you.
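
Added example (not part of the original thread or any poster's code): the script below runs the question's condition and the two corrected forms from the answers over constructed `mystatus` values, next to a guard that uses an explicit list of allowed levels and stops the script after redirecting. The helper name `require_level` and the sample values are assumptions made for illustration.

```php
<?php
// Added example: runs the three checks from this thread on constructed values.

// The question's condition: `!` binds tighter than `==`, so it is (!$s) == '1'.
function denies_buggy($s): bool  { return !$s == '1'; }
// Loose comparison, as suggested in the answers.
function denies_loose($s): bool  { return $s != '1'; }
// Strict comparison: int 1 and string '1' are different values here.
function denies_strict($s): bool { return $s !== '1'; }

// Guard (hypothetical helper). Returns the redirect target, or null when the
// session may view the page. Allowed levels are an explicit list, so level 2
// or 3 never inherits access to a level-1 page.
function require_level(array $session, array $allowed): ?string
{
    if (empty($session['logged_in'])) {
        return 'index.php';
    }
    // Normalise to string once, then compare strictly against the allowlist.
    $level = isset($session['mystatus']) ? (string) $session['mystatus'] : '';
    $ok = in_array($level, array_map('strval', $allowed), true);
    return $ok ? null : 'access_error.php';
}

// Constructed sample values for $_SESSION['mystatus'].
$samples = [1, '1', 2, '3', 0, '', null];

printf("%-6s %-6s %-6s %-7s %s\n", 'value', 'buggy', 'loose', 'strict', 'guard');
foreach ($samples as $s) {
    $to = require_level(['logged_in' => true, 'mystatus' => $s], [1]);
    printf("%-6s %-6s %-6s %-7s %s\n",
        var_export($s, true),
        denies_buggy($s)  ? 'deny' : 'ALLOW',
        denies_loose($s)  ? 'deny' : 'ALLOW',
        denies_strict($s) ? 'deny' : 'ALLOW',
        $to === null ? 'ALLOW' : "-> $to");
}

// At the top of a protected page (not executed here):
//   session_start();
//   if (($to = require_level($_SESSION, [1])) !== null) {
//       header("Location: $to");
//       exit; // header() only queues a response header; the page keeps running
//   }
```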
