Forums
This topic is locked
PHP page restriction problem
17 May 2006 18:20:40 Andy T posted:
Using DMX 2004, trying to restrict access to certain pages. Registration and login pages seem to communicate fine with MySQL db (including assigning access levels) but the pages I add server behavior (restrict) to are not being restricted. Stuck. Frustrated. Any help much appreciated.
Replies
Replied 17 May 2006 19:11:19
17 May 2006 19:11:19 Roddy Dairion replied:
can you send the code please?
Replied 17 May 2006 20:34:03
17 May 2006 20:34:03 Andy T replied:
<BLOCKQUOTE id=quote><font size=1 face="Verdana, Arial, Helvetica" id=quote>quote:<hr height=1 noshade id=quote>
can you send the code please?
<hr height=1 noshade id=quote></BLOCKQUOTE id=quote></font id=quote><font face="Verdana, Arial, Helvetica" size=2 id=quote>
Roddy, here's the code for the restricted page. I fiddled with the db a bit, and it seems to me that that is where my problem really lies, as all users as defined in the table either have all access to the page, or no access to the page (regardless of access level set, of which there are three: admin, member and visitor). In MySQL, my access levels are set in the field "userAccess," but I don't see that in the code. Is that my problem?
<?php
session_start();
$MM_authorizedUsers = "admin,member";
$MM_donotCheckaccess = "false";
// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
// For security, start by assuming the visitor is NOT authorized.
$isValid = False;
// When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
// Therefore, we know that a user is NOT logged in if that Session variable is blank.
if (!empty($UserName)) {
// Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
// Parse the strings into arrays.
$arrUsers = Explode(",", $strUsers);
$arrGroups = Explode(",", $strGroups);
if (in_array($UserName, $arrUsers)) {
$isValid = true;
}
// Or, you may restrict access to only certain users based on their username.
if (in_array($UserGroup, $arrGroups)) {
$isValid = true;
}
if (($strUsers == ""
&& false) {
$isValid = true;
}
}
return $isValid;
}
$MM_restrictGoTo = "../user_auth/login_failed.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {
$MM_qsChar = "?";
$MM_referrer = $_SERVER['PHP_SELF'];
if (strpos($MM_restrictGoTo, "?") $MM_qsChar = "&";
if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0)
$MM_referrer .= "?" . $QUERY_STRING;
$MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
header("Location: ". $MM_restrictGoTo);
exit;
}
?>
can you send the code please?
<hr height=1 noshade id=quote></BLOCKQUOTE id=quote></font id=quote><font face="Verdana, Arial, Helvetica" size=2 id=quote>
Roddy, here's the code for the restricted page. I fiddled with the db a bit, and it seems to me that that is where my problem really lies, as all users as defined in the table either have all access to the page, or no access to the page (regardless of access level set, of which there are three: admin, member and visitor). In MySQL, my access levels are set in the field "userAccess," but I don't see that in the code. Is that my problem?
<?php
session_start();
$MM_authorizedUsers = "admin,member";
$MM_donotCheckaccess = "false";
// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
// For security, start by assuming the visitor is NOT authorized.
$isValid = False;
// When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
// Therefore, we know that a user is NOT logged in if that Session variable is blank.
if (!empty($UserName)) {
// Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
// Parse the strings into arrays.
$arrUsers = Explode(",", $strUsers);
$arrGroups = Explode(",", $strGroups);
if (in_array($UserName, $arrUsers)) {
$isValid = true;
}
// Or, you may restrict access to only certain users based on their username.
if (in_array($UserGroup, $arrGroups)) {
$isValid = true;
}
if (($strUsers == ""
&& false) { $isValid = true;
}
}
return $isValid;
}
$MM_restrictGoTo = "../user_auth/login_failed.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {
$MM_qsChar = "?";
$MM_referrer = $_SERVER['PHP_SELF'];
if (strpos($MM_restrictGoTo, "?"
) $MM_qsChar = "&";if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0)
$MM_referrer .= "?" . $QUERY_STRING;
$MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
header("Location: ". $MM_restrictGoTo);
exit;
}
?>
Replied 18 May 2006 14:30:50
18 May 2006 14:30:50 Roddy Dairion replied:
Hi Andy did you add the users who won't be restricted to this page?
Replied 19 May 2006 16:11:20
19 May 2006 16:11:20 Andy T replied:
<BLOCKQUOTE id=quote><font size=1 face="Verdana, Arial, Helvetica" id=quote>quote:<hr height=1 noshade id=quote>
Hi Andy did you add the users who won't be restricted to this page?
<hr height=1 noshade id=quote></BLOCKQUOTE id=quote></font id=quote><font face="Verdana, Arial, Helvetica" size=2 id=quote>
Roddy, I sure did, but wasn't helping. Was also having problems logging in. David Powers over on Friendsofed provided a nice solution to the problem. Here is his post, for future reference and for anyone else having the problem:
posted 04-12-04 02:47 PM
I have discovered there is a serious bug with the Dreamweaver MX 2004 User Authentication server behaviors when used in conjunction with PHP5. Basically, the problem is that the DW server behaviors use obsolete code that appears to work with PHP4, but breaks once deployed on PHP5 (with register_globals set to the default off setting).
I have notified Macromedia of the problem, and they have logged it as a high severity bug, but have given no indication as to when a patch will be issued. Fortunately, the solution is easily fixed by hand. The server behaviors affected are Log In User and Log Out User.
Log In User needs changes in two places, plus the removal of three lines. Find the following lines of code
$GLOBALS['PrevUrl'] = $accesscheck;
session_register('PrevUrl');
Replace them with
$_SESSION['PrevUrl'] = $accesscheck;
Then find
$GLOBALS['MM_Username'] = $loginUsername;
$GLOBALS['MM_UserGroup'] = $loginStrGroup;
Change them to
$_SESSION['MM_Username'] = $loginUsername;
$_SESSION['MM_UserGroup'] = $loginStrGroup;
Finally, DELETE the following lines
//register the session variables
session_register("MM_Username";
session_register("MM_UserGroup";
In Log Out User, locate these two lines
session_unregister('MM_Username');
session_unregister('MM_UserGroup');
Replace them with
unset($_SESSION['MM_Username']);
unset($_SESSION['MM_UserGroup']);
NOTE: There is NO need to do this if you are still using PHP4, and not experiencing any difficulties with User Authentication. However, it does affect the instructions for Chapters 14 and 15 of Foundation Dreamweaver MX 2004 for anyone switching to PHP5.
David Powers
Co-author: Foundation Dreamweaver MX 2004
Hi Andy did you add the users who won't be restricted to this page?
<hr height=1 noshade id=quote></BLOCKQUOTE id=quote></font id=quote><font face="Verdana, Arial, Helvetica" size=2 id=quote>
Roddy, I sure did, but wasn't helping. Was also having problems logging in. David Powers over on Friendsofed provided a nice solution to the problem. Here is his post, for future reference and for anyone else having the problem:
posted 04-12-04 02:47 PM
I have discovered there is a serious bug with the Dreamweaver MX 2004 User Authentication server behaviors when used in conjunction with PHP5. Basically, the problem is that the DW server behaviors use obsolete code that appears to work with PHP4, but breaks once deployed on PHP5 (with register_globals set to the default off setting).
I have notified Macromedia of the problem, and they have logged it as a high severity bug, but have given no indication as to when a patch will be issued. Fortunately, the solution is easily fixed by hand. The server behaviors affected are Log In User and Log Out User.
Log In User needs changes in two places, plus the removal of three lines. Find the following lines of code
$GLOBALS['PrevUrl'] = $accesscheck;
session_register('PrevUrl');
Replace them with
$_SESSION['PrevUrl'] = $accesscheck;
Then find
$GLOBALS['MM_Username'] = $loginUsername;
$GLOBALS['MM_UserGroup'] = $loginStrGroup;
Change them to
$_SESSION['MM_Username'] = $loginUsername;
$_SESSION['MM_UserGroup'] = $loginStrGroup;
Finally, DELETE the following lines
//register the session variables
session_register("MM_Username"
;session_register("MM_UserGroup"
;In Log Out User, locate these two lines
session_unregister('MM_Username');
session_unregister('MM_UserGroup');
Replace them with
unset($_SESSION['MM_Username']);
unset($_SESSION['MM_UserGroup']);
NOTE: There is NO need to do this if you are still using PHP4, and not experiencing any difficulties with User Authentication. However, it does affect the instructions for Chapters 14 and 15 of Foundation Dreamweaver MX 2004 for anyone switching to PHP5.
David Powers
Co-author: Foundation Dreamweaver MX 2004