
I'm creating a web directory and I have created a system so the admin can add content to the site. The problem is the content is static and is being added into a directory, because we want to show it like mysite.com/test/content/ab.html. So how do I use PHP to allow access to that URL via PHP, when the user details are in a MySQL database? I mean, if the user is logged in and has permission then they can see mysite.com/test/content/ab.html or any file inside content, but if they are logged out then it should redirect.

edit: I have solved half the problem using htaccess; now it checks if the user is logged in, but how do I redirect if the user is logged in? Here is the htaccess I used:

# For security reasons, Option followsymlinks cannot be overridden.
#Options +FollowSymLinks +ExecCGI
Options +SymLinksIfOwnerMatch +ExecCGI
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI}  !(\.php)$
    RewriteRule (.*)  /index.php [QSA]
</IfModule>
Athar Ahmed
  • I think this is what you are looking for http://stackoverflow.com/questions/1340001/deny-direct-access-to-all-php-files-except-index-php – Cameron Aug 10 '13 at 03:24
  • Do you have any example(s) of code that you tried? – Funk Forty Niner Aug 10 '13 at 03:32
  • Ok, without any code, here is "a" possible scenario. 1) Make up a login form with 2 fields; one for username, one for password. If they match what's in your DB, they're in. 2) Use sessions (included in all pages) 3) Use a token. // There are a lot of code examples out there, all you need to do is Google "username password database session" and maybe add "token". – Funk Forty Niner Aug 10 '13 at 03:39
  • **Some info on the "how":** http://www.developphp.com/view.php?tid=1296 **and** http://www.developphp.com/view.php?tid=1294 **from** http://stackoverflow.com/a/18158216/1415724 – Funk Forty Niner Aug 10 '13 at 03:46
  • I have already created that. What I want is how can I disallow users from viewing content in a directory if they are logged out or don't have permission to view it. I have already coded the permission system. – Athar Ahmed Aug 10 '13 at 04:26

1 Answer

It's difficult to help without knowing how you log people in (you must do so, so you at least know they're logged in and which user they are). I'm going to assume a basic login system.

The way I do it is a basic login.php page; if login is successful, set some basic sessions (no password, username or sensitive info) and set their user level (so you can manage what they can access).

eg, if login = successful:

$_SESSION['loggedin']['userlevel'] = $FromDatabase['userlevel'];

Then in an include file which is included in every page (header.php or config.php) I have (my config.php runs before any headers/browser output is sent etc.):

    // Start the session only once; session_status() is the reliable way to tell
    // whether one is already active (equivalent to the isset($_SESSION) check).
    if (session_status() === PHP_SESSION_NONE)
      {
        session_start();
      }

    // Default: not logged in.
    $strUserLevel = false;

    // Only the user level lives in the session, never the password.
    if (isset($_SESSION['loggedin']['userlevel']))
      {
        $strUserLevel = $_SESSION['loggedin']['userlevel'];
      }

Then I can use this throughout the site to control their access:

    // Strict comparison: a legitimate user level of 0 would otherwise be treated
    // as "not logged in" by a loose == false check.
    if ($strUserLevel === false)
      {
        header("Location: login.php");
        die();
      }
    //or wherever you want to redirect them
    //or just say you need to be logged in to view this, link to login page (etc)


    // Variable names are case-sensitive in PHP: it must be $strUserLevel, not $strUserlevel.
    if ($strUserLevel < 3) // or whatever level they need for this page
      {
        echo "You cannot edit this page";
        exit();
      }
    else
      {
        //a form or whatever
      }

The above are just basic examples. My code is a bit more complex as I always use config.php in includes and set global variables to use site-wide there, and have a basic login check function (checks their current IP matches the one I checked at login time and stored in the DB, and other things etc.).

Another method of permission control is using MySQL tables. So if you have TABLE tblEditPageAB, anyone whose name is in a row in that table can edit that page. Though this is more used for admin control, i.e. you have tblAdministrateOtherUsers; again, anyone who has their name/details in a row in that table can administrate the other users (or whatever).

To check this you simply query, and if there are no results they can't.

Again, the best approach all depends on your site, scenario, how many pages you have to be edited, if they're created on the fly, etc. There are all manner of approaches, but hopefully I've given you food for thought, and helped :)

James
  • My code is similar to yours; what I want is how do I disable direct user access to the uploads folder if they aren't logged in? Remember it is a `folder` and user logins are in the database. – Athar Ahmed Aug 10 '13 at 10:54
  • In "mysite.com/test/content/ab.html" include the code that redirects them if not logged in. For folder view blocking, you can use `Options -Indexes` in the htaccess file in the folder you want to block, unless you want logged-in users to be able to view folder listings, in which case you'd probably be better off just locking all folder listings with htaccess, then controlling the viewing of files/folders in PHP. If the user is logged in, show folders on a web page (not the default Apache folder view). – James Aug 10 '13 at 11:12
  • Yes, I have successfully implemented the system; however, here there are 2 points: 1. the folder I'm talking about can be uploaded from the admin panel. 2. How do I use `file_get_contents` to show the requested file to the user? – Athar Ahmed Aug 10 '13 at 11:47
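The question's RewriteRule sends every non-.php request to /index.php, so that file can act as the gate the answer describes and also serve the requested file, which is what the last comment asks about. Below is an added example of such a front controller; it is not code from the asker or the answerer. It assumes (none of this is on the page) that login.php sets `$_SESSION['loggedin']['userlevel']` as in the answer, that the protected files live in `content/` next to index.php, that protected URLs start with `/test/content/`, and that user level 1 is enough to read them. It also confines the resolved path to the content directory, so a request like `/test/content/../../config.php` gets a 404 instead of the file.

```php
<?php
// Added example front controller (not the asker's or answerer's code).
// Runs before any output, as the answer requires for header() redirects.
declare(strict_types=1);

const CONTENT_DIR    = __DIR__ . '/content';  // assumed location of the static files
const URL_PREFIX     = 'test/content/';       // assumed URL prefix for protected files
const REQUIRED_LEVEL = 1;                     // assumed minimum user level
const LOGIN_PAGE     = '/login.php';          // assumed login page

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// 1. Who is asking? Only the user level is in the session, never the password.
$userLevel = $_SESSION['loggedin']['userlevel'] ?? null;
if ($userLevel === null) {
    header('Location: ' . LOGIN_PAGE, true, 302);   // logged out: redirect
    exit;
}
if ((int) $userLevel < REQUIRED_LEVEL) {
    http_response_code(403);                        // logged in but not allowed
    exit('You do not have permission to view this file.');
}

// 2. Which file? The rewrite drops the path, so recover it from REQUEST_URI.
$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
if (!is_string($path)) {
    $path = '/';
}
$relative = ltrim(rawurldecode($path), '/');        // e.g. "test/content/ab.html"
if (strncmp($relative, URL_PREFIX, strlen(URL_PREFIX)) !== 0) {
    http_response_code(404);
    exit('Not found.');
}
$relative = substr($relative, strlen(URL_PREFIX));  // -> "ab.html"

// 3. Resolve and confine the path. realpath() collapses "../", and the prefix
//    check rejects anything that resolved outside CONTENT_DIR.
$base   = realpath(CONTENT_DIR);
$target = realpath(CONTENT_DIR . '/' . $relative);
if ($base === false || $target === false || !is_file($target)
    || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    http_response_code(404);
    exit('Not found.');
}

// 4. Send the file. A small allow-list of content types avoids guessing; anything
//    else is offered as a download rather than rendered by the browser.
$types = [
    'html' => 'text/html; charset=utf-8',
    'css'  => 'text/css',
    'js'   => 'application/javascript',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'pdf'  => 'application/pdf',
];
$ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
header('Content-Type: ' . ($types[$ext] ?? 'application/octet-stream'));
header('Content-Length: ' . (string) filesize($target));
header('X-Content-Type-Options: nosniff');
if (!isset($types[$ext])) {
    header('Content-Disposition: attachment; filename="' . basename($target) . '"');
}
readfile($target);  // streams to the client; file_get_contents() would load it all into memory
```

Two points about the design. `readfile()` is used instead of `file_get_contents()` plus `echo` because it streams the file without holding it in memory, which matters once the admin panel starts uploading larger files. And because the gate lives in PHP, the content directory should not be directly readable by Apache at all: either keep it outside the document root and point CONTENT_DIR there, or add an `.htaccess` in `content/` with `Require all denied` (Apache 2.4) or `Deny from all` (2.2), so that the files stay protected even if mod_rewrite is ever disabled.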