YesSoftware Forums -> Archive -> GotoCode Archive

 security/log-in issue

beer-monkey.com
Posted: 01/16/2002, 2:28 AM

The problem that I have is that I would like to have numerous different administrators operating/updating my one database via 10 different administration menus/forms. Basically I want different administrators controlling different divisions. Each administrator will only be able to access THEIR relevant administration menu and amend using THEIR administration update forms etc....

I've heard that there can be problems with this in that once logged in a user can access any admin menu as long as their security level is high enough. How might I resolve this problem?
Nicole
Posted: 01/16/2002, 4:22 AM

Try setting a different security level for each group of users. Refer to the GotoCode article where the use of more than 3 security levels is described:
http://www.gotocode.com/art.asp?art_id=99&
Ron Borkent
Posted: 01/16/2002, 6:20 AM

Because CodeCharge uses a level-only check, using the level as security for different departments doesn't work.

An admin for dep.A with level 2 security is able to access pages from dep.B which also require level 2 security.

I created an extra field in the login table, "domain". For dep.A this could be "depa". With custom login I not only get userid and level but also domain from the database and load these into session variables. I now have UserId, UserRights and DomainRights as session variables.

//-------------------------------
$sLogin = get_param("Login");
$sPassword = get_param("Password");
$db->query("SELECT login_id,security_level_id, domain FROM login WHERE login =" . tosql($sLogin, "Text") . " AND pasword=" . tosql($sPassword, "Text"));
$is_passed = $db->next_record();

if($is_passed)
{
//-------------------------------
// Login and password passed
//-------------------------------
set_session("UserID", $db->f("login_id"));
set_session("UserRights", $db->f("security_level_id"));
set_session("DomainRights", $db->f("domain"));
$sPage = get_param("ret_page");
if (strlen($sPage))
{
header("Location: " . $sPage);
exit;
}
}
else
{
$sInloggenErr = "Login or Password is incorrect.";
}
//-------------------------------


In the page events, custom security, I added (PHP):

if (get_session("DomainRights") != "depa")
{
header("Location: loginfail.php");
exit; // stop here: header() alone does not end the script, so without exit the protected page body is still sent after the redirect
}

This checks if the value for DomainRights is the required "depa".
If not, it redirects the user to the page loginfail.php, which tells the user that his current authorisation rights are insufficient for the page he is trying to access and that he should log in again. It has a login form which gives the user the chance to log in again.
This means that I can set different rights for each page if I want to.

Hope this helps.

Ron
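The check above is one hard-coded domain per page. The following is an added example (not Ron's code and not CodeCharge-generated) that generalises it: a single guard that applies CodeCharge's numeric level check and the per-department domain check together, driven by a table of pages. The function names require_access() and is_allowed(), the $ACCESS_MAP table, the page names in it and the '*' wildcard for cross-department pages are assumptions made for illustration; the session keys UserID, UserRights and DomainRights and the loginfail.php target are the ones from the post. The sessions in the self-check are constructed inline so the file runs offline from the command line.

```php
<?php
// Added example (not CodeCharge-generated code): one page guard that combines
// CodeCharge's numeric level check with the per-department "domain" check.
// $ACCESS_MAP, is_allowed(), require_access() and the page names are assumptions.

// Each protected page maps to the department it belongs to and the minimum
// security level it needs. A page that is missing from the map is denied.
$ACCESS_MAP = [
    'depa_menu.php'   => ['domain' => 'depa', 'level' => 2],
    'depa_update.php' => ['domain' => 'depa', 'level' => 2],
    'depb_menu.php'   => ['domain' => 'depb', 'level' => 2],
    'superadmin.php'  => ['domain' => '*',    'level' => 3], // any department, level 3 or higher
];

/**
 * Decide whether a session may open $page.
 * $session is the session array (normally $_SESSION) holding UserID, UserRights, DomainRights.
 * Returns true only when every check passes, so an unexpected state denies access.
 */
function is_allowed(array $session, string $page, array $map): bool
{
    if (!isset($map[$page])) {
        return false;                       // unknown page: fail closed
    }
    if (empty($session['UserID'])) {
        return false;                       // not logged in
    }
    $rule   = $map[$page];
    $level  = (int)($session['UserRights'] ?? 0);
    $domain = (string)($session['DomainRights'] ?? '');

    if ($level < $rule['level']) {
        return false;                       // the level-only check CodeCharge already does
    }
    // The extra check this thread is about: the page's department must match the
    // user's department. A high level does not override it unless the page is '*'.
    if ($rule['domain'] !== '*' && $rule['domain'] !== $domain) {
        return false;
    }
    return true;
}

/** Call this from the page's custom security event: redirect and STOP when denied. */
function require_access(string $page, array $map): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!is_allowed($_SESSION, $page, $map)) {
        header('Location: loginfail.php?ret_page=' . rawurlencode($page));
        exit; // without exit the rest of the protected page is still sent to the client
    }
}

// Self-check with constructed sessions (run with: php guard.php)
if (PHP_SAPI === 'cli') {
    $depA = ['UserID' => 7, 'UserRights' => 2, 'DomainRights' => 'depa'];
    $depB = ['UserID' => 9, 'UserRights' => 2, 'DomainRights' => 'depb'];
    $root = ['UserID' => 1, 'UserRights' => 3, 'DomainRights' => 'depa'];
    $anon = [];
    $checks = [
        'depA opens its own menu'             => [is_allowed($depA, 'depa_menu.php',  $ACCESS_MAP), true],
        'depB blocked from depA, same level'  => [is_allowed($depB, 'depa_menu.php',  $ACCESS_MAP), false],
        'depA blocked by level'               => [is_allowed($depA, 'superadmin.php', $ACCESS_MAP), false],
        'level 3 does not override domain'    => [is_allowed($root, 'depb_menu.php',  $ACCESS_MAP), false],
        'level 3 opens cross-department page' => [is_allowed($root, 'superadmin.php', $ACCESS_MAP), true],
        'anonymous denied'                    => [is_allowed($anon, 'depa_menu.php',  $ACCESS_MAP), false],
        'unlisted page denied'                => [is_allowed($depA, 'unlisted.php',   $ACCESS_MAP), false],
    ];
    foreach ($checks as $name => [$got, $want]) {
        echo str_pad($name, 38) . ($got === $want ? 'ok' : 'FAIL') . "\n";
    }
}
```

Keeping the rule table in one place means a page is protected by adding a row rather than by remembering to paste a check into each page's event, and a page that nobody added is denied rather than open. The '*' entry is the only way a user reaches a page outside their own department, so the level check and the department check cannot be traded off against each other.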
in-secure
Posted: 01/16/2002, 8:05 AM

Nicole,

Do you have an ASP version of your code? Thanks
Nicole
Posted: 01/17/2002, 2:05 AM

Hello in-secure,
I suppose it'd be better to ask Ron for ASP code as the PHP code is posted by him.
Ron Borkent
Posted: 01/17/2002, 11:09 AM

I can barely keep up in PHP, I'm a bit of a newbie but willing to learn ;-)
The best part of the PHP I posted is what CC generates itself, so if you go to custom login and click on "obtain generated code" you get this:

'-------------------------------
sLogin = GetParam("Login")
sPassword = GetParam("Password")
bPassed = CLng(DLookUp("login", "count(*)", "login =" & ToSQL(sLogin, "Text") & " and pasword=" & ToSQL(sPassword, "Text")))

if bPassed > 0 then
'-------------------------------
' Login and password passed
'-------------------------------
Session("UserID") = CStr(DLookUp("login", "login_id", "login =" & ToSQL(sLogin, "Text") & " and pasword=" & ToSQL(sPassword, "Text")))

'add this (domain is a text column such as "depa", so CStr rather than CLng):
Session("DomainRights") = CStr(DLookUp("login", "domain", "login =" & ToSQL(sLogin, "Text") & " and pasword=" & ToSQL(sPassword, "Text")))

'next is standard CC stuff again


Session("UserRights") = CLng(DLookUp("login", "security_level_id", "login =" & ToSQL(sLogin, "Text") & " and pasword=" & ToSQL(sPassword, "Text")))
if not(sPage = request.serverVariables("SCRIPT_NAME")) and not(isEmpty(sPage)) then
response.redirect(sPage & "?" & sQueryString)
end if
else
sFormErr = "Login or Password is incorrect."
end if
'-------------------------------


In the page event you'll have to add the domain check. This is some ASP I pieced together from the custom logout event:

if if CLng(Session("Domainrights")) <> CLng(idomain) then
Session("UserID") = Empty
Session("UserRights") = Empty
cn.Close
Set cn = Nothing
if not isEmpty(sPage) then response.redirect(sPage & "?" & sQueryString)
response.redirect(sFileName)

end if

Again, I don't know any ASP but pieced it together from what CC generates itself and from code snippets I have seen from others in this group. Hope this helps you on the way.

Ron
Ron Borkent
Posted: 01/17/2002, 11:57 AM

sorry I think:

if if CLng(Session("Domainrights")) <> CLng(idomain) then

should be:

if CStr(Session("DomainRights")) <> "yourdomaindescriptionforthatpage" then....etc

Again, I think :-)

Ron
Don Hohman
Posted: 03/05/2003, 7:17 AM

I'm having the same issue but in ASP. Does anyone have an ASP solution to setting and passing multiple session variables to all the pages?

Powered by UltraApps Forum created with CodeCharge Studio
Copyright © 2003-2004 by UltraApps.com  and YesSoftware, Inc.