The users when they sign up are given a default ‘member_type’ as “User”. I’m trying to restrict access to certain pages from “Users” and unauthenticated visitors using $_SERVER['SCRIPT_NAME'] using a function stored in the header.php.
The concept is sound (I believe) but I really need some fresh eyes to help me solve the logic.
Here is the function in the header:
$basicAuth = array("member.php", "order.php", "logout.php");
$adminonly = array("admin.php", "v_feedback.php", "user.php", "v_content.php", "product.php");
restrictAccess($basicAuth, $adminonly);
And here is the function in its entirety:
function restrictAccess($basicAuth, $adminonly){
    $error = "You do not have the authentication privileges to access this area, go <a href=\"index.php\" alt=\"Home\">home</a>.";
    if (isset($_SESSION['type'])){
        $auth = "Basic";
        if($_SESSION['type']=="Admin"){
            $auth = "Admin";
        }
    } else {
        $auth = "None";
    }
    //For testing purposes
    echo $auth;
    if ($auth == "None"){
        if(($_SERVER['SCRIPT_NAME']==$basicAuth)||($_SERVER['SCRIPT_NAME']==$adminonly)){
            echo $error;
            exit();
        }
    }elseif($auth =="Basic"){
        if(($_SERVER['SCRIPT_NAME'])==$adminonly){
            echo $error;
            exit();
        }
    }
}
I have a feeling that it is something to do with the logic behind the way I’ve structured it which is at fault.
Thank you.
if($_SERVER['SCRIPT_NAME']==$basicAuth) is completely wrong. You cannot compare an array and a string.
if(array_search($_SERVER['SCRIPT_NAME'],$basicAuth) !== FALSE) would serve, but you had better use keys instead of values, and then if(array_key_exists($_SERVER['SCRIPT_NAME'],$basicAuth)). And, by the way, isn’t it simpler to include “basicAuthNeeded.php” into some scripts and “adminAuthNeeded.php” into others instead of your method?
Or else use a more complex but more flexible method (define some roles, define resources and use some checkPermissions($role, $resource))?
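An added example, not code from either poster: one way to write the checkPermissions($role, $resource) idea from the answer, with the page lists from the question stored as array keys. REQUIRED_ROLE, ROLE_RANK and currentRole() are hypothetical names, PHP 7.1+ is assumed, and basename() is applied because $_SERVER['SCRIPT_NAME'] holds a path such as /shop/admin.php rather than a bare file name, so a lookup against "admin.php" alone would never match.

```php
<?php
// Added example. Page names and session values come from the question;
// REQUIRED_ROLE, ROLE_RANK and currentRole() are hypothetical names.

// Minimum role per script, keyed by bare file name (keys, as the answer suggests).
const REQUIRED_ROLE = [
    'member.php' => 'Basic', 'order.php' => 'Basic', 'logout.php' => 'Basic',
    'admin.php' => 'Admin', 'v_feedback.php' => 'Admin', 'user.php' => 'Admin',
    'v_content.php' => 'Admin', 'product.php' => 'Admin',
];

// A higher rank includes the privileges of the lower ones.
const ROLE_RANK = ['None' => 0, 'Basic' => 1, 'Admin' => 2];

function currentRole(array $session): string
{
    if (!isset($session['type'])) {
        return 'None';                       // unauthenticated visitor
    }
    return $session['type'] === 'Admin' ? 'Admin' : 'Basic';
}

function checkPermissions(string $role, string $resource): bool
{
    // Reduce the request path to a file name and normalise its case so the
    // lookup is consistent on case-insensitive filesystems.
    $page = strtolower(basename($resource));
    // Pages that are not listed stay public, as in the question's design.
    $needed = REQUIRED_ROLE[$page] ?? 'None';
    // Unknown role strings rank as 0, so they never pass a protected page.
    return (ROLE_RANK[$role] ?? 0) >= ROLE_RANK[$needed];
}

function restrictAccess(array $session, string $scriptName): void
{
    if (!checkPermissions(currentRole($session), $scriptName)) {
        http_response_code(403);             // call before any output is sent
        echo 'You do not have the authentication privileges to access this area, go <a href="index.php">home</a>.';
        exit();
    }
}

// Constructed sample inputs: a signed-up "User", an "Admin", and a visitor.
var_dump(checkPermissions(currentRole(['type' => 'User']), '/shop/admin.php'));
var_dump(checkPermissions(currentRole(['type' => 'Admin']), '/shop/admin.php'));
var_dump(checkPermissions(currentRole([]), '/member.php'));
```

In header.php the call would be restrictAccess($_SESSION, $_SERVER['SCRIPT_NAME']) after session_start().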