mardi 7 février 2017

Codeigniter Restrict Admin Page via URL

Vote count: 0

I am building a website wherein I have an admin and user page. I have a problem wherein I can access the admin page via URL even though I am logged in as a user. I have validation checks at the login page, however if I am already logged in as a user or as an admin, I can access all the pages. I want to restrict the pages to their roles only. Here's my code.

MY_Controller:

function __construct()
{
    parent::__construct();
    $this->is_logged_in();


}

function is_logged_in()
{
    $is_logged_in = $this->session->userdata('is_logged_in');

    if(!isset($is_logged_in) || $is_logged_in != true) {
        redirect('login');
        die();
    }
}

Model:

function validate()
{
    $this->db->where('username', $this->input->post('username'));
    $this->db->where('password', $this->input->post('password'));
    $query = $this->db->get('accounts');
    $result = $query->row();

    if($query->num_rows() == 1)
    {
        return true;
    }
    else
    {
        return false;
    }
}

function check_role()
{
    $this->db->where('username', $this->input->post('username'));
    $this->db->where('password', $this->input->post('password'));
    $this->db->where('role', 1);
    $query = $this->db->get('accounts');
    $result = $query->row();

    if($query->num_rows() == 1)
    {
         $data = array(
            'userid' => $result->userid,
            'username' => $result->username,
            'password' => $result->password,
            'firstname' => $result->firstname,
            'lastname' => $result->lastname,
            'email' => $result->email,
            'address' => $result->address,
            'monthly_dues' => $result->monthly_dues,
            'arrears' => $result->arrears,
            'isAdmin' => true,
            'contactnum' => $result->contactnum,
            'role' => $result->role,
            'is_logged_in' => true
        );
        $this->session->set_userdata($data);
        return true;
    }
    else
    {
        return false;
    }
}

function check_user()
{
    $this->db->where('username', $this->input->post('username'));
    $this->db->where('password', $this->input->post('password'));
    $this->db->where('role', 0);
    $query = $this->db->get('accounts');
    $result = $query->row();

    if($query->num_rows() == 1)
    {
         $data = array(
            'userid' => $result->userid,
            'username' => $result->username,
            'password' => $result->password,
            'firstname' => $result->firstname,
            'lastname' => $result->lastname,
            'email' => $result->email,
            'address' => $result->address,
            'monthly_dues' => $result->monthly_dues,
            'arrears' => $result->arrears,
            'isAdmin' => false,
            'contactnum' => $result->contactnum,
            'role' => $result->role,
            'is_logged_in' => true
        );
        $this->session->set_userdata($data);
        return true;
    }
    else
    {
        return false;
    }
}

function check_active()
{
    $this->db->where('username', $this->input->post('username'));
    $this->db->where('password', $this->input->post('password'));
    $this->db->where('isActive', 1);
    $query = $this->db->get('accounts');
    $result = $query->row();

    if($query->num_rows() == 1)
    {
        return true;
    }
    else
    {
        return false;
    }
}

Controller:

function validate_login()
{
    $this->load->model('model_accounts');
    $valid = $this->model_accounts->validate();
    $isAdmin = $this->model_accounts->check_role();
    $isUser = $this->model_accounts->check_user();
    $isActive = $this->model_accounts->check_active();

    if($valid && $isAdmin && $isActive) // Active Admin
    {
        redirect('admin_ticketing/new_tickets');
    }
    else if($valid && $isActive && $isUser)  // Active User
    {
        redirect('user_home');
    }
    else if(($valid && $isAdmin) && $isActive == false)  //Deactivated Admin
    {
        redirect('login/admindeact');
    }
    else if($valid && ($isActive && $isAdmin) == false) //Deactivated User
    {
        redirect('login/userdeact');
    }
    else if($valid == false) //Invalid Account
    {
        $data['message'] = "Sorry, the username and password you entered did not match our records. Please double-check and try again. ";
        $this->template->load('template', 'view_login', $data);
    }
}
asked 22 secs ago
coderszx

Let's block ads! (Why?)



Codeigniter Restrict Admin Page via URL
Publié par à
Libellés :

Aucun commentaire:

Enregistrer un commentaire

Inscription à : Publier les commentaires (Atom)