I would like to know:
1 - How to create two different middlewares (for ADMIN and STAFF) from SESSION variables, to use them later to prevent users who are neither ADMIN nor STAFF from accessing pages I don't want them to have access to?
Here's what I did, but I'm completely unsure and stuck:
FUNCTION PROCESSING ACCESS FOR ADMIN MEMBERS:

```php
function checkAdmin()
{
    $_SESSION['hlbank_admin_user'] = array('name' => 'Admin');
    // if the session id is not set, redirect to login page
    if (!isset($_SESSION['hlbank_admin_user'])) {
        header('Location: ' . WEB_ROOT . 'admin/login.php');
        exit;
    }
    // the user wants to logout
    if (isset($_GET['logout'])) {
        doLogout();
    }
}
```
FUNCTION PROCESSING ACCESS FOR STAFF MEMBERS:

```php
function checkStaff()
{
    // if the session id is not set, redirect to login page
    if (strlen($_SESSION['staff_id']) == 0) {
        $host  = $_SERVER['HTTP_HOST'];
        $uri   = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
        $extra = WEB_ROOT . "admin/pages_staff_index.php";
        $_SESSION["staff_id"] = "";
        header("Location: http://$host$uri/$extra");
    }
    // the user wants to logout
    if (isset($_GET['logout'])) {
        doLogout();
    }
}
```
So please help me to correct my two functions above, which aim to check via THE SESSION if the connected User is an ADMIN and a STAFF.
How do I use both functions at the same time in a Page to check if the User is an ADMIN or a STAFF, and thus block access to users who are neither ADMIN nor STAFF?
Thank you, please help me.
There are lots of ways to implement this, but here's one. I'd simplify the functions so that they each return a boolean. Move all the redirect logic and logout stuff into the calling code.
I am not sure of the names of the session keys you use, so I just used `hlbank_admin_user` and `staff_id`. I also made the assumption that if they're set, then the user is that role. I renamed the functions to `isAdmin` and `isStaff`.
```php
function isAdmin(): bool
{
    return isset($_SESSION['hlbank_admin_user']);
}

function isStaff(): bool
{
    return isset($_SESSION['staff_id']);
}
```

Then, in your calling code, you can check for either one.

```php
if (!isAdmin() && !isStaff()) {
    // Not authorized >> redirect
}
```

Taking it one step further, you can create a single function to check if they are either an admin or staff.

```php
function isPrivileged(): bool
{
    return isAdmin() || isStaff();
}
```

Then, in your calling code, you can check for that.

```php
if (!isPrivileged()) {
    // Not authorized >> redirect
}
```
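The answer above deliberately leaves the redirect to the calling code. Below is an added example (not code from the question or the answer) of how that calling code can be packaged as a reusable page guard that takes the list of allowed roles. It assumes the login page stored the role in `$_SESSION['role']` as `'admin'` or `'staff'` (the key name is an assumption) and reuses the question's `WEB_ROOT` constant. Two details of the original functions are worth pointing out while doing so: `checkAdmin()` assigns `$_SESSION['hlbank_admin_user']` immediately before testing it with `isset`, so that test can never fail and everyone is an admin; and `checkStaff()` sends the `Location` header without `exit`, so PHP keeps executing and the protected page body is still delivered to the unauthorised client. `strlen()` on an unset `$_SESSION['staff_id']` also produces a warning rather than a clean "not logged in" result, which is why the guard below reads the session with `??`.

```php
<?php
declare(strict_types=1);

// WEB_ROOT is the question's own constant; it is defined here only so this
// file runs stand-alone (assumption: the real application defines it).
defined('WEB_ROOT') || define('WEB_ROOT', '/');

// The roles this application knows. Anything else counts as not logged in.
const KNOWN_ROLES = ['admin', 'staff'];

/**
 * Read the role that the login page stored (assumed key: $_SESSION['role']).
 * This function only READS the session. A guard that first writes the key it
 * then tests, as checkAdmin() in the question does, is always satisfied.
 */
function currentRole(): ?string
{
    $role = $_SESSION['role'] ?? null;
    return is_string($role) && in_array($role, KNOWN_ROLES, true) ? $role : null;
}

function isAdmin(): bool
{
    return currentRole() === 'admin';
}

function isStaff(): bool
{
    return currentRole() === 'staff';
}

/**
 * Middleware-style guard: call it at the top of a protected page, after
 * session_start() and before any output. $allowed lists the roles that may
 * view the page; everyone else is sent to the login page.
 */
function requireRole(array $allowed, string $loginUrl): void
{
    if (in_array(currentRole(), $allowed, true)) {
        return;
    }
    // exit is essential: header() only queues a redirect. Without exit, PHP
    // keeps running and still sends the protected page body to the client
    // (the question's checkStaff() omits it).
    header('Location: ' . $loginUrl, true, 303);
    exit;
}

// Usage on a page that both admins and staff may see:
session_start();
if (isset($_GET['logout'])) {
    // doLogout() from the question is not defined here; clearing $_SESSION
    // and destroying the session is the usual implementation.
    $_SESSION = [];
    session_destroy();
    header('Location: ' . WEB_ROOT . 'admin/login.php', true, 303);
    exit;
}
requireRole(['admin', 'staff'], WEB_ROOT . 'admin/login.php');
// An admin-only page would instead call:
//   requireRole(['admin'], WEB_ROOT . 'admin/login.php');
```

Comparing roles with `in_array(..., true)` and `===` keeps the check strict: a session value of `0`, `''` or `true` never matches, and an unknown role is treated the same as no session at all.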
Thank you for your reply. But I'm confused by your answer. Actually, what I don't understand is why you didn't first declare the session variables $_SESSION['hlbank_admin_user'] and $_SESSION['staff_id'] that are returned in the isAdmin() and isStaff() functions, because you just returned them with isset in each of those two functions?
But why return them knowing that they have not yet been declared?
Just to clear up any confusion, the way this normally works is during log-in, you set some session variables that you want to track in future requests. You don't need to redeclare them at all in the future. You can simply check for them, or read them.
Pseudocode for log in:

```php
session_start();
if ($credentialsAreValid) {   // result of your username/password check
    // These session values will persist for the entire session.
    // Just make sure to call `session_start()` on every page before trying to access them.
    $_SESSION['isLoggedIn'] = true;
    $_SESSION['role'] = 'admin';
}
```

Then, when they try to access a restricted page you simply check if they are logged in and of a specific role.
Pseudocode to check access:

```php
session_start();
$isLoggedIn = $_SESSION['isLoggedIn'] ?? false;
$role = $_SESSION['role'] ?? '';
if ($isLoggedIn === true && $role === 'admin') {
    // You are logged in and an admin
}
```
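As an added example (not code from the thread) of the login half that the reply describes, the following writes the session exactly once, after the password check succeeds, and then shows what the access check reads on a later request. The sample user table, its column names, and the use of `password_hash()`/`password_verify()` are assumptions standing in for whatever the real login page does against its database.

```php
<?php
declare(strict_types=1);

/**
 * Constructed sample user store standing in for the database table a real
 * login page would query. Hashes are produced with password_hash() at run
 * time so the example works offline. Column names are assumptions.
 */
function sampleUsers(): array
{
    return [
        'alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'role' => 'admin'],
        'bob'   => ['hash' => password_hash('battery staple', PASSWORD_DEFAULT), 'role' => 'staff'],
    ];
}

/**
 * Verify a username/password pair and, on success, write the session values
 * that later pages read. Returns the role on success, null on failure.
 */
function login(string $username, string $password, array $users): ?string
{
    $user = $users[$username] ?? null;

    // Always run password_verify(), even for an unknown username, so a missing
    // account takes as long as a wrong password and is not revealed by timing.
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $verified = password_verify($password, $user['hash'] ?? $dummyHash);
    if ($user === null || !$verified) {
        return null;   // a failed login writes nothing to the session
    }

    // A new session id on login defeats session fixation: an id an attacker
    // planted in the victim's browser beforehand is not the one that now
    // carries the role.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }

    // This is the only place the session is written. Every later page just
    // reads these keys (after its own session_start()); nothing is redeclared.
    $_SESSION['isLoggedIn'] = true;
    $_SESSION['role']       = $user['role'];
    return $user['role'];
}

/** Clear the server-side state and drop the session; the reverse of login(). */
function logout(): void
{
    $_SESSION = [];
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
}

// Usage: session_start() must run before any output on every page.
session_start();
$users = sampleUsers();

login('alice', 'wrong password', $users);       // rejected, session untouched
$role = login('alice', 'correct horse', $users);

// What the reply's access check sees on the next request:
$isLoggedIn = $_SESSION['isLoggedIn'] ?? false;
$storedRole = $_SESSION['role'] ?? '';
printf("login result=%s isLoggedIn=%s role=%s\n",
    var_export($role, true), var_export($isLoggedIn, true), $storedRole);

logout();
```

The role is stored as a plain string chosen by the server from its own user record, never taken from the request; that is what lets the page guards trust `$_SESSION['role']` without re-checking the database on every hit.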