I created a login/logout page, but now I want to separate admins from regular users at login. What I want is for regular users to only be able to view the available files, while admins can of course view and edit those files.

Here is my current setup:

login.php

<?php
session_start();
include("password.php");
require_once "config.php";

/* Constants */
$TITLE = "Formation - User Login";
$CSS = array("assets/css/formation.css");
$JAVASCRIPT = array();
$mode = isset($_GET["mode"]) ? $_GET["mode"] : ""; /// avoid an undefined-index notice when no mode is given
/* Template */

require_once $TEMPLATE_PATH."header.php";

if ($mode == "login") { /// do after login form is submitted
     $username = isset($_POST["username"]) ? $_POST["username"] : "";
     $password = isset($_POST["password"]) ? $_POST["password"] : "";
     if (isset($USERS[$username]) && $USERS[$username] === $password) { /// check if submitted username and password exist in $USERS array
          $_SESSION["login"] = $username;
          header("location:index.php");
          exit(0); /// stop here so nothing below is sent after the redirect
     } else {
          echo "Incorrect username/password. Please, try again.";
     };
} else if ($mode == "logout") {
      unset($_SESSION["login"], $USERS); /// the session was already started above
      header("location: login.php");
      exit(0);
};
echo <<< XHTML

    <h1>$TITLE</h1>
    <form id="form" method="post" action="{$LOGIN_URL}?mode=login">
        <label id="username_label" for="username" class="normal">Username</label> :<br />
        <input id="username" name="username" type="text" value="" class="half" /><br />
        <label id="password_label" for="password" class="normal">Password</label> :<br />
        <input id="password" name="password" type="password" value="" class="half" /><br />
        <input id="submits" type="submit" value="Login" />
    </form>

XHTML;

require_once $TEMPLATE_PATH . "footer.php";

?>

password.php (verifies users and passwords)

<?php 
$USERS["drodrig1"] = "pwd1"; 
$USERS["jsutta"] = "pwd2"; 
$USERS["username3"] = "pwd3"; 

function check_logged(){ 
     global $USERS; /// $_SESSION is a superglobal and needs no "global" declaration
     if (!isset($_SESSION["login"]) || !array_key_exists($_SESSION["login"], $USERS)) { 
          header("Location: login.php");
          exit(0);
     };
};
?>

config.php

<?php

$ASSETS_URL = "https://url-link/formationXX/assets/";
$ASSETS_PATH = "serverpath/formationXX/assets/";
$TEMPLATE_URL = "https://url-link/formationXX/assets/template/";
$TEMPLATE_PATH = "serverpath/formationXX/assets/template/";
$LOGIN_URL = "https://url-link/formationXX/login.php";
$LOGIN_PATH = "serverpath/formationXX/login.php";

?>

index.php (after login, this is where I want admins to be distinguished from regular users. Admins should be able to see and edit the following: CSS, JS, Email, PDF and Spreadsheet. Regular users can only view everything except CSS and JS.)

<?php

require_once "config.php";
session_start(); /// initialize session
include("password.php"); 
check_logged(); /// function checks if visitor is logged.

/* Constants */
$TITLE = "Formation - User Login";
$CSS = array("assets/css/formation.css");
$JAVASCRIPT = array();
/* Template */

require_once $TEMPLATE_PATH."header.php";

echo <<< XHTML
        <form id="form" method="post" action="{$LOGIN_URL}?mode=login">
          <div class="full row column">
            <h1>{$TITLE}</h1>
          </div>
          <div class="full row column">
            <div class="half column small">
              <p>Logged in as: <strong>{$_SESSION["login"]}</strong> | <a href="{$LOGIN_URL}?mode=logout" class="small">Logout</a></p><br />
              Add Form | Delete Selected Form(s)
            </div>
          </div>
          <div class="full row column">
            <table id="formslist" cellpadding="0" cellspacing="0">
              <thead>
                <tr>
                  <td class="form_select">
                    <input id="selectallforms" name="selectallforms" type="checkbox" value="Select All Forms" />
                  </td>
                  <td class="form_id">
                    ID
                  </td>
                  <td class="form_url">
                    URL
                  </td>
                  <td class="form_dates">
                    Launch Date
                  </td>
                  <td class="form_dates">
                    Expiration Date
                  </td>
                  <td class="form_autofill">
                    Autofill
                  </td>
                  <td class="form_save">
                    **CSS**
                  </td>
                  <td class="form_save">
                    **JS**
                  </td>
                  <td class="form_save">
                    Email
                  </td>
                  <td class="form_save">
                    PDF
                  </td>
                  <td class="form_dates">
                    Spread sheet
                  </td>
                </tr>
              </thead>
            </table>
          </div>
        </form>
XHTML;

require_once $TEMPLATE_PATH . "footer.php";

?>

1 Answer


When a logged-in user tries to edit something, you should check whether that user has sufficient permissions to do so.

For example, here are your users:

$USERS["drodrig1"]['passw'] = "pwd1"; 
$USERS["jsutta"]['passw'] = "pwd2"; 
$USERS["username3"]['passw'] = "pwd3"; 

$USERS["drodrig1"]['level'] = 0; 
$USERS["jsutta"]['level'] = 1; 
$USERS["username3"]['level'] = 0;

Here is how we check whether the user is allowed to do something:

if (isset($_GET['action']) && $_GET['action'] === 'edit' && $USERS[$_SESSION["login"]]['level'] === 1) {
    // Go to the function where the user's changes get saved to files or the db:
    saveChanges($_POST);
} else {
    die("<h1>Sorry, you can't do that!</h1>");
}

By the way, your code has a lot of problems, but it is still good for learning PHP.

answered 2012-10-31T14:18:38.013
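A fuller version of the check the answer describes, as an added example that is not code from the question or the answer: per-asset view/edit permissions for the two roles the question needs (users view Email, PDF and Spreadsheet only; admins view and edit everything, CSS and JS included), with password hashes instead of plaintext passwords. The role names, the `can()` and `require_permission()` helpers and the sample users are assumptions.

```php
<?php
// Added example (not from the question or the answer). Names are assumptions.
session_start();

// What each role may do with each asset type (constructed sample policy).
$ROLES = [
    'user'  => ['view' => ['email', 'pdf', 'spreadsheet'], 'edit' => []],
    'admin' => ['view' => ['css', 'js', 'email', 'pdf', 'spreadsheet'],
                'edit' => ['css', 'js', 'email', 'pdf', 'spreadsheet']],
];

// Store only hashes. Hashing here at load time keeps the sample self-contained;
// in practice run password_hash() once and keep the resulting hash.
$USERS = [
    'drodrig1' => ['hash' => password_hash('pwd1', PASSWORD_DEFAULT), 'role' => 'user'],
    'jsutta'   => ['hash' => password_hash('pwd2', PASSWORD_DEFAULT), 'role' => 'admin'],
];

function login(array $users, string $name, string $password): bool {
    if (!isset($users[$name]) || !password_verify($password, $users[$name]['hash'])) {
        return false;                       // unknown user or wrong password
    }
    session_regenerate_id(true);            // new session id after login (no fixation)
    $_SESSION['login'] = $name;
    $_SESSION['role']  = $users[$name]['role'];
    return true;
}

// The role stored server-side decides; never a hidden form field or URL flag.
function can(array $roles, string $action, string $asset): bool {
    $role = $_SESSION['role'] ?? null;
    return $role !== null && in_array($asset, $roles[$role][$action] ?? [], true);
}

function require_permission(array $roles, string $action, string $asset): void {
    if (!can($roles, $action, $asset)) {
        http_response_code(403);
        exit('<h1>Sorry, you cannot do that!</h1>');
    }
}

// In index.php: show edit controls only for assets the role may edit, and
// re-check before saving, because the client can send any request it likes.
if (!isset($_SESSION['login'])) {
    header('Location: login.php');
    exit(0);
}
$action = (($_GET['mode'] ?? 'view') === 'edit') ? 'edit' : 'view';
$asset  = $_GET['asset'] ?? 'pdf';
require_permission($ROLES, $action, $asset);
```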