SecurityAssist Allow if 2 Conditions
dlovas275157
10-23-2009, 09:16 PM
I would only like users to gain access if they meet the following two criteria:
userLevel column = 2
userActivity column = 1
I understand how to set up an "allow if" statement restricting access based on 1 of these, but cannot seem to stack 2 allow if's to restrict on both.
How can I go about restricting access based on 2 database fields?
SOJO web
10-23-2009, 09:26 PM
The first thing to do is to create session values for each upon user authentication.
Then go into your rules manager and create a new rule. Then in your new rule, use the dialogue box to compare the value in the session to your entered value to make sure the user has the correct credentials.
The rules access manager has a "+" button that will allow you to add as many conditions as you like.
Cheers,
Brian
dlovas275157
10-23-2009, 09:39 PM
Brian,
Thanks for the response. I have done as you have stated.
I have created session variables for the following:
userLevel
userActivity
I have then created rules as follows:
Rule Name: Admin
Allow if <?php echo $_SESSION['userActivity']; ?> = 1
Allow if <?php echo $_SESSION['userLevel']; ?> = 2
Rule Name: User
Allow if <?php echo $_SESSION['userActivity']; ?> = 1
Allow if <?php echo $_SESSION['userLevel']; ?> = 1
The rules work fine when I just have the userLevel in the conditions, but when I stack the allow if statements to add userActivity they fail to work. Access is denied for all when testing.
Are you not allowed to stack "allow if" statements? If not, how should I phrase it?
Thanks.
SOJO web
10-23-2009, 10:14 PM
Yes... you shouldn't have any issue.
I wonder, then, if UserActivity session is getting truly set.
On the page that it is supposed to work on, can you echo out the session.UserActivity above the HTML and see what comes up. My guess is that it is not getting set properly.
I ran into a similar issue when I created an "active" column in one of my user DBs... since we know the User Level appears to work, I have a feeling this is a problem with the other session variable.
After you echo the other session, let me know your findings. (you may need to remove the access rules for the time being).
Cheers,
Brian
dlovas275157
10-24-2009, 08:39 AM
Brian,
My session variables were set correctly. It seems you cannot stack two "allow if" statements. If you do this it appears to let in users when either of the two individual conditions are true (as opposed to both true - which was what I wanted). In your experience is this true?
To fix, I had to do as follows:
restrict if
<?php echo $_SESSION['userActivity']; ?> = 0
Then underneath (had to be below the restrict if statement for some reason)
allow if
<?php echo $_SESSION['userLevel']; ?> = 2
All seems to be working properly now.
SOJO web
10-24-2009, 10:55 AM
Yes... that is the correct way... nice work.
Actually that is the correct logic to deny all rules you wish to restrict against first - because if your allow statement is first, it will become "true" before the other statements actually would be factored in. And if you want to ensure that a user has all of the credentials needed and not just one... you first would try to negate all others and then confirm the final.
You could even add another layer of protection to an admin section.
Say for example, you set your default access level in your database to "user". But you wanted to ensure your admin section required the credentials of active and admin. You could create a rule set where you first restrict if their account is not active (set to 0)... then restrict if their access level is set to user... then allow if their access level is set to admin.
Maybe a bit over the top, but there is no way that someone gets in by accident.
Cheers,
Brian
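The rule ordering discussed in the posts above, as an added example that is not part of the thread and is not WebAssist's generated code: a small first-match evaluator that runs the stacked "allow if" rule and the "restrict if, then allow if" rule against constructed sessions, next to an explicit all-conditions check. The function names `evaluateRule` and `requireAll`, the first-match-wins and default-deny behaviour, and the string comparison are assumptions made to model what the posters describe.

```php
<?php
// Added illustration: a first-match rule evaluator modelling the behaviour
// described in this thread. It is NOT SecurityAssist's generated code.

// Each condition is [action, session key, expected value]. Values are compared
// as strings (assumption) because the rules echo the session value.
function evaluateRule(array $conditions, array $session): bool
{
    foreach ($conditions as [$action, $key, $expected]) {
        $actual = (string)($session[$key] ?? '');   // unset key becomes ''
        if ($actual === (string)$expected) {
            return $action === 'allow';             // first match decides
        }
    }
    return false;                                   // nothing matched: deny
}

// Stricter alternative: every requirement must hold, and a missing key fails.
function requireAll(array $required, array $session): bool
{
    foreach ($required as $key => $expected) {
        if (!isset($session[$key]) || (string)$session[$key] !== (string)$expected) {
            return false;
        }
    }
    return true;
}

// The two rule shapes from the thread, plus the explicit requirement list.
$stacked   = [['allow', 'userActivity', 1], ['allow', 'userLevel', 2]];
$denyFirst = [['restrict', 'userActivity', 0], ['allow', 'userLevel', 2]];
$required  = ['userActivity' => 1, 'userLevel' => 2];

// Constructed sample sessions.
$sessions = [
    'active admin'   => ['userActivity' => 1, 'userLevel' => 2],
    'inactive admin' => ['userActivity' => 0, 'userLevel' => 2],
    'active user'    => ['userActivity' => 1, 'userLevel' => 1],
    'activity unset' => ['userLevel' => 2],
];

foreach ($sessions as $label => $s) {
    printf("%-15s stacked=%-5s denyFirst=%-5s requireAll=%s\n",
        $label,
        var_export(evaluateRule($stacked, $s), true),
        var_export(evaluateRule($denyFirst, $s), true),
        var_export(requireAll($required, $s), true));
}
```

The "activity unset" row is the case to check on a real site: in this model a session where userActivity was never written does not match the restrict condition, so the deny-first rule lets a level 2 user through while the explicit check denies.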
dlovas275157
10-24-2009, 11:46 AM
Brian,
Thanks for the added advice. I will probably add that for the admin users as you stated. That logic actually makes more sense to me.
Establishing User Levels and Authentication in WA seems a bit more complicated than it was in ADDT, but I just need to get used to it and better understand the logic.
Appreciate it. DL
SOJO web
10-24-2009, 11:52 AM
It is a bit more complicated on the surface... as I am an ADDT owner, as well, I know exactly what you're talking about.
But, I do love the added flexibility - where you can combine several rules to make groups... something that ADDT wasn't as flexible in.
For example, you may have four levels on a site, so you create rules like "user", "poweruser", "admin", and "superadmin".
Now, with WebAssist - after you create your various rules... you can though go to the groups manager to say, allow access to all admins by allowing anyone who meets the conditions of "admin" or "superadmin".
Or, you could add a group for all actives where it includes all four groups.
When I started creating super complex applications, I found WebAssist's model to be far superior. For a single quick project - the ADDT method was great - but the limitations of the ADDT method showed when you needed to couple groups together.
Cheers,
Brian