Security levels not working

5/30/2013 6:58 pmmrs

There was an interactive tutorial on your old site by Mark Jones (I think that was his name) for creating multiple level access with security assist. Where has it gone?

Anyways, I have built an admin log in using security assist, and I have then created a CRUD system for master admins to add lower level admins. I have tested the pages with the bog standard 'Logged in to tbl_admin' settings and all works fine apart from the fact that any admin has access to these pages. I then went about creating admin levels, and applied them, but they failed to check if I was logged in or not and let me straight into the admin area.

I have used the Access Rules Manager to edit and create access group levels:

Logged in to tbl_admin (levels of 3, 2 and 1)
Logged in to tbl_admin Power Admin Users (levels of 3 and 2)
Logged in to tbl_admin Master Admin Users (levels of 3 only)

None of these are working... I just go straight into the admin and am free to edit without ever signing in.

What I've noticed is that the code on the login.php seems to refer to the unique column (fld_adminID) rather than the access column (fld_adminACTIVE).

"sessionColumns" => explode($WA_Auth_Separator,"fld_adminID"),
"sessionNames" => explode($WA_Auth_Separator,"SecurityAssist_fld_adminID"),

I've changed the code where I can see it to refer to the access column of the DB (fld_adminACTIVE), and I have tried to rename the session name to SecurityAssist_fld_adminACTIVE, but now I am locked out of the admin even though I know I am entering the correct log in details! I've now changed the code back from ACTIVE to ID. I found the code in the helpergroupsrulesphp.php and login.php.

Within the Access Rules Manager, the default settings produced by Security Assist is:

Allow if
Value:<?php echo $_SESSION['SecurityAssist_fld_adminID']; ?>
Crteria: <>
Compare to: '' (field left empty)

And I changed it to:

Allow if
Value:<?php echo $_SESSION['SecurityAssist_fld_adminACTIVE']; ?>
Crteria: In group
Compare to: Logged in to tbl_admin

What am I doing wrong? What do I need to change? During the wizard process, what do I set to ensure the security is checking against the level rather than the unique record ID?

I've attached zip of the admin section with my levels in, but some code somewhere is still wrong... unless I have approached this entirely incorrectly!

Email me with all replies to this thread

Title:

Public Message: (viewable by anyone reading this thread)
(do not cut and paste code into this field unless necessary, attach copies of your pages so they can be opened in Dreamweaver for debugging)

Type in the characters exactly as displayed below - if you don't complete the Captcha correctly you will get a blank page, so you may want to copy the text of your message before you submit!

Quote message in reply?

Private Message: (viewable only by you, the person you are replying to, and WebAssist employees)
(only put truly private information in this area such as ftp details and phone numbers. Keep as much of your post public as possible)

These attachments are private (viewable only by you, the person you are replying to, and WebAssist employees)

Manage Attachments

Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

Security levels not working

5/30/2013 6:58 pmmrs