Opening Profile page

Our system requires that only the Admin has access to the Profile page. If Admin needs to update a visitor's profile, eg change their user level, how do they open the page? Logging in as Admin allows Admin to open their own Profile page but there's no clear way to access other users' profiles.

I'm thinking this out as I type this... You've described (2) possible levels of security.

1. Users
2. Admin

You'll have the following code on that page

<?php require_once( "../WA_SecurityAssist/Helper_PHP.php" ); 

if (!WA_Auth_RulePasses("Logged in to users")){

    WA_Auth_RestrictAccess("login.php");

}

?>

This rule provides access to only USERS. So I would think that you could make a new rule for that page for Admin....

However I don't think that you'll have a lot of success with that as your SecurityAssist doesn't offer a universal login option... or at least I don't think it does.


What I do for that type of activity for my clients is to create a "Admin Backend" web application that lives in a protected directory. In this back end you can create a full new set of tools that would allow you to touch all of your data for all users.

It is really easy to do this if you have DataAssist too.

Like tom says, you'll need to have data assist as well.


Run the data assist wizard for and select the users table to create the necessary search, results, insert, update and delete pages.

the admin can then search for the user they need to update, and click the link on the results page to go to that users information.

Thanks Tom, I'm interested in the possibility of using a new rule as I don't have DataAssist and I'm over budget already for this job.

The code is currently:

<?php require_once( "../WA_SecurityAssist/Helper_PHP.php" ); ?>
<?php
if (!WA_Auth_RulePasses("Administrator")){
WA_Auth_RestrictAccess("../admin/access_denied.php");
}
?>

This is as per the Authenticate User Solution Recipe, where the objective is to create an Admin-only access for the Update User page. But what is the use if Admin can only access their own profile???

So I'd be grateful if anyone can help me with the code to create a new rule enabling Admin to access anyone's Profile page. I have about 50 user levels and page access rules here, another one won't hurt. I should add that our site caters for about 50 groups of scientists on various committees and panels, each with their own set of restricted pages, and often a scientist on one panel will be invited onto a second panel (some are on 7 or 8), thus the need to update user levels quite often. Naturally, we don't want them updating their own user levels (much as we trust them!).

I thought I just had a great idea but sadly I'm still at a dead-end.

The idea was to use "Show region" on the User Level part of the Profile Update page (if Admin), then change the access rule to "Logged in as visitor". Sheer brilliance!

But sadly, although this now allows any visitor to view and update their profile (except their user level - good), and it allows Admin to log into any Profile Update page using the user's log-in (good), Admin can still only see User Level for their own Profile. D'oh!

So anyone who can tell me how to use the Profile Update page to update profiles gets a gold star :-)

My thought about SecurityAssist and adding an admin level... SecurityAssist wasn't designed to do that. My gut tells me that you'll never be able to do that with SecurityAssist. SecurityAssist does one thing very well. It allows one person access to the pages they've been given access....period.

I go back to creating a backend UPDATE/EDIT page that you place in a password protected directory. I would recommend using DataAssist, but if you are already over budget, then just use the regular edit option. You can use a query the looks for an email address. Select * from <table> where email = _$POST['email'].... Something like that. Then update the fields that you want to change.

The following is rough... But it's a good place to start...
You'll have to create a page with a <form method="POST" action="update_user.php"> and an <input name="email" value=""> to push your user info to your Update page.

That will get the job done.

Ok. I decided to create a set of simple sample pages using ONLY Dreamweaver CS3. The following are what I came up with. I hope they help. :)


page1.php ( Find Record Form )

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
</head>
<body>
<form action="page2.php" method="post">
<table>
 <tr>
  <td nowrap="nowrap">Enter Email Address:</td>
  <td>&nbsp;</td><td><input name="email" type="text" size="30" /></td>
  <td>&nbsp;</td><td><input type="submit" value="Go" /></td>
 </tr>
</table>
</form>
</body>
</html>

page2.php - ( Update Record )

<?php require_once('../Connections/dbconnect.php'); ?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_update"])) && ($_POST["MM_update"] == "update")) {
  $updateSQL = sprintf("UPDATE users SET FirstName=%s, LastName=%s WHERE UserID=%s",
                       GetSQLValueString($_POST['fname'], "text"),
                       GetSQLValueString($_POST['lname'], "text"),
                       GetSQLValueString($_POST['id'], "int"));

  mysql_select_db($database_dbconnect, $dbconnect);
  $Result1 = mysql_query($updateSQL, $dbconnect) or die(mysql_error());

  $updateGoTo = "page1.php";
  if (isset($_SERVER['QUERY_STRING'])) {
    $updateGoTo .= (strpos($updateGoTo, '?')) ? "&" : "?";
    $updateGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $updateGoTo));
}

$colname_getUsers = "-1";
if (isset($_POST['email'])) {
  $colname_getUsers = (get_magic_quotes_gpc()) ? $_POST['email'] : addslashes($_POST['email']);
}
mysql_select_db($database_dbconnect, $dbconnect);
$query_getUsers = sprintf("SELECT * FROM users WHERE UserEmail = %s", GetSQLValueString($colname_getUsers, "text"));
$getUsers = mysql_query($query_getUsers, $dbconnect) or die(mysql_error());
$row_getUsers = mysql_fetch_assoc($getUsers);
$totalRows_getUsers = mysql_num_rows($getUsers);
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
</head>
<body>
<h3>Update User: <?php echo $row_getUsers['UserEmail']; ?></h3>
<hr />
<form  action="<?php echo $editFormAction; ?>" method="POST" name="update">
<table>
 <tr> 
  <td>First name:</td><td>&nbsp;</td><td><input name="fname" type="text" value="<?php echo $row_getUsers['FirstName']; ?>" size="30" /></td>
 </tr>
 <tr> 
  <td>Last name:</td><td>&nbsp;</td><td><input name="lname" type="text" value="<?php echo $row_getUsers['LastName']; ?>" size="30" /></td>
 </tr>
</table>

<table>
 <tr>
  <td><input type="submit" value="Save" />
    <input name="id" type="hidden" value="<?php echo $row_getUsers['UserID']; ?>" /></td>
 </tr>
</table>
<input type="hidden" name="MM_update" value="update" />
</form>
</body>
</html>
<?php
mysql_free_result($getUsers);
?>

Tom, this is great, you're a hero :)
At the risk of pushing my luck here, can I ask you to cast your eye over my current code for your page2.php, which is now page4.php as I played it safe and saved a couple of versions along the way before going out on a limb? I changed all the connection and database and table and column names, and added a row (User Level) and made it a dropdown list (have I learned a lot lately! pretty good for a php novice :-P) and it all worked - until I click on Save and I get the following error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE VisitorID=NULL' at line 1

I can't see what it's referring to. I will attach it here as I can't see how to display code in a message on this forum.
Thanks heaps, Jen

Show me your SQL table structure please.

I see the issue looks to be in the actual UPDATE record...

$updateSQL = sprintf("UPDATE users SET FirstName=%s, LastName=%s, userLevel=%s, WHERE VisitorID=%s",

That's the only place you see 'WHERE VisitorID=NULL'

OK, thanks, here's a screenshot.
I thought I had it when I saw 'users' - it should be 'visitors' shouldn't it? But it made no difference.

Could it be something it's expecting on page1.php? I created that page but there's nothing on it.