Technical Support Forums
Opening Profile page

Thread began 6/10/2011 12:31 am by jen425288 | Last modified 6/18/2011 11:42 am by Lon Winters | 3237 views | 26 replies |

jen425288

Our system requires that only the Admin has access to the Profile page. If Admin needs to update a visitor's profile, eg change their user level, how do they open the page? Logging in as Admin allows Admin to open their own Profile page but there's no clear way to access other users' profiles.


tom92909 (Beta Tester)

I'm thinking this out as I type this... You've described (2) possible levels of security.

1. Users
2. Admin

You'll have the following code on that page:

php:
<?php require_once( "../WA_SecurityAssist/Helper_PHP.php" );

if (!WA_Auth_RulePasses("Logged in to users")) {
    WA_Auth_RestrictAccess("login.php");
}
?>



This rule provides access to only USERS. So I would think that you could make a new rule for that page for Admin....

However I don't think that you'll have a lot of success with that as your SecurityAssist doesn't offer a universal login option... or at least I don't think it does.


What I do for that type of activity for my clients is to create an "Admin Backend" web application that lives in a protected directory. In this back end you can create a full new set of tools that would allow you to touch all of your data for all users.

It is really easy to do this if you have DataAssist too.


Jason Byrnes (WebAssist)

Like Tom says, you'll need to have DataAssist as well.

Run the DataAssist wizard and select the users table to create the necessary search, results, insert, update and delete pages.

The admin can then search for the user they need to update, and click the link on the results page to go to that user's information.


jen425288

Thanks Tom, I'm interested in the possibility of using a new rule as I don't have DataAssist and I'm over budget already for this job.

The code is currently:

<?php require_once( "../WA_SecurityAssist/Helper_PHP.php" ); ?>
<?php
if (!WA_Auth_RulePasses("Administrator")){
WA_Auth_RestrictAccess("../admin/access_denied.php");
}
?>

This is as per the Authenticate User Solution Recipe, where the objective is to create an Admin-only access for the Update User page. But what is the use if Admin can only access their own profile???

So I'd be grateful if anyone can help me with the code to create a new rule enabling Admin to access anyone's Profile page. I have about 50 user levels and page access rules here, another one won't hurt. I should add that our site caters for about 50 groups of scientists on various committees and panels, each with their own set of restricted pages, and often a scientist on one panel will be invited onto a second panel (some are on 7 or 8), thus the need to update user levels quite often. Naturally, we don't want them updating their own user levels (much as we trust them!).


jen425288

I thought I just had a great idea but sadly I'm still at a dead-end.

The idea was to use "Show region" on the User Level part of the Profile Update page (if Admin), then change the access rule to "Logged in as visitor". Sheer brilliance!

But sadly, although this now allows any visitor to view and update their profile (except their user level - good), and it allows Admin to log into any Profile Update page using the user's log-in (good), Admin can still only see User Level for their own Profile. D'oh!

So anyone who can tell me how to use the Profile Update page to update profiles gets a gold star :-)


tom92909 (Beta Tester)

My thought about SecurityAssist and adding an admin level... SecurityAssist wasn't designed to do that. My gut tells me that you'll never be able to do that with SecurityAssist. SecurityAssist does one thing very well. It allows one person access to the pages they've been given access....period.

I go back to creating a backend UPDATE/EDIT page that you place in a password protected directory. I would recommend using DataAssist, but if you are already over budget, then just use the regular edit option. You can use a query that looks for an email address. Select * from <table> where email = $_POST['email'].... Something like that. Then update the fields that you want to change.

The following is rough... But it's a good place to start...
You'll have to create a page with a <form method="POST" action="update_user.php"> and an <input name="email" value=""> to push your user info to your Update page.

That will get the job done.


tom92909 (Beta Tester)

Ok. I decided to create a set of simple sample pages using ONLY Dreamweaver CS3. The following are what I came up with. I hope they help. :)


page1.php ( Find Record Form )

html:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
</head>
<body>
<form action="page2.php" method="post">
<table>
<tr>
<td nowrap="nowrap">Enter Email Address:</td>
<td>&nbsp;</td><td><input name="email" type="text" size="30" /></td>
<td>&nbsp;</td><td><input type="submit" value="Go" /></td>
</tr>
</table>
</form>
</body>
</html>



page2.php - ( Update Record )

php:
<?php require_once('../Connections/dbconnect.php'); ?>
<?php
// Dreamweaver's standard helper: escapes a request value and quotes it for the given column type.
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

// The update form posts back to this same page.
$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

// Handle the Save button: build and run the UPDATE, then redirect back to the search form.
// Note that an empty or missing 'id' field becomes "WHERE UserID=NULL" here.
if ((isset($_POST["MM_update"])) && ($_POST["MM_update"] == "update")) {
  $updateSQL = sprintf("UPDATE users SET FirstName=%s, LastName=%s WHERE UserID=%s",
                       GetSQLValueString($_POST['fname'], "text"),
                       GetSQLValueString($_POST['lname'], "text"),
                       GetSQLValueString($_POST['id'], "int"));

  mysql_select_db($database_dbconnect, $dbconnect);
  $Result1 = mysql_query($updateSQL, $dbconnect) or die(mysql_error());

  $updateGoTo = "page1.php";
  if (isset($_SERVER['QUERY_STRING'])) {
    $updateGoTo .= (strpos($updateGoTo, '?')) ? "&" : "?";
    $updateGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $updateGoTo));
  exit; // stop here so the form below is not rendered after the redirect
}

// Look up the user whose email address was entered on page1.php.
$colname_getUsers = "-1";
if (isset($_POST['email'])) {
  $colname_getUsers = (get_magic_quotes_gpc()) ? $_POST['email'] : addslashes($_POST['email']);
}
mysql_select_db($database_dbconnect, $dbconnect);
$query_getUsers = sprintf("SELECT * FROM users WHERE UserEmail = %s", GetSQLValueString($colname_getUsers, "text"));
$getUsers = mysql_query($query_getUsers, $dbconnect) or die(mysql_error());
$row_getUsers = mysql_fetch_assoc($getUsers);
$totalRows_getUsers = mysql_num_rows($getUsers);
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
</head>
<body>
<h3>Update User: <?php echo $row_getUsers['UserEmail']; ?></h3>
<hr />
<form action="<?php echo $editFormAction; ?>" method="POST" name="update">
<table>
 <tr>
  <td>First name:</td><td>&nbsp;</td><td><input name="fname" type="text" value="<?php echo $row_getUsers['FirstName']; ?>" size="30" /></td>
 </tr>
 <tr>
  <td>Last name:</td><td>&nbsp;</td><td><input name="lname" type="text" value="<?php echo $row_getUsers['LastName']; ?>" size="30" /></td>
 </tr>
</table>

<table>
 <tr>
  <td><input type="submit" value="Save" />
    <input name="id" type="hidden" value="<?php echo $row_getUsers['UserID']; ?>" /></td>
 </tr>
</table>
<input type="hidden" name="MM_update" value="update" />
</form>
</body>
</html>
<?php
mysql_free_result($getUsers);
?>

jen425288

Tom, this is great, you're a hero :)
At the risk of pushing my luck here, can I ask you to cast your eye over my current code for your page2.php, which is now page4.php as I played it safe and saved a couple of versions along the way before going out on a limb? I changed all the connection and database and table and column names, and added a row (User Level) and made it a dropdown list (have I learned a lot lately! pretty good for a php novice :-P) and it all worked - until I click on Save and I get the following error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE VisitorID=NULL' at line 1

I can't see what it's referring to. I will attach it here as I can't see how to display code in a message on this forum.
Thanks heaps, Jen

Attached Files
page4.zip

tom92909 (Beta Tester)

Show me your SQL table structure please.

I see the issue looks to be in the actual UPDATE record...

php:
$updateSQL = sprintf("UPDATE users SET FirstName=%s, LastName=%s, userLevel=%s, WHERE VisitorID=%s",

That's the only place you see 'WHERE VisitorID=NULL'

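An added example, not code from the thread or from WebAssist, that ties Tom's page2.php and the UPDATE problem above together: an admin-only update page with a fixed column list (so there is no stray comma before WHERE), a check that the id really is an integer (with GetSQLValueString an empty id is what becomes "WHERE VisitorID=NULL"), a server-side whitelist for the User Level dropdown, and mysqli prepared statements in place of the Dreamweaver mysql_* helpers. It assumes Jen's "Administrator" rule, a visitors table with VisitorID, UserEmail, FirstName, LastName and UserLevel columns, a dbconnect.php that defines $mysqli (with mysqlnd, so get_result() is available), and hypothetical level ids 1 to 3.

```php
<?php
// Added example (not from the thread or WebAssist). Assumes: the "Administrator"
// SecurityAssist rule, a `visitors` table (VisitorID, UserEmail, FirstName, LastName,
// UserLevel), dbconnect.php defining $mysqli, and hypothetical level ids 1..3.
require_once("../WA_SecurityAssist/Helper_PHP.php");
if (!WA_Auth_RulePasses("Administrator")) {
    WA_Auth_RestrictAccess("../admin/access_denied.php");
}
require_once("../Connections/dbconnect.php"); // assumed to set up $mysqli
$allowedLevels = array(1, 2, 3); // only levels an admin may assign; checked server-side
$h = function ($v) { return htmlspecialchars((string) $v, ENT_QUOTES, "UTF-8"); };
if (isset($_POST["MM_update"]) && $_POST["MM_update"] === "update") {
    $id    = filter_var($_POST["id"] ?? "", FILTER_VALIDATE_INT);
    $level = filter_var($_POST["ulevel"] ?? "", FILTER_VALIDATE_INT);
    $fname = $_POST["fname"] ?? "";
    $lname = $_POST["lname"] ?? "";
    // A missing or non-numeric id is what would otherwise become "WHERE VisitorID=NULL".
    if ($id === false || !in_array($level, $allowedLevels, true)) {
        http_response_code(400);
        exit("Invalid user id or user level");
    }
    // Fixed column list, no comma before WHERE; values are bound, never interpolated.
    $stmt = $mysqli->prepare("UPDATE visitors SET FirstName=?, LastName=?, UserLevel=? WHERE VisitorID=?");
    $stmt->bind_param("ssii", $fname, $lname, $level, $id);
    $stmt->execute();
    header("Location: page1.php");
    exit; // stop rendering after the redirect
}
// Look up the visitor whose email address the admin entered on page1.php.
$email = $_POST["email"] ?? "";
$stmt = $mysqli->prepare("SELECT VisitorID, FirstName, LastName, UserLevel FROM visitors WHERE UserEmail=?");
$stmt->bind_param("s", $email);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
if (!$row) { exit("No visitor with that email address"); }
?>
<form action="page2.php" method="post">
 First name: <input name="fname" value="<?php echo $h($row["FirstName"]); ?>" /><br />
 Last name: <input name="lname" value="<?php echo $h($row["LastName"]); ?>" /><br />
 User level: <select name="ulevel">
 <?php foreach ($allowedLevels as $l) { ?>
  <option value="<?php echo $l; ?>"<?php echo ($l == $row["UserLevel"]) ? " selected" : ""; ?>><?php echo $l; ?></option>
 <?php } ?>
 </select><br />
 <input type="hidden" name="id" value="<?php echo (int) $row["VisitorID"]; ?>" />
 <input type="hidden" name="MM_update" value="update" />
 <input type="submit" value="Save" />
</form>
```

Because the level list and the id are validated before the UPDATE runs, a visitor who tampers with the hidden fields cannot raise their own level through this page, and the query text never changes shape with the input.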

jen425288

OK, thanks, here's a screenshot.
I thought I had it when I saw 'users' - it should be 'visitors', shouldn't it? But it made no difference.

Could it be something it's expecting on page1.php? I created that page but there's nothing on it.
