Two rules allowing access to two sets of pages

Not sure if that title explains my issue very well.

The set up is fairly straightforward - I have a set of pages that users can access to upload tour itineraries to a website. And also a second set of admin pages only accessible to site owners to perform administrative functions.

I've just noticed that when a user from either group is logged in, they can access the other group's pages. Obviously this should not be happening.

I suspect this may be my fault to a degree, as in both database tables the unique ID field is the same name - UserID.

Because of this, the session name has ended up being the same in each case, ie SecurityAssist_UserID.

If anyone could advise of the most painless and straightforward way to fix this that would be much appreciated. Thanks.

So you have 2 different user tables and 2 different login systems on the same site?

the "easiest" way to correct this would be to edit one of the login pages, edit the authenticate user behavior and change the name of the user ID session that will be created

You will then need to create a new logged in rule that uses the new session variable, and edit any pages that reference the session directly to reference the new one.

However: This is really not a very good way to set the site up.

the best way to fix the problem would be to use only one user table in the site, and set up user level authentication to allow different access levels to different users in the system.

Thanks Jason - that makes sense I guess. I have another site which is more like that, where all users are employees of the company, with administrators with rights to all admin pages, and editors who are able to edit records.

This one is a little different in that the administrators are the site owners, and the other users are third parties who can log in and add their own tour itineraries to the site.

But yes - now that you mention it groups will work - the fields for the administrators are just a subset of the fields for the third party users, so one table should easily cover both groups.

As its still at an early stage it should be easy enough to combine the tables. So I'll do that in the first instance and come back to you if I have any questions about setting up the user level authentication.

separate user tables is always a bad idea.

one of the basic concepts in database design is to avoid duplications.

any time you find your self creating a duplicate (table , column...) in your database, stop!! there is a better way.

in the case of a duplicate table, the better way is using a column to define a unique attribute. in this case a user level.

in the case of a duplicate column, the better way is to use a linking table instead.

Data Normalization is the main goal of a well designed database.


Duplicates are messy, and prone to causing issues.

OK - I'm now just using the one table, and the site is currently set up to allow access to all the admin pages if users have logged in.

So I guess I need to change that and have two rules to allow access to different pages depending on which group the logged in user belongs to.

I have added a new field (User_Level) populated with either Administrator or Editor for each user.

I assumed the next step was to create two Groups, using Web Assist > Security Assist > Manage Site Access > Access Groups Manager, but when I looked in there, I wasn't sure as I was expecting to be able to define two groups where my field User_Level = Administrator and User_Level = Editor. But its more like asking me to enter users manually?

Or can I just edit the rules directly or create new ones based on being logged in + User_Level = Administrator / Editor?

you need to edit the authenticate user behavior on the login page. go to the session tab to set the user level in a session variable.

then you create the access rules based on the user level session.

see the user Level Authentication tutorial in the archived documentation section of the security assist support page for more details:

securityassist/

Thanks Jason - can you check that link? I don't see that tutorial, or link to an archived section there. (Apologies if I'm being blind!)

the archived documentation link is along the right hand side.

Underneath the tab for Frequently asked Question, there is a column containing various links, there is a documentation section that contains links to Recent Updates, Built - in Help and Archived Documentation.w


follow the archived documentation link to find the user Level Authentication tutorial

Thanks Jason.

I've been through that now, I think correctly, but perhaps not as I still have the same issue.

I have attached some screenshots showing how I have the Authenticate User behaviour set up, and also my two rules for Administrators and Editors.

Can you let me know if they look OK?

in your rules, set the first condition to use:


Restrict
Value: <?php echo $_SESSION['SecurityAssist_UserID'?>
Criteria: =
Compare to: (leave blank)