close ad
Help us test the new Databridge BETA with MySQLi support
open ad
View Menu

Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

rating

Two rules allowing access to two sets of pages

Thread began 9/18/2012 9:53 am by iainmacdonald331081 | Last modified 9/19/2012 12:31 pm by iainmacdonald331081 | 1151 views | 12 replies |

iainmacdonald331081

Two rules allowing access to two sets of pages

Not sure if that title explains my issue very well.

The set up is fairly straightforward - I have a set of pages that users can access to upload tour itineraries to a website. And also a second set of admin pages only accessible to site owners to perform administrative functions.

I've just noticed that when a user from either group is logged in, they can access the other group's pages. Obviously this should not be happening.

I suspect this may be my fault to a degree, as in both database tables the unique ID field is the same name - UserID.

Because of this, the session name has ended up being the same in each case, ie SecurityAssist_UserID.

If anyone could advise of the most painless and straightforward way to fix this that would be much appreciated. Thanks.

Sign in to reply to this post

Jason ByrnesWebAssist

So you have 2 different user tables and 2 different login systems on the same site?

the "easiest" way to correct this would be to edit one of the login pages, edit the authenticate user behavior and change the name of the user ID session that will be created

You will then need to create a new logged in rule that uses the new session variable, and edit any pages that reference the session directly to reference the new one.

However: This is really not a very good way to set the site up.

the best way to fix the problem would be to use only one user table in the site, and set up user level authentication to allow different access levels to different users in the system.

Sign in to reply to this post

iainmacdonald331081

Thanks Jason - that makes sense I guess. I have another site which is more like that, where all users are employees of the company, with administrators with rights to all admin pages, and editors who are able to edit records.

This one is a little different in that the administrators are the site owners, and the other users are third parties who can log in and add their own tour itineraries to the site.

But yes - now that you mention it groups will work - the fields for the administrators are just a subset of the fields for the third party users, so one table should easily cover both groups.

As its still at an early stage it should be easy enough to combine the tables. So I'll do that in the first instance and come back to you if I have any questions about setting up the user level authentication.

Sign in to reply to this post

Jason ByrnesWebAssist

separate user tables is always a bad idea.

one of the basic concepts in database design is to avoid duplications.

any time you find your self creating a duplicate (table , column...) in your database, stop!! there is a better way.

in the case of a duplicate table, the better way is using a column to define a unique attribute. in this case a user level.

in the case of a duplicate column, the better way is to use a linking table instead.

Data Normalization is the main goal of a well designed database.


Duplicates are messy, and prone to causing issues.

Sign in to reply to this post

iainmacdonald331081

OK - I'm now just using the one table, and the site is currently set up to allow access to all the admin pages if users have logged in.

So I guess I need to change that and have two rules to allow access to different pages depending on which group the logged in user belongs to.

I have added a new field (User_Level) populated with either Administrator or Editor for each user.

I assumed the next step was to create two Groups, using Web Assist > Security Assist > Manage Site Access > Access Groups Manager, but when I looked in there, I wasn't sure as I was expecting to be able to define two groups where my field User_Level = Administrator and User_Level = Editor. But its more like asking me to enter users manually?

Or can I just edit the rules directly or create new ones based on being logged in + User_Level = Administrator / Editor?

Sign in to reply to this post

Jason ByrnesWebAssist

you need to edit the authenticate user behavior on the login page. go to the session tab to set the user level in a session variable.

then you create the access rules based on the user level session.

see the user Level Authentication tutorial in the archived documentation section of the security assist support page for more details:

securityassist/

Sign in to reply to this post

iainmacdonald331081

Thanks Jason - can you check that link? I don't see that tutorial, or link to an archived section there. (Apologies if I'm being blind!)

Sign in to reply to this post

Jason ByrnesWebAssist

the archived documentation link is along the right hand side.

Underneath the tab for Frequently asked Question, there is a column containing various links, there is a documentation section that contains links to Recent Updates, Built - in Help and Archived Documentation.w


follow the archived documentation link to find the user Level Authentication tutorial

Sign in to reply to this post

iainmacdonald331081

Thanks Jason.

I've been through that now, I think correctly, but perhaps not as I still have the same issue.

I have attached some screenshots showing how I have the Authenticate User behaviour set up, and also my two rules for Administrators and Editors.

Can you let me know if they look OK?

Attached Files
security_assist_screenshots.zip
Sign in to reply to this post

Jason ByrnesWebAssist

in your rules, set the first condition to use:


Restrict
Value: <?php echo $_SESSION['SecurityAssist_UserID'?>
Criteria: =
Compare to: (leave blank)

Sign in to reply to this post
loading

Build websites with a little help from your friends

Your friends over here at WebAssist! These Dreamweaver extensions will assist you in building unlimited, custom websites.

Build websites from already-built web applications

These out-of-the-box solutions provide you proven, tested applications that can be up and running now.  Build a store, a gallery, or a web-based email solution.

Want your website pre-built and hosted?

Close Windowclose

Rate your experience or provide feedback on this page

Account or customer service questions?
Please user our contact form.

Need technical support?
Please visit support to ask a question

Content

rating

Layout

rating

Ease of use

rating

security code refresh image

We do not respond to comments submitted from this page directly, but we do read and analyze any feedback and will use it to help make your experience better in the future.

Close Windowclose

We were unable to retrieve the attached file

Close Windowclose

Attach and remove files

add attachmentAdd attachment
Close Windowclose

Enter the URL you would like to link to in your post

Close Windowclose

This is how you use right click RTF editing

Enable right click RTF editing option allows you to add html markup into your tutorial such as images, bulleted lists, files and more...

-- click to close --

Uploading file...