Security levels not working
There was an interactive tutorial on your old site by Mark Jones (I think that was his name) for creating multiple level access with security assist. Where has it gone?
Anyways, I have built an admin log in using security assist, and I have then created a CRUD system for master admins to add lower level admins. I have tested the pages with the bog standard 'Logged in to tbl_admin' settings and all works fine apart from the fact that any admin has access to these pages. I then went about creating admin levels, and applied them, but they failed to check if I was logged in or not and let me straight into the admin area.
I have used the Access Rules Manager to edit and create access group levels:
Logged in to tbl_admin (levels of 3, 2 and 1)
Logged in to tbl_admin Power Admin Users (levels of 3 and 2)
Logged in to tbl_admin Master Admin Users (levels of 3 only)
None of these are working... I just go straight into the admin and am free to edit without ever signing in.
What I've noticed is that the code on the login.php seems to refer to the unique column (fld_adminID) rather than the access column (fld_adminACTIVE).
"sessionColumns" => explode($WA_Auth_Separator,"fld_adminID"),
"sessionNames" => explode($WA_Auth_Separator,"SecurityAssist_fld_adminID"),
I've changed the code where I can see it to refer to the access column of the DB (fld_adminACTIVE), and I have tried to rename the session name to SecurityAssist_fld_adminACTIVE, but now I am locked out of the admin even though I know I am entering the correct log in details! I've now changed the code back from ACTIVE to ID. I found the code in the helpergroupsrulesphp.php and login.php.
Within the Access Rules Manager, the default settings produced by Security Assist are:
Allow if
Value: <?php echo $_SESSION['SecurityAssist_fld_adminID']; ?>
Criteria: <>
Compare to: '' (field left empty)
And I changed it to:
Allow if
Value: <?php echo $_SESSION['SecurityAssist_fld_adminACTIVE']; ?>
Criteria: In group
Compare to: Logged in to tbl_admin
What am I doing wrong? What do I need to change? During the wizard process, what do I set to ensure the security is checking against the level rather than the unique record ID?
I've attached a zip of the admin section with my levels in, but some code somewhere is still wrong... unless I have approached this entirely incorrectly!
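An added example, not part of the original post and not Security Assist's generated code: a plain-PHP level check that denies access whenever the session value is missing, empty or not a number, instead of letting the visitor through. The group names and levels come from the post; the functions `is_allowed` and `require_group`, and the assumption that the login step stores the `fld_adminACTIVE` level under `SecurityAssist_fld_adminACTIVE`, are hypothetical.

```php
<?php
// Added illustration in plain PHP; it does not call Security Assist's helper functions.
// Group names and levels (1, 2, 3) are taken from the post above.
const ACCESS_GROUPS = [
    'Logged in to tbl_admin'                    => [1, 2, 3],
    'Logged in to tbl_admin Power Admin Users'  => [2, 3],
    'Logged in to tbl_admin Master Admin Users' => [3],
];

/**
 * Return true only when the session carries a level that belongs to $group.
 * Assumption: login stored the level under $levelKey. Anything else is denied.
 */
function is_allowed(array $session, string $group,
                    string $levelKey = 'SecurityAssist_fld_adminACTIVE'): bool
{
    if (!array_key_exists($group, ACCESS_GROUPS)) {
        return false; // unknown rule name: deny rather than allow
    }
    $raw = $session[$levelKey] ?? null;
    if (!(is_int($raw) || is_string($raw)) || !ctype_digit((string) $raw)) {
        return false; // not logged in, or the level was never written to the session
    }
    return in_array((int) $raw, ACCESS_GROUPS[$group], true);
}

/** Page guard (hypothetical helper): redirect to the login page and stop. */
function require_group(string $group, string $loginUrl = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!is_allowed($_SESSION, $group)) {
        header('Location: ' . $loginUrl);
        exit; // without exit the rest of the protected page still executes
    }
}

// Constructed sample sessions: a visitor who never signed in, and a level 2 admin.
$anonymous = [];
$level2 = ['SecurityAssist_fld_adminID' => '17', 'SecurityAssist_fld_adminACTIVE' => '2'];

var_dump(is_allowed($anonymous, 'Logged in to tbl_admin'));
var_dump(is_allowed($level2, 'Logged in to tbl_admin Power Admin Users'));
var_dump(is_allowed($level2, 'Logged in to tbl_admin Master Admin Users'));
```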