Security levels not working

There was an interactive tutorial on your old site by Mark Jones (I think that was his name) for creating multiple level access with security assist. Where has it gone?

Anyways, I have built an admin log in using security assist, and I have then created a CRUD system for master admins to add lower level admins. I have tested the pages with the bog standard 'Logged in to tbl_admin' settings and all works fine apart from the fact that any admin has access to these pages. I then went about creating admin levels, and applied them, but they failed to check if I was logged in or not and let me straight into the admin area.

I have used the Access Rules Manager to edit and create access group levels:

Logged in to tbl_admin (levels of 3, 2 and 1)
Logged in to tbl_admin Power Admin Users (levels of 3 and 2)
Logged in to tbl_admin Master Admin Users (levels of 3 only)

None of these are working... I just go straight into the admin and am free to edit without ever signing in.

What I've noticed is that the code on the login.php seems to refer to the unique column (fld_adminID) rather than the access column (fld_adminACTIVE).

"sessionColumns" => explode($WA_Auth_Separator,"fld_adminID"),
"sessionNames" => explode($WA_Auth_Separator,"SecurityAssist_fld_adminID"),

I've changed the code where I can see it to refer to the access column of the DB (fld_adminACTIVE), and I have tried to rename the session name to SecurityAssist_fld_adminACTIVE, but now I am locked out of the admin even though I know I am entering the correct log in details! I've now changed the code back from ACTIVE to ID. I found the code in the helpergroupsrulesphp.php and login.php.

Within the Access Rules Manager, the default settings produced by Security Assist is:

Allow if
Value:<?php echo $_SESSION['SecurityAssist_fld_adminID']; ?>
Crteria: <>
Compare to: '' (field left empty)

And I changed it to:

Allow if
Value:<?php echo $_SESSION['SecurityAssist_fld_adminACTIVE']; ?>
Crteria: In group
Compare to: Logged in to tbl_admin

What am I doing wrong? What do I need to change? During the wizard process, what do I set to ensure the security is checking against the level rather than the unique record ID?

I've attached zip of the admin section with my levels in, but some code somewhere is still wrong... unless I have approached this entirely incorrectly!

The wizard cannot be configured to create user level authentication, that needs to be done manually.

Your approach is correct, the problem is that you have entered an empty member of each of the groups.


if you look in the webassist/security_assist/helpergrouprules,php file, the code for the groups is:

function WA_Auth_GetGroup($groupName){

    $group = Array();

    

                switch ($groupName){

        case "All Admin Users":

            $group = array("1","2","3","");

            break;

        case "Master Admin Users":

            $group = array("3","");

            break;

        case "Power Admin Users":

            $group = array("2","3","");

            break;

    }

    return $group;

}

each one of the groups contains an empty member for example:

$group = array("1","2","3","");

should be:

$group = array("1","2","3");

having an empty member like this will allow access if the session is not set, i.e not logged in.

Aah... do you know, I looked at them and removed them too, but I tested them after I have changed the fld_adminID to fld_adminACTIVE and that's when I thought: "You know, I've tried but I need some help now!"

Thanks Jason.

I'll give it a go and come back if I need further help.

Removing that blank option deosn't make the code work properly. Basically, I have just created a user in the admin table with an access level of '0'. In the access levels, I have only used 1, 2 and 3, so by default I would expect 0 to be kicked out of the admin. I have tried adding a user without any access levels i.e: NULL, and that is kicked out, so something is referring to the fld_adminACTIVE field.

So, what's wrong with this still? Is it because the behaviour is looking at the ID field instead of the ACTIVE access level field?

I am assuming that I have set the access rules and groups up correctly. Do I need to add restrict if rule to the current settings I have?

Thanks

I'll need to troubleshoot directly, see the private message section.

Details provided

master.php should only allow one admin level, power.php should allow two admin levels. I can't get in to master.php at all regardless of how I've signed in, and power.php doesn't seem to matter what level I sign in with.

master.php is set to 3 (Logged in to tbl_admin Master Admin Users - in group Master admin users)
power.php is set to 2 and 3 (Logged in to tbl_admin Power Admin Users - in group Power admin users)
all pages with admin in the name are now set to 1, 2 and 3 (Logged in to tbl_admin - in group All admin users)

The admin-named pages were set to Power Admin Users, but all administrators could view them regardless of their access level. I have changed it so it's should be easier for you to trouble shoot, or at least I assume it will be easier.

Thanks.

On your pages on the server, the column you are storing in the session is fld_adminID and the session name is SecurityAssist_fld_adminID

YOu should be using the fld_adminACTIVE column in the session.


the fld_adminID column stores the Primary key value, not the grpoup level.

when the user Matthew logs in, the session value is 1 so is not considered a Master Admin.

Ah, I thought so. So, where do I set that up in the security assist wizard?

In the database settings, I have the menu User ID to select which user is being used to detect the unique user id for password reminders and user updates, but it doesn't work for the session setting requirement of the security levels.

Perhaps a user level column choice is something that could be added to the wishlist for the next version of security assist.

UPDATE:

So, just to be sure, because I am only using the login and logout pages, if I change the following:

"sessionColumns" => explode($WA_Auth_Separator,"fld_adminID"),
"sessionNames" => explode($WA_Auth_Separator,"SecurityAssist_fld_adminID"),
to
"sessionColumns" => explode($WA_Auth_Separator,"fld_adminACTIVE"),
"sessionNames" => explode($WA_Auth_Separator,"SecurityAssist_fld_adminACTIVE"),

and change SecurityAssist_fld_adminID to SecurityAssist_fld_adminACTIVE anywhere else it occurs, then my problem should be fixed. Is this going to break any functionality elsewhere?

Thanks