Access rule with third condition not working.

trying to add a secure page behaviour to a page, which in the past has been a simple process, but currently I am unable to get this to work.
I have created a login system manually ( not using WA Create Security Pages ) which I have done before with no issues.

The problem seems to be when I want to add a third condition to the access rule.

If i use the access rule that has two conditions such as:

case "logged in to registered_apps":
$comparisons[0] = array(TRUE, "".((isset($_SESSION['acc_id']))?$_SESSION['acc_id']:"") ."", 2, "");
$comparisons[1] = array(TRUE, "".((isset($row_rsCurrentUser['email_verified']))?$row_rsCurrentUser['email_verified']:"") ."", 1, "1");

this works fine.

But the particular page I am wanting to secure needs a third condition which checks the database to see if the ’status’ column in the database has a value of ‘Consolidation’. If it doesn’t then it redirects to a different page.

so the access rule would be as as follows:

case "Logged in and Consolidation":
$comparisons[0] = array(TRUE, "".((isset($_SESSION['acc_id']))?$_SESSION['acc_id']:"") ."", 2, "");
$comparisons[1] = array(TRUE, "".((isset($row_rsCurrentUser['email_verified']))?$row_rsCurrentUser['email_verified']:"") ."", 1, "1");
$comparisons[2] = array(TRUE, "".((isset($row_rsCurrentUser['status']))?$row_rsCurrentUser['status']:"") ."", 1, "Consolidation");

So on the page I’m wanting to secure would be the following:

<?php
if (!WA_Auth_RulePasses("Logged in and Consolidation")){
WA_Auth_RestrictAccess("consent-list.php");
}
?>

I've attached relevant pages..

Thanks in advance!

see private message for remote access to test site.

You shouldn't be referencing the recordset directly in rules. You should instead save the recordset values as session variables during login and then use the session variable in the rule. I think that is probably the source of the problem.

I’ve tried what you suggested but it still isn’t working for me.

I have added two session values to the ‘Authenticate user’ behaviour. which are ‘email_verified’ and ‘status’.

A successful login directs to the ‘consent-consolidation.php’ page, which uses the following rule:

case "Logged in and Consolidation":
$comparisons[0] = array(FALSE, "".((isset($_SESSION['acc_id']))?$_SESSION['acc_id']:"") ."", 1, "");
$comparisons[1] = array(TRUE, "".((isset($_SESSION['email_verified']))?$_SESSION['email_verified']:"") ."", 1, "1");
$comparisons[2] = array(FALSE, "".((isset($_SESSION['status']))?$_SESSION['status']:"") ."", 1, "Consolidated");
break;

... in a secure page behaviour, if it fails it redirects to the ‘consent-list.php’ page.

So basically if a user logs in and their ‘status’ value is ‘Consolidation’ then they get access to the ‘consent-consolidation.php’ page. if their ‘status’ value is ‘Consolidated’ they get redirected to the ‘consent-list.php’ page.

But it doesn’t!!

mayne this isn’t the best way for me to achieve my goal. To put it in simple terms..

When the user logs in, if their ‘status’ value is ‘consolidation’ i want them to stay on the ‘consent-consolidation.php’ page. If their ’status’ value is ‘Consolidated’ they get redirected to the ‘consent-list.php’ page.

I’ve attached the pages as they are. Plus they are on the remote test site ( see post #2 for access ).

Thanks in advance.

So if I'm reading this right, you have a rule set up:

Restrict if $_SESSION['acc_id'] = 1
Allow if $_SESSION['email_verified'] = 1
Restrict if $_SESSION['status'] = Consolidated

The way this works is it reads down the list but once something is allowed or restricted it doesn't read any further.

So if $_SESSION['acc_id'] equals 1 it will fail the validation and won't go any further.

If $_SESSION['acc_id'] does not equal Consolidated then it will go to the next line and Allow if $_SESSION['email_verified'] equals 1. If it does than it will allow and won't read the next line.

So if you want to restrict solely on the basis of the status, you should create a separate rule and only check that value.

OK so I'm a bit confused now..

So I need the page to be accessed by logged in users only, so 'acc_id' and 'emailVerified' is checked. Then I need to check on the 'status' value. if it's 'consolidation' then its accessed. If its 'consolidated' then the user is redirected to another page ( consent-list.php )

So how can I achieve these two goals?

Restrict if $_SESSION['acc_id'] does not equal 1
Restrict if $_SESSION['email_verified'] does not equal 1
Restrict if $_SESSION['status'] does not equal consolidated