4 replies to this topic

[Pelleke]

Hello!

In a certain snippet I want to figure out if a visitor turns out to be a logged-in administrator or other member with page-edit rights on the page. For that check i rented this snippet from EtoGal (and altered it a little.)

function access() {
	global $etomite;
	$userdetails=$etomite->userLoggedIn();
	if($userdetails['id']) {
  // check whether user is allowed to modify this page (-> $result1=1)
  $rs1=$etomite->dbQuery("SELECT * FROM (" . $etomite->db . "member_groups JOIN " . $etomite->db . "membergroup_access ON user_group=membergroup) JOIN " . $etomite->db . "document_groups ON documentgroup=document_group WHERE member='" . $userdetails['id'] . "' and document='" . $etomite->documentIdentifier . "'");
  $result1=mysql_num_rows($rs1);

  // check if user is administrator (-> $result2=1)
  $rs2=$etomite->dbQuery("SELECT * FROM " . $etomite->db . "user_attributes WHERE id='" . $userdetails['id'] . "' AND role='1'");
  $result2=mysql_num_rows($rs2);
  if($result1>0 || $result2>0) $access_permitted=1;
  else $access_permitted=0;
	}
	else $access_permitted=0;
	if ($access_permitted == 1) return true; else return false;
}

Testing the snippet on an 0.6.1rc3 install gives me the pain in the ass of a non-existing userLoggedIn-object (or something like that; the first evaluation in this quote is not true, so it doesn't have an 'id'-thing.)

Anyone knows what's going on here, and how to handle it?

Edited by pelleke, 17 January 2006 - 05:30 PM.

[Jelmer]

http://www.etomite.com/index.php?showtopic=3791

[Pelleke]

Jelmer, on Jan 17 2006, 07:48 PM, said:

http://www.etomite.com/index.php?showtopic=3791

Yeah, I read it, but the nasty thing about it is that now I have to dirty my frontend with a login-feature which no-one ever needs... Is there no way for these sessions to 'communicate' in a certain way so that I still can check if someone is logged-in at the backend? (Without doing weird stuff like patching the backend or so?)

... or am I just missing the solution for this all?

Edited by pelleke, 17 January 2006 - 06:24 PM.

[Dean]

Add it to a hidden page that only you know the url of?

[mikef]

Dean, on Jan 17 2006, 06:32 PM, said:

Add it to a hidden page that only you know the url of?

Which is what I've done (except that few more people also know where it is). It's good if you want to avoid scaring updaters with the manager interface, but a bit messy if what you are really doing is 'management' that should really be in the manager (MySQLBackup, the snippet for changing page editted dates and templates, for example.)

Edited by mikef, 17 January 2006 - 06:42 PM.