基于MySQL角色的登录重定向问题

Question

我已经在我的系统中为管理员设置了登录系统。但是现在我需要添加多个页面，这些页面应该只有“超级管理员”才能访问。我需要改变他们的方向。我被困在某处了。需要帮助才能弄清楚。

以下是代码：

Login.php是主要逻辑

<?php

/**
 * Class login
 * handles the user's login and logout process
 */
class Login
{
    /**
     * @var object The database connection
     */
    private $db_connection = null;
    /**
     * @var array Collection of error messages
     */
    public $errors = array();
    /**
     * @var array Collection of success / neutral messages
     */
    public $messages = array();

    /**
     * the function "__construct()" automatically starts whenever an object of this class is created,
     * you know, when you do "$login = new Login();"
     */
    public function __construct()
    {
        // create/read session, absolutely necessary
        session_start();

        // check the possible login actions:
        // if user tried to log out (happen when user clicks logout button)
        if (isset($_GET["logout"])) {
            $this->doLogout();
        }
        // login via post data (if user just submitted a login form)
        elseif (isset($_POST["login"])) {
            $this->dologinWithPostData();
        }
    }

    /**
     * log in with post data
     */
    private function dologinWithPostData()
    {
        // check login form contents
        if (empty($_POST['user_name'])) {
            $this->errors[] = "Username field was empty.";
        } elseif (empty($_POST['user_password'])) {
            $this->errors[] = "Password field was empty.";
        } elseif (!empty($_POST['user_name']) && !empty($_POST['user_password'])) {

            // create a database connection, using the constants from config/db.php (which we loaded in index.php)
            $this->db_connection = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);

            // change character set to utf8 and check it
            if (!$this->db_connection->set_charset("utf8")) {
                $this->errors[] = $this->db_connection->error;
            }

            // if no connection errors (= working database connection)
            if (!$this->db_connection->connect_errno) {

                // escape the POST stuff
                $user_name = $this->db_connection->real_escape_string($_POST['user_name']);

                // database query, getting all the info of the selected user (allows login via email address in the
                // username field)
                //$sql = "SELECT user_name, user_email, user_password_hash
                //        FROM users1
                //        WHERE user_name = '" . $user_name . "' OR user_email = '" . $user_name . "';";
                $sql = "SELECT * FROM users
                        WHERE username = '" . $user_name . "' OR uemail = '" . $user_name . "';";
                $result_of_login_check = $this->db_connection->query($sql);

                // if this user exists
                if ($result_of_login_check->num_rows == 1) {

                    // get result row (as an object)
                    $result_row = $result_of_login_check->fetch_object();

                    // using PHP 5.5's password_verify() function to check if the provided password fits
                    // the hash of that user's password
                    //if (password_verify($_POST['user_password'], $result_row->user_password_hash)) {
                    if ($_POST['user_password'] == $result_row->password) {
                        // write user data into PHP SESSION (a file on your server)
                        $_SESSION['user_name'] = $result_row->username;
                        $_SESSION['user_email'] = $result_row->uemail;
                        $_SESSION['user_login_status'] = 1;
                        $_SESSion['user_role'] = $result_row->role;

                    } else {
                        $this->errors[] = "Wrong password. Try again.";
                    }
                } else {
                    $this->errors[] = "This user does not exist.";
                }
            } else {
                $this->errors[] = "Database connection problem.";
            }
        }
    }

    /**
     * perform the logout
     */
    public function doLogout()
    {
        // delete the session of the user
        $_SESSION = array();
        session_destroy();
        // return a little feeedback message
        $this->messages[] = "You have been logged out.";

    }

    /**
     * simply return the current state of the user's login
     * @return boolean user's login status
     */
    public function isUserLoggedIn()
    {
        if (isset($_SESSION['user_login_status']) AND $_SESSION['user_login_status'] == 1) {

            return true;
        }
        // default return
        return false;
    }
    // Check if user is a Super Admin
    public function isSuperUser()
    {
        if (isset($_SESSION['user_role']) AND $_SESSION['user_role'] == "admin"){

            return true;
        }
        // default return
        return false;
    }
}

index.php有重定向信息

<?php

/**
 * A simple, clean and secure PHP Login Script / MINIMAL VERSION
 *
 * Uses PHP SESSIONS, modern password-hashing and salting and gives the basic functions a proper login system needs.
 *
 * @author Panique
 * @link https://github.com/panique/php-login-minimal/
 * @license http://opensource.org/licenses/MIT MIT License
 */

// checking for minimum PHP version
if (version_compare(PHP_VERSION, '5.3.7', '<')) {
    exit("Sorry, Simple PHP Login does not run on a PHP version smaller than 5.3.7 !");
} else if (version_compare(PHP_VERSION, '5.5.0', '<')) {
    // if you are using PHP 5.3 or PHP 5.4 you have to include the password_api_compatibility_library.php
    // (this library adds the PHP 5.5 password hashing functions to older versions of PHP)
    require_once("libraries/password_compatibility_library.php");
}

// include the configs / constants for the database connection
require_once("config/db.php");

// load the login class
require_once("classes/Login.php");

// create a login object. when this object is created, it will do all login/logout stuff automatically
// so this single line handles the entire login process. in consequence, you can simply ...
$login = new Login();

// ... ask if we are logged in here:
if ($login->isUserLoggedIn() == true) {

    // the user is logged in. you can do whatever you want here.
    // for demonstration purposes, we simply show the "you are logged in" view.
    if ($login->isSuperUser() == true) {
        include("views/su_logged_in.php");

    }else{
        include("views/logged_in.php");
    }



} else {
    // the user is not logged in. you can do whatever you want here.
    // for demonstration purposes, we simply show the "you are not logged in" view.
    include("views/not_logged_in.php");
}

?>

我的用户表如下：

  | Uid  | uname  |  name | uemail |  password |  role |

我没有分开的角色表。我确实检查了超级管理的角色列是否有admin字符串值。

我需要超级管理员看到被重定向到su_logged_in.php。我试过使用$_SESSION，但我想我做错了什么。如果能提供任何帮助，我将不胜感激。先谢谢你。

Answer 1

可能是login.php中的小故障

 public function isSuperUser()
    {
        // here you are comparing $_SESSION['user_role'] == "admin", 
        // question arise here how you are saving user_role in user table , a user role ID or user role string like  "admin"
        // if its string , then your code is clean
        // if it role ID then, compare with super user role ID like below comment
        // if (isset($_SESSION['user_role']) AND $_SESSION['user_role'] == 1){
        if (isset($_SESSION['user_role']) AND trim($_SESSION['user_role']) == "admin"){

            return true;
        }
        // default return
        return false;
    }

如果您的login.php中有更多错误，

if ($_POST['user_password'] == $result_row->password) {
                        // write user data into PHP SESSION (a file on your server)
                        $_SESSION['user_name'] = $result_row->username;
                        $_SESSION['user_email'] = $result_row->uemail;
                        $_SESSION['user_login_status'] = 1;
                        $_SESSION['user_role'] = $result_row->role; // here was SESSION case issue

                    }