Redirecting users to different pages according to their roles

nkacharani · May 17, 2011, 10:34am

hello!..

I have a table users in my database and I have also a login page where user submit their username and password before entering the system, I was wondering how can I redirect different users to different pages using their roles.

Can someone please help?

chris_upjohn · May 17, 2011, 12:20pm

In my head a switch would be a nice solution otherwise a collection of IF statements.

switch()

// Login code....

switch ($role) {
    case 'user':
        $redirect = 'user.php';
    break;
    case 'moderator':
        $redirect = 'moderator.php';
    break;
    case 'administrator':
        $redirect = 'administrator.php';
    break;
}

header('Location: ' . $redirect);

IF statement

// Login code...

if ($role == 'user') {
    $redirect = 'user.php';
} else if ($role == 'moderator') {
    $redirect = 'moderator.php';
} else if ($role == 'administrator') {
    $redirect = 'administrator.php';
}

header('Location: ' . $redirect);

DarthGuido · May 17, 2011, 12:31pm

Or a roles table, with a row for each role, and containing the role id, the page for that role, and whatever other info about the roles you need.

nkacharani · May 17, 2011, 12:39pm

<?php
// process the script only if the form has been submitted
if (array_key_exists(‘login’, $_POST)) {
// start the session
session_start();
require_once(‘includes/dbConnect.inc.php’); //connect to the database
include ‘includes/title.inc.php’; //display title
include (‘includes/corefuncs.inc.php’);
// clean the $_POST array and assign to shorter variables
nukeMagicQuotes();
$username = trim($_POST[‘username’]);
$password = trim($_POST[‘password’]);
//$userrole = $_POST[‘userrole’];
$userrole = $_POST[‘userrole’];

// connect to the database as a restricted user
$conn = dbConnect(‘query’);
// get the username’s details from the database
$sql = “SELECT * FROM users WHERE username = ‘$username’”;
$result = mysql_query($sql);
$row = mysql_fetch_assoc($result);

if (md5($password)== $row[‘password’]) {
$_SESSION[‘authenticated’] = ‘Nkacharani’;
}
// if no match, destroy the session and prepare error message
else {
$_SESSION = array();
session_destroy();
$error = ‘Invalid username or password’;
}
// if the session variable has been set, redirect
if (isset($_SESSION[‘authenticated’])) {
// get the time the session started
$_SESSION[‘start’] = time();
switch($userrole){
case ‘admin’:
header(‘Location: front_page.php’);
break;
case ‘clerk’:
header(‘Location: clerk.php’);
break;
case ‘user’:
header(‘Location: user_list.php’);
}
}
?>

<?php
if (isset($error)) {
echo “<p>$error</p>”;
}
elseif (isset($_GET[‘expired’])) {
?>
<p>Your session has expired. Please log in again.</p>
<?php } ?>
<h2 align=“center”>Enter your username and password</h2>

	&lt;form id="log"  name="login" method="post" class="details" action=""&gt;

 	&lt;div &gt;

<label class=“fixedwidth”>Username:</label>
<input name=“username” id=“username” type=“text” class=“fixedwidth” />
</div>

<div >
<label class=“fixedwidth”>Password:</label>
<input name=“password” id=“password” type=“password” class=“fixedwidth” />
</div>
<div>
<input type=“hidden” name=“userrole” value=“<?php echo $userrole; ?>” />
</div>
<div class=“buttonarea”>
<input name=“login” id=“login” type=“submit” value=“User Login” />
</div>
</form>

Thank you!..
…this is what I had before and I have added the switch code if I enter username and password it is not redirecting anywhere and no any errors messages:(

DarthGuido · May 17, 2011, 12:47pm

You have userrole as a hidden field in the form. Not only is this a security risk, but you don’t even give it a value (try doing a print_r of $_POST and you’ll see it’s empty), so the switch will never redirect anywhere.

nkacharani · May 17, 2011, 1:17pm

I did that because I thought it would help me to compare the roles from table users. Can you help me the best way to do it.

I am stack real!(::headbang:

DarthGuido · May 17, 2011, 1:31pm

How do you know what role a user has?

nkacharani · May 17, 2011, 1:40pm

I guess what I want to do is; Check the username against its userrole in a table and if the role is admin say I would direct the user to Admin page. So I thought by fetching the userrole as a hidden field I could just use it in switch code to check the user role and redirect user accordingly.

DarthGuido · May 17, 2011, 2:37pm

Ok, assuming you have userrole column in your users table, all you have to do is

$userrole = $row['userrole'];

after you’ve fetched the result from your query and before you reach the switch.

Don’t use the hidden field in the form. A malicious user could make himself admin by sending the correct value for that field.

nkacharani · May 17, 2011, 2:51pm

Thank you!..:D, Its done.