Role Based Access Control Issues

Hi all,

I am working my way through the PHP & MySQL Novice to Ninja book by Kevin Yank.

I am experiencing some strange behaviour with the role based user access control. The following is happening.

I have 3 roles which are Admin, Coach and Player.

If I have just an admin in the playerrole table (and other relevant tables), everything works fine.

I go to click on the coach and player links to log in and get the appropriate ‘Access Denied’ pages.

Then I go to add a player. I can see that they are assigned the correct role of Player in the database.

However, now when the admin goes back to the page that displays the logins, if they click on the ‘Player Login’, they are allowed in and no ‘Access Denied’ message is displayed.

The admin can still not access the coach area. However, as soon as I add a coach they then have access.

Please note that everyone then has access to absolutely everything. So a player who should be only able to view their own details now has the same access rights as the admin.

Does anyone have any ideas why this might be happening?

Thanks for your time and help.

You are probably missing some WHERE clause in your query. Just a wild guess though, without seeing some code it’s impossible to tell.
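If the guess about a missing WHERE condition is right, the symptoms reported above can be reproduced as follows. This is an added example, not code from the thread or the book, and it uses Python's sqlite3 as an offline stand-in for the PHP/MySQL code. Apart from the `playerrole` table name, the schema, column names, queries and rows are assumptions.

```python
import sqlite3

# Constructed schema; the poster's real tables are not shown in the thread.
SCHEMA = """
CREATE TABLE player (id INTEGER PRIMARY KEY, email TEXT UNIQUE);
CREATE TABLE playerrole (playerid INTEGER, roleid TEXT);
"""

# Hypothesised defect: no condition ties the row to the logged-in user,
# so the count is non-zero as soon as ANY account holds the role.
FLAWED = "SELECT COUNT(*) FROM playerrole WHERE roleid = :role"

# Corrected check: the role row must belong to the logged-in user.
FIXED = """
SELECT COUNT(*) FROM player
INNER JOIN playerrole ON player.id = playerrole.playerid
WHERE player.email = :email AND playerrole.roleid = :role
"""

def flawed_has_role(db, email, role):
    """Role check that ignores who is asking (email is never used)."""
    return db.execute(FLAWED, {"role": role}).fetchone()[0] > 0

def fixed_has_role(db, email, role):
    """Role check scoped to the logged-in user's own role rows."""
    params = {"email": email, "role": role}
    return db.execute(FIXED, params).fetchone()[0] > 0

def add_user(db, email, role):
    """Insert a constructed sample account and its single role."""
    cur = db.execute("INSERT INTO player (email) VALUES (?)", (email,))
    db.execute("INSERT INTO playerrole VALUES (?, ?)", (cur.lastrowid, role))

def replay_thread():
    """Replay the reported steps; return (before, after, fixed) results."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    add_user(db, "admin@example.com", "Admin")
    # Only an admin exists: the Player area is denied, as reported.
    before = flawed_has_role(db, "admin@example.com", "Player")
    add_user(db, "player@example.com", "Player")
    # A player now exists: the flawed check lets the admin in as a Player.
    after = flawed_has_role(db, "admin@example.com", "Player")
    fixed = fixed_has_role(db, "admin@example.com", "Player")
    return before, after, fixed

if __name__ == "__main__":
    print(replay_thread())
```
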

Thanks for the quick reply. I will have a look in a short while and see if I can see anything.