Author |
Message |
California
Hangin' Around

Joined: Mar 24, 2005
Posts: 28
|
Posted:
Thu Mar 24, 2005 12:30 am |
|
I am working on limiting admin access to a module so only the super admin or content admin has access. I am using the following code but it is denying access to everyone.
Code:
}
$aid = trim($aid);
$result = sql_query("select radmincontent, radminsuper from ".$prefix."_authors where aid='$aid'", $dbi);
list($radmincontent, $radminsuper) = sql_fetch_row($result, $dbi);
if (($radmincontent==1) OR ($radminsuper==1)) {
|
The code works on other modules fine so I am wondering if someone can help me figure out why it is not working in this specific module. Here is some more of the module code including above:
Code:
if (!eregi("modules.php", $_SERVER['PHP_SELF'])) {
    die ("You can't access this file directly...");
}
$aid = trim($aid);
$result = sql_query("select radmincontent, radminsuper from ".$prefix."_authors where aid='$aid'", $dbi);
list($radmincontent, $radminsuper) = sql_fetch_row($result, $dbi);
if (($radmincontent==1) OR ($radminsuper==1)) {
    require_once("mainfile.php");
    $module_name = basename(dirname(__FILE__));
    get_lang($module_name);
    $pagetitle = "- "._IPTRACKING."";
    if(is_user($user)) {
        if($cookie[9]=="") $cookie[9]=$Default_Theme;
        if(!$file=@opendir("themes/$cookie[9]")) {
            $ThemeSel = $Default_Theme;
        } else {
            $ThemeSel = $cookie[9];
        }
    } else {
        $ThemeSel = $Default_Theme;
    }
    $now = date("d-m-Y");
    $dot = explode ("-",$now);
    $nowdate = $dot[0];
    $nowmonth = $dot[1];
    $nowyear = $dot[2];
|
|
Last edited by California on Fri Mar 25, 2005 4:14 pm; edited 1 time in total |
|
|
 |
sixonetonoffun
Spouse Contemplates Divorce

Joined: Jan 02, 2003
Posts: 2496
|
Posted:
Thu Mar 24, 2005 7:49 am |
|
If it's in 7.6 the authors table had the modules removed. Look at the News module as an example of how to check the permissions. |
|
|
 |
California

|
Posted:
Thu Mar 24, 2005 12:46 pm |
|
It is in 7.0
I took the above code in the first block from a stock module (content) that came with 7.0 and it works with some other modules but not with this module.
It seems to be having trouble looking up the author information as it denies access to everyone even super admins so there must be something conflicting or I made a mistake.
I do not understand some of the code below where it processes cookies and users so I am not sure if that is causing the trouble.
Any help would be appreciated. The author of the module is nowhere to be found, I already tried that. |
|
|
|
 |
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Thu Mar 24, 2005 12:54 pm |
|
Try placing this statement after the $aid = trim($aid); to see if $aid is resolving.
die('aid = '.$aid);
If it is, then change this
Code:
$result = sql_query("select radmincontent, radminsuper from ".$prefix."_authors where aid='$aid'", $dbi);
|
to
Code:
$result = mysql_query("select radmincontent, radminsuper from ".$prefix."_authors where aid='$aid'") or die("MySQL said: ".mysql_error());
|
and see if there's an error that prints out. |
|
|
|
 |
California

|
Posted:
Fri Mar 25, 2005 12:48 am |
|
Raven wrote: | Try placing this statement after the $aid = trim($aid); to see if $aid is resolving.
die('aid = '.$aid); |
I only get aid = (with no result)
I went back and checked the code again and it is the same as my content module which works as expected...
I tried
Code:
$result = mysql_query("select radmincontent, radminsuper from ".$prefix."_authors where aid='$aid'") or die("MySQL said: ".mysql_error());
|
and got the "access denied" message intended for someone without proper authorization. I was signed in as a superadmin. I clicked the content module where I got the code and got access but it is still not working in this IP_Tracking module. |
|
|
|
 |
California

|
Posted:
Fri Mar 25, 2005 1:18 am |
|
I tried using nuke_authors for the table name instead of using the ".$prefix."_authors and here is what I got:
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /var/www/html/includes/sql_layer.php on line 286
Access Denied
I also tried using the global $prefix to find the _authors table but must be doing it wrong as I get an error similar to above. |
|
|
|
 |
Raven

|
Posted:
Fri Mar 25, 2005 10:15 am |
|
It just dawned on me that you are trying to use administrator code in a module, rather than from the admin menu. $aid is set in admin.php, not modules.php. So, you need to have this code at the top. I have included both code for $user and $admin check. You can decide which to use.
Code:
if (!eregi("modules.php", $_SERVER['PHP_SELF'])) {
    die ("You can't access this file directly...");
}
require_once("mainfile.php");
$module_name = basename(dirname(__FILE__));
get_lang($module_name);
$pagetitle = "- "._IPTRACKING."";
if (is_admin($admin)) {
    cookiedecode($admin);
    $aid = $cookie[0];
}
if (is_user($user)) {
    cookiedecode($user);
    $aid = $cookie[1];
}
|
|
|
|
|
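An added example, not part of the thread and not PHP-Nuke's own code: the rights check from the posts above, written so that the admin name is taken only from the decoded admin cookie, the lookup uses a bound parameter, and an empty name is denied outright. The cookie layout (base64 of aid:pwdhash:lang), the pwd column, the function name module_admin_allowed and the SQLite sample rows are assumptions made so the sketch runs on its own.

```php
<?php
// Added example: stand-alone sketch, not PHP-Nuke's own code.
// Assumed: admin cookie = base64("aid:pwdhash:lang"); authors table has a pwd column.

function module_admin_allowed(PDO $db, string $prefix, ?string $adminCookie): bool
{
    if ($adminCookie === null || $adminCookie === '') {
        return false;                       // no admin cookie: fail closed
    }
    $decoded = base64_decode($adminCookie, true);
    if ($decoded === false) {
        return false;                       // not valid base64
    }
    $parts = explode(':', $decoded);
    if (count($parts) < 2 || trim($parts[0]) === '') {
        return false;                       // the empty-$aid case from the thread
    }
    [$aid, $pwdHash] = [trim($parts[0]), $parts[1]];

    // $prefix is site configuration, not user input; $aid is bound, never interpolated.
    $stmt = $db->prepare(
        "SELECT pwd, radmincontent, radminsuper FROM {$prefix}_authors WHERE aid = ?"
    );
    $stmt->execute([$aid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !hash_equals((string)$row['pwd'], $pwdHash)) {
        return false;                       // unknown admin or stale cookie
    }
    return (int)$row['radmincontent'] === 1 || (int)$row['radminsuper'] === 1;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE nuke_authors (aid TEXT, pwd TEXT, radmincontent INT, radminsuper INT)");
$db->exec("INSERT INTO nuke_authors VALUES ('God', 'hash-super', 0, 1), ('chatmod', 'hash-mod', 0, 0)");

$cases = [
    'super admin'    => base64_encode('God:hash-super:english'),
    'chat moderator' => base64_encode('chatmod:hash-mod:english'),
    'stale cookie'   => base64_encode('God:not-the-hash:english'),
    'no cookie'      => null,
];
foreach ($cases as $label => $cookie) {
    printf("%-15s %s\n", $label, module_admin_allowed($db, 'nuke', $cookie) ? 'allow' : 'deny');
}
```

The chat-moderator row shows the situation described later in the thread: a valid admin login that still lacks the content or super flag is denied.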
 |
California

|
Posted:
Fri Mar 25, 2005 4:13 pm |
|
Yes that worked. Thank you for the help.
I was focusing on the ".$prefix." as the problem and thought the $aid was defined in the mainfile.php which I tried to include but it did not work without the proper cookiedecode.
I have chat moderators which are getting logged in as admins due to a glitch in the FlashChat login after their session expires so the admin designation in the modules control panel was not enough (FYI in case anyone reading this was wondering why I am using administrator code in a module).
Thanks again Raven! |
|
|
|
 |
|