Getting Correct Permissions

Fait

Hey,
I am creating a Facebook-like page feature. So far it's going great. Bear in mind I'm working from my 3DS at the moment; this is until I get a new PC within a week.
Anyway, I made a feature where a user can lock a status, sort of like a forum. But what I want is: if the user is a site admin/mod or the page founder/an assigned admin, then they can still reply. Can someone please modify this a bit for me? It would help a lot.
Thanks
The current code is here: http://admintalk.net/learn/pages/help/

You should get what files they are by their names.

Thanks Again ;D
Spudster

PS: I can do it on a PC, but it's complicated on a 3DS because of how small the system is.
 
Try this: get the page admin from the pages_admin table. Check if the current session username is equal to the page admin username. So,
Code:
if(($user==true)&&($check['locked']=='no'))
would be like

Code:
// $page_admin is a placeholder for the page admin username fetched from the db
if( (($user==true)&&($check['locked']=='no') )||($_SESSION['username']==$page_admin))

An extra query to get page_admin table would add up in 'comment' page.

Hope this helps 🙂
 
I know how to do this by adding if($row['admin']==$session)
echo "You can administer this page!";
But I don't know where to include it in comment.php

A } else { statement won't, since I'm already using that for something else.
Hope this info helps, and thanks for your help 😉
 
Code:
$sid = $_GET['sid'];

You should really change this to:

Code:
$sid = (int)$_GET['sid'];

Otherwise you could have a huge security issue on your hands.
 
OK, I know, it's just some testing code; the real one will have a lot more security.
 
Thanks 🙂

Check it when I get, should let you know shortly.

-- 30 Aug 2012, 21:25 --

It doesn't seem to work ;(

If I had a PC I could do it myself. Need to wait until next week...
 
Your pages_admin table has the page id (pid) and the corresponding admin's username (admin), am I right?
The $_GET['sid'] in comment.php must be the page_id, isn't it?
 
The $_GET['sid'] is == to the status id. I tried adding ?sid=3&pid=5, but then users can change &pid=5 to a page that they own.. that's a huge security risk.
Wonder if there's a way to add &pid=5 without them changing it to another page that's nothing to do with the status update?
sid = Status ID
pid = Page ID

They do this within the URL..

I'm using a few tables:

pages_status (using the sid in a $get value)
pages (using row page_creator)
pages_admin (using row admin)
 
So, can't this page status and all be kept in a single table? A column for status (like 0 for no, 1 for yes, etc.).

Is no page_id present in the page comment.php? In the session array or something? I suppose there won't be, because all queries in that page are based on sid. I suppose the pages_status table would have the page id. So getting that from the first query on the pages_status table
Code:
$select = mysql_query("SELECT * FROM pages_status WHERE sid='$get_sid'") or die ("Error");

and replacing
Code:
// Added here
$num_query_1 = mysql_query("SELECT * FROM pages_admin WHERE pid='$get_sid' AND admin='$user'");
$check_1 = mysql_num_rows($num_query_1);
// Added here

with

Code:
// Added here
$t_pid=$row['pid']; // the name of page id column, i suppose its pid. 
$num_query_1 = mysql_query("SELECT * FROM pages_admin WHERE pid='$t_pid' AND admin='$user'");
$check_1 = mysql_num_rows($num_query_1);
// Added here

work?
 
I could, but it may be more confusing.
I am getting the page id from $dbpid = $row['pid'];
 
Then try replacing the query in comment.php:

Code:
$num_query_1 = mysql_query("SELECT * FROM pages_admin WHERE pid='$get_sid' AND admin='$user'");

with

Code:
$dbpid = $row['pid'];
$num_query_1 = mysql_query("SELECT * FROM pages_admin WHERE pid='$dbpid' AND admin='$user'");
 
That's what I tried doing, but for some reason that doesn't seem to work..

But I'm glad I got this far; many people wouldn't be able to get this far at a first attempt 😀
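
The check the thread works toward (take the page id from the status row instead of a `pid` URL parameter, validate `sid` as an integer, then test founder/assigned admin), as an added example that is not code from any poster or from comment.php. The `canReply` function, the `$isSiteStaff` flag, the `'yes'`/`'no'` values for `locked`, a `pid` column in `pages_status`, and the sample rows are assumptions; it uses PDO prepared statements rather than the thread's `mysql_*` calls.

```php
<?php
// Added example: schema and rows are constructed; table/column names follow the thread.
function canReply(PDO $db, $sid, string $user, bool $isSiteStaff = false): bool
{
    // Accept only a plain positive integer status id (the same goal as the (int) cast).
    $sid = filter_var($sid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($sid === false || $user === '') {
        return false;
    }
    // The page id is read from the status row itself, never from the URL.
    $q = $db->prepare(
        'SELECT s.locked, p.pid, p.page_creator
           FROM pages_status s JOIN pages p ON p.pid = s.pid
          WHERE s.sid = ?');
    $q->execute([$sid]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown status id: deny
    }
    if ($row['locked'] === 'no' || $isSiteStaff || $row['page_creator'] === $user) {
        return true;
    }
    // Locked status: only an assigned admin of the page that owns it may reply.
    $q = $db->prepare('SELECT 1 FROM pages_admin WHERE pid = ? AND admin = ?');
    $q->execute([$row['pid'], $user]);
    return $q->fetchColumn() !== false;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE pages (pid INTEGER PRIMARY KEY, page_creator TEXT);
           CREATE TABLE pages_admin (pid INTEGER, admin TEXT);
           CREATE TABLE pages_status (sid INTEGER PRIMARY KEY, pid INTEGER, locked TEXT);
           INSERT INTO pages VALUES (5, 'alice'), (6, 'mallory');
           INSERT INTO pages_admin VALUES (5, 'bob'), (6, 'mallory');
           INSERT INTO pages_status VALUES (3, 5, 'yes'), (4, 5, 'no');");

// mallory administers page 6 only, so the locked status 3 on page 5 stays closed to her.
$cases = [[3, 'alice'], [3, 'bob'], [3, 'mallory'], [4, 'mallory'], ['3 OR 1=1', 'bob']];
foreach ($cases as [$sid, $user]) {
    $verdict = canReply($db, $sid, $user) ? 'may reply' : 'denied';
    printf("sid=%-10s user=%-8s %s\n", $sid, $user, $verdict);
}
```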
 