Add user role in PHP Session to remove dependency on check_login - will require you to logout & back in to take effect after the update

2022-05-07 17:44:04 +01:00 · 2022-05-07 17:44:04 +01:00 · 7bb68a36d9
parent 5cbd0fad0d
commit 7bb68a36d9
2 changed files with 8 additions and 6 deletions
--- a/functions.php
+++ b/functions.php
@ -443,7 +443,7 @@ function validateCSRFToken($token){
 */

 function validateAdminRole(){
-  if($session_user_role != 3){
+  if(!isset($_SESSION['user_role']) || $_SESSION['user_role'] != 3){
    $_SESSION['alert_type'] = "danger";
    $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED;
    header("Location: " . $_SERVER["HTTP_REFERER"]);
@ -452,7 +452,7 @@ function validateAdminRole(){
 }

 function validateTechRole(){
-  if($session_user_role == 1){
+  if(!isset($_SESSION['user_role']) || $_SESSION['user_role'] == 1){
    $_SESSION['alert_type'] = "danger";
    $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED;
    header("Location: " . $_SERVER["HTTP_REFERER"]);
@ -461,7 +461,7 @@ function validateTechRole(){
 }

 function validateAccountantRole(){
-  if($session_user_role == 2){
+  if(!isset($_SESSION['user_role']) || $_SESSION['user_role'] == 2){
    $_SESSION['alert_type'] = "danger";
    $_SESSION['alert_message'] = WORDING_ROLECHECK_FAILED;
    header("Location: " . $_SERVER["HTTP_REFERER"]);
--- a/login.php
+++ b/login.php
@ -57,13 +57,15 @@ if(isset($_POST['login'])){
        $row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT * FROM users LEFT JOIN user_settings on users.user_id = user_settings.user_id WHERE user_email = '$email' AND user_archived_at IS NULL"));
        if (password_verify($password, $row['user_password'])) {

+            // User variables
            $token = $row['user_token'];
-            $_SESSION['user_id'] = $row['user_id'];
-            $_SESSION['user_name'] = $row['user_name'];
            $user_name = $row['user_name'];
            $user_id = $row['user_id'];

-            // CSRF Token
+            // Session info
+            $_SESSION['user_id'] = $row['user_id'];
+            $_SESSION['user_name'] = $row['user_name'];
+            $_SESSION['user_role'] = $row['user_role'];
            $_SESSION['csrf_token'] = keygen();

            // Setup encryption session key