
Student Listing: Adding User Logins - Access Authorization (with Session Variables)

Modifying Authorization Script to Check Access Privileges

Currently our authorizeaccess.php script uses HTTP authentication to control access to the scripts it protects. If a user is not authorized to access the protected page, we will redirect them to an unauthorizedaccess.php script. We need to add two conditions to achieve this:

  • Prevent access to users not logged in
  • Prevent access to users without administrative privileges AND NOT editing their own student details

If either of these conditions is true, we send the user to the unauthorizedaccess.php script.

If the first condition is false, we can assume the user is logged in.

If the second condition is false, it's because the user does not have administrative privileges and they're not editing their own details.

Overwrite the current contents of the authorizeaccess.php script with the following code:

authorizeaccess.php - Student Listing: Complete Code Listing

<?php
    session_start();

    // Not logged in, redirect to unauthorizedaccess.php script
    if (!isset($_SESSION['user_id']) || !isset($_SESSION['user_access_privileges']))
    {
        header("Location: unauthorizedaccess.php");
        exit();
    }

    // IF NOT administrative access AND NOT editing their own details, redirect to unauthorizedaccess.php script
    $id_to_edit = "";

    if (isset($_GET['id_to_edit']))
    {
        $id_to_edit = $_GET['id_to_edit'];
    }
    else if (isset($_POST['id_to_update']))
    {
        $id_to_edit = $_POST['id_to_update'];
    }

    if ($_SESSION['user_access_privileges'] != 'admin' &&
            ($_SESSION['user_student_listing_id'] != $id_to_edit ))
    {
        header("Location: unauthorizedaccess.php");
        exit();
    }
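
The two checks above as a pure function run over constructed requests; this is an added example, not part of the tutorial's authorizeaccess.php, and the function name is_access_allowed is hypothetical. It goes slightly beyond the listing: IDs are compared as exact strings, and every ID parameter present (id_to_edit and id_to_update) must match the user's own listing ID, so the ID that is authorized is the one a later script acts on.

```php
<?php
// Added example: hypothetical helper, not the tutorial's own code.
// Returns true when the request may proceed, false when it should be redirected.
function is_access_allowed(array $session, array $get, array $post): bool
{
    // Condition 1: both login values must be present in the session.
    if (!isset($session['user_id'], $session['user_access_privileges'])) {
        return false;
    }
    // Administrators may edit any record.
    if ($session['user_access_privileges'] === 'admin') {
        return true;
    }
    // Collect every ID the request carries; an array value (id_to_edit[]=1) is rejected.
    $ids = [];
    foreach ([$get['id_to_edit'] ?? null, $post['id_to_update'] ?? null] as $value) {
        if ($value === null) {
            continue;
        }
        if (!is_string($value) && !is_int($value)) {
            return false;
        }
        $ids[] = (string) $value;
    }
    // Condition 2: a non-admin needs a listing ID of their own, and every ID in
    // the request must equal it exactly (no "01" == "1" style loose matches).
    if (!isset($session['user_student_listing_id']) || $ids === []) {
        return false;
    }
    $own = (string) $session['user_student_listing_id'];
    return array_diff($ids, [$own]) === [];
}

// Constructed sample requests: [label, session, GET, POST].
$student = ['user_id' => 7, 'user_access_privileges' => 'user', 'user_student_listing_id' => '12'];
$cases = [
    ['not logged in',            [], ['id_to_edit' => '12'], []],
    ['admin edits any record',   ['user_id' => 1, 'user_access_privileges' => 'admin'], ['id_to_edit' => '99'], []],
    ['student edits own record', $student, ['id_to_edit' => '12'], []],
    ['student edits another',    $student, ['id_to_edit' => '13'], []],
    ['GET own, POST another',    $student, ['id_to_edit' => '12'], ['id_to_update' => '13']],
    ['student sends no ID',      $student, [], []],
];
foreach ($cases as [$label, $session, $get, $post]) {
    printf("%-26s %s\n", $label, is_access_allowed($session, $get, $post) ? 'allow' : 'redirect');
}
```

In authorizeaccess.php the function would be called with $_SESSION, $_GET and $_POST, followed by the same header("Location: unauthorizedaccess.php") and exit() when it returns false.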