I'm using PHP to make a forum, and trying to make usergroups

Question

This is my "config.php" file:

    <?php
/******************************************************
------------------Required Configuration---------------
Please edit the following variables so the forum can
work correctly.
******************************************************/

//We log to the DataBase
mysql_connect('', '', '');
mysql_select_db('');

//Username of the Administrators
$admin='Hexagon';
$mod='test1';

/******************************************************
-----------------Optional Configuration----------------
******************************************************/

//Forum Home Page
$url_home = 'index.php';

//Design Name
$design = 'default';


/******************************************************
----------------------Initialization-------------------
******************************************************/
include('init.php');
    ?>

and this is my "delete_topic.php" file:

<?php
//This page let delete a topic
include('config.php');
if(isset($_GET['id']))
{
    $id = intval($_GET['id']);
if(isset($_SESSION['username']))
{
    $dn1 = mysql_fetch_array(mysql_query('select count(t.id) as nb1, t.title, t.parent, c.name from topics as t, categories as c where t.id="'.$id.'" and t.id2=1 and c.id=t.parent group by t.id'));
if($dn1['nb1']>0)
{
if($_SESSION['username']==$admin)
if($_SESSION['username']==$mod)
{
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <link href="<?php echo $design; ?>/style.css" rel="stylesheet" title="Style" />
        <title>Delete a topic - <?php echo htmlentities($dn1['title'], ENT_QUOTES, 'UTF-8'); ?> - <?php echo htmlentities($dn1['name'], ENT_QUOTES, 'UTF-8'); ?> - Forum</title>
    </head>
    <body>
        <div class="header">
            <a href="<?php echo $url_home; ?>"><img src="<?php echo $design; ?>/images/logo.png" alt="Forum" /></a>
        </div>
        <div class="content">
<?php
$nb_new_pm = mysql_fetch_array(mysql_query('select count(*) as nb_new_pm from pm where ((user1="'.$_SESSION['userid'].'" and user1read="no") or (user2="'.$_SESSION['userid'].'" and user2read="no")) and id2="1"'));
$nb_new_pm = $nb_new_pm['nb_new_pm'];
?>
<div class="box">
    <div class="box_left">
        <a href="<?php echo $url_home; ?>">Forum Index</a> &gt; <a href="list_topics.php?parent=<?php echo $dn1['parent']; ?>"><?php echo htmlentities($dn1['name'], ENT_QUOTES, 'UTF-8'); ?></a> &gt; <a href="read_topic.php?id=<?php echo $id; ?>"><?php echo htmlentities($dn1['title'], ENT_QUOTES, 'UTF-8'); ?></a> &gt; Delete the topic
    </div>
    <div class="box_right">
        <a href="list_pm.php">Your messages(<?php echo $nb_new_pm; ?>)</a> - <a href="profile.php?id=<?php echo $_SESSION['userid']; ?>"><?php echo htmlentities($_SESSION['username'], ENT_QUOTES, 'UTF-8'); ?></a> (<a href="login.php">Logout</a>)
    </div>
    <div class="clean"></div>
</div>
<?php
if(isset($_POST['confirm']))
{
    if(mysql_query('delete from topics where id="'.$id.'"'))
    {
    ?>
    <div class="message">The topic have successfully been deleted.<br />
    <a href="list_topics.php?parent=<?php echo $dn1['parent']; ?>">Go to "<?php echo htmlentities($dn1['name'], ENT_QUOTES, 'UTF-8'); ?>"</a></div>
    <?php
    }
    else
    {
        echo 'An error occured while deleting the topic.';
    }
}
else
{
?>
<form action="delete_topic.php?id=<?php echo $id; ?>" method="post">
    Are you sure you want to delete this topic?
    <input type="hidden" name="confirm" value="true" />
    <input type="submit" value="Yes" /> <input type="button" value="No" onclick="javascript:history.go(-1);" />
</form>
<?php
}
?>
        </div>
        <div class="foot"><a href="http://www.webestools.com/scripts_tutorials-code-source-26-simple-php-forum-script-php-forum-easy-simple-script-code-download-free-php-forum-mysql.html">Simple PHP Forum Script</a> - <a href="http://www.webestools.com/">Webestools</a></div>
    </body>
</html>
<?php
}
else
{
    echo '<h2>You don\'t have the right to delete this topic.</h2>';
}
}
else
{
    echo '<h2>The topic you want to delete doesn\'t exist.</h2>';
}
}
else
{
    echo '<h2>You must be logged as an administrator to access this page: <a href="login.php">Login</a> - <a href="signup.php">Sign Up</a></h2>';
}
}
else
{
    echo '<h2>The ID of the topic you want to delete is not defined.</h2>';
}

?>

yet for some reason anyone in the $mod group cannot delete topics. This has been irking me for some time, as I need moderators to be able to delete topics, and edit posts, but they can't even delete the topic. Any suggestions? This is a really big project I'm working on and it is important to me that I can have mods AND admins as to differ between the two. [btw, the database info is filled out in MY config.php file]

If you format your PHP code properly it would make it easier for people to help you. In fact, you'd probably be helping yourself too. — Tristan, Mar 13 '14 at 06:09

score 1 · Answer 1 · answered Mar 13 '14 at 04:57

A good way to sort this problem out, is to make a field in your users ( or members) table and call this field "user_levels", where set the
Admin as 1,
Moderator as 2,
other members as 3 or empty or 0 (whatever you like).
Than you can set a session $_SESSION['user_levels'] and always check against that session as follows

if ($_SESSION['user_levels']==1 || $_SESSION['user_levels']==2) 
{ 
   // Grant him permission to delete the record 
} 
else 
{ 
   // tell him that he is not authorize to delete it 
}

@user3394931 if you liked my answer, than please accept the answer by clicking on the tick mark to the left of the answer. Thank You. — Bangash, Mar 13 '14 at 21:08

score 0 · Answer 2 · answered Mar 13 '14 at 04:15

0

Your problem is here..

if($_SESSION['username']==$admin)
if($_SESSION['username']==$mod)
{

What's happening is if the $admin conditional is not satisfied, you're finding yourself out of the block that allows deleting... I think you may want this instead

if($_SESSION['username']==$mod || $_SESSION['username']==$admin)
{

Also please start using mysqli as mysql is deprecated.

answered Mar 13 '14 at 04:15

Bryan

3,449
1
19
23

haveyou started the seesion and made sure the $_SESSION variable has what you expect in it? – Bryan Mar 13 '14 at 04:23
and what do you mean not work< can you see the form or what is the message – Bryan Mar 13 '14 at 04:24
well I assume so, because $admin has permissions to delete and edit topics. – Ian Blank Mar 13 '14 at 04:24
1

Don't assume. var_dump($_SESSION); – Bryan Mar 13 '14 at 04:25
if you could delete with admin before the change, that means $admin and $mod have the same value – Bryan Mar 13 '14 at 04:26
After I put if($_SESSION['username']==$mod || $_SESSION['username']==$admin) { $admin could delete, but $mod couldn't – Ian Blank Mar 13 '14 at 04:28
that means, $mod isn't what you expect it should be. – Bryan Mar 13 '14 at 04:29
and how do I make it what I expect it to be? – Ian Blank Mar 13 '14 at 04:29
First you need to know what it is... and then find out why it's not what you think it should be, then fix it. start with var_dump($_SESSION); after you set the session variables. – Bryan Mar 13 '14 at 04:31
@user3394931 I think you must check against the mod only, which test if the user is an admin, or just an ordinary member. – Bangash Mar 13 '14 at 04:31
like $admin='Hexagon'; var_dump($SESSION) $mod='test1'; – Ian Blank Mar 13 '14 at 04:31

I'm using PHP to make a forum, and trying to make usergroups

2 Answers2