Can access admin php

Admin only access php

I’m trying to code a page that only allows users with Admin rights (recorded as admin against role in DB). If they are admin then photos are pulled from database for approval. If not admin then they get redirected to admin page and don’t see images. At the moment anyone logged in can view the page and images are displayed. What am I doing wrong? Thanks

    log out"; }
    $username = $_SESSION['username'];
    //var_dump($username);
    include("..\connection\connection.php");
    // Connect to server and select database.
    mysql_connect($host, $username, $password)or die("cannot connect");
    mysql_select_db($db_name) or die("cannot select DB");
    $query=mysql_query("SELECT * FROM users WHERE username = '$username' AND role = 'admin'");
    echo(mysql_error());
    $num_rows = mysql_num_rows($query);
    if ($num_rows =1) {
        include("..\connection\connection.php");
        // Connect to server and select database.
        mysql_connect($host, $username, $password)or die("cannot connect");
        mysql_select_db($db_name) or die("cannot select DB");
        $photo=mysql_query("SELECT * FROM images WHERE approved='N'");
        echo(mysql_error());
        $numrows = mysql_num_rows($photo); //counts the number of rows returned from database matching the mysql_query.
        if ($numrows==0){
            echo "There are no images awaiting approval.";
        }
        while($get_photo=mysql_fetch_array($photo)) " target=""> ?>
    else{
        die ("You do not have permission to view this page. Redirect to index.phph Click here to log in."); //
    }
    ?>

2 Answers

Oh yeah. Of course. Thanks. I changed to == but now user with admin rights gets message «You do not have permission to view this page» same as users with non-admin roles.

Yeah that worked. Also, it looks like it was the path to my connection file not being recognised. When I put in mysql_connect and specified host, etc. it worked.


user_can_access_admin_page() │ WP 1.5.0

Returns

Usage

user_can_access_admin_page();

Notes

  • Global. String. $pagenow The filename of the current screen.
  • Global. Array. $menu
  • Global. Array. $submenu
  • Global. Array. $_wp_menu_nopriv
  • Global. Array. $_wp_submenu_nopriv
  • Global. String. $plugin_page
  • Global. Array. $_registered_pages

Changelog

Code of user_can_access_admin_page() WP 6.2.2

    function user_can_access_admin_page() {
        global $pagenow, $menu, $submenu, $_wp_menu_nopriv, $_wp_submenu_nopriv,
            $plugin_page, $_registered_pages;

        $parent = get_admin_page_parent();

        if ( ! isset( $plugin_page ) && isset( $_wp_submenu_nopriv[ $parent ][ $pagenow ] ) ) {
            return false;
        }

        if ( isset( $plugin_page ) ) {
            if ( isset( $_wp_submenu_nopriv[ $parent ][ $plugin_page ] ) ) {
                return false;
            }

            $hookname = get_plugin_page_hookname( $plugin_page, $parent );

            if ( ! isset( $_registered_pages[ $hookname ] ) ) {
                return false;
            }
        }

        if ( empty( $parent ) ) {
            if ( isset( $_wp_menu_nopriv[ $pagenow ] ) ) {
                return false;
            }
            if ( isset( $_wp_submenu_nopriv[ $pagenow ][ $pagenow ] ) ) {
                return false;
            }
            if ( isset( $plugin_page ) && isset( $_wp_submenu_nopriv[ $pagenow ][ $plugin_page ] ) ) {
                return false;
            }
            if ( isset( $plugin_page ) && isset( $_wp_menu_nopriv[ $plugin_page ] ) ) {
                return false;
            }

            foreach ( array_keys( $_wp_submenu_nopriv ) as $key ) {
                if ( isset( $_wp_submenu_nopriv[ $key ][ $pagenow ] ) ) {
                    return false;
                }
                if ( isset( $plugin_page ) && isset( $_wp_submenu_nopriv[ $key ][ $plugin_page ] ) ) {
                    return false;
                }
            }

            return true;
        }

        if ( isset( $plugin_page ) && $plugin_page === $parent && isset( $_wp_menu_nopriv[ $plugin_page ] ) ) {
            return false;
        }

        if ( isset( $submenu[ $parent ] ) ) {
            foreach ( $submenu[ $parent ] as $submenu_array ) {
                if ( isset( $plugin_page ) && $submenu_array[2] === $plugin_page ) {
                    return current_user_can( $submenu_array[1] );
                } elseif ( $submenu_array[2] === $pagenow ) {
                    return current_user_can( $submenu_array[1] );
                }
            }
        }

        foreach ( $menu as $menu_array ) {
            if ( $menu_array[2] === $parent ) {
                return current_user_can( $menu_array[1] );
            }
        }

        return true;
    }


Admin Page Access

I have a page which only admins can access once they click a link. If the logged in user is a standard user then they should not be able to access the page. However, when a standard user tries to access the admin page they have access to the page. I would appreciate a pair of second eyes to see if they can spot anything wrong with the code which would make the functionality work as intended. Thanks

    else {
        header('Location: login.php');
        exit;
    }

    function isAdmin() {
        $conn = mysqli_connect("localhost", "root", "dbpass", "dbname") or die ('Could not connect to database!');
        $sql = "SELECT * FROM `usertable` WHERE userID ='" . $_SESSION['sess_uid'] . "'";
        $mainaccess = $conn->query($sql);
        print_r($mainaccess);
        if(!$mainaccess){
            echo $conn->error;
        }
        if ($mainaccess -> userLevel == 0) {
            return true;
        } else {
            return false;
        }
    }

    function check_login () {
        if(isset($_SESSION['sess_uid']) && $_SESSION['sess_uid'] != '') {
            return true;
        } else {
            false;
            return;
        }
    }
    ?>

Is that the real SQL? Because you don’t seem to be filtering on a username or ID? Hence it will always return the admin account

I thought that was all I was looking for though, as I only want admin accounts to access the page. That’s the real SQL.

Agreed with Trent, how are you checking that particular user. You do not check by the user’s id, which is what needs to happen.

3 Answers

The issue is that you are selecting from the database users where they have admin access already ie

SELECT `userID` FROM `usertable` WHERE `userLevel` = 0 

So you are always showing anyone as an admin. The query needs to be changed to check specifically if the logged in user is an admin. So changing the query to something like so

    $sql = "SELECT * FROM `usertable` WHERE userID = {$_SESSION['sess_uid']}";

Where $_SESSION['sess_uid'] is the userID

We have to remove both the userLevel check, as this is irrelevant when selecting the user, we also have to change from SELECT userID, to SELECT *, as if you only select the userID, you will not have the userLevel in your array and the line


Will not work. By selecting everything you ensure all attributes can be accessed, ie

    $mainaccess -> 'userLevel'
    $mainaccess -> 'userID'

The correct way to access the table data will be using either

Object (this is the method you will use)

    $mainaccess -> 'userLevel' // Incorrect
    $mainaccess->userLevel // correct

    $mainaccess -> 'userLevel' // Incorrect
    $mainaccess['userLevel'] // correct

Your query is also incorrect; please use this block of code, as your SQL query is not pulling in the right info.

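    function isAdmin() {
        $conn = mysqli_connect("localhost", "root", "dbpass", "dbname") or die ('Could not connect to database!');
        // Braces are required to interpolate a quoted array key inside a double-quoted string.
        $sql = "SELECT * FROM `usertable` WHERE userID = {$_SESSION['sess_uid']}";
        $user = null; // stays null when the query fails or matches no row
        if($result = $mainaccess = $conn->query($sql)) {
            while($obj = $result->fetch_object()) {
                $user = $obj;
            }
        }
        // Without the null check a missing row would pass, because null == 0 is true in PHP.
        if ($user !== null && $user->userLevel == 0) {
            return true;
        } else {
            return false;
        }
    }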
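An added example, not code from either thread: a fail-closed form of the admin check for this question and for the earlier "Admin only access php" one, where an assignment inside `if` or a loose `== 0` against `null` lets every user through. It assumes PDO with an in-memory SQLite database and constructed rows in place of the MySQL connection; `isAdminUser` and `ADMIN_LEVEL` are hypothetical names, while `usertable`, `userID` and `userLevel` come from the question.

```php
<?php
declare(strict_types=1);

const ADMIN_LEVEL = 0; // per the question: userLevel 0 marks an admin

/** Fail-closed check: true only when the row exists and userLevel is exactly 0. */
function isAdminUser(PDO $db, $sessionUid): bool
{
    // Missing or non-integer session value: deny without touching the database.
    $uid = filter_var($sessionUid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($uid === false) {
        return false;
    }

    // Look up the logged-in user only, with a bound parameter instead of
    // interpolating the session value into the SQL string.
    $stmt = $db->prepare('SELECT userLevel FROM usertable WHERE userID = ?');
    $stmt->execute([$uid]);
    $level = $stmt->fetchColumn(); // false when no row matched

    // is_numeric() rejects false and null, so "no such user" can never
    // compare equal to level 0 the way a loose == does.
    return is_numeric($level) && (int) $level === ADMIN_LEVEL;
}

// Constructed sample data (in-memory SQLite) so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE usertable (userID INTEGER PRIMARY KEY, userLevel INTEGER)');
$db->exec('INSERT INTO usertable (userID, userLevel) VALUES (1, 0), (2, 1)');

// Admin, standard user, unknown id, empty session, malformed value.
foreach ([1, 2, 999, null, 'abc'] as $uid) {
    printf("%-6s => %s\n", var_export($uid, true), isAdminUser($db, $uid) ? 'admin' : 'denied');
}
```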


Only administrator allow to access wp-admin and login?

I would like only the administrator (role) to be allowed to log in with wp-admin, not any other role. Other users like (editor, author) log in from the front end and it’s working fine, but I would like only the administrator to be able to log in through wp-admin. I have used the Ultimate Member plugin for front-end login. Ultimate Plugin link. Also, I have used the below code to allow wp-admin access only for the administrator (role), but it’s not working.

    }
    add_action( 'admin_init', 'restrict_admin', 1 );
    ?>

You can just use this plugin. Once installed, go to Settings > Dashboard access, and choose «Administrators only».

These things are working, but I need only the administrator (role) to be able to log in through wp-admin; editor, author and subscriber users should not be able to log in through wp-admin.

If you choose the right option («Administrators only») like I told you, only administrators have access to wp-admin.

It’s hard to understand what you’re saying — if you log in with an editor account, to what page are you being redirected?

4 Answers

Thank you guys for your help, I am answering my own question hope this will help others too.

I have solved this with hook wp_authenticate

    add_action( 'wp_authenticate' , 'check_custom_authentication' );
    function check_custom_authentication ( $username ) {
        $username;
        $user = new WP_User($username);
        $user_role_member=$user->roles[0];
        if($user_role_member == 'author' || $user_role_member == 'editor') {
            session_destroy();
            wp_redirect( home_url() );
            exit;
        }
    }

This does not lock out already logged in users, right? Also, if a user is member of multiple roles, this does not work. You have to test all the user roles, not just the first item.

    add_action( 'admin_init', 'redirect_none_admin' );
    function redirect_none_admin(){
        if(is_admin() && current_user_can(activate_plugins)){
            //.
        } else {
            wp_redirect(home_url());
            exit; // wp_redirect() only sends the header; stop so the admin page is not rendered
        }
    }

I tested this one and it worked. I think it is simple and easy. You can find Roles and Capabilities here


This does not check for roles, just for users that have the «activate_plugin» capability. Besides you’re missing quotes around «activate_plugins».

If anyone will need the same here is code that allows only administrators, authors and editors to login using /wp-login.php

    //------------- This website is read only - so only staff can log in -------------
    add_filter( 'authenticate', 'myplugin_auth_signon', 30, 3 );
    function myplugin_auth_signon( $user, $username, $password ) {
        $user_role_member=$user->roles[0];
        if(!in_array($user_role_member,array('administrator','author','editor'))){
            wp_logout();
            return new WP_Error( 'broke', __( "This website is read only for regular users", "your_wp_domain_name" ) );
            exit;
        } else {
            return $user;
        }
    }
    //------------- this website is read only - so staff can log in ------------------

You can add/remove roles in the array above: array('administrator','author','editor')
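An added example, not taken from any of the answers above: a wp-admin gate that addresses the points raised in the comments by testing every role the user holds instead of `roles[0]`, and by running on each admin request so sessions that were already logged in are covered. It assumes the code is loaded from a plugin or the theme's functions.php; the `example_` function names are hypothetical.

```php
<?php
// Added example. Function names prefixed example_ are hypothetical.

/**
 * True only when 'administrator' is among all of the user's roles.
 * A WP_Error, null or logged-out user (empty roles) is never an administrator.
 */
function example_is_administrator( $user ) {
	return $user instanceof WP_User
		&& in_array( 'administrator', (array) $user->roles, true );
}

// admin_init fires on every wp-admin request, so the check is applied
// per request and not only at the moment of login.
add_action( 'admin_init', 'example_restrict_wp_admin', 1 );

function example_restrict_wp_admin() {
	// Front-end features post to wp-admin/admin-ajax.php, which also
	// fires admin_init; let those requests through.
	if ( wp_doing_ajax() ) {
		return;
	}

	if ( ! example_is_administrator( wp_get_current_user() ) ) {
		wp_safe_redirect( home_url() );
		exit; // stop here, otherwise the dashboard is still rendered after the redirect header
	}
}
```

Editors and authors can still sign in through the front-end form; they are only turned away from wp-admin screens.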


how to get admin access on certain pages

I have created a website that has a basic registration and login system, I have pages that I only want admins to access. My database for the accounts has a role column with 1 user assigned as admin and the other assigned as user

AUTHENTICATE.PHP

    // Now we check if the data from the login form was submitted, isset() will check if the data exists.
    if ( !isset($_POST['username'], $_POST['password']) ) {
        // Could not get the data that should have been sent.
        exit('Please fill both the username and password fields!');
    }
    // Prepare our SQL, preparing the SQL statement will prevent SQL injection.
    if ($stmt = $con->prepare('SELECT id, password FROM accounts WHERE username = ?')) {
        // Bind parameters (s = string, i = int, b = blob, etc), in our case the username is a string so we use "s"
        $stmt->bind_param('s', $_POST['username']);
        $stmt->execute();
        // Store the result so we can check if the account exists in the database.
        $stmt->store_result();
        if ($stmt->num_rows > 0) {
            $stmt->bind_result($id, $password);
            $stmt->fetch();
            // Account exists, now we verify the password.
            // Note: remember to use password_hash in your registration file to store the hashed passwords.
            if (password_verify($_POST['password'], $password)) {
                // Verification success! User has loggedin!
                // Create sessions so we know the user is logged in, they basically act like cookies but remember the data on the server.
                session_regenerate_id();
                $_SESSION['loggedin'] = TRUE;
                $_SESSION['name'] = $_POST['username'];
                $_SESSION['id'] = $id;
                $_SESSION['admin'] = true/false;
                header('location: home.php');
            } else {
                echo 'Incorrect password!';
            }
        } else {
            echo 'Incorrect username!';
        }
        $stmt->close();
    }
    ?>

That’s the code I’m using in the page. The problem I have is it doesn’t matter who I log in as, it always redirects, whereas I want the page to be accessible for admins but not users.
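An added example, not the poster's code: the login query extended to read the `role` column, the role stored in the session, and a gate that admin pages call before producing output. It assumes PDO with an in-memory SQLite database, constructed accounts and constructed passwords; `attemptLogin` and `sessionIsAdmin` are hypothetical names, while the `accounts` table and its `id`, `username`, `password` and `role` columns follow the question.

```php
<?php
declare(strict_types=1);

/** Returns the session fields to set on success, or null on any failure. */
function attemptLogin(PDO $db, string $username, string $password): ?array
{
    // Same lookup as AUTHENTICATE.PHP, with the role column added.
    $stmt = $db->prepare('SELECT id, password, role FROM accounts WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password'])) {
        return null; // same result for unknown user and wrong password
    }
    return ['loggedin' => true, 'id' => (int) $row['id'],
            'name' => $username, 'role' => $row['role']];
}

/** Gate for admin-only pages: strict match on both flags, missing keys deny. */
function sessionIsAdmin(array $session): bool
{
    return ($session['loggedin'] ?? false) === true
        && ($session['role'] ?? null) === 'admin';
}

// On an admin page, after session_start():
//   if (!sessionIsAdmin($_SESSION)) { header('Location: home.php'); exit; }

// Constructed sample accounts so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, role TEXT)');
$ins = $db->prepare('INSERT INTO accounts (username, password, role) VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('constructed-pw-1', PASSWORD_DEFAULT), 'admin']);
$ins->execute(['bob', password_hash('constructed-pw-2', PASSWORD_DEFAULT), 'user']);

$attempts = [['alice', 'constructed-pw-1'], ['bob', 'constructed-pw-2'], ['bob', 'wrong']];
foreach ($attempts as [$user, $pass]) {
    $session = attemptLogin($db, $user, $pass) ?? []; // stands in for $_SESSION
    echo $user, ': ', sessionIsAdmin($session) ? 'admin page shown' : 'redirect to home.php', "\n";
}
```

A role cached in the session stays in effect until the session ends, so a demoted account keeps admin access until it logs in again unless the page re-reads the role from the database.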
