Content Access

2 posts by 2 authors in: Forums > CMS Builder
Last Post: November 17 (RSS)

Hoping for some help adjusting this code. I have designed a dashboard for a group of property owners.

Their user accounts have a custom field called 'owner_access' that is either checked or not checked.
If checked, they can click on their property and see everything on the detail page.
If they click on another property owner's profile, most of the information should be hidden.
Any user that has 'admin_access' checked on their user account, can see all profiles and content. (custom field created on accounts.ini.php)

I have tried several ways of getting this done, but can't seem to make it work. Admins can see everything with this method, but owner accounts get NOT AUTHORIZED on all records, even their own. What am I missing here?

Here's what I have now:

<?php require_once "/home/$user/public_html/webadmin/lib/viewer_functions.php";

if (!$CURRENT_USER) { websiteLogin_redirectToLogin(); }

// Determine the user's access level and modify the query accordingly
$userAccessCondition = '';
if (@$CURRENT_USER['admin_access']) {
    // Admin can access any record
    $userAccessCondition = "1"; // Always true condition
} else if (@$CURRENT_USER['owner_access']) {
    // Regular owner can only access their own record
    $userAccessCondition = sprintf("createdByUserNum = '%s'", mysql_escapef($CURRENT_USER['num']));
} else {
    // No access if neither admin nor owner
    die("Access Denied");
}

list($ownersRecords, $ownersMetaData) = getRecords(array(
    'tableName'   => 'owners',
    'where'       => $userAccessCondition,
    'loadUploads' => true,
    'allowSearch' => false,
    'limit'       => '1',
));

// Now that $ownersRecords is fetched, check if the current user is viewing their own profile
$isCurrentUserProfile = false;
if (isset($CURRENT_USER['lot_number']) && isset($ownersRecords[0]['lot_number'])) {
    $isCurrentUserProfile = $CURRENT_USER['lot_number'] === $ownersRecords[0]['lot_number'];
}
?>

<?php if($isCurrentUserProfile || @$CURRENT_USER['admin_access']): ?>
<section role="main" class="content-body">
  <header class="page-header">
    <h2 class="text-uppercase text-primary">
      <a href="<?= $ownersMetaData['_listPage'] ?>" class="text-primary text-decoration-none text-hover-primary">
        Owners
      </a>
    </h2>
    <span class="float-end p-2 d-none d-sm-block">
      <a href="<?= $ownersMetaData['_listPage'] ?>" class="btn btn-sm btn-dark-blue" role="button">
        <i class="fa-duotone fa-chevrons-left me-2"></i>All Owners
      </a>
<?php if($isCurrentUserProfile || @$CURRENT_USER['admin_access']): ?>
      <a href="<?= $domain; ?>/webadmin/admin.php?menu=owners&action=edit&num=<?= $ownersRecord['num'] ?>" 
				 class="btn btn-sm btn-dark-blue" 
				 role="button" target="_blank">
        Edit Record
      </a>
			<?php endif ?>
    </span>
  </header>
  <div class="row">
    <div class="col-md-12">
      <div class="row">
        <div class="col-lg-4 col-xl-3 mt-4 mb-4 mb-xl-0">
          <?php include ("/home/$user/public_html/includes/owners/owner-info.php"); ?>
        </div>
        <div class="col-lg-8 col-xl-6">
	<?php if($isCurrentUserProfile || @$CURRENT_USER['admin_access']): ?>
          <div class="tabs">
            <?php include ("/home/$user/public_html/includes/owners/tab-nav.php"); ?>
            <div class="tab-content">
            <?php include ("/home/$user/public_html/includes/owners/tab-notes.php"); ?>
            <?php include ("/home/$user/public_html/includes/owners/tab-docs.php"); ?>
							<?php include ("/home/$user/public_html/includes/owners/tab-milestones.php"); ?>
							<?php include ("/home/$user/public_html/includes/owners/tab-photos.php"); ?>
            </div>
          </div>
					<?php endif ?>
        </div>
        <div class="col-xl-3">
					<?php if($isCurrentUserProfile || @$CURRENT_USER['admin_access']): ?>
          <?php include ("/home/$user/public_html/includes/owners/status-info-bars.php"); ?>
					<?php endif ?>
        </div>
      </div>
    </div>
  </div>
</section>
<?php else: ?>
<section role="main" class="content-body">
  <header class="page-header">
    <h2 class="text-uppercase text-primary">
      Not Authorized
    </h2>
  </header>
</section>	
<?php endif ?>

By Dave - November 17

Hi Kenny,

Can you try this? I added a check at the top to make sure the user is logged in and some temporary debug code at the bottom to see what $CURRENT_USER is actually set to.

if (!@$CURRENT_USER['num']) {
  die("Not logged in"); 
} else if (@$CURRENT_USER['admin_access']) {
    // Admin can access any record
    $userAccessCondition = "1"; // Always true condition
} else if (@$CURRENT_USER['owner_access']) {
    // Regular owner can only access their own record
    $userAccessCondition = sprintf("createdByUserNum = '%s'", mysql_escapef($CURRENT_USER['num']));
} else {
    // Debug code
    echo "has owner_access: "; 
    echo @$CURRENT_USER['owner_access'] ? "true\n" : "false\n"; 
    showme($CURRENT_USER);

    // No access if neither admin nor owner
    die("Access Denied");
}

The code looks correct at first glance, so we want to check all the variable names match up and that $CURRENT_USER is defined.

Let me know what you find out.

Dave Edis - Senior Developer
interactivetools.com