2011-10-03 94 views
0

I have created a CheckModulePermissions function in my user class which checks the modules table to make sure the user has permission to view the page. Here is the function from the module permissions class:

```php
public function CheckModulePermissions($moduleId) {
    if(isset($_SESSION['userId'])) {
        // If the user is admin, allow regardless
        if($this->IsAdmin()) {
            return true;
        }
        $sql = "SELECT `userModuleId`
                FROM `userModules`
                WHERE `userId` = " . $_SESSION['userId'] . "
                AND `moduleId` = " . $moduleId . ";";
        mysql_select_db(DB_USER_DATABASE_NAME, $this->conn);
        $result = mysql_query($sql, $this->conn);
        $x = mysql_fetch_row($result);
        if($x[0] == 1) {
            return true;
        } else {
            return false;
        }
    } else {
        return false;
    }
}
```

This works fine on all my pages except one, where it fails. I have a drop-down box and a text box that are updated according to the user's permissions. The user I log in as has the permission, but the drop-down box is not shown.

```php
if(isset($_GET['orderNumber'])) {
    // If post is set then update the prima reference and order status
    // Only if user has sufficient privileges
    if(isset($_POST['orderStatus'])) {
        if($user->CheckModulePermissions(11)) {
            $cid->UpdateOrderStatus($_GET['orderNumber'], $_POST['orderStatus']);
            // Key matches the name attribute of the text input generated below
            $cid->UpdateOrderReference($_GET['orderNumber'], $_POST['pReference']);
        }
    }

    if($user->CheckModulePermissions(11)) {
        $content .= "<select name='orderStatus'>
            <option value='1'";
        if($orderDetails['status'] == 1) $content .= " selected='selected'";
        $content .= ">Incomplete</option>
            <option value='2'";
        if($orderDetails['status'] == 2) $content .= " selected='selected'";
        $content .= ">Submitted</option>
            <option value='3'";
        if($orderDetails['status'] == 3) $content .= " selected='selected'";
        $content .= ">Processed</option>
        </select>";
    } else {
        if($orderDetails['status'] == 1) $content .= "Incomplete";
        if($orderDetails['status'] == 2) $content .= "Submitted";
        if($orderDetails['status'] == 3) $content .= "Processed";
    }
    $content .= "</td>
        </tr>
        <tr>
            <th>Prima Order Number</th>
            <td>";
    if($user->CheckModulePermissions(11)) {
        $content .= "<input type='text' name='pReference' value='" . $orderDetails['PReference'] . "' /></td>
            </tr>
            <tr>
                <td colspan='2'><input type='submit' /></td>
            </tr>";
    } else {
        $content .= $orderDetails['PrimaReference'] . "</td></tr>";
    }
    $content .= "</table>
        </form>
        </td>";
}
```

Is it the logic for the drop-down box that is failing?

Answer

0

Here is a more efficient/readable version of your CheckModulePermissions() method...

```php
public function CheckModulePermissions ($moduleId) {

    // Deny immediately if no userId is set
    if (!isset($_SESSION['userId'])) return FALSE;

    // If the user is admin, allow regardless
    if ($this->IsAdmin()) return TRUE;

    // Generate an SQL statement - does this need sanitising?
    $sql = "SELECT `userModuleId`
      FROM `userModules`
      WHERE `userId` = '{$_SESSION['userId']}'
      AND `moduleId` = '$moduleId'
      LIMIT 1";
    // Is this line really necessary? Are you actually working with more than one database?
    // Even if you are, it's probably better to do it in the query, like this:
    // SELECT whatever FROM DB_USER_DATABASE_NAME.tablename WHERE...
    mysql_select_db(DB_USER_DATABASE_NAME, $this->conn);
    // Since you only want one row, it's slightly more resource efficient
    // to abandon the $result variable
    $x = mysql_fetch_row(mysql_query($sql, $this->conn));
    // This means the same thing as your if ... else
    return $x[0] == 1;

}
```

...and here is a rewritten version of the HTML generation code.

```php
// Get this once, at the beginning, to minimise SQL traffic
$hasPermissions = $user->CheckModulePermissions(11);

// Uncomment this line to make sure that $user->CheckModulePermissions is returning the value you expect
//var_dump($hasPermissions);

if (isset($_GET['orderNumber'])) {
    // If post is set then update the prima reference and order status
    // Only if user has sufficient privileges
    if (isset($_POST['orderStatus']) && $hasPermissions) {
        $cid->UpdateOrderStatus($_GET['orderNumber'], $_POST['orderStatus']);
        // Key matches the name attribute of the text input generated below
        $cid->UpdateOrderReference($_GET['orderNumber'], $_POST['pReference']);
    }

    // Map of status numbers to string descriptions (keys 1, 2, 3)
    $statusStrs = array(1 => 'Incomplete', 'Submitted', 'Processed');

    if ($hasPermissions) {
        // Generate a <select>
        $content .= "<select name='orderStatus'>";
        foreach ($statusStrs as $val => $str) {
            $content .= "\n<option value='$val'" . (($orderDetails['status'] == $val) ? " selected='selected'" : '') . ">$str</option>";
        }
        $content .= "\n</select>";
    } else {
        // Print the current status string
        $content .= $statusStrs[$orderDetails['status']];
    }

    // Close the table cell (layout tables are nasty nasty)
    $content .= "</td>
    </tr>
    <tr>
    <th>Prima Order Number</th>
    <td>";

    if ($hasPermissions) {
        // add an input for changing the reference number
        $content .= "<input type='text' name='pReference' value='{$orderDetails['PReference']}' /></td>
        </tr>
        <tr>
        <td colspan='2'><input type='submit' /></td>
        </tr>";
    } else {
        // Display the current reference number
        $content .= $orderDetails['PrimaReference'] . "</td></tr>";
    }
    $content .= "</table>
    </form>
    </td>";
}
```

I think the most likely cause of your problem is that CheckModulePermissions() is returning FALSE when you expect it to return TRUE. Uncomment the var_dump() line to verify this, and we'll take it from there.

+0

Thank you. Yes, it is my function: it returns false for any user other than the admin, even though they have the rights. I'm not quite sure how to fix this. –

+0

You need to find out *where* it is returning false - is it at the first check (i.e. `$_SESSION['userId']` is not set) or at the end (where `$x[0] == 1`)? Change `if (!isset($_SESSION['userId'])) return FALSE;` to `if (!isset($_SESSION['userId'])) return -1;` and call `var_dump` so you can see whether you are hitting a `$_SESSION` problem or a problem with your database query. Could it be something as simple as forgetting to call `session_start()`? – DaveRandom
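As an added example (not the asker's or the answerer's code), here is how the same check looks once the two points raised above are addressed: the answer's "does this need sanitising?" and the `$x[0] == 1` test. The version below binds `$moduleId` and the session value as query parameters via PDO (the `mysql_*` functions used on the page were removed in PHP 7), grants access only when a matching `userModules` row exists rather than when its first column equals 1 (my assumption: `userModuleId` is a row identifier, so only the first row ever passes the original test), and fails closed when the session is missing or the query errors. The `$this->pdo` property, the `isAdmin` session flag and the constructor are assumptions; table and column names are the page's.

```php
<?php
// Added example, not from the page: hardened CheckModulePermissions().
// Assumes a PDO connection in $this->pdo and an 'isAdmin' session flag
// set at login; table/column names follow the page's query.
class User
{
    private $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
        // Make database errors throw instead of silently returning false,
        // so a failing query is visible rather than looking like "no permission".
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    public function IsAdmin(): bool
    {
        // Assumption: the login code stores an admin flag in the session
        return !empty($_SESSION['isAdmin']);
    }

    public function CheckModulePermissions(int $moduleId): bool
    {
        // Fail closed: no authenticated session means no permission
        // (remember session_start() must run before this is called)
        if (!isset($_SESSION['userId'])) {
            return false;
        }
        // Admins are allowed regardless, as on the page
        if ($this->IsAdmin()) {
            return true;
        }

        // Placeholders: userId and moduleId are bound as data, never
        // interpolated into the SQL string, so no sanitising is needed.
        $stmt = $this->pdo->prepare(
            'SELECT 1 FROM `userModules` WHERE `userId` = ? AND `moduleId` = ? LIMIT 1'
        );
        $stmt->execute([(int) $_SESSION['userId'], $moduleId]);

        // Grant only if a matching row exists; fetchColumn() returns false
        // when there is no row, so the row's own id value is irrelevant.
        return $stmt->fetchColumn() !== false;
    }
}
```

Calling `$user->CheckModulePermissions(11)` once per request and reusing the result, as the answer does with `$hasPermissions`, still applies here.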