PHP module permission class error
I created a CheckModulePermissions function in my user class that checks the modules table to make sure the user has permission to view a page. Here is the function:
public function CheckModulePermissions($moduleId) {
    if(isset($_SESSION['userId'])) {
        // If the user is admin, allow regardless
        if($this->IsAdmin()) {
            return true;
        }
        $sql = "SELECT `userModuleId`
                FROM `userModules`
                WHERE `userId` = " . $_SESSION['userId'] . "
                AND `moduleId` = " . $moduleId . ";";
        mysql_select_db(DB_USER_DATABASE_NAME, $this->conn);
        $result = mysql_query($sql, $this->conn);
        $x = mysql_fetch_row($result);
        if($x[0] == 1) {
            return true;
        } else {
            return false;
        }
    } else {
        return false;
    }
}
This works fine on all my pages; only one page fails. I have a dropdown box and a text box that are updated according to the user's permissions. The user I am logged in as has the permission, but the dropdown box is not displayed.
if(isset($_GET['orderNumber'])) {
    // If post is set then update the prima reference and order status
    // Only if user has sufficient privileges
    if(isset($_POST['orderStatus'])) {
        if($user->CheckModulePermissions(11)) {
            $cid->UpdateOrderStatus($_GET['orderNumber'], $_POST['orderStatus']);
            $cid->UpdateOrderReference($_GET['orderNumber'], $_POST['PReference']);
        }
    }
    if($user->CheckModulePermissions(11)) {
        $content .= "<select name='orderStatus'>
                        <option value='1'";
        if($orderDetails['status'] == 1) $content .= " selected='selected'";
        $content .= ">Incomplete</option>
                        <option value='2'";
        if($orderDetails['status'] == 2) $content .= " selected='selected'";
        $content .= ">Submitted</option>
                        <option value='3'";
        if($orderDetails['status'] == 3) $content .= " selected='selected'";
        $content .= ">Processed</option>
                    </select>";
    } else {
        if($orderDetails['status'] == 1) $content .= "Incomplete";
        if($orderDetails['status'] == 2) $content .= "Submitted";
        if($orderDetails['status'] == 3) $content .= "Processed";
    }
    $content .= "</td>
                </tr>
                <tr>
                    <th>Prima Order Number</th>
                    <td>";
    if($user->CheckModulePermissions(11)) {
        $content .= "<input type='text' name='pReference' value='" . $orderDetails['PReference'] . "' /></td>
                </tr>
                <tr>
                    <td colspan='2'><input type='submit' /></td>
                </tr>";
    } else {
        $content .= $orderDetails['PrimaReference'] . "</td></tr>";
    }
    $content .= "</table>
            </form>
        </td>";
}
Is this the logic that makes the dropdown box fail?

This is a more efficient/readable version of your CheckModulePermissions() method:
public function CheckModulePermissions ($moduleId) {
    // Deny immediately if no userId is set
    if (!isset($_SESSION['userId'])) return FALSE;
    // If the user is admin, allow regardless
    if ($this->IsAdmin()) return TRUE;
    // Generate an SQL statement - does this need sanitising?
    $sql = "SELECT `userModuleId`
            FROM `userModules`
            WHERE `userId` = '{$_SESSION['userId']}'
            AND `moduleId` = '$moduleId'
            LIMIT 1";
    // Is this line really necessary? Are you actually working with more than one database?
    // Even if you are, it's probably better to do it in the query, like this:
    // SELECT whatever FROM DB_USER_DATABASE_NAME.tablename WHERE...
    mysql_select_db(DB_USER_DATABASE_NAME, $this->conn);
    // Since you only want one row, it's slightly more resource efficient
    // to abandon the $result variable
    $x = mysql_fetch_row(mysql_query($sql, $this->conn));
    // This means the same thing as your if ... else
    return $x[0] == 1;
}
...and here is a rewritten version of the HTML generation code:
// Get this once, at the beginning, to minimise SQL traffic
$hasPermissions = $user->CheckModulePermissions(11);
// Uncomment this line to make sure that $user->CheckModulePermissions is returning the value you expect
//var_dump($hasPermissions);
if (isset($_GET['orderNumber'])) {
    // If post is set then update the prima reference and order status
    // Only if user has sufficient privileges
    if (isset($_POST['orderStatus']) && $hasPermissions) {
        $cid->UpdateOrderStatus($_GET['orderNumber'], $_POST['orderStatus']);
        $cid->UpdateOrderReference($_GET['orderNumber'], $_POST['PReference']);
    }
    // Map of status numbers to string descriptions
    $statusStrs = array(1 => 'Incomplete', 'Submitted', 'Processed');
    if ($hasPermissions) {
        // Generate a <select>
        $content .= "<select name='orderStatus'>";
        foreach ($statusStrs as $val => $str) {
            $content .= "\n<option value='$val'".(($orderDetails['status'] == $val) ? " selected='selected'" : '').">$str</option>";
        }
        $content .= "\n</select>";
    } else {
        // Print the current status string
        $content .= $statusStrs[$orderDetails['status']];
    }
    // Close the table cell (layout tables are nasty nasty)
    $content .= "</td>
                </tr>
                <tr>
                    <th>Prima Order Number</th>
                    <td>";
    if ($hasPermissions) {
        // add an input for changing the reference number
        $content .= "<input type='text' name='pReference' value='{$orderDetails['PReference']}' /></td>
                </tr>
                <tr>
                    <td colspan='2'><input type='submit' /></td>
                </tr>";
    } else {
        // Display the current reference number
        $content .= $orderDetails['PrimaReference'] . "</td></tr>";
    }
    $content .= "</table>
            </form>
        </td>";
}
I think the most likely cause of the problem is that CheckModulePermissions() is returning FALSE when you expect it to return TRUE. Please uncomment the var_dump() line to verify this, and we'll go from there.

Thank you. Yes, this is my function, and it returns false for any user other than the admin, even though they have the permission. I'm not really sure how to solve this.

You need to find out where it is returning false: is it at the first check (i.e. $_SESSION['userId'] is not set) or at the end (where $x[0] == 1)? Change if (!isset($_SESSION['userId'])) return FALSE; to if (!isset($_SESSION['userId'])) return -1; and call var_dump as before; then you can see whether the problem is with the session or with the DB query. Could it be something as simple as forgetting to call session_start()?