
Interaction between PHP and jQuery - part 23 ppsx


Modifying the App to Handle the User Logout

The last step you need to take before users can successfully log out is to add another array element to the $actions array in process.inc.php. Insert the following bold code into process.inc.php to complete the logout process:

<?php

/*
 * Enable sessions
 */
session_start();

/*
 * Include necessary files
 */
include_once '../../../sys/config/db-cred.inc.php';

/*
 * Define constants for config info
 */
foreach ( $C as $name => $val )
{
    define($name, $val);
}

/*
 * Create a lookup array for form actions
 */
$actions = array(
    'event_edit' => array(
        'object' => 'Calendar',
        'method' => 'processForm',
        'header' => 'Location: ../../'
    ),
    'user_login' => array(
        'object' => 'Admin',
        'method' => 'processLoginForm',
        // The rest of this entry and the new 'user_logout' entry fall on
        // a page that is not included in this excerpt
    )
);

/*
 * Make sure the anti-CSRF token matches the session token and that the
 * requested action exists in the lookup array. Note that == is a loose
 * comparison; hash_equals() would be the strict, timing-safe choice.
 */
if ( $_POST['token']==$_SESSION['token']
    && isset($actions[$_POST['action']]) )
{
    $use_array = $actions[$_POST['action']];
    $obj = new $use_array['object']($dbo);

    // Braces make the method lookup explicit; without them PHP 7 and later
    // parse $obj->$use_array['method']() as ($obj->$use_array)['method']()
    if ( TRUE === $msg=$obj->{$use_array['method']}() )
    {
        header($use_array['header']);
        exit;
    }
    else
    {
        // If an error occurred, output it and end execution
        die ( $msg );
    }
}
else
{
    // Redirect to the main index if the token/action is invalid
    header("Location: ../../");
    exit;
}

// Legacy magic autoloader (spl_autoload_register() is the modern replacement)
function __autoload($class_name)
{
    $filename = '../../../sys/class/class.'
        . strtolower($class_name) . '.inc.php';
    if ( file_exists($filename) )
    {
        include_once $filename;
    }
}

?>

Save this file, then navigate to http://localhost/, and click the Log Out button at the bottom of the calendar. Clicking this button causes the message below the calendar to now read, “Logged Out!” (see Figure 6-8).

Figure 6-8 Clicking the Log Out button removes the user data from the session

Note Now that you know the login is working, remove the Logged In!/Logged Out! message logic and the paragraph tags that enclose it from index.php.

Displaying Admin Tools Only to Administrators

Modifying the General Admin Options Method

Now let’s take a look at the calendar’s general options. If the user is logged in, you want to show her the options to create a new entry and to log out. However, if the user is logged out, she should see a link to log in. Perform this check by making the modifications shown in bold to the _adminGeneralOptions() method in the Calendar class:

<?php

class Calendar extends DB_Connect
{

    private $_useDate;
    private $_m;
    private $_y;
    private $_daysInMonth;
    private $_startDay;

    public function __construct($dbo=NULL, $useDate=NULL) { }

    public function buildCalendar() { }

    public function displayForm() { }

    public function processForm() { }

    public function confirmDelete($id) { }

    private function _loadEventData($id=NULL) { }

    private function _createEventObj() { }

    private function _loadEventById($id) { }

    private function _adminGeneralOptions()
    {
        /*
         * If the user is logged in, display admin controls
         */
        if ( isset($_SESSION['user']) )
        {
            return <<<ADMIN_OPTIONS
    <a href="admin.php" class="admin">+ Add a New Event</a>
    <form action="assets/inc/process.inc.php" method="post">
        <div>
            <!-- the Log Out submit button is not shown in this excerpt -->
            <input type="hidden" name="token"
                  value="$_SESSION[token]" />
            <input type="hidden" name="action"
                  value="user_logout" />
        </div>
    </form>
ADMIN_OPTIONS;
        }
        else
        {
            return <<<ADMIN_OPTIONS
    <a href="login.php">Log In</a>
ADMIN_OPTIONS;
        }
    }

    private function _adminEntryOptions($id) { }

}

?>

After saving the changes, reload http://localhost/ while logged out to see the administrative options replaced with a simple Log In link (see Figure 6-9).

Figure 6-9 While a user is logged out, only a Log In link is displayed

Modifying the Event Options Method

Next, you want to add code to prevent the editing and deletion of events by unauthorized users; you do this by modifying _adminEntryOptions() in the Calendar class with the following bold code:

<?php

class Calendar extends DB_Connect
{

    private $_useDate;
    private $_m;
    private $_y;
    private $_daysInMonth;
    private $_startDay;

    public function __construct($dbo=NULL, $useDate=NULL) { }

    public function buildCalendar() { }

    public function displayForm() { }

    public function processForm() { }

    public function confirmDelete($id) { }

    private function _loadEventData($id=NULL) { }

    private function _createEventObj() { }

    private function _loadEventById($id) { }

    private function _adminGeneralOptions() { }

    private function _adminEntryOptions($id)
    {
        /*
         * Only a logged-in user gets the edit and delete controls
         */
        if ( isset($_SESSION['user']) )
        {
            return <<<ADMIN_OPTIONS
    <div class="admin-options">
        <form action="admin.php" method="post">
            <p>
                <input type="submit" name="edit_event"
                      value="Edit This Event" />
                <input type="hidden" name="event_id"
                      value="$id" />
            </p>
        </form>
        <form action="confirmdelete.php" method="post">
            <p>
                <!-- the delete form's inputs and the else branch that
                     follows are on a page not included in this excerpt -->
            </p>
        </form>
    </div>
ADMIN_OPTIONS;
        }
    }

}

?>

After inserting these changes, navigate to http://localhost/ while logged out and click an event to bring up its full view; the administrative options will not be displayed (see Figure 6-10).

Figure 6-10 The full event view while logged out

Limiting Access to Administrative Pages

As an additional security precaution, you should ensure that any pages that only authorized users should have access to, such as the event creation/editing form, check for proper authorization before executing.

Disallowing Access to the Event Creation Form Without Login

You can prevent a mischievous user from finding the event creation form while logged out by performing a simple check that you add to the file. If the user is not logged in, he’ll be sent to the main calendar view before the script has the chance to execute.

To implement this change, open admin.php and insert the code shown in bold:

<?php

/*
 * Include necessary files
 */
include_once '../sys/core/init.inc.php';

/*
 * If the user is not logged in, send them to the main file
 */
if ( !isset($_SESSION['user']) )
{
    header("Location: /");
    exit;
}

/*
 * Output the header
 */
$page_title = "Add/Edit Event";
$css_files = array("style.css", "admin.css");
include_once 'assets/common/header.inc.php';

/*
 * Load the calendar
 */
$cal = new Calendar($dbo);

?>

<div id="content">
    <?php echo $cal->displayForm(); ?>
</div><!-- end #content -->

<?php

/*
 * Output the footer
 */
include_once 'assets/common/footer.inc.php';

?>

After saving this file, attempt to navigate to http://localhost/admin.php while logged out. You’ll automatically be sent to http://localhost/.

Ensuring Only Logged In Users Can Delete Events

<?php

/*
 * Make sure an event ID was passed and the user is logged in
 */
if ( isset($_POST['event_id']) && isset($_SESSION['user']) )
{
    /*
     * Collect the event ID from the POST data
     */
    $id = (int) $_POST['event_id'];
}
else
{
    /*
     * Send the user to the main page if no ID is supplied
     * or the user is not logged in
     */
    header("Location: /");
    exit;
}

/*
 * Include necessary files
 */
include_once '../sys/core/init.inc.php';

/*
 * Load the calendar
 */
$cal = new Calendar($dbo);
$markup = $cal->confirmDelete($id);

/*
 * Output the header
 */
$page_title = "View Event";
$css_files = array("style.css", "admin.css");
include_once 'assets/common/header.inc.php';

?>

<div id="content">
    <?php echo $markup; ?>
</div><!-- end #content -->

<?php

/*
 * Output the footer
 */

Posted: 04/07/2014, 17:20
