Forum Tutorial - User Levels #3 - Admin Privileges, Banning Users & Logging Out

Introduction: This tutorial is the third and final episode of the User Levels section of my Forum Creation Tutorial series. In this part, we are going to add banning functionality and give the admins their privileges.

Admin Privileges: This part is essentially the same as the moderator privileges part found in the previous tutorial. Once the user has logged in using our login form found in login.php, we check if the user level of that user is 3 (admin); if it is, we set the isAdmin session variable...
    if ($info['level'] == 3)
        $_SESSION['isAdmin'] = 'yes';
Next, we go to the checks for moderators and add the exception for admins, so that admins can also delete posts by other users. So add:
    || isset($_SESSION['isAdmin'])
to the replies in threadPage.php, and to forumTutorial.php (the index/thread list page)...
    echo '<tr><td><a href="threadPage.php?tid='.$row["id"].'">'.htmlspecialchars($row["title"]).'</a></td><td>'.htmlspecialchars($content).'...</td>';
    // Moderators and admins get a delete link on every thread.
    if (isset($_SESSION['isMod']) || isset($_SESSION['isAdmin']))
        echo '<td><a href="threadPage.php?act=delete&type=thread&id='.$row["id"].'">Delete</a></td>';
    echo '</tr>';
    // Only a numeric id may reach the queries below.
    $delID = (int)$delID;
    if ($delType == 'reply') {
        $delAuthorQ = mysqli_query($con, "SELECT * FROM `replies` WHERE `id`='$delID'");
        $delAuthorInfo = mysqli_fetch_array($delAuthorQ);
        $delAuthor = $delAuthorInfo['author'];
        // The author of the reply, a moderator or an admin may delete it.
        if ((isset($_SESSION['username']) && strtolower($delAuthor) == strtolower($_SESSION['username'])) || isset($_SESSION['isMod']) || isset($_SESSION['isAdmin'])) {
            $delq = mysqli_query($con, "DELETE FROM `replies` WHERE `id`='$delID'");
        } else
            echo 'You do not have permission to do that!';
    } else if ($delType == 'thread') {
        $delAuthorQ = mysqli_query($con, "SELECT * FROM `threads` WHERE `id`='$delID'");
        $delAuthorInfo = mysqli_fetch_array($delAuthorQ);
        $delAuthor = $delAuthorInfo['author'];
        // Same rule for threads: author, moderator or admin.
        if ((isset($_SESSION['username']) && strtolower($delAuthor) == strtolower($_SESSION['username'])) || isset($_SESSION['isMod']) || isset($_SESSION['isAdmin'])) {
            $delq = mysqli_query($con, "DELETE FROM `threads` WHERE `id`='$delID'");
        } else
            echo 'You do not have permission to do that!';
    }

    // In the reply listing, show the delete link to the author, moderators and admins.
    $replies .= '<tr><td>'.htmlspecialchars($row["content"]).'</td><td>'.htmlspecialchars($author).'</td><td>'.htmlspecialchars($repliedUser["signature"]).'</td>';
    if ((isset($_SESSION['username']) && $author == $_SESSION['username']) || isset($_SESSION['isMod']) || isset($_SESSION['isAdmin']))
        $replies .= '<td><a href="threadPage.php?act=delete&type=reply&id='.$row["id"].'">Delete</a></td>';
    $replies .= '</tr>';
Finally, on the admin panel page we want to add a check, just under where we continue our session and connect to our database, that the user accessing the page is an admin...
    if (!isset($_SESSION['isAdmin'])) {
        header("Location:forumTutorial.php"); // Not an admin: redirect to main/index/thread listing page.
        exit(); // Stop here; nothing after exit() runs, so no message can be echoed at this point.
    }
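The isMod/isAdmin flags above are written into the session once, at login, and the tutorial's delete and admin-panel checks then trust those flags for the rest of the session. As an added example (not code from the tutorial), the helpers below put the whole authorization decision in one place and re-read the level from the `users` table on each request, so that a user who is demoted or banned while logged in loses their privileges immediately. The function names currentLevel, canDeletePost and requireLevel are assumptions of this example; it relies on the tutorial's `users` table (columns username and level), an open mysqli connection in $con, and the level numbering used in this series (0 banned, 1 user, 2 moderator, 3 admin).

```php
<?php
// Added example, not the tutorial's own code. Assumes session_start() has run,
// $con is an open mysqli connection and `users` has columns username and level.

const LEVEL_BANNED = 0;
const LEVEL_USER   = 1;
const LEVEL_MOD    = 2;
const LEVEL_ADMIN  = 3;

// Current level of the logged-in user, or null when nobody is logged in or the
// account no longer exists. Read from the database, not from the session, so a
// ban or demotion takes effect on the very next request.
function currentLevel(mysqli $con): ?int {
    if (!isset($_SESSION['username'])) {
        return null;
    }
    $username = $_SESSION['username'];
    $stmt = mysqli_prepare($con, "SELECT `level` FROM `users` WHERE `username`=?");
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    return $row === null ? null : (int)$row['level'];
}

// True when the current user may delete a post written by $author:
// the author themselves, or any moderator or admin. A banned account
// (level 0) is never allowed, even if its session is still alive.
function canDeletePost(mysqli $con, string $author): bool {
    $level = currentLevel($con);
    if ($level === null || $level <= LEVEL_BANNED) {
        return false;
    }
    if ($level >= LEVEL_MOD) {
        return true;
    }
    return strtolower($author) === strtolower($_SESSION['username']);
}

// Page guard for admin.php and similar: anyone below $minLevel is sent to the
// thread listing and the script stops before any admin content is produced.
function requireLevel(mysqli $con, int $minLevel, string $redirect = 'forumTutorial.php'): void {
    $level = currentLevel($con);
    if ($level === null || $level < $minLevel) {
        header('Location: ' . $redirect);
        exit();
    }
}

// Usage at the top of admin.php, after session_start() and the database connection:
// requireLevel($con, LEVEL_ADMIN);
// and in the delete handler, in place of the inline author/isMod/isAdmin test:
// if (canDeletePost($con, $delAuthor)) { ... }
```

With this in place the delete handlers, the reply listing and the admin panel all call the same two functions, so a change to the rule (for example letting moderators delete only replies) has to be made in one spot rather than in four copies of the same condition.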
Banning Users: Next we want to add the ability for admins to ban users. We could add a new column to our database to hold their current ban status (0 or 1, false or true, unbanned or banned), but instead we are going to set their level to 0 if they are banned. First we add another option next to the change level option for every user within the admin panel...
    <td><form action="admin.php?act=ban&uID='.$row["id"].'" method="POST"><input type="submit" value="Ban User!" /></form></td>
Next we need to handle the case where the act GET parameter is ban. We also grab the user id from the URL (through $_GET) and then set that user's level to 0. This is appended to the end of the if/else chain that checks the act parameters:
    else if (isset($_GET['act']) && $_GET['act'] == 'ban' && isset($_GET['uID'])) {
        $uID = (int)$_GET['uID']; // only a numeric user id is accepted
        $checkUserExists = mysqli_query($con, "SELECT * FROM `users` WHERE `id`='$uID'");
        if (mysqli_num_rows($checkUserExists) > 0) {
            // User exists, set level to 0 and ban them.
            $banUserQuery = mysqli_query($con, "UPDATE `users` SET `level`='0' WHERE `id`='$uID'");
            if ($banUserQuery) {
                // Banned user: back to the admin panel. Nothing may be echoed before header().
                header("Location:admin.php");
                exit();
            } else
                echo 'Failed to ban user...';
        }
    }
Finally we need to check on login whether the user is banned. If they are, we give an error; otherwise we let them log in as normal...
    $con = mysqli_connect('localhost', 'root', '', 'forumTutorial');
    if (isset($_POST['login']) && isset($_POST['user']) && isset($_POST['pass']) && $_POST['user'] != '' && $_POST['pass'] != '') {
        $pass = $_POST['pass'];
        $passMD5 = md5($pass);
        $user = $_POST['user'];
        // Bind the username as a parameter so it is never pasted into the SQL string.
        $stmt = mysqli_prepare($con, "SELECT * FROM `users` WHERE `username`=?");
        mysqli_stmt_bind_param($stmt, 's', $user);
        mysqli_stmt_execute($stmt);
        $q = mysqli_stmt_get_result($stmt);
        if (mysqli_num_rows($q) > 0) {
            $info = mysqli_fetch_array($q);
            // Level 0 means banned: refuse before the password is even checked.
            if ($info['level'] != '0') {
                $storedPassword = $info['password'];
                // Strict, constant-time string comparison of the two hashes.
                if (hash_equals($storedPassword, $passMD5)) {
                    $_SESSION['username'] = $user;
                    if ($info['level'] == 2)
                        $_SESSION['isMod'] = 'yes';
                    if ($info['level'] == 3)
                        $_SESSION['isAdmin'] = 'yes';
                    header("Location:forumTutorial.php"); // Logged in: redirect to the thread listing.
                    exit();
                } else
                    echo 'Password was incorrect. Please try again.';
            } else
                echo 'That account is banned!';
        } else
            echo 'That username was not found. Please try again.';
    }
We might want an option to unban users as well, so we simply do the opposite...
    <td><form action="admin.php?act=unban&uID='.$row["id"].'" method="POST"><input type="submit" value="Unban User!" /></form></td>
    else if (isset($_GET['act']) && $_GET['act'] == 'unban' && isset($_GET['uID'])) {
        $uID = (int)$_GET['uID']; // only a numeric user id is accepted
        $checkUserExists = mysqli_query($con, "SELECT * FROM `users` WHERE `id`='$uID'");
        if (mysqli_num_rows($checkUserExists) > 0) {
            // User exists, set level to 1 and unban them.
            $banUserQuery = mysqli_query($con, "UPDATE `users` SET `level`='1' WHERE `id`='$uID'");
            if ($banUserQuery) {
                // Unbanned user: back to the admin panel. Nothing may be echoed before header().
                header("Location:admin.php");
                exit();
            } else
                echo 'Failed to unban user...';
        }
    }
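The ban and unban handlers above act on whatever id arrives in the query string, and the Ban/Unban buttons are plain forms that any page could reproduce. As an added example (not the tutorial's own code), here is the same ban/unban feature written so that the target id only ever arrives by POST, is validated as an integer and bound in a prepared statement, and the request must carry a per-session CSRF token; as one extra design choice beyond the tutorial, it also refuses to change level-3 (admin) accounts, so an admin cannot lock themselves or another admin out from this page. The function names csrfToken, banButton and setBanState are assumptions of this example, as is the msg query parameter used to carry the result back to admin.php; it relies on the tutorial's `users` table (columns id and level), an open mysqli connection in $con, and session_start() having been called, with the admin-only guard already applied earlier in admin.php.

```php
<?php
// Added example, not the tutorial's own code. Assumes session_start() has run,
// $con is an open mysqli connection, and `users` has columns id and level.

// One random token per session, embedded in every admin form and checked on submit.
function csrfToken(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// HTML for the Ban/Unban button of one user row. Everything travels in POST
// fields, so the action URL carries no parameters at all.
function banButton(int $userId, bool $banned): string {
    $act   = $banned ? 'unban' : 'ban';
    $label = $banned ? 'Unban User!' : 'Ban User!';
    return '<form action="admin.php" method="POST">'
         . '<input type="hidden" name="act" value="' . $act . '" />'
         . '<input type="hidden" name="uID" value="' . $userId . '" />'
         . '<input type="hidden" name="csrf" value="' . htmlspecialchars(csrfToken()) . '" />'
         . '<input type="submit" value="' . $label . '" /></form>';
}

// Sets the level of user $uID to $newLevel (0 = banned, 1 = normal user) and
// returns a short status message. Admin accounts (level 3) are left untouched.
function setBanState(mysqli $con, int $uID, int $newLevel): string {
    $stmt = mysqli_prepare($con, "SELECT `level` FROM `users` WHERE `id`=?");
    mysqli_stmt_bind_param($stmt, 'i', $uID);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    if ($row === null) {
        return 'No such user.';
    }
    if ((int)$row['level'] === 3) {
        return 'Admin accounts cannot be banned from this page.';
    }
    $stmt = mysqli_prepare($con, "UPDATE `users` SET `level`=? WHERE `id`=?");
    mysqli_stmt_bind_param($stmt, 'ii', $newLevel, $uID);
    return mysqli_stmt_execute($stmt) ? 'Updated.' : 'Failed to update user.';
}

// Request handling: POST only, valid token only, digits-only id, known action only.
// hash_equals() compares the tokens in constant time.
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && isset($_POST['act'], $_POST['uID'], $_POST['csrf'])
    && hash_equals(csrfToken(), $_POST['csrf'])
    && ctype_digit($_POST['uID'])
    && in_array($_POST['act'], ['ban', 'unban'], true)) {
    $level = $_POST['act'] === 'ban' ? 0 : 1;
    $msg   = setBanState($con, (int)$_POST['uID'], $level);
    // Redirect before any output, carrying the message for admin.php to display.
    header('Location: admin.php?msg=' . urlencode($msg));
    exit();
}

// In the user table loop: echo banButton((int)$row['id'], (int)$row['level'] === 0);
```

Because the id is cast to int and bound as a parameter, the query cannot be altered by the value of uID, and because the token lives only in the admin's session, a form on another site cannot submit a valid ban request on the admin's behalf. The redirect happens before anything is echoed, which is what keeps header() working without output buffering.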
Logout Script: I thought I had already covered logout scripts, but I don't seem to have a logout page in my directory. The script is a simple two-line PHP script: it connects to the session, then destroys it, ready for a new one the next time another script connects...
    <?php
        session_start();
        session_destroy();
    ?>
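session_destroy() removes the session data on the server, but it does not clear the values already loaded into $_SESSION for the current request, nor does it tell the browser to drop its session cookie, and the two-line script leaves the user sitting on a blank page. As an added example (not the tutorial's own logout.php), the version below does all of that and then sends the user back to forumTutorial.php, the thread listing used throughout this tutorial; the choice of that redirect target is an assumption of this example.

```php
<?php
// Added example, not the tutorial's own logout.php.
session_start();

// Forget every value the login script stored (username, isMod, isAdmin, ...)
// for this request as well as on disk.
$_SESSION = [];

// The browser still holds the old session id cookie; expire it explicitly so the
// next request starts a fresh session instead of reusing the old id.
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}

// Remove the server-side session data.
session_destroy();

// Send the user back to the thread listing; nothing may be echoed before this.
header('Location: forumTutorial.php');
exit();
```

Link to this file from the "Logout" link as before; because it ends in a redirect, the user lands on the thread listing with no username in the session, which is the observable sign that logging out worked.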

Comments

Thanks a lot, will test the codes.

Hi - the logout script doesn't seem to work? I used your login script for my site as well, and when I clicked on 'Logout' (which was linked to logout.php) nothing happened.
