commit bb5610b82609bab7845102007ea185ca85998643
parent c9cf09f6d632e8fb9a3a3276771b52761d08f27b
Author: Gerco van Woudenbergh <[email protected]>
Date: Mon, 27 Mar 2023 20:30:05 +0200
more robust login system
Diffstat:
5 files changed, 217 insertions(+), 78 deletions(-)
diff --git a/crud_user.php b/crud_user.php
@@ -17,12 +17,13 @@
<b>Wachtwoord</b> <input type="password" name="password" id="password" placeholder="******">
<br>
<p>Please select the user permissions:</p>
- <input type="radio" id="Admin" name="permissions" value="1">
+ <input type="checkbox" id="Admin" name="permissions[]" value="1">
<label for="html">Admin</label><br>
- <input type="radio" id="Administratief medewerker" name="permissions" value="2">
+ <input type="checkbox" id="Administratief medewerker" name="permissions[]" value="2">
<label for="Administratief medewerker">Administratief medewerker</label><br>
- <input type="radio" id="Wetenschappelijk medewerker" name="permissions" value="3">
- <label for="Wetenschappelijk medewerker">Wetenschappelijk medewerker</label>
+ <input type="checkbox" id="Wetenschappelijk medewerker" name="permissions[]" value="3">
+ <label for="Wetenschappelijk medewerker">Wetenschappelijk medewerker</label>
+
</p>
<p><input type="submit" name="submit" value="Voeg toe"></p>
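Review bot: The new checkbox ids `Administratief medewerker` and `Wetenschappelijk medewerker` contain spaces, which is not a valid id value in HTML and makes the matching `label for=` attributes unreliable across browsers. Use a space-free id such as `id="administratief_medewerker"` with `for="administratief_medewerker"` on the label, and the same for the scientific employee row. The first label on the context line still points at `for="html"` rather than the `Admin` id, so it does not toggle its checkbox either.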
@@ -41,20 +42,69 @@
}
if ($_SERVER["REQUEST_METHOD"] == "POST") {
- // collect value of input field
- $vname = $_POST['voornaam'];
- $aname = $_POST['achternaam'];
- $email = $_POST['email'];
- $password = $_POST['password'];
- $permissions = $_POST['permissions'];
- }
- $hash = password_hash($password, PASSWORD_DEFAULT);
-
- $sql = "INSERT INTO medewerkers (voornaam, achternaam, email, wachtwoord, permissie_niveau) VALUES(?, ?, ?, ?, ?);";
- $stmt= $conn->prepare($sql);
- $stmt->bind_param("sssss", $vname, $aname, $email, $hash, $permissions);
- $stmt->execute();
+ $errors = array(); // initialize an empty array to store errors
+
+ // Check if voornaam is set and not empty
+ if (isset($_POST['voornaam']) && !empty($_POST['voornaam'])) {
+ $fname = $_POST['voornaam'];
+ } else {
+ $errors[] = "Voornaam is required";
+ }
+
+ // Check if achternaam is set and not empty
+ if (isset($_POST['achternaam']) && !empty($_POST['achternaam'])) {
+ $lname = $_POST['achternaam'];
+ } else {
+ $errors[] = "Achternaam is required";
+ }
+
+ // Check if email is set and not empty
+ if (isset($_POST['email']) && !empty($_POST['email'])) {
+ $email = $_POST['email'];
+ } else {
+ $errors[] = "E-mail is required";
+ }
+
+ // Check if password is set and not empty
+ if (isset($_POST['password']) && !empty($_POST['password'])) {
+ $password = $_POST['password'];
+ } else {
+ $errors[] = "Wachtwoord is required";
+ }
+
+ // Check if permissions is set
+ if (isset($_POST['permissions'])) {
+ $permissions = $_POST['permissions'];
+ } else {
+ $errors[] = "Permissies zijn vereist";
+ }
+
+ // Check if there are any errors
+ if (count($errors) > 0) {
+ // Print out the errors
+ foreach ($errors as $error) {
+ echo $error . "<br>";
+ }
+ } else {
+ // Pass the password through a hashing function
+ $hash = password_hash($password, PASSWORD_DEFAULT);
+
+ // Making a sql statement to add user to the database, preparing it and excuting
+ $sql = "INSERT INTO medewerkers (email, voornaam, achternaam, wachtwoord) VALUES(?, ?, ?, ?)";
+ $stmt= $conn->prepare($sql);
+ $stmt->bind_param("ssss", $email, $fname, $lname, $hash);
+ $stmt->execute();
+ //Excecuting a sql statement for all the user permissions
+ foreach($permissions as $perm){
+ $sql = "INSERT INTO medewerkers_permissie (email, permissie_id) VALUES (?, ?);";
+ $stmt= $conn->prepare($sql);
+ $stmt->bind_param("si", $email, $perm);
+ $stmt->execute();
+ }
+ }
+ }
+ // closing the connection
mysqli_close($conn);
?>
</body>
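Review bot: The permission loop at the end of the hunk trusts `$_POST['permissions']` to be an array and never checks the return of either `execute()`, so a failed employee insert still leaves permission rows written for that email, and a scalar `permissions` value makes `foreach` emit a warning instead of a validation error. Wrap both inserts in a transaction, check each `execute()`, and add `is_array()` to the permissions validation so a malformed request is rejected before any write; casting each id to int keeps the `"i"` binding honest. The `isset(...) && !empty(...)` pairs are redundant because `empty()` already covers the unset case. `$conn` is created outside the hunk, so the transaction calls assume a mysqli connection object.

```php
// Check if permissions is set and is a list of ids
if (isset($_POST['permissions']) && is_array($_POST['permissions'])) {
    $permissions = $_POST['permissions'];
} else {
    $errors[] = "Permissies zijn vereist";
}
// … unchanged: other field checks and error output …
$hash = password_hash($password, PASSWORD_DEFAULT);
$conn->begin_transaction();
try {
    $stmt = $conn->prepare("INSERT INTO medewerkers (email, voornaam, achternaam, wachtwoord) VALUES(?, ?, ?, ?)");
    $stmt->bind_param("ssss", $email, $fname, $lname, $hash);
    if (!$stmt->execute()) {
        throw new RuntimeException($stmt->error);
    }
    $stmt = $conn->prepare("INSERT INTO medewerkers_permissie (email, permissie_id) VALUES (?, ?)");
    foreach ($permissions as $perm) {
        $permId = (int) $perm;
        $stmt->bind_param("si", $email, $permId);
        if (!$stmt->execute()) {
            throw new RuntimeException($stmt->error);
        }
    }
    $conn->commit();
} catch (RuntimeException $e) {
    // roll back the partial user so a retry does not hit orphaned permission rows
    $conn->rollback();
    echo "Kon gebruiker niet toevoegen<br>";
}
```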
diff --git a/dashboard.php b/dashboard.php
@@ -2,55 +2,99 @@
session_start();
// Check if user is logged in and has permission level set
-if(!isset($_SESSION['permissions'])) {
+if(!isset($_SESSION['email'])) {
// Redirect to login page if permission level is not set
header('Location: login.php');
exit;
}
-
// Get the permission level of the user
-$permission_level = $_SESSION['permissions'];
+$permission_levels= $_SESSION['permissions'];
+
+// Assume $permission_levels is an array containing the user's permission levels
+
+$links = array();
// Define the links for each type of employee
-if($permission_level == 1) {
+if (in_array(1, $permission_levels)) {
// Admin links
- $links = array(
+ $admin_links = array(
array('url' => 'admin_page_1.php', 'title' => 'Admin Page 1'),
array('url' => 'admin_page_2.php', 'title' => 'Admin Page 2'),
array('url' => 'admin_page_3.php', 'title' => 'Admin Page 3')
);
-} else if($permission_level == 2) {
+ $links[] = array('name' => 'Admin', 'links' => $admin_links);
+}
+
+if (in_array(2, $permission_levels)) {
// Administrative employee links
- $links = array(
+ $admin_employee_links = array(
array('url' => 'admin_employee_page_1.php', 'title' => 'Admin Employee Page 1'),
array('url' => 'admin_employee_page_2.php', 'title' => 'Admin Employee Page 2'),
array('url' => 'admin_employee_page_3.php', 'title' => 'Admin Employee Page 3')
);
-} else if($permission_level == 3) {
+ $links[] = array('name' => 'Administrative Employee', 'links' => $admin_employee_links);
+}
+
+if (in_array(3, $permission_levels)) {
// Scientific employee links
- $links = array(
+ $scientific_employee_links = array(
array('url' => 'scientific_employee_page_1.php', 'title' => 'Scientific Employee Page 1'),
array('url' => 'scientific_employee_page_2.php', 'title' => 'Scientific Employee Page 2'),
array('url' => 'scientific_employee_page_3.php', 'title' => 'Scientific Employee Page 3')
);
-} else {
- // Redirect to login page if permission level is invalid
- header('Location: login.php');
- exit;
+ $links[] = array('name' => 'Scientific Employee', 'links' => $scientific_employee_links);
}
-?>
+if (empty($links)) {
+ // Guest links
+ $guest_links = array(
+ array('url' => 'guest_page_1.php', 'title' => 'Guest Page 1')
+ );
+ $links[] = array('name' => 'Guest', 'links' => $guest_links);
+}
+?>
<!DOCTYPE html>
<html>
<head>
<title>Dashboard</title>
+ <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css">
</head>
<body>
- <h1>Dashboard</h1>
- <ul>
- <?php foreach($links as $link) { ?>
- <li><a href="<?php echo $link['url']; ?>"><?php echo $link['title']; ?></a></li>
- <?php } ?>
- </ul>
+ <nav class="navbar navbar-expand-lg navbar-light bg-light">
+ <a class="navbar-brand" href="#">Dashboard</a>
+ <button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarNavDropdown" aria-controls="navbarNavDropdown" aria-expanded="false" aria-label="Toggle navigation">
+ <span class="navbar-toggler-icon"></span>
+ </button>
+ <div class="collapse navbar-collapse" id="navbarNavDropdown">
+ <ul class="navbar-nav">
+ <?php foreach($links as $employee) { ?>
+ <li class="nav-item dropdown">
+ <a class="nav-link dropdown-toggle" href="#" id="navbarDropdownMenuLink<?php echo $employee['id']; ?>" role="button" data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
+ <?php echo $employee['name']; ?>
+ </a>
+ <ul class="dropdown-menu" aria-labelledby="navbarDropdownMenuLink<?php echo $employee['id']; ?>">
+ <?php foreach ($employee['links'] as $link) { ?>
+ <li><a class="dropdown-item" href="<?php echo $link['url']; ?>"><?php echo $link['title']; ?></a></li>
+ <?php } ?>
+ </ul>
+ </li>
+ <?php } ?>
+ </ul>
+ </div>
+ </nav>
+
+ <script src="https://code.jquery.com/jquery-3.5.1.slim.min.js"></script>
+ <script src="https://cdn.jsdelivr.net/npm/@popperjs/[email protected]/dist/umd/popper.min.js"></script>
+ <script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/js/bootstrap.min.js"></script>
+ <script>
+ $(document).ready(function() {
+ var dropdownMenuList = [].slice.call(document.querySelectorAll('.dropdown-menu'));
+ dropdownMenuList.map(function (dropdownMenu) {
+ return new bootstrap.Dropdown(dropdownMenu);
+ });
+ });
+ </script>
</body>
</html>
+
+
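Review bot: The guard at the top of the hunk now only checks `$_SESSION['email']`, but the next line reads `$_SESSION['permissions']` unconditionally and passes it to `in_array()`, which raises a TypeError on PHP 8 if that key is absent (a session created elsewhere, or a stale one from before this change); use `$permission_levels = $_SESSION['permissions'] ?? [];`. The `in_array(1, ...)` calls should pass `true` as the third argument, since the stored ids come from the login query and their type (int or string) is not fixed by this file. In the navbar markup, `$employee['id']` is never set on the entries pushed into `$links` (they carry only `name` and `links`), so every dropdown gets an undefined-index warning and the same `navbarDropdownMenuLink` id; add an `'id'` key to each entry (e.g. `'id' => 1`) or derive the id from the loop index.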
diff --git a/login.php b/login.php
@@ -1,60 +1,94 @@
<!DOCTYPE html>
<html>
- <head>
- <title>Login Page</title>
- </head>
- <body>
- <h2>Login</h2>
- <form method="POST" action="login.php">
- <label>Username:</label>
- <input type="text" name="username"><br><br>
- <label>Password:</label>
- <input type="password" name="password"><br><br>
-
- <input type="submit" name="login" value="Login">
- </form>
+<head>
+ <title>Login Page</title>
+ <!-- Add the Bootstrap CSS stylesheet -->
+ <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous">
+</head>
+<body>
+ <div class="container mt-5">
+ <div class="row justify-content-center">
+ <div class="col-md-6">
+ <div class="card">
+ <div class="card-header">Login</div>
+ <div class="card-body">
+ <form method="POST" action="login.php">
+ <div class="form-group">
+ <label for="email">Email:</label>
+ <input type="email" class="form-control" id="email" name="email" placeholder="Enter email">
+ </div>
+ <div class="form-group">
+ <label for="password">Password:</label>
+ <input type="password" class="form-control" id="password" name="password" placeholder="Enter password">
+ </div>
+ <button type="submit" class="btn btn-primary">Login</button>
+ </form>
+ </div>
+ </div>
+ </div>
+ </div>
+ </div>
+ <!-- Add the Bootstrap JavaScript library (optional) -->
+ <script src="https://code.jquery.com/jquery-3.2.1.slim.min.js" integrity="sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN" crossorigin="anonymous"></script>
+ <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js" integrity="sha384-ApNbgh9B+Y1QKtv3Rn7W3mgPxhU9K/ScQsAP7hUibX39j7fakFPskvXusvfa0b4Q" crossorigin="anonymous"></script>
+ <script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js" integrity="sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl" crossorigin="anonymous"></script>
<?php
+ $servername = "86.92.67.21";
+ $username = "friedel";
+ $password = "hailiwa";
+ $dbname = "wap2";
+ $conn = mysqli_connect($servername, $username, $password, $dbname);
+ // perform validation and authentication
+ if (!$conn) {
+ die("Connection failed: " . mysqli_connect_error());
+ }
+
+ // check if a post request was sent
+ if ($_SERVER["REQUEST_METHOD"] == "POST") {
// fetch data from the form
- if(isset($_POST['username']) && isset($_POST['password'])){
- $gebruikersnaam = $_POST['username'];
- $wachtwoord = $_POST['password'];
- }else{
+ if(isset($_POST['email']) && isset($_POST['password'])){
+ $email = $_POST['email'];
+ $pwd = $_POST['password'];
+ } else {
echo "One of the forms was empty";
}
- // perform validation and authentication
- $servername = "86.92.67.21";
- $username = "friedel";
- $password = "hailiwa";
- $dbname = "wap2";
- $conn = mysqli_connect($servername, $username, $password, $dbname);
-
// create, prepare sql statement and execute sql statement
- if($conn){
- $sql = "select medewerker_id, wachtwoord, permissie_niveau from medewerkers where medewerker_id = ?;";
- $stmt= $conn->prepare($sql);
- $stmt->bind_param("i", $gebruikersnaam);
- $stmt->execute();
-
- $result = $stmt->get_result();
- $row = $result->fetch_assoc();
- }
+ $sql = "select m.email, m.wachtwoord, pm.permissie_id, pm.permissie_naam
+ from medewerkers m
+ join medewerkers_permissie mp on mp.email = m.email
+ join permissie pm on pm.permissie_id = mp.permissie_id
+ where m.email = ?";
+ $stmt= $conn->prepare($sql);
+ $stmt->bind_param("s", $email);
+ $stmt->execute();
+ $result = $stmt->get_result();
- //verification logic and $_SESSION start
- if($row > 0){
- if($gebruikersnaam == $row['medewerker_id'] && password_verify($wachtwoord, $row['wachtwoord']))
- {
+ // verification logic and $_SESSION start
+ if(count($row = $result->fetch_assoc()) > 0){
+ if($email == $row['email'] && password_verify($pwd, $row['wachtwoord'])) {
session_start();
- $_SESSION['gebruikers_id'] = $row['medewerker_id'];
- $_SESSION['permissions'] = $row['permissie_niveau'];
+ $_SESSION['email'] = $row['email'];
+ mysqli_data_seek($result, 0);
+ $permissions = array();
+ $permissions_names = array();
+ while($row = mysqli_fetch_assoc($result)){
+ array_push($permissions, $row['permissie_id']);
+ array_push($permissions_names, $row['permissie_naam']);
+ }
+ $_SESSION['permissions'] = $permissions;
+ $_SESSION['permissions_names'] = $permissions_names;
+ foreach($_SESSION['permissions'] as $bullshit){
+ echo $bullshit . "<br>";
+ }
header('Location: dashboard.php');
- echo"gebruikers id". $_SESSION['gebruikers_id'] ."permissie niveau " . $_SESSION['permissie_niveau'];
} else {
echo '<p style="color:red">Invalid username or password.</p>';
}
} else {
echo '<p style="color:red">Invalid username or password.</p>';
}
- ?>
+ }
+ ?>
</body>
</html>
\ No newline at end of file
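Review bot: `count($row = $result->fetch_assoc()) > 0` throws a TypeError on PHP 8 when the email is unknown, because `fetch_assoc()` returns `null` and `count(null)` is no longer allowed, so an invalid login becomes a fatal error rather than the "Invalid username or password" message; test `$row !== null` instead. The `foreach` that echoes each permission id (`$bullshit`) looks like leftover debugging and, together with the HTML already emitted above the `<?php` block, sends output before `session_start()` and `header('Location: ...')`, so the redirect and the session cookie will fail unless output buffering is enabled; move `session_start()` to the top of the file, drop the loop, and `exit` after the redirect. The `$email == $row['email']` comparison is redundant since the query already filtered on that column, and `session_regenerate_id(true)` after a successful `password_verify` prevents a pre-login session id from being carried over. The database credentials are still literal in this page and belong in a config file outside the web root.

```php
// … unchanged: prepared statement, bind and execute …
$result = $stmt->get_result();
$row = $result->fetch_assoc();
if ($row !== null && password_verify($pwd, $row['wachtwoord'])) {
    // session_start() must already have run at the top of the file, before any output
    session_regenerate_id(true);
    $_SESSION['email'] = $row['email'];
    $permissions = [];
    $permissions_names = [];
    mysqli_data_seek($result, 0);
    while ($r = mysqli_fetch_assoc($result)) {
        $permissions[] = $r['permissie_id'];
        $permissions_names[] = $r['permissie_naam'];
    }
    $_SESSION['permissions'] = $permissions;
    $_SESSION['permissions_names'] = $permissions_names;
    header('Location: dashboard.php');
    exit;
}
echo '<p style="color:red">Invalid username or password.</p>';
```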
diff --git a/sql_files/insertpermissions.sql b/sql_files/insertpermissions.sql
@@ -0,0 +1,4 @@
+insert into permissie (permissie_id, permissie_naam) values (0, "default");
+insert into permissie (permissie_id, permissie_naam) values (1, "admininistrator");
+insert into permissie (permissie_id, permissie_naam) values (2, "administratief medewerker");
+insert into permissie (permissie_id, permissie_naam) values (3, "wetenschappelijk medewerker");
+\ No newline at end of file
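Review bot: The seed value `"admininistrator"` on the second insert is misspelled, and since `permissie_naam` is read by the login query and stored in the session it will surface wherever those names are displayed; change it to `"administrator"`. The string literals use double quotes, which MySQL accepts only when `ANSI_QUOTES` is off — single quotes are the portable form.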
diff --git a/sql_files/loginsql.sql b/sql_files/loginsql.sql
@@ -0,0 +1,5 @@
+select m.email, m.wachtwoord, pm.permissie_id
+ from medewerkers m
+ join medewerkers_permissie mp on mp.email = m.email
+ join permissie pm on pm.permissie_id = mp.permissie_id
+ where m.email = "[email protected]";
+\ No newline at end of file