Interaction between PHP and jQuery - part 23

CHAPTER 6 ■ PASSWORD PROTECTING SENSITIVE ACTIONS AND AREAS

221
Modifying the App to Handle the User Logout
The last step you need to take before users can successfully log out is to add another array element to the
$actions array in process.inc.php. Insert the 'user_logout' element shown below into process.inc.php to complete the
logout process. Because the lookup array is the only place a class and method name can come from, a request can never name a method that is not in this table:

<?php

/*
 * Enable sessions
 */
session_start();

/*
 * Include necessary files
 */
include_once '../../../sys/config/db-cred.inc.php';

/*
 * Define constants for config info
 */
foreach ( $C as $name => $val )
{
    define($name, $val);
}

/*
 * Register the class autoloader before any object is created
 * (__autoload() was removed in PHP 8; spl_autoload_register() works on every version)
 */
spl_autoload_register(function ($class_name) {
    $filename = '../../../sys/class/class.'
        . strtolower($class_name) . '.inc.php';
    if ( file_exists($filename) )
    {
        include_once $filename;
    }
});

/*
 * Create a lookup array for form actions
 */
$actions = array(
        'event_edit' => array(
                'object' => 'Calendar',
                'method' => 'processForm',
                'header' => 'Location: ../../'
            ),
        'user_login' => array(
                'object' => 'Admin',
                'method' => 'processLoginForm',
                'header' => 'Location: ../../'
            ),
        // New element: routes the Log Out form to Admin::processLogout()
        'user_logout' => array(
                'object' => 'Admin',
                'method' => 'processLogout',
                'header' => 'Location: ../../'
            )
    );

/*
 * Make sure the anti-CSRF token was passed and that the
 * requested action exists in the lookup array. Both POST fields must be
 * strings (PHP turns token[]=x into an array), and the token is compared
 * with hash_equals() (PHP 5.6+) rather than ==, which is constant-time and
 * never treats two different numeric-looking strings as equal.
 */
if ( isset($_POST['token'], $_POST['action'], $_SESSION['token'])
        && is_string($_POST['token'])
        && is_string($_POST['action'])
        && hash_equals($_SESSION['token'], $_POST['token'])
        && isset($actions[$_POST['action']]) )
{
    $use_array = $actions[$_POST['action']];

    // No database handle is opened in this file; DB_Connect creates its own
    // PDO connection when it receives NULL
    $dbo = NULL;
    $obj = new $use_array['object']($dbo);

    // The braces make PHP call the method named in the lookup table
    // (PHP 7 changed how $obj->$arr['key']() is parsed)
    $msg = $obj->{$use_array['method']}();
    if ( TRUE === $msg )
    {
        header($use_array['header']);
        exit;
    }
    else
    {
        // If an error occurred, output it and end execution
        die ( $msg );
    }
}
else
{
    // Redirect to the main index if the token/action is invalid
    header("Location: ../../");
    exit;
}

?>


Save this file, then navigate to http://localhost/, and click the Log Out button at the bottom of the
calendar. Clicking this button causes the message below the calendar to now read, “Logged Out!” (see
Figure 6-8).

Figure 6-8. Clicking the Log Out button removes the user data from the session
■ Note Now that you know the login is working, remove the Logged In!/Logged Out! message logic and the
paragraph tags that enclose it from index.php.
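The token-and-whitelist dispatch that process.inc.php performs, as an added example that is not part of the book's code: the decision is factored into a function that returns its outcome instead of calling header()/exit, a stub Admin class stands in for the real one, and several constructed POST bodies are run through it from the command line. The function name dispatch_action, the stub class, the session token value and the request bodies are all assumptions made for this example; hash_equals() requires PHP 5.6 or later.

```php
<?php
/*
 * Added example (not from the book). Everything below is constructed
 * in-file so the script runs with `php dispatch_demo.php` and no browser
 * or database.
 */

/* Stand-in for the book's Admin class: TRUE on success, an error string otherwise */
class Admin
{
    public function __construct($dbo = NULL) {}

    public function processLogout()
    {
        return TRUE;
    }

    public function processLoginForm()
    {
        return 'Login failed: invalid credentials.';
    }

    /* Not in the lookup table, so dispatch must never be able to reach it */
    public function deleteEveryUser()
    {
        return TRUE;
    }
}

/* Same shape as the $actions array in process.inc.php */
$actions = array(
    'user_login'  => array('object' => 'Admin', 'method' => 'processLoginForm', 'header' => 'Location: ../../'),
    'user_logout' => array('object' => 'Admin', 'method' => 'processLogout',    'header' => 'Location: ../../'),
);

/*
 * Returns array('redirect', $header), array('error', $msg) or
 * array('reject', $reason), mirroring the three outcomes of process.inc.php.
 */
function dispatch_action(array $post, array $session, array $actions)
{
    // Every field must exist and be a string: PHP turns name[]=x into an array
    if ( !isset($post['token'], $post['action'], $session['token'])
         || !is_string($post['token']) || !is_string($post['action']) )
    {
        return array('reject', 'missing or malformed token/action');
    }

    // Constant-time comparison; == would also accept numeric-string lookalikes
    if ( !hash_equals($session['token'], $post['token']) )
    {
        return array('reject', 'bad anti-CSRF token');
    }

    // The action name only selects a table entry; it is never used as a method name
    if ( !isset($actions[$post['action']]) )
    {
        return array('reject', 'unknown action ' . $post['action']);
    }

    $use_array = $actions[$post['action']];
    $class = $use_array['object'];
    $obj = new $class(NULL);
    $msg = $obj->{$use_array['method']}();

    if ( TRUE === $msg )
    {
        return array('redirect', $use_array['header']);
    }
    return array('error', $msg);
}

/* Constructed session and requests; the token is what init.inc.php would have stored */
$session = array('token' => 'd41d8cd98f00b204e9800998ecf8427e');

$cases = array(
    'valid logout'        => array('token' => $session['token'], 'action' => 'user_logout'),
    'handler error'       => array('token' => $session['token'], 'action' => 'user_login'),
    'wrong token'         => array('token' => 'ffffffffffffffffffffffffffffffff', 'action' => 'user_logout'),
    'token sent as array' => array('token' => array('x'), 'action' => 'user_logout'),
    'method not in table' => array('token' => $session['token'], 'action' => 'deleteEveryUser'),
    'no token at all'     => array('action' => 'user_logout'),
);

foreach ( $cases as $label => $post )
{
    list($outcome, $detail) = dispatch_action($post, $session, $actions);
    printf("%-20s -> %-8s %s\n", $label, $outcome, $detail);
}
```

Only the first request reaches the redirect; the second reaches the handler but surfaces its error string, and the remaining four are rejected before any object is created. The last case is the one the table-driven design is for: deleteEveryUser exists on the class, but because the POST field only ever selects a whitelist entry, there is no request that can invoke it.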
Displaying Admin Tools Only to Administrators
Your users can log in and log out; the last steps you need to take are to make sure that all actions and
options that require administrative access are only shown to users who are logged in.
Showing Admin Options to Administrators
The buttons for adding and editing events should not be displayed unless a user is logged in. To perform
this check, you need to modify both the _adminGeneralOptions() and _adminEntryOptions() methods in
the Calendar class.
Modifying the General Admin Options Method
Now let’s take a look at the calendar’s general options. If the user is logged in, you want to show her the
options to create a new entry and to log out.
However, if the user is logged out, she should see a link to log in. Perform this check by wrapping the
existing markup in the _adminGeneralOptions() method of the Calendar class in an isset($_SESSION['user']) test, as
shown here. Note that the Log Out form carries the anti-CSRF token as a hidden field, so process.inc.php will not
log the user out in response to a form submitted from another site:

<?php

class Calendar extends DB_Connect
{

    private $_useDate;

    private $_m;

    private $_y;

    private $_daysInMonth;

    private $_startDay;

    public function __construct($dbo=NULL, $useDate=NULL) { }

    public function buildCalendar() { }

    public function displayForm() { }

    public function processForm() { }

    public function confirmDelete($id) { }

    private function _loadEventData($id=NULL) { }

    private function _createEventObj() { }

    private function _loadEventById($id) { }

    private function _adminGeneralOptions()
    {
        /*
         * If the user is logged in, display admin controls
         */
        if ( isset($_SESSION['user']) )
        {
            return <<<ADMIN_OPTIONS

    <a href="admin.php" class="admin">+ Add a New Event</a>
    <form action="assets/inc/process.inc.php" method="post">
        <div>
            <input type="submit" value="Log Out" class="admin" />
            <!-- The anti-CSRF token is required by process.inc.php -->
            <input type="hidden" name="token"
                  value="$_SESSION[token]" />
            <input type="hidden" name="action"
                  value="user_logout" />
        </div>
    </form>
ADMIN_OPTIONS;
        }
        else
        {
            return <<<ADMIN_OPTIONS

    <a href="login.php">Log In</a>
ADMIN_OPTIONS;
        }
    }

    private function _adminEntryOptions($id) { }

}

?>

After saving the changes, reload http://localhost/ while logged out to see the administrative
options replaced with a simple Log In link (see Figure 6-9).

Figure 6-9. While a user is logged out, only a Log In link is displayed
Modifying the Event Options Method
Next, you want to add code that keeps the Edit and Delete controls for an event from being shown to
unauthorized users; you do this by modifying _adminEntryOptions() in the Calendar class as shown here:

<?php

class Calendar extends DB_Connect
{

    private $_useDate;

    private $_m;

    private $_y;

    private $_daysInMonth;

    private $_startDay;

    public function __construct($dbo=NULL, $useDate=NULL) { }

    public function buildCalendar() { }

    public function displayForm() { }

    public function processForm() { }

    public function confirmDelete($id) { }

    private function _loadEventData($id=NULL) { }

    private function _createEventObj() { }

    private function _loadEventById($id) { }

    private function _adminGeneralOptions() { }

    private function _adminEntryOptions($id)
    {
        /*
         * Only a logged-in user gets the Edit/Delete forms
         */
        if ( isset($_SESSION['user']) )
        {
            return <<<ADMIN_OPTIONS

    <div class="admin-options">

    <form action="admin.php" method="post">
        <p>
            <input type="submit" name="edit_event"
                  value="Edit This Event" />
            <input type="hidden" name="event_id"
                  value="$id" />
        </p>
    </form>
    <form action="confirmdelete.php" method="post">
        <p>
            <input type="submit" name="delete_event"
                  value="Delete This Event" />
            <input type="hidden" name="event_id"
                  value="$id" />
        </p>
    </form>
    </div><!-- end .admin-options -->
ADMIN_OPTIONS;
        }
        else
        {
            return NULL;
        }
    }

}

?>

After inserting these changes, navigate to http://localhost/ while logged out and click an event to
bring up its full view; the administrative options will not be displayed (see Figure 6-10).


Figure 6-10. The full event view while logged out
Limiting Access to Administrative Pages
Hiding the controls only tidies the interface: a logged-out user can still type http://localhost/admin.php
or post an event_id to confirmdelete.php directly. Any page that only authorized users should reach, such as
the event creation/editing form, must therefore check for a valid login itself before doing anything else.
Disallowing Access to the Event Creation Form Without Login
You can keep a mischievous user from reaching the event creation form while logged out by adding a
simple check to the top of the file. If the user is not logged in, he is redirected to the main calendar view
and the script exits before any of the form is output.
To implement this change, open admin.php and insert the session check shown after the include:

<?php

/*
 * Include necessary files
 */
include_once '../sys/core/init.inc.php';

/*
 * If the user is not logged in, send them to the main file
 */
if ( !isset($_SESSION['user']) )
{
    header("Location: ./");
    exit;
}

/*
 * Output the header
 */
$page_title = "Add/Edit Event";
$css_files = array("style.css", "admin.css");
include_once 'assets/common/header.inc.php';

/*
 * Load the calendar
 */
$cal = new Calendar($dbo);

?>

<div id="content">
    <?php echo $cal->displayForm(); ?>
</div><!-- end #content -->

<?php

/*
 * Output the footer
 */
include_once 'assets/common/footer.inc.php';

?>

After saving this file, attempt to navigate to http://localhost/admin.php while logged out. You’ll
automatically be sent to http://localhost/.
Ensuring Only Logged In Users Can Delete Events
Also, to keep unauthorized users from deleting events, insert a check for a valid user session in the
confirmdelete.php file:

<?php

/*
 * Enable sessions
 */
session_start();

/*
 * Make sure an event ID was passed and the user is logged in
 */
if ( isset($_POST['event_id']) && isset($_SESSION['user']) )
{
    /*
     * Collect the event ID from the POST data (the Delete This Event
     * form submits it as a hidden field)
     */
    $id = (int) $_POST['event_id'];
}
else
{
    /*
     * Send the user to the main page if no ID is supplied
     * or the user is not logged in
     */
    header("Location: ./");
    exit;
}

/*
 * Include necessary files
 */
include_once '../sys/core/init.inc.php';

/*
 * Load the calendar
 */
$cal = new Calendar($dbo);
$markup = $cal->confirmDelete($id);

/*
 * Output the header
 */
$page_title = "View Event";
$css_files = array("style.css", "admin.css");
include_once 'assets/common/header.inc.php';

?>

<div id="content">

    <?php echo $markup; ?>

</div><!-- end #content -->

<?php

/*
 * Output the footer
 */
include_once 'assets/common/footer.inc.php';

?>
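The per-page check that admin.php and confirmdelete.php perform, as an added example that is not part of the book's code: the login test and the event-ID handling are pulled into one function that returns its decision instead of redirecting, then driven with constructed sessions and POST bodies from the command line. It goes one step beyond the page by validating event_id with filter_var() instead of an (int) cast, so a value like "7abc" or "0" is refused rather than silently turned into a number. The function name authorize_page, the contents of $_SESSION['user'] and the request bodies are assumptions made for this example.

```php
<?php
/*
 * Added example (not from the book). Runs with `php guard_demo.php`; no
 * database or browser is needed because the session and requests are
 * constructed below.
 */

/*
 * Returns array('allow', $event_id_or_null) or array('redirect', './').
 * $requires_event_id is TRUE for confirmdelete.php and FALSE for admin.php.
 */
function authorize_page(array $session, array $post, $requires_event_id)
{
    // Hiding the buttons in _adminEntryOptions() is cosmetic; this is the
    // check that actually stops a logged-out visitor who requests the page directly
    if ( !isset($session['user']) )
    {
        return array('redirect', './');
    }

    if ( !$requires_event_id )
    {
        return array('allow', NULL);
    }

    // Accept only a positive integer. A plain (int) cast would turn "7abc"
    // into 7 and "abc" into 0 instead of refusing them.
    $id = ( isset($post['event_id']) && is_string($post['event_id']) )
        ? filter_var($post['event_id'], FILTER_VALIDATE_INT,
                     array('options' => array('min_range' => 1)))
        : FALSE;

    if ( FALSE === $id )
    {
        return array('redirect', './');
    }

    return array('allow', $id);
}

/* Constructed sessions: the shape of $_SESSION['user'] is assumed, only its presence matters here */
$logged_in  = array('user' => array('id' => 1, 'admin' => 1));
$logged_out = array();

/* Constructed requests: (session, POST body, page needs an event ID?) */
$cases = array(
    'admin.php, logged out'        => array($logged_out, array(), FALSE),
    'admin.php, logged in'         => array($logged_in,  array(), FALSE),
    'delete, logged out, id 7'     => array($logged_out, array('event_id' => '7'), TRUE),
    'delete, logged in, id 7'      => array($logged_in,  array('event_id' => '7'), TRUE),
    'delete, logged in, id "7abc"' => array($logged_in,  array('event_id' => '7abc'), TRUE),
    'delete, logged in, id 0'      => array($logged_in,  array('event_id' => '0'), TRUE),
    'delete, logged in, no id'     => array($logged_in,  array(), TRUE),
);

foreach ( $cases as $label => $args )
{
    list($outcome, $detail) = call_user_func_array('authorize_page', $args);
    printf("%-30s -> %-8s %s\n", $label, $outcome, var_export($detail, TRUE));
}
```

Only the second and fourth cases are allowed; every request without a session is redirected regardless of what it posts, and a session alone is not enough when the event ID is missing, zero or not purely numeric. In the real pages the 'redirect' branch is where header("Location: ./") and exit go, and exit is what makes the check effective: a Location header without it still lets the rest of the script run and emit the protected markup.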