You can use sessions to keep track of which users are authorized to view administrative links on your blog. A session allows the user to log in once, then navigate anywhere on the site without losing his administrative privileges.
Your first task is to wrap all administrative links in an if block that checks whether a session variable is set for the current user. Call your session variable loggedin and store it as $_SESSION['loggedin'].
Your next task is to hide all the admin links in index.php from unauthorized users. You need to enable sessions, which you can accomplish in a couple of steps: call session_start(), then wrap all the admin links in your check for the $_SESSION['loggedin'] variable. Now modify index.php as shown below; the session_start() call and the two $_SESSION['loggedin'] checks are the additions:
<?php

session_start();

/*
 * Include the necessary files
 */
include_once 'inc/functions.inc.php';
include_once 'inc/db.inc.php';

// Open a database connection
$db = new PDO(DB_INFO, DB_USER, DB_PASS);

// Figure out what page is being requested (default is blog)
if(isset($_GET['page']))
{
    $page = htmlentities(strip_tags($_GET['page']));
}
else
{
    $page = 'blog';
}

// Determine if an entry URL was passed
$url = (isset($_GET['url'])) ? $_GET['url'] : NULL;

// Load the entries
$e = retrieveEntries($db, $page, $url);

// Get the fulldisp flag and remove it from the array
$fulldisp = array_pop($e);

// Sanitize the entry data
$e = sanitizeData($e);

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
    <link rel="stylesheet" href="/simple_blog/css/default.css" type="text/css" />
    <link rel="alternate" type="application/rss+xml"
        title="My Simple Blog - RSS 2.0"
        href="http://localhost/simple_blog/feeds/rss.xml" />
    <title> Simple Blog </title>
</head>

<body>
    <h1> Simple Blog Application </h1>
    <ul id="menu">
        <li><a href="/simple_blog/blog/">Blog</a></li>
        <li><a href="/simple_blog/about/">About the Author</a></li>
    </ul>
    <div id="entries">
<?php

// If the full display flag is set, show the entry
if($fulldisp==1)
{
    // Get the URL if one wasn't passed
    $url = (isset($url)) ? $url : $e['url'];

    if(isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == 1)
    {
        // Build the admin links
        $admin = adminLinks($page, $url);
    }
    else
    {
        $admin = array('edit'=>NULL, 'delete'=>NULL);
    }

    // Format the image if one exists
    $img = formatImage($e['image'], $e['title']);

    if($page=='blog')
    {
        // Load the comment object
        include_once 'inc/comments.inc.php';
        $comments = new Comments();
        $comment_disp = $comments->showComments($e['id']);
        $comment_form = $comments->showCommentForm($e['id']);
    }
    else
    {
        $comment_form = NULL;
    }

?>
        <h2> <?php echo $e['title'] ?> </h2>
        <p> <?php echo $img, $e['entry'] ?> </p>
        <p>
            <?php echo $admin['edit'] ?>
            <?php if($page=='blog') echo $admin['delete'] ?>
        </p>
<?php if($page=='blog'): ?>
        <p class="backlink">
            <a href="./">Back to Latest Entries</a>
        </p>
        <h3> Comments for This Entry </h3>
<?php echo $comment_disp, $comment_form; endif; ?>
<?php

} // End the if statement

// If the full display flag is 0, format linked entry titles
else
{
    // Loop through each entry
    foreach($e as $entry)
    {

?>
        <p>
            <a href="/simple_blog/<?php echo $entry['page'] ?>/<?php echo $entry['url'] ?>">
                <?php echo $entry['title'] ?>
            </a>
        </p>
<?php

    } // End the foreach loop
} // End the else

?>
        <p class="backlink">
<?php if($page=='blog' && isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == 1): ?>
            <a href="/simple_blog/admin/<?php echo $page ?>">
                Post a New Entry
            </a>
<?php endif; ?>
        </p>
        <p>
            <a href="/simple_blog/feeds/rss.xml">
                Subscribe via RSS!
            </a>
        </p>
    </div>
</body>
</html>
When you navigate to http://localhost/simple_blog/ in your browser, the admin links no longer appear (see Figure 11-3).
Next, you want to hide the delete link from unauthorized users on any posted comments. You can do this by modifying the Comments class in comments.inc.php.
The only method you need to modify in the Comments class is showComments(). Add your session check to showComments() as shown below; the $_SESSION['loggedin'] check around the delete link is the addition:
// Generates HTML markup for displaying comments
public function showComments($blog_id)
{
    // Initialize the variable in case no comments exist
    $display = NULL;

    // Load the comments for the entry
    $this->retrieveComments($blog_id);

    // Loop through the stored comments
    foreach($this->comments as $c)
    {
        // Prevent empty fields if no comments exist
        if(!empty($c['date']) && !empty($c['name']))
        {
            // Outputs similar to: July 8, 2009 at 4:39PM
            // (the backslashes make date() print the letters "a" and "t" literally)
            $format = "F j, Y \a\\t g:iA";

            // Convert $c['date'] to a timestamp, then format
            $date = date($format, strtotime($c['date']));

            // Generate a byline for the comment
            $byline = "<span><strong>$c[name]</strong> [Posted on $date]</span>";

            if(isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == 1)
            {
                // Generate delete link for the comment display
                $admin = "<a href=\"/simple_blog/inc/update.inc.php"
                    . "?action=comment_delete&id=$c[id]\""
                    . " class=\"admin\">delete</a>";
            }
            else
            {
                $admin = NULL;
            }
        }
        else
        {
            // If no comments exist, set $byline & $admin to NULL
            $byline = NULL;
            $admin = NULL;
        }

        // Assemble the pieces into a formatted comment
        $display .= "
        <p class=\"comment\">$byline$c[comment]$admin</p>";
    }

    // Return all the formatted comments as a string
    return $display;
}
Now you can navigate to an entry with a comment in your blog to see that the delete link is no longer visible (see Figure 11-4).
None of the actions performed by this page should be available to unauthorized users, so you want to require authorization before any of the functionality of admin.php can be accessed. Doing this is as simple as wrapping the entire page in a conditional statement.
Modify admin.php as shown below; the session_start() call, the opening if(...): check and the closing endif; are the additions:
<?php

session_start();

// If the user is logged in, we can continue
if(isset($_SESSION['loggedin']) && $_SESSION['loggedin']==1):

/*
 * Include the necessary files
 */
include_once 'inc/functions.inc.php';
include_once 'inc/db.inc.php';

// Open a database connection
$db = new PDO(DB_INFO, DB_USER, DB_PASS);

if(isset($_GET['page']))
{
    $page = htmlentities(strip_tags($_GET['page']));
}
else
{
    $page = 'blog';
}

if(isset($_POST['action']) && $_POST['action'] == 'delete')
{
    if($_POST['submit'] == 'Yes')
    {
        $url = htmlentities(strip_tags($_POST['url']));
        if(deleteEntry($db, $url))
        {
            header("Location: /simple_blog/");
            exit;
        }
        else
        {
            exit("Error deleting the entry!");
        }
    }
    else
    {
        // Deletion was cancelled; send the user back to the entry
        header("Location: /simple_blog/blog/$_POST[url]");
        exit;
    }
}

if(isset($_GET['url']))
{
    $url = htmlentities(strip_tags($_GET['url']));

    // Check if the entry should be deleted
    if($page == 'delete')
    {
        $confirm = confirmDelete($db, $url);
    }

    // Set the legend of the form
    $legend = "Edit This Entry";

    $e = retrieveEntries($db, $page, $url);
    $id = $e['id'];
    $title = $e['title'];
    $img = $e['image'];
    $entry = $e['entry'];
}
else
{
    // Check if we're creating a new user
    if($page == 'createuser')
    {
        $create = createUserForm();
    }

    // Set the legend
    $legend = "New Entry Submission";

    // Set the variables to null if not editing
    $id = NULL;
    $title = NULL;
    $img = NULL;
    $entry = NULL;
}

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
    <link rel="stylesheet" href="/simple_blog/css/default.css" type="text/css" />
    <title> Simple Blog </title>
</head>

<body>
    <h1> Simple Blog Application </h1>
<?php

if($page == 'delete'):
    echo $confirm;
elseif($page == 'createuser'):
    echo $create;
else:

?>
    <form method="post" action="/simple_blog/inc/update.inc.php"
        enctype="multipart/form-data">
        <fieldset>
            <legend><?php echo $legend ?></legend>
            <label>Title
                <input type="text" name="title" maxlength="150"
                    value="<?php echo $title ?>" />
            </label>
            <label>Image
                <input type="file" name="image" />
            </label>
            <label>Entry
                <textarea name="entry" cols="45" rows="10"><?php echo $entry ?></textarea>
            </label>
            <input type="hidden" name="id" value="<?php echo $id ?>" />
            <input type="hidden" name="page" value="<?php echo $page ?>" />
            <input type="submit" name="submit" value="Save Entry" />
            <input type="submit" name="submit" value="Cancel" />
        </fieldset>
    </form>
<?php endif; ?>
</body>
</html>
<?php endif; // Ends the section available to logged in users ?>
At this point, you've barred anyone who isn't logged in from seeing administrative links and performing administrative tasks such as creating, editing, and deleting entries.
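As an added example that is not part of the chapter's own code: a small include (hypothetical name inc/auth.inc.php) that puts the $_SESSION['loggedin'] check repeated in index.php, comments.inc.php and admin.php in one place, sets safer session cookie flags, regenerates the session ID when the login flag is set, and sends an unauthorized visitor to a login page (hypothetical /simple_blog/login.php) instead of rendering a blank page. Hiding a link is not enforcement, so inc/update.inc.php, which the entry form and the comment delete link send their requests to, needs the same requireLogin() call at its top.

```php
<?php
// inc/auth.inc.php (hypothetical): shared session and authorization helpers.
// The array form of session_set_cookie_params() needs PHP 7.3 or later.

// Start the session once, with cookie flags that reduce cookie theft and replay.
function startSecureSession()
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    $https = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'lifetime' => 0,        // discarded when the browser closes
        'path'     => '/',
        'secure'   => $https,   // sent only over HTTPS once the site has it
        'httponly' => true,     // not readable from document.cookie
        'samesite' => 'Lax',    // not sent on cross-site POSTs such as a forged delete
    ]);
    session_start();
}

// The check repeated in index.php, comments.inc.php and admin.php, in one place.
function isLoggedIn()
{
    return isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == 1;
}

// Call from the login code after the password has been verified. A fresh ID
// prevents a session ID fixed before login from becoming an admin session.
function markLoggedIn()
{
    startSecureSession();
    session_regenerate_id(true);
    $_SESSION['loggedin'] = 1;
}

// Put at the top of admin.php and inc/update.inc.php, before any other work.
// Unlike wrapping the page in an if block, this ends the request explicitly.
function requireLogin($loginUrl = '/simple_blog/login.php')
{
    startSecureSession();
    if (isLoggedIn()) {
        return;
    }
    header('Location: ' . $loginUrl);
    exit;
}

// Usage in admin.php, replacing the if(...): ... endif; wrapper:
//   require_once 'inc/auth.inc.php';
//   requireLogin();
```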