CHAPTER 6 ■ PASSWORD PROTECTION SENSITIVE ACTIONS AND AREAS 221

Modifying the App to Handle the User Logout

The last step you need to take before users can successfully log out is to add another array element to the $actions array in process.inc.php. Insert the following bold code into process.inc.php to complete the logout process:

<?php

/*
 * Enable sessions
 */
session_start();

/*
 * Include necessary files
 */
include_once '../../../sys/config/db-cred.inc.php';

/*
 * Define constants for config info
 */
foreach ( $C as $name => $val )
{
    define($name, $val);
}

/*
 * Register the class autoloader before any class is instantiated.
 * (__autoload() was removed in PHP 8; spl_autoload_register() is the
 * supported replacement and is available from PHP 5.1 on.)
 */
spl_autoload_register(function ($class_name) {
    $filename = '../../../sys/class/class.'
        . strtolower($class_name) . '.inc.php';
    if ( file_exists($filename) )
    {
        include_once $filename;
    }
});

/*
 * Create a lookup array for form actions
 */
$actions = array(
    'event_edit' => array(
        'object' => 'Calendar',
        'method' => 'processForm',
        'header' => 'Location: ../../'
    ),
    'user_login' => array(
        'object' => 'Admin',
        'method' => 'processLoginForm',
        'header' => 'Location: ../../'
    ),
    'user_logout' => array(
        'object' => 'Admin',
        'method' => 'processLogout',
        'header' => 'Location: ../../'
    )
);

/*
 * Make sure the anti-CSRF token was passed and that the
 * requested action exists in the lookup array
 */
if ( $_POST['token']==$_SESSION['token']
    && isset($actions[$_POST['action']]) )
{
    $use_array = $actions[$_POST['action']];
    $obj = new $use_array['object']($dbo);

    // The braces are required on PHP 7+, where $obj->$a['b']() is
    // parsed as ($obj->$a)['b']() instead of $obj->{$a['b']}()
    if ( TRUE === $msg=$obj->{$use_array['method']}() )
    {
        header($use_array['header']);
        exit;
    }
    else
    {
        // If an error occurred, output it and end execution
        die ( $msg );
    }
}
else
{
    // Redirect to the main index if the token/action is invalid
    header("Location: ../../");
    exit;
}

?>

Save this file, then navigate to http://localhost/, and click the Log Out button at the bottom of the calendar. Clicking this button causes the message below the calendar to now read, “Logged Out!” (see Figure 6-8).
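The dispatcher above accepts the request when the posted token loosely equals the session token and the action name is a key of $actions. The following is an added example, not code from the book or the calendar project, showing the same lookup-array pattern with a stricter request check: both tokens must be present and be strings, they are compared with hash_equals() (a strict, constant-time comparison, so PHP's loose == rules never apply), and the action name must be a string before it is used as an array key. The Admin stub, the $actions map and the two sample requests are constructed here so the file runs on its own from the command line; the function names resolveAction() and runAction() are assumptions.

```php
<?php
// Added example, not the book's code: a hardened version of the
// process.inc.php dispatch. Admin, $actions and the sample requests
// are constructed inline so the script runs offline.
declare(strict_types=1);

/* Stand-in for the book's Admin class (constructed for this example). */
class Admin
{
    public function __construct($dbo = null) {}

    public function processLogout()
    {
        unset($_SESSION['user']);
        return true;
    }
}

/* Lookup array with the same shape as the book's $actions. */
$actions = [
    'user_logout' => [
        'object' => 'Admin',
        'method' => 'processLogout',
        'header' => 'Location: ../../',
    ],
];

/**
 * Validate the request and return the allowlisted action entry, or null.
 *
 * Differences from the page's check:
 *  - token and action must be present and be plain strings;
 *  - hash_equals() performs a strict comparison in constant time, so
 *    loose == (where "0e1" == "0e2" is true) is never involved;
 *  - the class and method names come only from $actions, never from POST.
 */
function resolveAction(array $post, array $session, array $actions): ?array
{
    if (!isset($post['token'], $post['action'], $session['token'])) {
        return null;
    }
    if (!is_string($post['token']) || !is_string($post['action'])
        || !is_string($session['token'])) {
        return null;
    }
    if (!hash_equals($session['token'], $post['token'])) {
        return null;
    }
    return $actions[$post['action']] ?? null;
}

/* Run a resolved entry; returns the redirect header or the error message. */
function runAction(array $entry, $dbo = null): string
{
    $obj = new $entry['object']($dbo);
    $msg = $obj->{$entry['method']}();
    return $msg === true ? $entry['header'] : (string) $msg;
}

/* Constructed session and requests: one valid, one with a forged token. */
$_SESSION = ['token' => 'a3f1c9d2', 'user' => ['id' => 1]];
$good = ['token' => 'a3f1c9d2', 'action' => 'user_logout'];
$bad  = ['token' => '0',        'action' => 'user_logout'];

$entry = resolveAction($good, $_SESSION, $actions);
echo 'valid request: ', $entry ? runAction($entry) : 'rejected', PHP_EOL;

$entry = resolveAction($bad, $_SESSION, $actions);
echo 'forged token:  ', $entry ? runAction($entry) : 'rejected', PHP_EOL;
```

In the real process.inc.php the two checks would replace the if condition shown in bold above; everything else in the file, including the $actions allowlist, stays as it is.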
Figure 6-8. Clicking the Log Out button removes the user data from the session

■ Note Now that you know the login is working, remove the Logged In!/Logged Out! message logic and the paragraph tags that enclose it from index.php.

Displaying Admin Tools Only to Administrators

Your users can log in and log out; the last steps you need to take are to make sure that all actions and options that require administrative access are only shown to users who are logged in.

Showing Admin Options to Administrators

The buttons for adding and editing events should not be displayed unless a user is logged in. To perform this check, you need to modify both the _adminGeneralOptions() and _adminEntryOptions() methods in the Calendar class.

Modifying the General Admin Options Method

Now let’s take a look at the calendar’s general options. If the user is logged in, you want to show her the options to create a new entry and to log out. However, if the user is logged out, she should see a link to log in.
Perform this check by making the modifications shown in bold to the _adminGeneralOptions() method in the Calendar class:

<?php

class Calendar extends DB_Connect
{

    private $_useDate;
    private $_m;
    private $_y;
    private $_daysInMonth;
    private $_startDay;

    public function __construct($dbo=NULL, $useDate=NULL) { /* unchanged */ }
    public function buildCalendar() { /* unchanged */ }
    public function displayForm() { /* unchanged */ }
    public function processForm() { /* unchanged */ }
    public function confirmDelete($id) { /* unchanged */ }
    private function _loadEventData($id=NULL) { /* unchanged */ }
    private function _createEventObj() { /* unchanged */ }
    private function _loadEventById($id) { /* unchanged */ }

    private function _adminGeneralOptions()
    {
        /*
         * If the user is logged in, display admin controls
         */
        if ( isset($_SESSION['user']) )
        {
            return <<<ADMIN_OPTIONS
    <a href="admin.php" class="admin">+ Add a New Event</a>
    <form action="assets/inc/process.inc.php" method="post">
        <div>
            <input type="submit" value="Log Out" class="admin" />
            <input type="hidden" name="token" value="$_SESSION[token]" />
            <input type="hidden" name="action" value="user_logout" />
        </div>
    </form>
ADMIN_OPTIONS;
        }
        else
        {
            return <<<ADMIN_OPTIONS
    <a href="login.php">Log In</a>
ADMIN_OPTIONS;
        }
    }

    private function _adminEntryOptions($id) { /* unchanged */ }

}

?>

After saving the changes, reload http://localhost/ while logged out to see the administrative options replaced with a simple Log In link (see Figure 6-9).

Figure 6-9. While a user is logged out, only a Log In link is displayed

Modifying the Event Options Method

Next, you want to add code to prevent the editing and deletion of events by unauthorized users; you do this by modifying _adminEntryOptions() in the Calendar class with the following bold code:

<?php

class Calendar extends DB_Connect
{

    private $_useDate;
    private $_m;
    private $_y;
    private $_daysInMonth;
    private $_startDay;

    public function __construct($dbo=NULL, $useDate=NULL) { /* unchanged */ }
    public function buildCalendar() { /* unchanged */ }
    public function displayForm() { /* unchanged */ }
    public function processForm() { /* unchanged */ }
    public function confirmDelete($id) { /* unchanged */ }
    private function _loadEventData($id=NULL) { /* unchanged */ }
    private function _createEventObj() { /* unchanged */ }
    private function _loadEventById($id) { /* unchanged */ }
    private function _adminGeneralOptions() { /* unchanged */ }

    private function _adminEntryOptions($id)
    {
        if ( isset($_SESSION['user']) )
        {
            return <<<ADMIN_OPTIONS
    <div class="admin-options">
    <form action="admin.php" method="post">
        <p>
            <input type="submit" name="edit_event"
                  value="Edit This Event" />
            <input type="hidden" name="event_id" value="$id" />
        </p>
    </form>
    <form action="confirmdelete.php" method="post">
        <p>
            <input type="submit" name="delete_event"
                  value="Delete This Event" />
            <input type="hidden" name="event_id" value="$id" />
        </p>
    </form>
    </div><!-- end .admin-options -->
ADMIN_OPTIONS;
        }
        else
        {
            return NULL;
        }
    }

}

?>

After inserting these changes, navigate to http://localhost/ while logged out and click an event to bring up its full view; the administrative options will not be displayed (see Figure 6-10).

Figure 6-10. The full event view while logged out

Limiting Access to Administrative Pages

As an additional security precaution, you should ensure that any pages that only authorized users should have access to, such as the event creation/editing form, check for proper authorization before executing.
Disallowing Access to the Event Creation Form Without Login

You can prevent a mischievous user from finding the event creation form while logged out by performing a simple check that you add to the file. If the user is not logged in, he’ll be sent to the main calendar view before the script has the chance to execute. To implement this change, open admin.php and insert the code shown in bold:

<?php

/*
 * Include necessary files
 */
include_once '../sys/core/init.inc.php';

/*
 * If the user is not logged in, send them to the main file
 */
if ( !isset($_SESSION['user']) )
{
    header("Location: ./");
    exit;
}

/*
 * Output the header
 */
$page_title = "Add/Edit Event";
$css_files = array("style.css", "admin.css");
include_once 'assets/common/header.inc.php';

/*
 * Load the calendar
 */
$cal = new Calendar($dbo);

?>

<div id="content">
<?php echo $cal->displayForm(); ?>
</div><!-- end #content -->

<?php

/*
 * Output the footer
 */
include_once 'assets/common/footer.inc.php';

?>

After saving this file, attempt to navigate to http://localhost/admin.php while logged out. You’ll automatically be sent to http://localhost/.
Ensuring Only Logged In Users Can Delete Events

Also, to keep unauthorized users from deleting events, insert a check for a valid user session in the confirmdelete.php file:

<?php

/*
 * Enable sessions
 */
session_start();

/*
 * Make sure an event ID was passed and the user is logged in
 */
if ( isset($_POST['event_id']) && isset($_SESSION['user']) )
{
    /*
     * Collect the event ID from the posted form data
     */
    $id = (int) $_POST['event_id'];
}
else
{
    /*
     * Send the user to the main page if no ID is supplied
     * or the user is not logged in
     */
    header("Location: ./");
    exit;
}

/*
 * Include necessary files
 */
include_once '../sys/core/init.inc.php';

/*
 * Load the calendar
 */
$cal = new Calendar($dbo);
$markup = $cal->confirmDelete($id);

/*
 * Output the header
 */
$page_title = "View Event";
$css_files = array("style.css", "admin.css");
include_once 'assets/common/header.inc.php';

?>

<div id="content">
<?php echo $markup; ?>
</div><!-- end #content -->

<?php

/*
 * Output the footer
 */
include_once 'assets/common/footer.inc.php';

?>
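Both admin.php and confirmdelete.php now open with the same server-side test, isset($_SESSION['user']), and the confirm page additionally turns the posted event ID into an integer with a bare (int) cast. The following is an added example, not code from the book or the calendar project, that pulls that gate into one reusable helper and validates the event ID with filter_var() so that values such as "12abc" or "-1" are rejected instead of being silently cast to a number. It also makes the point behind the preceding sections explicit: hiding the buttons in _adminGeneralOptions() and _adminEntryOptions() only tidies the interface, while these checks are what actually protect the pages. The function names isLoggedIn(), requireLogin() and eventIdFromPost() and the constructed session array are assumptions; the script runs from the command line without a web server or database.

```php
<?php
// Added example, not the book's code: a reusable login gate and event-ID
// validator for admin.php and confirmdelete.php. Function names and the
// sample session data are constructed for this example.
declare(strict_types=1);

/**
 * Returns true when the session carries a logged-in user record.
 * This server-side check is the real protection; hiding the admin
 * buttons in the Calendar class only keeps the UI tidy.
 */
function isLoggedIn(array $session): bool
{
    return isset($session['user']) && is_array($session['user']);
}

/**
 * Redirect unauthenticated visitors to the main calendar and stop.
 * The redirect target is relative to the calling script, as in the book.
 */
function requireLogin(array $session, string $redirect = './'): void
{
    if (!isLoggedIn($session)) {
        header('Location: ' . $redirect);
        exit;
    }
}

/**
 * Validate a posted event ID. Returns the integer for a positive whole
 * number and null for anything else ("12abc", "-1", "", arrays), unlike
 * a bare (int) cast, which turns such input into 0 or 12 without complaint.
 */
function eventIdFromPost(array $post): ?int
{
    if (!isset($post['event_id']) || !is_scalar($post['event_id'])) {
        return null;
    }
    $id = filter_var(
        $post['event_id'],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $id === false ? null : $id;
}

/* Usage as it would appear at the top of confirmdelete.php. */
$session = ['user' => ['id' => 1, 'first_name' => 'Example']]; // constructed
requireLogin($session);

foreach (['12', '12abc', '-1', '0', ''] as $raw) {             // constructed inputs
    $id = eventIdFromPost(['event_id' => $raw]);
    printf("event_id %-6s -> %s\n", var_export($raw, true),
        $id === null ? 'rejected' : "accepted as $id");
}

/* With a session that has no user, requireLogin() redirects and exits. */
// requireLogin([]);
```

In the real files the two helpers would live in a shared include (for instance alongside init.inc.php) so that every administrative page calls requireLogin($_SESSION) first and confirmdelete.php replaces its (int) cast with eventIdFromPost($_POST), redirecting when the result is null.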