added session verification and admin check

2024-03-29 12:06:56 +05:30 · 2024-03-29 12:06:56 +05:30 · a834ee565c
commit a834ee565c
parent 78f117e7d7
13 changed files with 68 additions and 38 deletions
--- a/admin/add-category-logic.php
+++ b/admin/add-category-logic.php
@ -1,7 +1,11 @@
 <?php

 require 'config/database.php';
-
+if(!isset($_SESSION['user_is_admin'])){
+    header("location: " . ROOT_URL . "logout.php");
+    //destroy all sessions and redirect user to login page
+    session_destroy();
+}
 if(isset($_POST['submit'])){
    //get form data
    $title =filter_var($_POST['title'],FILTER_SANITIZE_FULL_SPECIAL_CHARS);
--- a/admin/add-category.php
+++ b/admin/add-category.php
@ -1,5 +1,10 @@
 <?php
 include "partials/header.php";
+if(!isset($_SESSION['user_is_admin'])){
+    header("location: " . ROOT_URL . "logout.php");
+    //destroy all sessions and redirect user to login page
+    session_destroy();
+}
 $title = $_SESSION["add-category-data"]['title'] ?? null;
 $description = $_SESSION["add-category-data"]['description'] ?? null;

--- a/admin/add-user-logic.php
+++ b/admin/add-user-logic.php
@ -1,7 +1,10 @@
 <?php
 require "config/database.php";
-session_start();
-
+if(!isset($_SESSION['user_is_admin'])){
+    header("location: " . ROOT_URL . "logout.php");
+    //destroy all sessions and redirect user to login page
+    session_destroy();
+}
 //get add-user form data if sbmit button is clicked

 if(isset($_POST["submit"])){
--- a/admin/add-user.php
+++ b/admin/add-user.php
@ -1,6 +1,10 @@
 <?php
 include "partials/header.php";
-
+if(!isset($_SESSION['user_is_admin'])){
+    header("location: " . ROOT_URL . "logout.php");
+    //destroy all sessions and redirect user to login page
+    session_destroy();
+}
 //get beck form DATA IF THERE IS A REGISTRATION ERROR
 $firstname=$_SESSION['add-user-data']['firstname'] ?? null;
 $lastname=$_SESSION['add-user-data']['lastname'] ?? null;
--- a/admin/config/constants.php
+++ b/admin/config/constants.php
@ -5,3 +5,10 @@ define('DB_HOST', 'localhost');
 define('DB_USER', 'underemployed');
 define('DB_PASS', 'admin1234');
 define('DB_NAME', 'blog');
+if (!isset($_SESSION['user-id'])) {
+    header("location: " . ROOT_URL . "logout.php");
+    //destroy all sessions and redirect user to login page
+    session_destroy();
+    die();
+    header("location: " . ROOT_URL . "signin.php");
+}
--- a/admin/delete-category.php
+++ b/admin/delete-category.php
@ -1,5 +1,10 @@
 <?php
 include "config/database.php";
+if(!isset($_SESSION['user_is_admin'])){
+    header("location: " . ROOT_URL . "logout.php");
+    //destroy all sessions and redirect user to login page
+    session_destroy();
+}
 if(isset($_GET['id'])){
    $id=filter_var($_GET['id'],FILTER_SANITIZE_NUMBER_INT);

--- a/admin/edit-category-logic.php
+++ b/admin/edit-category-logic.php
@ -1,6 +1,10 @@
 <?php
 require "config/database.php";
-
+if(!isset($_SESSION['user_is_admin'])){
+    header("location: " . ROOT_URL . "logout.php");
+    //destroy all sessions and redirect user to login page
+    session_destroy();
+}
 if(isset($_POST['submit'])){    
    $id = filter_var($_POST['id'], FILTER_SANITIZE_NUMBER_INT);
    $title=filter_var($_POST['title'],FILTER_SANITIZE_FULL_SPECIAL_CHARS);
--- a/admin/edit-category.php
+++ b/admin/edit-category.php
@ -1,5 +1,10 @@
 <?php
 include "partials/header.php";
+if(!isset($_SESSION['user_is_admin'])){
+    header("location: " . ROOT_URL . "logout.php");
+    //destroy all sessions and redirect user to login page
+    session_destroy();
+}
 if(isset($_GET['id'])){
    $id=filter_var($_GET['id'],FILTER_SANITIZE_NUMBER_INT);

--- a/admin/edit-post-logic.php
+++ b/admin/edit-post-logic.php
@ -1,5 +1,6 @@
 <?php
 require 'config/database.php';
+
 if(isset($_POST['submit'])){
    $id=filter_var($_POST['id'],FILTER_SANITIZE_NUMBER_INT);
    $is_featured=filter_var($_POST['is_featured'],FILTER_SANITIZE_NUMBER_INT);
--- a/admin/manage-categories.php
+++ b/admin/manage-categories.php
@ -1,6 +1,10 @@
 <?php
 include "partials/header.php";
-
+if(!isset($_SESSION['user_is_admin'])){
+    header("location: " . ROOT_URL . "logout.php");
+    //destroy all sessions and redirect user to login page
+    session_destroy();
+}
 //fetch categories from database
 $query = "SELECT * FROM categories ORDER BY title";
 $categories=mysqli_query($connection,$query)
--- a/admin/manage-users.php
+++ b/admin/manage-users.php
@ -3,7 +3,11 @@ include "partials/header.php";


 $current_admin_id = $_SESSION['user-id'];
-
+if(!isset($_SESSION['user_is_admin'])){
+    header("location: " . ROOT_URL . "logout.php");
+    //destroy all sessions and redirect user to login page
+    session_destroy();
+}
 $query="SELECT id,firstname,lastname,username,is_admin FROM users WHERE NOT id='$current_admin_id'";
 $users=mysqli_query($connection,$query);
 ?>
--- a/signin-logic.php
+++ b/signin-logic.php
@ -60,3 +60,4 @@ if(isset($_POST['submit'])){
    header('location: ' . ROOT_URL . "signin.php");
    die();
 }
+// error_log();
--- a/signin.php
+++ b/signin.php
@ -1,11 +1,10 @@
 <?php
 include 'config/constants.php';

-$username_email = $_SESSION['signin-data']['username_email'] ??null ;
-$password = $_SESSION['signin-data']['password'] ??  null;
+$username_email = $_SESSION['signin-data']['username_email'] ?? null;
+$password = $_SESSION['signin-data']['password'] ?? null;

 unset($_SESSION['signin-data']);
-
 ?>
 <!DOCTYPE html>
 <html lang="en">
@ -22,10 +21,7 @@ unset($_SESSION['signin-data']);
    <link href="https://fonts.googleapis.com/css2?family=Montserrat:ital,wght@0,300;0,400;0,500;0,600;0,800;1,700&display=swap" rel="stylesheet"> 
 </head>
 <body>
-
-
 <section class="form__section">
-
    <div class="container form__section-container">
        <h2>Sign In</h2> 
        <?php
@ -37,36 +33,23 @@ unset($_SESSION['signin-data']);
                unset($_SESSION['signup-success']);
                ?>
            </p>
-            
            </div>
-        
-        
-        
        <?php elseif(isset($_SESSION['signin'])): ?>
-        
-        <div class="alert__message error">
-            <p>
-                <?=$_SESSION['signin'];
-                unset($_SESSION['signin']); 
-                ?>
-            </p>
-        </div>
-
-        <?php endif ?>
-
-
-
+            <div class="alert__message error">
+                <p>
+                    <?=$_SESSION['signin'];
+                    unset($_SESSION['signin']); 
+                    ?>
+                </p>
+            </div>
+        <?php endif; ?>
        <form action="<?= ROOT_URL ?>signin-logic.php" method="POST">
-            <input type="text"     name="username_email"  value = '<?= $username_email ?>' placeholder="Username or Email">
-            <input type="password" name="password"        value = '<?= $password ?>' placeholder=" Password">
-
-            <button type="submit" class="btn"  name ="submit"   >Sign in</button>
+            <input type="text" name="username_email" value='<?= $username_email ?>' placeholder="Username or Email">
+            <input type="password" name="password" value='<?= $password ?>' placeholder=" Password">
+            <button type="submit" class="btn" name="submit">Sign in</button>
            <small>Don't have an account? <a href="signup.php">Sign up</a></small>
        </form>
    </div>
-
 </section>
-
-
 </body>
 </html>