Restricting options to specific user level

This script is part of the mod CP; mods are level 4. This script allows changing the level of members.
I want to restrict level 4 members, i.e. mods, to only be able to change the level of members below level 4.
This is the script, but it also allows editing the level of members above level 4.
[php]
function update_user($POST, $change) {

    if (isset($change)) {

        $username = $POST['username'];
        $level = $POST['level'];

        $this->query("UPDATE ".DBTBLE." SET user_level = '$level' WHERE username = '$username'");

        return $username." .User level was changed to ".$level;

    }
}

[/php]

How can I restrict the $POST['username'] to only display usernames below level 4?

Change this:

[php]$this->query("UPDATE ".DBTBLE." SET user_level = '$level' WHERE username = '$username'");
[/php]

To this:
[php]$this->query("UPDATE ".DBTBLE." SET user_level = '$level' WHERE username = '$username' AND user_level < ".((int)$_POST['level']));[/php]

This does a bit better than what you wanted. A user will only be able to change other users whose level is below them. This prevents mods from de-modding other mods, or admins from de-modding other admins, but allows admins (I assume lv>4) to still be able to de-mod mods.

Side note: it’s $_POST, not $POST. Also, you need to validate the user’s level - $_POST variables are submitted by the user and can easily be modified.

Yes, this works, I also found a solution, not the best though,

  1. Make a table (the CP is linked to another file with all functions):
<select name="level" id="level">
    <option value="1">1</option>
    <option value="2">2</option>
</select>

Note: I only want them to be able to promote users to level one, but can demote level 3 users.

  2. Make a function (this file includes the code to connect to the DB; this is just the necessary part):
[php]
function list_users() {

    // Note: I restricted it to get details of user levels less than or equal to 3.
    $q = "SELECT * FROM ".DBTBLE." WHERE user_level <= 3";

    $result = mysql_query($q);
    // mysql_num_rows() is the documented name; mysql_numrows() is a deprecated alias.
    $num_rows = mysql_num_rows($result);

    echo "<select name=\"username\">";

    for ($i = 0; $i < $num_rows; $i++) {

        // Escape the stored username before writing it into the HTML.
        $name = htmlspecialchars(mysql_result($result, $i, "username"), ENT_QUOTES);
        echo "<option value=\"$name\">$name</option>";

    }

    echo "</select>";

}
[/php]

  3. Function you want to perform; here I want to give a feature of editing user level:
[php]
function update_user($POST, $change) {

    if (isset($change)) {

        $username = $POST['username'];
        $level = $POST['level'];

        $this->query("UPDATE ".DBTBLE." SET user_level = '$level' WHERE username = '$username'");

        return $username."'s User level was changed to ".$level;

    }
}

[/php]

Well, this is a longer way to do it, but I guess it gives a little bit more flexibility. Anyway, thanks :slight_smile:
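
As an added example (not code from the thread): the same restriction enforced on the server instead of by the options offered in the form, which is what the side note about `$_POST` above calls for. The table name `users`, the in-memory SQLite database, the function name `update_user_level`, and the rule that the new level must also stay below the acting user's level are assumptions; the acting user's level is assumed to come from the login session.

```php
<?php
// Added example, not the thread's code. Column names (username, user_level)
// follow the thread; the table name "users" and update_user_level() are
// hypothetical.

function update_user_level(PDO $db, int $actorLevel, string $username, $newLevel): string
{
    // Validate the submitted level on the server: the <select> only limits
    // what the form offers, not what a request can contain.
    $newLevel = filter_var($newLevel, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($newLevel === false || $newLevel >= $actorLevel) {
        return 'Rejected: level not allowed';
    }

    // The WHERE clause enforces the rule in the same statement as the change:
    // the target's current level must be below the acting user's level.
    // Values are bound as parameters, not concatenated into the SQL string.
    $stmt = $db->prepare(
        'UPDATE users SET user_level = :new
          WHERE username = :name AND user_level < :actor'
    );
    $stmt->execute([':new' => $newLevel, ':name' => $username, ':actor' => $actorLevel]);

    // Note: on MySQL, rowCount() is also 0 when the level is already :new.
    if ($stmt->rowCount() === 0) {
        return 'Rejected: unknown user or target not below your level';
    }
    return $username . "'s user level was changed to " . $newLevel;
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, user_level INTEGER)');
$db->exec("INSERT INTO users VALUES ('alice', 3), ('bob', 4), ('carol', 5)");

// Would be read from the logged-in session, never from $_POST.
$modLevel = 4;

echo update_user_level($db, $modLevel, 'alice', '1'), "\n"; // mod acting on a level 3 member
echo update_user_level($db, $modLevel, 'bob', '1'), "\n";   // mod acting on another mod
echo update_user_level($db, $modLevel, 'carol', '2'), "\n"; // mod acting on a higher level
echo update_user_level($db, $modLevel, 'alice', '9'), "\n"; // submitted level outside the form's options
```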
