In general, there is a DB with users; it has an admin column, which in turn is associated with a lookup table of these values: 1 - admin, 2 - moder, 3 - user, 4 - banned. Actually, here is the problem: there is a personal account page that displays functions depending on the status. Here is the authorization check:

<?php if (isset($_SESSION['logged_user'])) { ?>
    <p>Обычный юзер видит это</p>
    <?php if ($_SESSION['logged_user']->admin === 1) { ?>
        <p>Админ видит это</p>
    <?php } } ?>

Say I change admin === 1 to 3 (the default for a user), then change it back to 1; the user's status then changes from 3 to 1. That is, he is assigned admin rights. Please explain why this is happening? And is it safe to use this if you do not mess around with changing 1 to 3 and so on?

  • 1. It seems obvious. 2. It seems yes. - Qwertiy
  • Obvious?) If it were obvious, I would not have asked the question. And "It seems yes" - is this the answer to whether it is safe? - Senbonzakuraa
  • Obviously. You will get the check result according to the value you assign. The second is yes, about security. As far as I know, the session is stored on the server, so the user cannot replace it (well, if there are no other bugs in the code). That is, all such data should be stored on the server and you should not trust the data received from the user. If this is done, then it is safe. - Qwertiy
  • Thanks for the detailed answer; it just seemed very strange that admin rights are assigned at the session level, when everything is stored in the database. - Senbonzakuraa
  • Strictly speaking, it is unsafe for the simple reason that no one except the user himself can remove the admin privilege: it stays in his session (we are not considering a forced session reset). - etki
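An added example (not code from the question or the commenters) illustrating the two points raised in this thread: a single `=` inside the check writes into the session object instead of comparing, and a role cached in the session at login stays stale, so the authoritative role should be read from the database on each request. The `users` table, its `id` and `admin` columns, and the `$pdo` connection are assumptions.

```php
<?php
// Added example, not from the original question. Role ids follow the
// question: 1 = admin, 2 = moder, 3 = user, 4 = banned.
// The users(id, admin) table and the $pdo connection are assumptions.
declare(strict_types=1);

const ROLE_ADMIN  = 1;
const ROLE_MODER  = 2;
const ROLE_USER   = 3;
const ROLE_BANNED = 4;

// The typo behind "status changes from 3 to 1": a single '=' assigns, and
// if() sees the assigned value, so this "check" silently promotes the
// session object to admin. Shown only to contrast with isAdmin() below.
function buggyIsAdmin(object $user): bool
{
    return (bool)($user->admin = ROLE_ADMIN); // assignment, always truthy
}

// Correct comparison: '===' never writes into $user.
function isAdmin(object $user): bool
{
    return $user->admin === ROLE_ADMIN;
}

// Authoritative role: look it up per request instead of trusting the copy
// cached in the session, so a revoked or banned account loses access at once.
function currentRole(PDO $pdo, int $userId): ?int
{
    $stmt = $pdo->prepare('SELECT admin FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $role = $stmt->fetchColumn();
    return $role === false ? null : (int)$role;
}

session_start();
if (!isset($_SESSION['logged_user'])) {
    http_response_code(401);
    exit;
}

$role = currentRole($pdo, (int)$_SESSION['logged_user']->id);
if ($role === null || $role === ROLE_BANNED) {
    session_destroy();            // account deleted or banned since login
    http_response_code(403);
    exit;
}
$_SESSION['logged_user']->admin = $role; // refresh the cached copy here, never inside a check
?>
<p>Visible to every logged-in user</p>
<?php if ($role === ROLE_ADMIN): ?>
<p>Visible to admins only</p>
<?php endif; ?>
```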
