Content Access

2 posts by 2 authors in: Forums > CMS Builder
Last Post: November 17, 2023

By KennyH - November 16, 2023

Hoping for some help adjusting this code. I have designed a dashboard for a group of property owners.

  • Their user accounts have a custom field called 'owner_access' that is either checked or not checked.
  • If checked, they can click on their property and see everything on the detail page.
  • If they click on another property owner's profile, most of the information should be hidden.
  • Any user that has 'admin_access' checked on their user account can see all profiles and content. (custom field created on accounts.ini.php)

I have tried several ways of getting this done, but can't seem to make it work. Admins can see everything with this method, but owner accounts get NOT AUTHORIZED on all records, even their own. What am I missing here?

Here's what I have now:

<?php require_once "/home/$user/public_html/webadmin/lib/viewer_functions.php";

if (!$CURRENT_USER) { websiteLogin_redirectToLogin(); }

// Determine the user's access level and modify the query accordingly
$userAccessCondition = '';
if (@$CURRENT_USER['admin_access']) {
    // Admin can access any record
    $userAccessCondition = "1"; // Always true condition
} else if (@$CURRENT_USER['owner_access']) {
    // Regular owner can only access their own record
    $userAccessCondition = sprintf("createdByUserNum = '%s'", mysql_escapef($CURRENT_USER['num']));
} else {
    // No access if neither admin nor owner
    die("Access Denied");
}

list($ownersRecords, $ownersMetaData) = getRecords(array(
    'tableName'   => 'owners',
    'where'       => $userAccessCondition,
    'loadUploads' => true,
    'allowSearch' => false,
    'limit'       => '1',
));

// Now that $ownersRecords is fetched, check if the current user is viewing their own profile
$isCurrentUserProfile = false;
if (isset($CURRENT_USER['lot_number']) && isset($ownersRecords[0]['lot_number'])) {
    $isCurrentUserProfile = $CURRENT_USER['lot_number'] === $ownersRecords[0]['lot_number'];
}
?>

<?php if($isCurrentUserProfile || @$CURRENT_USER['admin_access']): ?>
<section role="main" class="content-body">
  <header class="page-header">
    <h2 class="text-uppercase text-primary">
      <a href="<?= $ownersMetaData['_listPage'] ?>" class="text-primary text-decoration-none text-hover-primary">
        Owners
      </a>
    </h2>
    <span class="float-end p-2 d-none d-sm-block">
      <a href="<?= $ownersMetaData['_listPage'] ?>" class="btn btn-sm btn-dark-blue" role="button">
        <i class="fa-duotone fa-chevrons-left me-2"></i>All Owners
      </a>
<?php if($isCurrentUserProfile || @$CURRENT_USER['admin_access']): ?>
      <a href="<?= $domain; ?>/webadmin/admin.php?menu=owners&action=edit&num=<?= $ownersRecords[0]['num'] ?>"
         class="btn btn-sm btn-dark-blue"
         role="button" target="_blank">
        Edit Record
      </a>
<?php endif ?>
    </span>
  </header>
  <div class="row">
    <div class="col-md-12">
      <div class="row">
        <div class="col-lg-4 col-xl-3 mt-4 mb-4 mb-xl-0">
          <?php include ("/home/$user/public_html/includes/owners/owner-info.php"); ?>
        </div>
        <div class="col-lg-8 col-xl-6">
          <?php if($isCurrentUserProfile || @$CURRENT_USER['admin_access']): ?>
          <div class="tabs">
            <?php include ("/home/$user/public_html/includes/owners/tab-nav.php"); ?>
            <div class="tab-content">
            <?php include ("/home/$user/public_html/includes/owners/tab-notes.php"); ?>
            <?php include ("/home/$user/public_html/includes/owners/tab-docs.php"); ?>
            <?php include ("/home/$user/public_html/includes/owners/tab-milestones.php"); ?>
            <?php include ("/home/$user/public_html/includes/owners/tab-photos.php"); ?>
            </div>
          </div>
          <?php endif ?>
        </div>
        <div class="col-xl-3">
          <?php if($isCurrentUserProfile || @$CURRENT_USER['admin_access']): ?>
          <?php include ("/home/$user/public_html/includes/owners/status-info-bars.php"); ?>
          <?php endif ?>
        </div>
      </div>
    </div>
  </div>
</section>
<?php else: ?>
<section role="main" class="content-body">
  <header class="page-header">
    <h2 class="text-uppercase text-primary">
      Not Authorized
    </h2>
  </header>
</section>
<?php endif ?>
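One way to structure the access model described in the post, added here as an example and not code from the post or from CMS Builder: the record is loaded by its own num rather than by createdByUserNum (which only matches records the owner created themself), and a separate pure function decides whether the visitor gets the full view, the limited view for other owners' profiles, or no access. It assumes PHP 7.1 or later, the page's $CURRENT_USER fields admin_access, owner_access and lot_number, CMS Builder's getRecords(), and a 'num' request parameter naming the owner record being viewed.

```php
<?php
// Added example, not from the original post or CMS Builder. It separates
// "which record to load" (the requested one) from "how much of it to show"
// (the visitor's access level). Assumed: $CURRENT_USER fields admin_access,
// owner_access, lot_number; getRecords(); a 'num' request parameter.

// Pure decision function: returns 'full', 'limited' or 'denied'.
function ownerAccessLevel(?array $user, ?array $record): string {
    if (!$user)                        { return 'denied'; }  // not logged in
    if (!empty($user['admin_access'])) { return 'full'; }    // admins see every profile
    if (empty($user['owner_access']))  { return 'denied'; }  // neither flag checked
    if (!$record)                      { return 'denied'; }  // no such record
    // Own property: compare lot numbers as strings so 12 and '12' still match
    // (a strict === comparison silently fails when the stored types differ).
    $ownLot = isset($user['lot_number'], $record['lot_number'])
           && (string)$user['lot_number'] === (string)$record['lot_number'];
    return $ownLot ? 'full' : 'limited';  // another owner's profile: most info hidden
}

// Load the record the visitor asked for by its num. The WHERE clause no longer
// encodes the access rule, so an owner opening another owner's page gets the
// limited view instead of an empty result set.
function loadRequestedOwner(): ?array {
    $num = intval(@$_REQUEST['num']);
    if ($num <= 0) { return null; }
    list($records) = getRecords(array(
        'tableName'   => 'owners',
        'where'       => "num = $num",   // intval() above makes inlining safe
        'loadUploads' => true,
        'allowSearch' => false,
        'limit'       => '1',
    ));
    return $records[0] ?? null;
}

// Constructed sample accounts and records covering each outcome.
$admin = array('num' => 1, 'admin_access' => 1, 'owner_access' => 0, 'lot_number' => '');
$alice = array('num' => 2, 'admin_access' => 0, 'owner_access' => 1, 'lot_number' => 12);
$guest = array('num' => 3, 'admin_access' => 0, 'owner_access' => 0);
$lot12 = array('num' => 7, 'lot_number' => '12', 'createdByUserNum' => 1);  // created by admin
$lot30 = array('num' => 8, 'lot_number' => '30', 'createdByUserNum' => 1);

assert(ownerAccessLevel($admin, $lot30) === 'full');
assert(ownerAccessLevel($alice, $lot12) === 'full');     // own lot, int vs string
assert(ownerAccessLevel($alice, $lot30) === 'limited');  // someone else's lot
assert(ownerAccessLevel($guest, $lot12) === 'denied');
assert(ownerAccessLevel(null,   $lot12) === 'denied');
```

In the template, `$access = ownerAccessLevel($CURRENT_USER, loadRequestedOwner());` would then gate the tabs, status bars and Edit link on `'full'`, show only the owner-info block on `'limited'`, and show the Not Authorized section on `'denied'`.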