Displaying options specific to the admin

Smack715 · June 22nd, 2004, 11:32 AM

Ok here is my situation....
I have a site that multiple users can login to and add, edit, or delete plant outages. What I need to do is enable the admin to be able to add, edit or delete the users who can input the outage information.
Currently what happens is the user logs in and it takes them to the page where they select whether they want to add, edit or delete an outage. What I want to do is make it so that when the username=admin and they are directed to the add, edit or delete page, I want the link that will take the admin to the Account Outages Maintenance page to display. If the username isn't admin then the link simply wouldn't appear and they would procede as usual.
Here is the code I have so far and its not working, I even tried Response.Write and that didn't work either so I am at a loss right now *sigh*:(......

<%
strusername=Request.Form("username")
strpassword=Request.Form("pass")

session("username")=strusername
session("pass")=strpassword
%>

<%If strusername = "admin" Then
%>
    <a href="default.asp?Action=viewall">Accounts Maintenance</A>
<%
End If
%>

<HTML>
<HEAD>
<META NAME="GENERATOR" Content="Microsoft Visual Studio 6.0">
</HEAD>
<BODY link="#FF6633" alink="#FF6633" vlink="#FF6633">
<form method="post" action="default.asp?Action=select">
<center>
<h2>Please choose from the following:</h2>
Please note that only one location's information can be manipulated at a time

<br>
<center>
<table>
<tr>
    <td>I would like to:</td>
    <td><input type="radio" name="pref" value="add" checked>Add an outage</td>
    <td><input type="radio" name="pref" value="edit">Edit an outage</td>
    <td><input type="radio" name="pref" value="delete">Delete an outage</td>
</tr>
<tr>
    <td colspan="4"> </td>
</tr>
<tr>
    <td>For which location?</td>
    <td><input type="radio" name="loc" value="Springfield" checked>Springfield<br>
    <input type="radio" name="loc" value="Conway">Conway</td>
    <td><input type="radio" name="loc" value="Tulsa">Tulsa<br>

    <input type="radio" name="loc" value="Garland">Garland</td>
    <td><input type="radio" name="loc" value="Chatham">Chatham<br>
    <input type="radio" name="loc" value="Escobedo">Escobedo</td>
    <td><input type="radio" name="loc" value="Cantera">Cantera</td>
</tr>
<tr>
    <td> </td>
</tr>
<tr>
    <td colspan="4" align="center"><input type="submit" value="Submit"><input type="reset" value="Reset"></td>
</tr>
</table>
</form>
</BODY>
</HTML>

bmains · June 22nd, 2004, 12:59 PM

Hello,

Do you have a login page, or is this an intranet app with windows authentication specified? Could the administrator be entering "Admin" and it's throwing that off? Maybe you want to do a lower(Session("username")) when comparing.

Brian

happygv · June 23rd, 2004, 04:11 AM

Can you do a response.write before this code to see what is there in session's strusername? Then you can use that value in the if condition to compare.

Code:

response.write strusername & "<BR>"
<%If strusername = "admin" Then %>

It is better to do a LCASE or UCASE on both values when comparing, as Brian suggested.

Code:

<%If UCASE(strusername) = UCASE("admin") Then %>

Hope that helps.
Cheers!

_________________________
-Vijay G

Strive for Perfection

madhukp · June 23rd, 2004, 05:18 AM

You may trim the username also. i.e. like below.

<%If ucase(trim(strusername)) = ucase("admin") Then %>

happygv · June 23rd, 2004, 05:25 AM

Hi madhukp,

I have a doubt if one has to trim that at all, because when I try logging in as " admin ", I shouldn't be allowed to login, saying "username invalid". So there shouldn't be a necessity to TRIM that at all, as what was used while logging in is stored in session("strusername")

Cheers!

_________________________
-Vijay G

Strive for Perfection

madhukp · June 23rd, 2004, 06:37 AM

That is personal, I think. I usually permit white spaces in the usernames and passwords. I will trim username and password before checking equality.

While adding usernames to db also, I will trim them. So there won't be two users madhu and madhu<space>. It is a policy decision whether to treat madhu and madhu<space> as two different users, I think.

Imar · June 23rd, 2004, 06:49 AM

I agree this is a policy issue, as most programming languages don't really bother about a space. However, IMO, every policy should forbid usernames to start or end with a space. The fact that you needed to type madhu<space> instead of madhu illustrates the fact that for the average human it is pretty hard to see that the username starts or ends with a space. This will cause a lot of problems when users try to register, or logon to your system.

The same applies to passwords, but to a lesser extend. It's not uncommon to communicate usernames and passwords through paper (bank accounts, new ISP subscriptions etc etc come to mind). A leading or trailing space will not be visible on paper, unless you know what you're looking for. So, also in these cases, the policy should prevent leading and trailing spaces.

I can imagine a few circumstances where they wouldn't matter, but personally I would stay far away from using them.

Cheers,

Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
While typing this post, I was listening to: Pistola by Incubus (Track 7 from the album: A Crow Left To The Murder) What's This?

happygv · June 23rd, 2004, 07:01 AM

Hi Madhukp,

Yes you are right, there cannot be 2 users that way.

IMO that is bad practice of allowing users to think that you accept space in usernames/passwords. In general spaces are not allowed for such things. This might let the user think that his userid is "hisname<space>", as you are manipulating it by trimming the space programatically, which the user is not aware of. And this might lead the user to think of using space inbetween too, like "his<space>name".

So IMO it is a good practice to let the user know that spaces are not allowed with the userid or pwd.

Cheers!

_________________________
-Vijay G

Strive for Perfection

madhukp · June 23rd, 2004, 07:04 AM

I agree with you Imar. That is why I am trimming username and password before putting into DB. I am against using whitespaces at the head/tail of username / password.

What I mean is When user types in usernames/passwords in the login form, I permit white spaces (Sorry for not wording it properly). I am doing it with specific intention that if by chance any space gets introduced at the end, it should not prevent him from getting in. Anyway there won't be any usernames with trailing / leading blanks.

Imar · June 23rd, 2004, 07:08 AM

Yeah, I already understood that from your previous message. I think that's good practice. I had no intention to disagree with you or to proof you wrong; I just wanted to respond on the "policy" part.....

Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
While typing this post, I was listening to: Made For TV Movie by Incubus (Track 11 from the album: A Crow Left To The Murder) What's This?