Add/Register Users

stacy · January 22nd, 2004, 01:41 AM

Does anyone know a way for me to login as "admin" and add users to the database from my management area? I don't want anyone to be able to register unless I am logged in as "admin". PLEASE HELP. I can't figure it out!!!

rodmcleay · January 22nd, 2004, 01:54 AM

You simply need to protect the "AddUsers" page in your site.
So when a user loggs in set a session variable with a secutiry level, eg.
session("UserLevel") = 9
or 8, or 7,etc. depending on who is logging in, for your admin set
session("UserLevel") = 0.

So at the beginning of your "addusers" page test a session variable to assess whether the user is admin or not.
eg.

if Session("UserLevel") > 0 then
   'the security level is to high redirect them to another page
   response.redirect("Youdonthaveaccess.asp")
end if

PS. The numbers are irrelevant you could count up with a security level of 10 being the best, or even use words "ADMIN","USER","GUEST"

if Session("UserLevel") <> "ADMIN" then
   'the security level is to high redirect them to another page
   response.redirect("Youdonthaveaccess.asp")
end if

======================================
They say, best men are moulded out of faults,
And, for the most, become much more the better
For being a little bad.
======================================

stacy · January 22nd, 2004, 10:47 AM

By doing this, Will the other users be able to go in and edit their own information after the "admin" has set up their account?

(I want the user to only have access to editing their own information - and not be able to add anyone else.

"Admin" can do all of it.)

rodmcleay · January 22nd, 2004, 09:45 PM

This all really depends on how you have structured you page, the session variable can be used anywhere in you site to validate the user and the operations they can perform.
For example you will have a link somewhere for users that says something like "Edit My Profile" and another link that the admin can see that says "Add New User".
When the links are pressed they both go to the same page in either an 'edit' mode or an 'add' mode based on your code. to prevent a user going to the page in 'add' mode hide the link from them based on the session variable and again test on the page itself.

eg

Code:

if (session("UserLevel") = "ADMIN") then
 'show the link
 response.write("<A HREF=""AddEditUser.asp?=MODE=ADD"">Add New User</A>")
end if
response.write("<A HREF=""AddEditUser.asp?=MODE=EDIT"">Edit My Profile</A>")

then on the AddEditUser.asp Page you can test again to ensure that the user does not just type in the URL into the browser to get the page in add mode.
eg.

Code:

IF (request("MODE") = "ADD") then
 'Test to ensure the user is admin
 if Session("UserLevel") <> "ADMIN" then 
   'the security level is to high redirect them to another page
   response.redirect("Youdonthaveaccess.asp")
 end if
end if

IN SHORT
You can use the session variables to make anything in you site available (or not) to anyone how you wish.

======================================
They say, best men are moulded out of faults,
And, for the most, become much more the better
For being a little bad.
======================================