
I'm just trying to make this, but I don't even have any idea of how to do it. Here's the case: I have 3 tables

  • admin_users, admin_permissions & admin_modules

I'm passing the "iduser" via GET to the page, and I'm generating a type of menu from the table "admin_modules"... Now I want to disable the links that the user doesn't have permission to access... I think that I can do it via CSS, but I don't know where in my "menu generator" I have to place the code to do it.

<?php
include ("connector.php");
$con = conectar();
$tbl = "admin_modules";
$i = 0;
$query = "SELECT * FROM $tbl";
$resultado = mysqli_query($con, $query) or die(mysqli_error($con));
while ($dato = mysqli_fetch_array($resultado)) {
    // One cell per module: the icon links to the module's start page, the name goes below it
    echo "<td width='25%'><a href=../" .
        $dato['RootDirectory'] . "/" . $dato['InitialMenu'] . "><img src=./images/icons/" .
        $dato['IconName'] . "></a><p>" . $dato['ModuleName'] . "</p></td>";

    $i = $i + 1;
    if ($i == 4) { // start a new table row after every four modules
        echo "</tr>";
        echo "<tr>";
        $i = 0;
    }

}
mysqli_close($con); // close connection

Extra info:

In admin_permissions I have two columns, "idadmin_users[FK]" and "idadmin_module[FK]". So, if a user has a record in that table, he has access to the module.

Example:

The user John has access to the rejects module and to the invoices module... So he has 2 entries in admin_permissions with his unique user id and with each of the unique module ids.

Marny Lopez
  • How do you know which links the user has access to? – mopo922 Jan 23 '15 at 18:41
  • @mopo922 I have the table "admin_permissions" and in that table I have idadmin_users and idadmin_modules... The user that has a record in that table with the module is the one that has access to it... – Marny Lopez Jan 23 '15 at 18:43
  • Can you add that with some sample data to your question, please? That will help get a good answer. You'll probably have to query that table too to get the info you need re: permissions. – mopo922 Jan 23 '15 at 18:46
  • @mopo922 Just edited the post and added this info at the end, I wish you could help me :D – Marny Lopez Jan 23 '15 at 18:53

2 Answers

First, you'll want an additional query to get the list of modules that this user can access. Then you can use that information in your existing loop:

<?php
include ("connector.php");
$con = conectar();

// Get permissions
// NOTE: this query interpolates the raw GET parameter into SQL; see the warning below the code
$perms = array();
$result1 = mysqli_query($con, "SELECT * FROM admin_permissions WHERE idadmin_users = {$_GET['iduser']}") or die(mysqli_error($con));
while ($row = mysqli_fetch_array($result1)) {
    $perms[] = $row['idadmin_module'];
}

// Get modules and loop
$i = 0;
$result2 = mysqli_query($con, "SELECT * FROM admin_modules") or die(mysqli_error($con));
while ($dato = mysqli_fetch_array($result2)) {
    echo '<td width="25%">';

    // Only echo the <a> tags if user has permission
    // I'm assuming the $dato row has an 'id'
    // that matches admin_permissions.idadmin_module
    if (in_array($dato['id'], $perms))
        echo '<a href="../' . $dato['RootDirectory'] . '/' . $dato['InitialMenu'] . '">';

    echo '<img src="./images/icons/' . $dato['IconName'] . '">';

    // Only echo the <a> tags if user has permission
    if (in_array($dato['id'], $perms))
        echo '</a>';

    echo '<p>' . $dato['ModuleName'] . '</p></td>';

    $i++;
    if ($i == 4) { // start a new table row after every four modules
        echo '</tr>';
        echo '<tr>';
        $i = 0;
    }
}

mysqli_close($con); // close connection

IMPORTANT:

Using a GET param in this query is a major vulnerability:

SELECT * FROM admin_permissions WHERE idadmin_users = $_GET['iduser']

It would be much better to use mysqli's parameterized queries for this, but that would probably involve changes to connector.php as well (which I can't see as of this writing). So use the main concepts of this answer to get where you're going, then update your queries to be more secure.

mopo922


I think you may be going about this backwards. Instead of disabling links that people don't have access to, why not use the query to generate the appropriate links? Also, you will want to be careful passing the user via a GET variable; it is very easy for someone to change it.

Nathan
  • Yes, I know it's vulnerable because someone can change the variable I'm passing via GET, but I don't know how I can pass variables via POST between two different pages without a form... The problem is that all the users have to be able to see all the links on the system, but not to use them.. @nathan – Marny Lopez Jan 23 '15 at 18:48
  • Ahh, I have run into the problem quite a few times. Session variables are one method, or if you only need to do so once you can use a link to submit a hidden form [link](http://stackoverflow.com/questions/4286466/use-a-normal-link-to-submit-a-form) . You could still list all the links, but only populate the tags if they have access like mopo922 suggests. – Nathan Jan 23 '15 at 22:25
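
The following is an added example, not code from the question or from either answer, showing how the two suggestions above fit together: mopo922's point that the user id must be bound as a query parameter rather than concatenated into the SQL, and Nathan's point that the user should come from the session rather than from the query string, with the access decision folded into the module query itself. It assumes, as the accepted answer does, that `admin_modules` has an integer primary key column named `id` that `admin_permissions.idadmin_module` refers to; that the login page stores the user's id in `$_SESSION['iduser']` (a name chosen here); that `conectar()` from `connector.php` returns a mysqli connection; and that the mysqlnd driver is available so `mysqli_stmt_get_result()` works. The `h()` helper and the `no-access` CSS class are also introduced here.

```php
<?php
// Added example; not from the question or the answers. Assumed names:
// $_SESSION['iduser'] (set at login), admin_modules.id, and a mysqli
// connection returned by conectar() from connector.php.
session_start();
include "connector.php";
$con = conectar();

// The user id comes from the server-side session, so the visitor cannot
// change it the way a GET parameter can be changed.
if (!isset($_SESSION['iduser'])) {
    http_response_code(403);
    exit('Not logged in');
}
$iduser = (int) $_SESSION['iduser'];

// One query replaces both loops of the accepted answer: every module is
// returned, and has_access is 1 only when admin_permissions has a row for
// this user and module. The user id is bound as a parameter ("?"), so no
// string concatenation into the SQL takes place.
$sql = "SELECT m.id, m.RootDirectory, m.InitialMenu, m.IconName, m.ModuleName,
               (p.idadmin_module IS NOT NULL) AS has_access
        FROM admin_modules AS m
        LEFT JOIN admin_permissions AS p
               ON p.idadmin_module = m.id AND p.idadmin_users = ?
        ORDER BY m.id";
$stmt = mysqli_prepare($con, $sql) or die(mysqli_error($con));
mysqli_stmt_bind_param($stmt, "i", $iduser);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);

// Escape column values before they are written into HTML attributes/text.
function h($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

echo "<table><tr>";
$i = 0;
while ($dato = mysqli_fetch_assoc($result)) {
    $href = "../" . h($dato['RootDirectory']) . "/" . h($dato['InitialMenu']);
    $icon = "./images/icons/" . h($dato['IconName']);

    echo '<td width="25%">';
    if ($dato['has_access']) {
        echo '<a href="' . $href . '"><img src="' . $icon . '"></a>';
    } else {
        // Module is still listed, but without a link; the class lets CSS grey it out.
        echo '<img src="' . $icon . '" class="no-access">';
    }
    echo '<p>' . h($dato['ModuleName']) . '</p></td>';

    if (++$i == 4) { // new table row after every four modules
        echo "</tr><tr>";
        $i = 0;
    }
}
echo "</tr></table>";

mysqli_stmt_close($stmt);
mysqli_close($con);
```

The access flag is computed in the `ON` clause of the `LEFT JOIN` on purpose: putting `p.idadmin_users = ?` in a `WHERE` clause would drop the modules the user cannot access, and the question wants every module shown. Note that the menu only controls what is rendered; each module's own page still has to check `admin_permissions` for the session user before doing anything, because a visitor who knows the URL of a module page can request it whether or not a link to it was shown.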