Project Management: Administration

If you’ve followed along as we’ve built the core and authentication sections of a project management application, you can guess what this article is all about. It will walk you through the scripts you need to employ to add an administration section to the application. It will enable administrators to complete tasks that you may not want to allow all of your application’s users to do.

The administration section of the project management application can only be accessed by users that have admin rights. The main page of the application contains a link to the admin section. The moment that link is clicked, the user will automatically be checked to see if he or she is admin or not. This section has ten scripts as listed below:

  • Login.php – Verifies whether or not the logged-in user has admin rights.
  • Add_user.php – Adds new users.
  • Add_project.php – Adds new projects to the project list.
  • Edit_user.php – Enables you to make changes to a user’s profile.
  • Edit_project.php – Enables you to make changes to a project.
  • Del_project.php – Removes a project from the project list.
  • Del_user.php – Removes a user from the user list.
  • Index.php – Gives a list of options from which to choose.
  • List_projects.php – Displays a list of projects.
  • List_users.php – Displays a list of users.

The main aim of the admin section is to give the administrators overall control of the entire project management application. It also serves as a maintenance tool, in the sense that redundant projects and users are all removed from the application. This ensures that the application runs smoothly and does not get slower.

The two most important scripts here are the login and index pages. These provide access (login) to the entire admin section. The front page (index.php) provides the easy-to-use user interface for smooth navigation. So let’s look at the code that makes up these two pages.

The Admin Login Script

When a user uses the project management application, they have to log in before they are given access. Access is granted if the submitted username and password match a row in the users table. The code for this verification process looks like this:


<?php
session_start();   // needed before $_SESSION is written to below
include "dbcon.php";
include "functions.php";

//initialise variables
$err = false;
$errmsg = "";

//is form submitted?
if(isset($_POST['submit'])){
    //check that the form values are not empty, if so, set errormsg value
    if(empty($_POST['uname'])){
        $errmsg = "The username field is empty, please enter a username<br>";
        $err = true;
    }
    if(empty($_POST['upass'])){
        $err = true;
        $errmsg .= "The password field is empty, please enter password<br>";
    }

    //check that the username is in correct format
    if(!checkformat($_POST['uname'])){
        $err = true;
        $errmsg .= "The username that you entered has an incorrect format.<br>";
    }

    //if there are no errors above, then escape the form values before using them in the query.
    if(!$err){
        $cleanuname = mysql_real_escape_string($_POST['uname']);
        $cleanupass = mysql_real_escape_string($_POST['upass']);

        $checkuser = "SELECT * FROM users WHERE uname = '".$cleanuname."' AND upass = '".$cleanupass."'";
        $checkuser_res = mysql_query($checkuser);
        $checkuser_num = mysql_num_rows($checkuser_res);

        if($checkuser_num > 0){
            //if user exists and passes authentication
            //setup session variables and redirect to index page
            $row = mysql_fetch_assoc($checkuser_res);
            $_SESSION['name'] = $row['name']." ".$row['sname'];
            $_SESSION['uid'] = $row['uid'];
            $_SESSION['level'] = $row['level'];

            //redirect and stop, so nothing below runs for the logged-in user
            header("location:main.php");
            exit;
        }else{
            //if values do not match set errmsg
            $err = true;
            $errmsg .= "The username or password you entered does not match.<br> MYSQL ERROR ".mysql_error();
        }//else
    }//end $err check
} //end form submit check
?>

This is verification stage one. The important part in this code is the one listed below:

if($checkuser_num > 0){
    //if user exists and passes authentication
    //setup session variables and redirect to index page
    $row = mysql_fetch_assoc($checkuser_res);
    $_SESSION['name'] = $row['name']." ".$row['sname'];
    $_SESSION['uid'] = $row['uid'];
    $_SESSION['level'] = $row['level'];

    //redirect
    header("location:main.php");
    exit;

Take a closer look at where the authentication process successfully verifies the user. It is at this point that the user’s details are transferred into session variables, i.e:

$_SESSION['level'] = $row['level'];

These are the login variables that the secondary admin login script uses to determine if a user has the right to access the admin section:

<?php
ob_start();
session_start();

if(isset($_SESSION['level'])){
    $level = $_SESSION['level'];
    //if the access level is admin, then grant access to user
    if($level == "admin"){
        header("location:index.php");

As you can see from the above code snippet, the user access level information is stored in the $_SESSION['level'], which is then transferred to a local variable called "$level."

$level = $_SESSION['level'];

The value of the local variable is then compared against a string called "admin":

if($level == "admin"){

If the value that is contained in the $level variable is admin, then the user is granted access to the admin section. Otherwise the user is redirected to the main login page:

    }else{
        //level does not contain admin, redirect user to login page
        header("location:../login.php");
    }

If the session variable is not set, it means that this user is trying to access the page without going through any of the login checks that are required. The script simply redirects them to the main login page:

}else{
    //send user to login
    header("location:../login.php");
}//end session check

ob_end_flush();
?>

The ob_start() call at the top buffers all output, which is what allows header() to be called after something has already been printed without triggering the "headers already sent" error; ob_end_flush() then sends the buffered output once the script finishes.
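The login query above builds its SQL by string concatenation and compares the password in plaintext. As an added example (not the article's code), the same credential check rewritten with a prepared statement and hashed passwords; it assumes dbcon.php provides a mysqli handle named $db and that users.upass stores password_hash() output, neither of which the article's schema shows.

```php
<?php
// Added example, not the article's code: the credential check from login.php
// redone with a prepared statement and hashed passwords. Assumes dbcon.php
// provides a mysqli handle $db (the article's dbcon.php is not shown) and that
// users.upass holds password_hash() output rather than the plaintext password.
session_start();
include "dbcon.php";
include "functions.php";
// Returns the user's row on success, null for an unknown user or wrong password.
function authenticate(mysqli $db, string $uname, string $upass): ?array
{
    // Bound parameter: the username travels separately from the SQL text, so no quote escaping is needed.
    $stmt = $db->prepare("SELECT uid, name, sname, level, upass FROM users WHERE uname = ?");
    $stmt->bind_param("s", $uname);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row === null || !password_verify($upass, $row['upass'])) {
        return null;
    }
    unset($row['upass']);  // the hash has no business in the session
    return $row;
}

$err = false;
$errmsg = "";
if (isset($_POST['submit'])) {
    if (empty($_POST['uname']) || empty($_POST['upass'])) {
        $err = true;
        $errmsg .= "Please enter both a username and a password.<br>";
    } elseif (!checkformat($_POST['uname'])) {
        $err = true;
        $errmsg .= "The username that you entered has an incorrect format.<br>";
    }
    if (!$err) {
        $row = authenticate($db, $_POST['uname'], $_POST['upass']);
        if ($row !== null) {
            session_regenerate_id(true);  // fresh session id once privileges change
            $_SESSION['name']  = $row['name'] . " " . $row['sname'];
            $_SESSION['uid']   = $row['uid'];
            $_SESSION['level'] = $row['level'];
            header("Location: main.php");
            exit;
        }
        // One generic message for both failure cases; mysql_error() stays out of the page.
        $err = true;
        $errmsg .= "The username or password you entered does not match.<br>";
    }
}
```

Existing rows would need their upass column rewritten with password_hash() before this check can succeed.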

The Index Page

The index page acts as the front page for the admin section. It offers navigation options to the user. It has the following code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Templates/admin.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<!-- InstanceBeginEditable name="doctitle" -->
<title>Untitled Document</title>
<!-- InstanceEndEditable -->
<!-- InstanceBeginEditable name="head" --><!-- InstanceEndEditable -->
<link href="../Templates/main.css" rel="stylesheet" type="text/css" />
</head>

<body>
<table width="100%" border="0">
  <tr>
    <td width="38%">&nbsp;</td>
    <td width="22%">&nbsp;</td>
    <td width="40%">Logged in:<!-- InstanceBeginEditable name="EditRegion4" --><?php echo $_SESSION['name'];?> | <a href="../logout.php">Logout</a><!-- InstanceEndEditable --></td>
  </tr>

You will note that this script does not check to see if the user has admin rights. This is because the admin login script does that job before sending the user to the index page. The rest of the code on the page looks like this:

  <tr>
    <td colspan="3" bgcolor="#6699CC"><span class="headertxt">Project Management Software - Administration</span></td>
  </tr>
  <tr>
    <td colspan="3"><!-- InstanceBeginEditable name="EditRegion3" -->&nbsp;
      <table width="100%" border="0">
        <tr>
          <td class="loginheader">Welcome to the Project Management Administration Section.</td>
        </tr>
        <tr>
          <td><div align="center"><strong>Please select from the following:</strong></div></td>
        </tr>
        <tr>
          <td>-&gt;<a href="list_users.php">User Management</a></td>
        </tr>
        <tr>
          <td>-&gt;<a href="list_projects.php">Project Management</a></td>
        </tr>
        <tr>
          <td>&nbsp;</td>
        </tr>
      </table>
    <!-- InstanceEndEditable --></td>
  </tr>
  <tr>
    <td colspan="3"><!-- InstanceBeginEditable name="EditRegion5" --><!-- InstanceEndEditable --></td>
  </tr>
  <tr>
    <td colspan="3" class="cright"><div align="right">copyright &copy; 2007 PM</div></td>
  </tr>
</table>
</body>
<!-- InstanceEnd --></html>


and the result of this code looks like this:



The Other Scripts

Of the remaining scripts, we will look at the list users/projects ones. These basically open the doors to deleting and updating users and projects. Let’s start by looking at the code for the list projects script:

<?php
ob_start();
session_start();   // required, otherwise $_SESSION below is never set
include "../dbcon.php";
include "../functions.php";

//make sure that the user that is logged on has the right access
if(isset($_SESSION['level'])){
    $level = $_SESSION['level'];
    //if the access level is not admin, send the user back to the login page
    //(written as "!$level == 'admin'" the ! applies to $level first, so any non-empty level passes)
    if($level != "admin"){
        header("location:../login.php");
        exit;   //stop here, or the project list is still sent after the redirect header
    }
}else{
    //session var is not set, user should not be on this page, redirect
    header("location:../login.php");
    exit;
}//end session check

The first part of the script simply checks to see if the logged-in user is or is not an admin, by comparing the session variable to a string as explained before. The second part of the code then retrieves a list of all the projects from the database:

//otherwise extract all projects from the projects table
$getprojects = "SELECT pid,title FROM projects ORDER BY pid";
$results = mysql_query($getprojects);
if(!$results){
    echo mysql_error();
}else{
    $num_projects = mysql_num_rows($results);
}

If you look closely you will note that the results are not actually displayed here. They will be shown in the main HTML section of the page. The number of rows returned is stored in a variable called $num_projects, which will later be used together with $results to build a dynamic HTML table from the MySQL results:

<?php
if($num_projects > 0){
    while($rowprojects = mysql_fetch_assoc($results)){
?>
<tr>
  <td><?php echo htmlspecialchars($rowprojects['title']);?></td> <!-- escape the title before it is put into the page -->
  <td><a href="edit_project.php?pid=<?php echo (int)$rowprojects['pid'];?>">Change</a> | <a href="del_project.php?pid=<?php echo (int)$rowprojects['pid'];?>">Delete</a></td>
</tr>
<?php
    }
}else{ ?>
<tr>
  <td colspan="3"><p>There are no projects in the table, click on &quot;Add project&quot; to add new ones.</p></td>
</tr>
<?php
}?>

To build the dynamic table the $num_projects/$results variables are used. First $num_projects is checked to see if any rows were returned from the database table; if so, $results is used to retrieve those records and build the table rows.



The list users script follows the same pattern. First it checks to see if the logged- in user has admin rights:


<?php
ob_start();
session_start();   // required, otherwise $_SESSION below is never set
include "../dbcon.php";
include "../functions.php";

//make sure that the user that is logged on has the right access
if(isset($_SESSION['level'])){
    $level = $_SESSION['level'];
    //if the access level is not admin, send the user back to the login page
    if($level != "admin"){
        header("location:../login.php");
        exit;   //stop here, or the user list is still sent after the redirect header
    }
}else{
    //session var is not set, user should not be on this page, redirect
    header("location:../login.php");
    exit;
}//end session check
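The list projects and list users scripts each carry their own copy of this admin check. As an added example (not the article's code), the same gate as one shared helper that every admin page includes; it is assumed to live in a file named auth.php beside the admin scripts, a name the article does not use.

```php
<?php
// Added example, not the article's code: a single admin gate that every admin
// page includes, in place of the check copied into list_projects.php and
// list_users.php. Assumed to be saved as auth.php next to those scripts.
function require_admin(string $loginUrl = "../login.php"): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();  // the article's list scripts never call this
    }
    // The article's test "if(!$level == 'admin')" applies ! to $level first, so
    // it compares false with "admin" and lets any non-empty level through, admin
    // or not. A strict comparison on the session value itself cannot be misread.
    if (!isset($_SESSION['level']) || $_SESSION['level'] !== "admin") {
        header("Location: " . $loginUrl);
        exit;  // without exit the project or user list is still sent after the redirect header
    }
}

// At the top of list_projects.php, list_users.php and the other admin scripts:
//   require "auth.php";
//   require_admin();
```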

Then it retrieves the users from the database:

//otherwise extract all users from users table
$getusers = "SELECT uid,uname FROM users ORDER BY uid";
$result = mysql_query($getusers);
if(!$result){
    echo mysql_error();
}else{
    $num_users = mysql_num_rows($result);
}
?>

The exact same pattern is followed; the query result is stored in the $result variable and the number of rows retrieved is stored in $num_users. Both of these will be used to build a dynamic table as the script is parsed:

<?php
if($num_users > 0){
    while($rowusers = mysql_fetch_assoc($result)){
?>
<tr>
  <td><?php echo htmlspecialchars($rowusers['uname']);?></td> <!-- escape the username before it is put into the page -->
  <td><a href="edit_user.php?uid=<?php echo (int)$rowusers['uid'];?>">Change</a> | <a href="del_user.php?uid=<?php echo (int)$rowusers['uid'];?>">Delete</a></td>
</tr>
<?php
    }
}else{ ?>
<tr>
  <td colspan="3"><p>There are no users in the table, click on &quot;Add user&quot; to add new ones.</p></td>
</tr>
<?php
}?>

