
Show and Hide Content Based on User Access Levels

Dreamweaver can help

Dreamweaver's native Log In User server behavior, combined with the Restrict Access to Page server behavior, can help you protect your pages from prying eyes. However, when it comes to more fine-grained control of content on pages viewable by users from multiple access levels, Dreamweaver doesn't have anything built in to help you.

Imagine you want to build a content management system (CMS) for your client. They could have three, or more, access levels defined for logged-in users of their site. There may be a systemAdmin user (probably you), a few admin users who perform basic administration work on the site such as approving new content, several author users who create the content that the admin users approve, and finally a bunch of subscriber users who can view articles and also change and modify their own account info.

As part of the CMS that you're building, you might have a control panel page that contains the main navigation links for common tasks performed by all users, such as updating the user password and contact information. All of this is easily handled by the Restrict Access to Page server behavior so that all logged-in users can see your common content. If you have links to pages that are significant only to certain users (for example, pages for approving articles, which only the admin users need), you'd probably rather not create a special login just for admin users. You'd also rather not show links that other access levels shouldn't see, and probably can't even visit if you're properly restricting access to those pages using the Restrict Access To Page server behavior.

Note: To read up on using the server behaviors mentioned above, take a look at Using the Log in Server Behavior (www.communitymx.com/content/article.cfm?cid=A222302CBCA928EB) and Access Level and Login for PHP (www.communitymx.com/abstract.cfm?cid=78EEB) and ASP (www.communitymx.com/abstract.cfm?cid=DFB68). Or check out our Liverpool JumpStart (www.communitymx.com/abstract.cfm?cid=3777A), which contains a page set design that includes password-protected pages.

So how do you balance the two competing needs: a main control panel page that displays common links and also displays links that only specified users can access? One way to do this would be to analyze the code Dreamweaver uses to determine if a user can log in, or check out the code that is used to determine if a logged-in user can access a restricted page. We've taken a close look at these server behaviors for you and determined that Dreamweaver's Log In User and Restrict Access To Page server behaviors write code to your page that uses session variables to maintain information about whether a user is logged in and what access level is assigned to them.

Note: CF users, make sure you have sessionmanagement turned on in your Application.cfm to enable sessions. For an article on doing this, check out: "Enabling Session Variables in ColdFusion" (www.communitymx.com/content/article.cfm?cid=62595).

ASP and ColdFusion use a session variable named MM_UserAuthorization and PHP uses a session variable named MM_UserGroup to identify the access level for a logged-in user. So checking that a user's MM_UserAuthorization, or MM_UserGroup, value is part of a list of valid access levels (or alternately checking that their access level is not part of the list) will help you determine if you need to show or hide a particular piece of content.

In the sample code, we're using access levels for our users where 1 = System Admin, 2 = Admin, 3 = Users. ASP VBScript does things a little differently than ColdFusion and PHP, so we'll tackle PHP and ColdFusion together and then get on to VBScript further down the article. The support files contain sample pages written in ColdFusion, PHP and ASP VBScript that show content based upon the access level examples. You can test with the included Access MDB file, or use the .sql file to create your own MySQL table.

Showing Content for ColdFusion and PHP
To show content when a user is a System Admin (1), use the following to wrap around your content:

ColdFusion:
<cfif ListContains("1", Session.MM_UserAuthorization)>
Content to show if user in proper access level.
</cfif>

PHP:
<?php
$accessLevels = array("1");
$validLevel = $_SESSION['MM_UserGroup'];
if(array_search($validLevel, $accessLevels)>-1){
?>
<p>System Admin users (1)</p>
<?php
}
?>

If you want to show content to System Admins (1) and to Admin (2) users, wrap your content with the following:

ColdFusion:
<cfif ListContains("1,2", Session.MM_UserAuthorization)>
Content to show if user in proper access level.
</cfif>

PHP:
<?php
$accessLevels = array("1","2");
$validLevel = $_SESSION['MM_UserGroup'];
if(array_search($validLevel, $accessLevels)>-1){
?>
Content to show if user in proper access level
<?php
}
?>

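Please note that in the code being used here ColdFusion uses a single quoted, comma-separated string such as "1,2", whereas PHP uses a comma-separated list of quoted strings, as in "1","2". Also note that ListContains matches when a list element contains the value as a substring, so a level of 1 would also match a list entry such as 12. That is not a problem with the single-digit levels used here; if your access level values can overlap in that way, ColdFusion's ListFind function performs an exact element match instead.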

Hiding Content for ColdFusion and PHP
To hide content from System Admin (1) users, showing it only when the user is not part of that access level, use the following:

ColdFusion:
<cfif Not ListContains("1", Session.MM_UserAuthorization)>
Content to show if user *not* in proper access level.
</cfif>

PHP:
<?php
$accessLevels = array("1");
$validLevel = $_SESSION['MM_UserGroup'];
if(array_search($validLevel, $accessLevels)===FALSE){
?>
Content to show if user *not* in proper access level.
<?php
}
?>

Please note: The hiding for PHP is handled a little differently than the showing is. The array_search function returns the key of the item if it exists in the array of values; however, it returns FALSE when it doesn't find the value. As such, when checking that a value is not within the array, you have to use the identical operator (===) to check that the result is FALSE. If you just used the equal operator, as in if(array_search($validLevel, $accessLevels)==FALSE), the test could evaluate to true when the value *is* found within the array at the zeroth element. This is because 0 is equivalent to FALSE under the equal operator, whereas the identical operator distinguishes between 0 and FALSE.

To hide content when a user is a System Admin (1) or an Admin (2) user, wrap your content with the following:

ColdFusion:
<cfif Not ListContains("1,2", Session.MM_UserAuthorization)>
Content to show if user *not* in proper access level.
</cfif>

PHP:
<?php
$accessLevels = array("1", "2");
$validLevel = $_SESSION['MM_UserGroup'];
if(array_search($validLevel, $accessLevels)===FALSE){
?>
Content to show if user *not* in proper access level.
<?php
}
?>
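
The 0-versus-FALSE point from the PHP note above, together with a deny-by-default check for a missing session value, as an added example (not code from the article or its support files). The helper names userHasAccess(), looseNotFound() and strictNotFound() are hypothetical, the sample sessions are constructed, and PHP 7 or later is assumed.

```php
<?php
// Added example; helper names are hypothetical, not Dreamweaver's.
// MM_UserGroup is the session key the article names for PHP.

// Deny-by-default check: true only if the session holds an allowed level.
function userHasAccess(array $allowedLevels, array $session): bool
{
    $raw = $session['MM_UserGroup'] ?? null;
    // Not logged in, empty, or a non-scalar value: treat as no access.
    if (!is_scalar($raw) || is_bool($raw) || $raw === '') {
        return false;
    }
    // Compare as strings with strict matching, so "01" or " 1" never
    // passes for level "1".
    return in_array((string) $raw, array_map('strval', $allowedLevels), true);
}

// The pitfall: a match at key 0 reads as "not found" under ==.
function looseNotFound(string $level, array $levels): bool
{
    return array_search($level, $levels) == false;   // wrong when key is 0
}

function strictNotFound(string $level, array $levels): bool
{
    return array_search($level, $levels) === false;  // distinguishes 0 from FALSE
}

// Constructed sample sessions.
$sysAdmin   = ['MM_UserGroup' => '1'];
$subscriber = ['MM_UserGroup' => '3'];
$anonymous  = [];

$samples = ['sysAdmin' => $sysAdmin, 'subscriber' => $subscriber, 'anonymous' => $anonymous];
foreach ($samples as $name => $s) {
    printf("%-10s admin links: %s\n", $name, userHasAccess(['1', '2'], $s) ? 'show' : 'hide');
}

// System Admin "1" sits at key 0 of the allowed list.
printf("==  FALSE reports not-in-list: %s\n", var_export(looseNotFound('1', ['1', '2']), true));
printf("=== FALSE reports not-in-list: %s\n", var_export(strictNotFound('1', ['1', '2']), true));
```

Hiding a link this way only changes what is rendered; the linked pages still need the Restrict Access To Page check described earlier in the article.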

ASP VBScript and Searching Arrays
As mentioned earlier, VBScript handles things a little differently. The big difference is that it has no built-in equivalent of the ListContains function in ColdFusion or the array_search function in PHP. Because of this, the code needed to show content in VBScript is slightly more complicated. There are two pieces of code that need to be inserted: a function that determines if an item is within an array, and the code that runs the function to check if a user's access level belongs to a list of access levels.

InArray Function
Place the following code above any content that you wish to be able to show or hide. The function takes two parameters: an array a and a string str. The code loops over the array, finds the 0-based index at which the string matches, and returns that index if found. If the string isn't present, the function returns -1.

<%
Dim accessLevels
Function InArray(a, str)
    Dim idx
    For idx = 0 to UBound(a)
        If CStr(a(idx)) = CStr(str) Then InArray = idx : Exit Function
    Next
    InArray = -1 'Not found, set to -1
End Function
%>

Tip: Place the InArray function into an include that contains your commonly used functions.

Showing Content for ASP VBScript
To show content when a user is a System Admin (1), use the following to wrap around your content:

<%
accessLevels = Array("1")
If InArray(accessLevels, Session("MM_UserAuthorization")) > -1 Then
%>
Content to show if user in proper access level
<%
End If
%>

If you want to show content to System Admins (1) and to Admin (2) users, wrap your content with the following:

<%
accessLevels = Array("1", "2")
If InArray(accessLevels, Session("MM_UserAuthorization")) > -1 Then
%>
Content to show if user in proper access level
<%
End If
%>

Hiding Content for ASP VBScript
To hide content from System Admin (1) users, showing it only when the user is not part of that access level, use the following:

<%
accessLevels = Array("1")
If InArray(accessLevels, Session("MM_UserAuthorization")) = -1 Then
%>
Content to show if user *not* in proper access level
<%
End If
%>

To hide content when a user is a System Admin (1) or an Admin (2) user, wrap your content with the following:

<%
accessLevels = Array("1", "2")
If InArray(accessLevels, Session("MM_UserAuthorization")) = -1 Then
%>
Content to show if user *not* in proper access level
<%
End If
%>

Conclusion
Dreamweaver does a great job of protecting pages with its Log In User and Restrict Access To Page server behaviors. This article has shown you how to take the information stored as part of the login process and use it to show and hide content in ColdFusion, PHP and ASP VBScript pages, so that you have fine-grained control over the content displayed to each type of visitor to your pages.

Tip: Add these short bits of code to your Snippets panel for easy access to your access level show/hide code. For more info on using the Snippets panel, check out: Exploring the Snippets Panel in Dreamweaver (www.communitymx.com/abstract.cfm?cid=AB7D1).

Happy Coding!
