
How to secure your admin for other users


4 replies to this topic

#1   steefking

steefking
  • Members
  • 25 posts

Posted 02 November 2011 - 09:44 AM

I use the module Secure Admin Login-Logout. I would like to use the following code in the header of my admin, so that other users can handle orders only and can't go to tools or other places where they don't belong.

// Assumed context: admin/includes/header.php, after DIR_WS_ADMIN is defined.
// The username comes from HTTP basic authentication (PHP_AUTH_USER or REMOTE_USER).
$auth_user = '';
if (isset($_SERVER['PHP_AUTH_USER'])) {
    $auth_user = $_SERVER['PHP_AUTH_USER'];
} elseif (isset($_SERVER['REMOTE_USER'])) {
    $auth_user = $_SERVER['REMOTE_USER'];
}

// admin1 and admin2 may open every page; everyone else only the order-handling pages.
if (($auth_user !== 'admin1') && ($auth_user !== 'admin2')) {
    $allowed_pages = array('orders.php', 'invoice.php', 'index.php', 'login.php', 'packing_slip.php', 'customers.php');
    $allowed = false;
    foreach ($allowed_pages as $page) {
        if ($_SERVER['SCRIPT_NAME'] === DIR_WS_ADMIN . $page) {
            $allowed = true;
        }
    }
    if (!$allowed) {
        die("<br><br><center>You are not authorized to view this page.\n\n</center>");
    }
}

But it doesn't work with Secure Admin Login-Logout, because it looks somewhere else for the users. So does someone know what I have to change in Secure Admin Login-Logout so it will work? It does work, but it now blocks all users from all the other options, like tools.

Steven

#2   Taipo

Taipo
  • Members
  • 754 posts

Posted 05 November 2011 - 03:46 PM

Try this Steven and let me know if it works:

 
	// Script name worked out the way osCommerce 2.3.1 does it ($HTTP_SERVER_VARS there is the old alias of $_SERVER).
	$PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $_SERVER['SCRIPT_NAME' ] ) ) ? basename( $_SERVER[ 'PHP_SELF' ] ) : basename( $_SERVER[ 'SCRIPT_NAME' ] );
	if ( defined( 'DIR_WS_ADMIN' ) ) {
		// Anchored and with the dot escaped, so only these exact file names pass, not a page whose name merely contains one of them.
		$allowedpages = preg_match('/^(?:orders|invoice|index|login|packing_slip|customers)\.php$/i', $PHP_SELF );
		// Full admins see every page; assumes the logged-in name is in $admin['username'].
		if ( isset( $admin['username'] ) && ( ( $admin['username'] == 'admin1' ) || ( $admin['username'] == 'admin2' ) ) ) $allowedpages = true;
		if ( false === ( bool )$allowedpages ) die( "<br><br><center><font face=verdana size=1>You are not authorized to view this page.<br />\n[<a href=./index.php>Click here</a>] to return to admin</font><br />\n</center>" );
	}


Assumes that the username is determined via $admin['username'].

To make sure $PHP_SELF is reporting correctly, I included the $PHP_SELF code from 2.3.1.

I also added a link back to the admin page if the error is called.

A better method would be to restrict the options in the left column to specific users.

This way above is a bit clunky but it might work.
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Ignore this link - just a honeypot site to test my ideas out for osC_Sec and allow the site to be picked up by attackers.
- Fix the admin login bypass exploit here

#3   Taipo

Taipo
  • Members
  • 754 posts

Posted 05 November 2011 - 04:25 PM

In the addon 'Secure Admin Login-Logout' it seems they are using $psName as the admin username. But it seems that $psName can be set by merely making the form post operation, and the authenticated username is set via a cookie session, so it may not be safe to just add $psName into the legitimate username list:

if ( ( $psName == 'admin1' ) || ( $psName == 'admin2' ) ) $allowedpages = true;

That would be rather unsafe I would think.
In my first example, $admin['username'] is taken from the 2.2rc2 Administration Tool

So I might need to think about this a bit more.

Edited by Taipo, 05 November 2011 - 04:29 PM.


#4   steefking

steefking
  • Members
  • 25 posts

Posted 11 December 2011 - 11:18 AM

Taipo, on 05 November 2011 - 04:25 PM, said:

In the addon 'Secure Admin Login-Logout' it seems they are using $psName as the admin username. But it seems that $psName can be set by merely making the form post operation, and the authenticated username is set via a cookie session, so it may not be safe to just add $psName into the legitimate username list:

if ( ( $psName == 'admin1' ) || ( $psName == 'admin2' ) ) $allowedpages = true;

That would be rather unsafe I would think.
In my first example, $admin['username'] is taken from the 2.2rc2 Administration Tool

So I might need to think about this a bit more.


First of all, many thanks. I'm a little bit late with my reaction. Unfortunately it didn't work yet.

Maybe it doesn't know what $psName means in the header?

Would it maybe be a solution if I use 2 portals for securing the admin, i.e. this one and the htaccess security?

Greets,

Steven

Edited by steefking, 11 December 2011 - 11:18 AM.


#5   Taipo

Taipo
  • Members
  • 754 posts

Posted 12 December 2011 - 08:03 PM

It would probably be better use of time to develop an actual addon that has an admin section that allows for the main admin to assign accessible sections to other admins. The allowed pages list might be better set from an added table in the database. That sort of thing.

Yes, certainly use htpasswd basic authentication to protect the admin section, but the above would be my suggestion for you. Perhaps there is a developer here who might want to look at this sort of thing (assuming someone hasn't already done one - to be honest I haven't really looked around).
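Added example, not code from this thread, from osCommerce or from the Secure Admin Login-Logout addon: a sketch of the per-admin allowed-pages table Taipo suggests in post #5, wired up so that the identity comes from the server-side session (the concern raised in post #3) and the page name is compared as a whole file name (the allowlist from post #2). The table name admin_page_access, the session key admin_username and all function names are assumptions; the data is constructed and lives in an in-memory SQLite database so the script runs on its own (it needs the pdo_sqlite extension).

```php
<?php
// Added example (not from the thread or from osCommerce): per-admin page allowlist
// in a database table, looked up with the username held in the server-side session.
// Request-controlled variables such as $psName or $_POST are never consulted.
declare(strict_types=1);

// Assumed table; in a real install this would be created once by the addon's installer.
const SCHEMA_SQL = "
CREATE TABLE admin_page_access (
    admin_username VARCHAR(64)  NOT NULL,
    page           VARCHAR(128) NOT NULL,
    PRIMARY KEY (admin_username, page)
);";

// Pages every logged-in admin may open: the landing page and login/logout.
const ALWAYS_ALLOWED = ['index.php', 'login.php', 'logout.php'];

/**
 * Identity comes from the session only. Returns null when nobody is logged in,
 * so every caller fails closed. Assumed session key: admin_username.
 */
function current_admin_username(array $session): ?string
{
    $name = $session['admin_username'] ?? null;
    return (is_string($name) && $name !== '') ? $name : null;
}

/**
 * Reduce SCRIPT_NAME / PHP_SELF to a bare, lower-cased file name so that the
 * allowlist compares whole names ("orders.php"), never substrings.
 */
function normalize_page(string $scriptName): string
{
    return strtolower(basename($scriptName));
}

/** True when the table lists $page for $username, or the page is always allowed. */
function admin_may_open(PDO $db, ?string $username, string $page): bool
{
    if ($username === null) {
        return false;                               // not logged in: deny
    }
    $page = normalize_page($page);
    if (in_array($page, ALWAYS_ALLOWED, true)) {
        return true;
    }
    // Prepared statement: the username and page are bound, not interpolated.
    $stmt = $db->prepare(
        'SELECT 1 FROM admin_page_access WHERE admin_username = ? AND page = ? LIMIT 1'
    );
    $stmt->execute([$username, $page]);
    return $stmt->fetchColumn() !== false;
}

/** Gate for the top of admin/includes/header.php: stops the request when denied. */
function enforce_page_access(PDO $db, array $session, array $server): void
{
    $page = $server['SCRIPT_NAME'] ?? $server['PHP_SELF'] ?? '';
    if (!admin_may_open($db, current_admin_username($session), $page)) {
        http_response_code(403);
        exit('You are not authorized to view this page.');
    }
}

// Self-contained demonstration with constructed data in an in-memory SQLite database.
function demo(): void
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec(SCHEMA_SQL);

    // Constructed sample rows: admin1 is a full admin, orderclerk handles orders only.
    $insert = $db->prepare('INSERT INTO admin_page_access (admin_username, page) VALUES (?, ?)');
    foreach (['orders.php', 'invoice.php', 'packing_slip.php', 'customers.php', 'tools.php'] as $p) {
        $insert->execute(['admin1', $p]);
    }
    foreach (['orders.php', 'invoice.php', 'packing_slip.php', 'customers.php'] as $p) {
        $insert->execute(['orderclerk', $p]);
    }

    $cases = [
        ['orderclerk', '/admin/orders.php',  true],
        ['orderclerk', '/admin/tools.php',   false],
        ['orderclerk', '/admin/reindex.php', false],  // contains "index" but is not index.php
        ['admin1',     '/admin/tools.php',   true],
        [null,         '/admin/orders.php',  false],  // no session: deny
    ];
    foreach ($cases as [$user, $page, $expected]) {
        $got = admin_may_open($db, $user, $page);
        printf("%-11s %-20s %s\n", $user ?? '(nobody)', $page, $got === $expected ? 'ok' : 'MISMATCH');
    }
}

demo();
```

In a real install the header would call enforce_page_access($db, $_SESSION, $_SERVER) after session_start(), and the main admin would maintain the admin_page_access rows from an admin screen rather than by hand. The deny-by-default shape is the point: an unknown page, an unknown user or a missing session all end in a 403, and nothing the browser sends (form fields, cookies it can set itself) feeds into the decision.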