
Simple Admin Access Control


Simple Admin Access Control 1.0

Dec 07, 2004

Authors: Jared Call

 

 

What this contrib does:

========================

 

This contribution very simply adds the ability to limit sub-admin users to access only certain areas of the osCommerce administrative area. It assumes that you have already created these users in your host's control panel, requiring login to the /admin area with one of these usernames.

 

Disclaimer: This contrib has been designed for and tested with osCommerce 2.2 MS2. While it should easily work, perhaps with minor modifications, with other versions of osCommerce, it has not been tested as such.

 

If you find this contribution useful, please support the osCommerce project by becoming an osCommerce Community Sponsor. At the time of this writing, details of Community Sponsorship can be found at http://www.oscommerce.com/about/news,111 .

 

Downloadable from: http://www.oscommerce.com/community/contributions,2701

Edited by jcall

Hi,

Ok using what you've said I've got the following users setup in my htaccess file...

 

admin

test

 

admin, is to have total rights, whilst test is to have limited rights, well using what you've said, I changed the script so only ONE user, admin, is listed at the top.

 

using this rule you say that admin will have total access and test, only limited

 

Guess what, it doesn't work...

 

All users are limited.


Please post your modified code here so that I can have a look.

 

-jared

 

 

Actually I put it back the way it was, and still nothing, here's the code...

 

  if ($messageStack->size > 0) {
   echo $messageStack->output();
 }

 if ( ($PHP_AUTH_USER!=admin) && ($PHP_AUTH_USER!=admin) )
 {
   if ( ($PHP_SELF != "/admin/orders.php") &&
        ($PHP_SELF != "/admin/invoice.php") &&
        ($PHP_SELF != "/admin/packing_slip.php") &&
        ($PHP_SELF != "/admin/customers.php") )
   { die("<br><Br><center>You are not authorized to view this page.\n\n</center>"); }
 }


?>


Ahh, there's the problem. If you have only one user, change the first line from:

if ( ($PHP_AUTH_USER!=admin) && ($PHP_AUTH_USER!=admin) )

 

to:

if ($PHP_AUTH_USER!=admin)

 

Edit: On second thought - - that's probably not the problem. Back in a few minutes.

 

-jared

Edited by jcall

Ok - - I just copied-n-pasted from your post into my includes/admin/header.php, then changed the username from admin to one of my admin usernames. It worked for me with no other changes.

 

As a troubleshooting step, change this line:

    <td><?php echo tep_image(DIR_WS_IMAGES . STORE_LOGO, STORE_NAME); ?></td>

 

to this:

    <td><?php echo $PHP_AUTH_USER; echo tep_image(DIR_WS_IMAGES . STORE_LOGO, STORE_NAME); ?></td>


 

Log in to the admin area, then click on Customers or one of the other "allowed" areas. Your username, as recorded by $PHP_SELF, should show up in the top left corner of the screen. Is it correct?

 

-jared


Hmm ... Didn't work for me ....

 

There is only 1 Admin (myself) and now the client...

 

I tried every which way I can think of....

 

I added my name .... took off my name... nothing...

 

the only thing I can get to is the main admin page....then I can't access anything.

 

right now I left it at this:

<?php
/*
 $Id: header.php,v 1.19 2002/04/13 16:11:52 hpdl Exp $

 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com

 Copyright (c) 2002 osCommerce

 Released under the GNU General Public License
*/

 if ($messageStack->size > 0) {
   echo $messageStack->output();
 }

 if ( ($PHP_AUTH_USER!=adminuser1) && ($PHP_AUTH_USER!=secondusernotused) )
 {
   if ( ($PHP_SELF != "/admin/orders.php") &&
        ($PHP_SELF != "/admin/invoice.php") &&
        ($PHP_SELF != "/admin/packing_slip.php") &&
        ($PHP_SELF != "/admin/customers.php") )
   { die("You are not authorized to view this page.\n\n"); }
 }

 ?>

 

for adminuser1 I had put my actual username .... I never did use the second user name so I had changed it to what you see above...as I was just trying to test...

 

I'm under the impression anyone not in $PHP_AUTH_USER!= will get to access everything...everyone else will be limited to the above pages? right?

 

:::Edited::::

oh didn't use htaccess ... only using control panel.... using firefox..and then tried using IE

Edited by TCwho

Ok. I closed out my browsers...which i had not done before...

 

loaded it up..... got to the admin page....click on stuff and kept getting this:

Parse error: parse error, unexpected '{' in /homepages/15/d113630270/htdocs/catalog/admin/includes/header.php on line 18

 

Here is my code:

  if ($messageStack->size > 0) {
   echo $messageStack->output();
 }

 if ( ($PHP_AUTH_USER!=abdurrahman)
      {  if ( ($PHP_SELF != "/catalog/admin/orders.php") &&
              ($PHP_SELF != "/admin/invoice.php") &&
              ($PHP_SELF != "/admin/packing_slip.php") &&
       ($PHP_SELF != "/admin/customers.php") )
           { die("You are not authorized to view this page.\n\n"); }
    }

 

:::Edited:::

oh btw..before (this time after closing my browsers) I was getting the statement under for die in the top left corner....

Edited by TCwho

I'm under the impression anyone not in $PHP_AUTH_USER!= will get to access everything...everyone else will be limited to the above pages? right?

 

Quite the opposite. You list the "superusers" in the file, and everyone else gets rights to only the files listed. The logic is something like this:

If you're NOT one of those users listed, you ONLY get access to the files listed.

 

In retrospect, I imagine it's a bit convoluted. <shrug>

 

-jared

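The allow-list logic Jared describes above (superusers get everything, everyone else gets only the listed pages), written out as an added example that is not the contribution's own code. It also covers the two points raised later in the thread: reading the username from REMOTE_USER when PHP_AUTH_USER is empty, and matching the script name rather than the full path so a /catalog/admin install works. The user and page names are made up, and the web server is assumed to handle the HTTP Basic login as the contribution requires.

```php
<?php
// Added example, not code from the Simple Admin Access Control contribution.
// Usernames and page names below are placeholders for illustration.

// Users who may reach every admin page.
$superusers = array('admin1');

// Script names (no directory) that everyone else may use. Comparing the basename
// instead of the full $PHP_SELF keeps the check working for non-root installs
// such as /catalog/admin or /shop/admin.
$allowed_scripts = array('orders.php', 'invoice.php', 'packing_slip.php', 'customers.php');

// Resolve the authenticated user. Some hosts expose it as REMOTE_USER rather than
// PHP_AUTH_USER (as happened in this thread), so try both. An empty string means
// "not authenticated", which the check below treats as a restricted user.
function sac_current_user($server) {
    foreach (array('PHP_AUTH_USER', 'REMOTE_USER') as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }
    return '';
}

// True when $user may view the script at $script_path. An unknown or empty user
// is never a superuser, so they only get the allow-listed pages; anything not on
// the list is denied (fail closed).
function sac_is_allowed($user, $script_path, $superusers, $allowed_scripts) {
    if ($user !== '' && in_array($user, $superusers, true)) {
        return true;
    }
    return in_array(basename($script_path), $allowed_scripts, true);
}

// SCRIPT_NAME is used instead of PHP_SELF because it does not carry trailing
// path info; strings are quoted rather than bare constants.
$script = isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : '';
$user   = sac_current_user($_SERVER);

if (!sac_is_allowed($user, $script, $superusers, $allowed_scripts)) {
    header('HTTP/1.0 403 Forbidden');
    die('<br><br><center>You are not authorized to view this page.</center>');
}
?>
```

Drop this in place of the original block in admin/includes/header.php; to add a superuser or an allowed page, extend the two arrays at the top rather than editing the comparisons.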

I am also running PHP 4.3.8. If you search the /admin/server_info.php page for PHP_SELF (as opposed to $PHP_SELF) you should see it.

 

I guess it'd be easier to read if it were like this:

  
 if ( ($PHP_AUTH_USER==admin1) || ($PHP_AUTH_USER==admin2) )
   {;
   } else {
      if ( ($PHP_SELF != "/admin/orders.php") &&
           ($PHP_SELF != "/admin/invoice.php") &&
           ($PHP_SELF != "/admin/packing_slip.php") &&
           ($PHP_SELF != "/admin/customers.php") )
        { die("<br><Br><center>You are not authorized to view this page.\n\n</center>"); }
   }

 

I just tested that and it works the same way. I'll resubmit in a couple of days with the easier-to-read code.

 

Sorry for the confusion. It *still* should work for you, though - - do you see PHP_SELF on the server_info.php page?

 

-jared


Let's get some debug output.

 

Change the die statement to read as follows:

         { die("<br>PHP_AUTH_USER: $PHP_AUTH_USER <br>PHP_SELF: $PHP_SELF<Br><center>You are not authorized to view this page.\n\n</center>"); }

Then tell me what you see.

 

-jared


I got this:

PHP_AUTH_USER:
PHP_SELF: /catalog/admin/orders.php
You are not authorized to view this page.

 

after I changed per your instructions to :

 if ($messageStack->size > 0) {
   echo $messageStack->output();
 }

 if ( ($PHP_AUTH_USER==UserNameHere) || ($PHP_AUTH_USER==admin2) )
 {;
 } else {
   if ( ($PHP_SELF != "/admin/orders.php") &&
        ($PHP_SELF != "/admin/invoice.php") &&
        ($PHP_SELF != "/admin/packing_slip.php") &&
        ($PHP_SELF != "/admin/customers.php") )
   { die("<br>PHP_AUTH_USER: $PHP_AUTH_USER <br>PHP_SELF: $PHP_SELF<Br><center>You are not authorized to view this page.\n\n</center>"); }
 }
?>

Edited by TCwho

Well, that's it then. PHP_AUTH_USER has no value. How did you set up the username/password again? Are they in .htaccess and an .htpassword directory? Did you do them yourself or with a control panel of some sort?

 

As an alternate to PHP_AUTH_USER, we could try _SERVER["PHP_AUTH_USER"] or _SERVER["REMOTE_USER"] - - I haven't tried either of those before, but I think it's the same syntax.

 

If you wanted to similarly restrict to a users from a certain IP address, we could use _SERVER["REMOTE_ADDR"].

 

I'll hack at it for a bit - - you do the same.

 

-jared


Try this, for debug output:

  if ( ($PHP_AUTH_USER==admin1) || ($PHP_AUTH_USER==admin2) )
   {;
   } else {
    echo "<br>PHP_AUTH_USER:  " . $PHP_AUTH_USER;
    echo "<br>PHP_SELF:  " . $PHP_SELF;
    echo "<br>_SERVER[PHP_AUTH_USER]:  " . $_SERVER['PHP_AUTH_USER'];
    echo "<br>_SERVER[REMOTE_USER]:  " . $_SERVER['REMOTE_USER'];
    echo "<br>_SERVER[REMOTE_ADDR]:  " . $_SERVER['REMOTE_ADDR'];
       if ( ($PHP_SELF != "/admin/orders.php") &&
           ($PHP_SELF != "/admin/invoice.php") &&
           ($PHP_SELF != "/admin/packing_slip.php") &&
           ($PHP_SELF != "/admin/customers.php") )
        { die("<br><br><center>You are not authorized to view this page.\n\n</center>"); }
   }

 

Let me know if you get results for any of those variables.

 

-jared

Edited by jcall

I had no idea Xoops had an e-commerce module. I guess that only makes sense, but it shows you what I know. :)

 

I'm glad you got it working!

 

For anyone following along, the $_SERVER[REMOTE_USER] variable was what worked in this case to get the username.

 

He also noted that the original instructions (to be amended in the next rev) do not account for a non-root (i.e. /catalog or /shop or ecommerce/shop, etc.) installation. The easy workaround should be to just modify the file paths in the instructions to fit your installation.

 

Thanks, Danilov!

 

-jared

Edited by jcall

:D

 

Glad to help

 

and Thanks to you for a Great Simple Admin Access Control Contribution

 

oh and I don't know if xoops had an osc module....first tried xoops...then mambo...then found osc....

 

and haven't looked back....well for this type of application :thumbsup:


  • 2 weeks later...

ok I'm using your simple admin cont and here is my problem, there are two user names, the first admin1 will be my username and needs to have access to everything and the second is admin2 which is the one I need to constrict.

 

if ( ($PHP_AUTH_USER==admin1) || ($PHP_AUTH_USER==admin2) )
  {;
  } else {
     if ( ($PHP_SELF != "/admin/orders.php") &&
          ($PHP_SELF != "/admin/invoice.php") &&
          ($PHP_SELF != "/admin/packing_slip.php") &&
          ($PHP_SELF != "/admin/customers.php") )
       { die("<br><Br><center>You are not authorized to view this page.\n\n</center>"); }
  }

 

that is what i am using and am having everything blocked on both accounts, any ideas?

There are many very useful OsC Contributions

BACKUP BACKUP BACKUP!!! You did backup, right??

And remember if you didnt back up its not a big deal, You

just have to do everything all over again.


sorry for the delay - - things have been very hectic. :(

 

Everything is being blocked? Even orders.php, invoice.php, and the other two?

 

Have you tried the troubleshooting steps earlier in the thread about using $_SERVER[REMOTE_USER] instead of $PHP_AUTH_USER ?

 

-jared
