Guest Posted April 8, 2005

Sure! Let's assume that you have 3 users: fulladmin, orderadmin, and productadmin. Try this:

    // give user "fulladmin" full rights
    if ($PHP_AUTH_USER==fulladmin) {;
    } else {
      // give user "orderadmin" rights to just the "order" pages
      if ($PHP_AUTH_USER==orderadmin) {
        if ( ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
             ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
             ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
             ($PHP_SELF != DIR_WS_ADMIN . "customers.php") ) {
          die("<br><br><center>You are not authorized to view this page.\n\n</center>");
        }
      } else {
        // give user "productadmin" rights to just the "product" pages
        if ($PHP_AUTH_USER==productadmin) {
          if ( ($PHP_SELF != DIR_WS_ADMIN . "categories.php") &&
               ($PHP_SELF != DIR_WS_ADMIN . "products_attributes.php") &&
               ($PHP_SELF != DIR_WS_ADMIN . "manufacturers.php") &&
               ($PHP_SELF != DIR_WS_ADMIN . "specials.php") ) {
            die("<br><br><center>You are not authorized to view this page.\n\n</center>");
          }
        }
      }
      {
        die("<br><br><center>You are not authorized to view this page.\n\n</center>");
      }
    }

I didn't test this, but I think that all of the brackets are in the right place. :) If you want any more users we'd be better off using a case statement instead of so many if statements.

-jared

TCwho Posted April 8, 2005

Wow! That looks good.

Question: do you really need the \n\n? You had already used the <br>, so the \n\n confuses me...

Drop_Shadow How Did You Hear About Us Email HTML Order Link ---- GMT -5:00

Guest Posted April 9, 2005

I don't really remember why I put the newlines in there. I suppose I was planning on writing something insulting to the user for trying to access pages they didn't have rights to. I'm always looking for upwards compatibility. :P The <br> ones were just to improve readability a touch. You could certainly use any of these ones instead:

    { die("<br><br><center><font size=\"10\"><u>You</u></font> are <font size=\"10\">NOT</font> authorized to view this page. Hrpmh.</center>"); }

    { die("<br><br><center>Move along. Nothing to see here, folks.</center>"); }

    { die("<br><br><center>You can't get there from here.</center>"); }

    { die("<br><br><center>Press any _other_ key to continue.</center>"); }

    { die("<br><br><center>Access denied.<br><br>You have failed to comply with one or more of the following restrictions:
      <ul>
        <li>You are not at least<u> THIS </u> tall.</li>
        <li>You are not accompanied by an adult.</li>
        <li>Since this is void where prohibited, and prohibited where you are, it is, well, void.</li>
        <li>This is not a participating location.</li>
        <li>You did not keep your arms and legs inside the ride at all times.</li>
        <li>Terms and Conditions have changed without notice.</li>
        <li>Batteries not included.</li>
        <li>Contents have settled during shipping.</li>
        <li>You are not a trained professional, and this is not a closed course.</li>
        <li>You do not appear to be wearing your safety goggles.</li>
        <li>No shirt, no shoes, well, you know.</li>
        <li>IANAL</li>
        <li>All your base are belong to ME!</li>
        <li>So this dog walks in to a bar . . .</li>
      </ul></center>"); }

-jared

jlevene Posted July 1, 2005

Perfect contrib. Worked 2nd time (had to change the $PHP_AUTH_USER bit).

Thanks

Jeff

tammyblalock Posted August 31, 2005

After hours of testing (MY first contribution installed), I also changed the $PHP_AUTH_USER to $_SERVER[REMOTE_USER] and everything worked fine. I don't know if this info will help determine when to use which, but I'm on a Linux server (Red Hat), with a Plesk management system.

Great Contribution, by the way! Now if I can just master a few others........

Guest Posted September 1, 2005

Tammy,

I'm glad you got it working! Since you mention that this is your first installed contrib, have a look at the "Tools" box on the left side of my blog. There are some handy items there that can make installing contributions much easier.

Thank you for your server details -- hopefully, if a few more people post that detail here, we can have a better understanding of which systems need which variables.

-jared

jack4ya Posted September 23, 2005

> Sure! Let's assume that you have 3 users: fulladmin, orderadmin, and productadmin. Try this:
>
>     // give user "fulladmin" full rights
>     if ($PHP_AUTH_USER==fulladmin) {;
>     } else {
>       // give user "orderadmin" rights to just the "order" pages
>       if ($PHP_AUTH_USER==orderadmin) {
>         if ( ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
>              ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
>              ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
>              ($PHP_SELF != DIR_WS_ADMIN . "customers.php") ) {
>           die("<br><br><center>You are not authorized to view this page.\n\n</center>");
>         }
>       } else {
>         // give user "productadmin" rights to just the "product" pages
>         if ($PHP_AUTH_USER==productadmin) {
>           if ( ($PHP_SELF != DIR_WS_ADMIN . "categories.php") &&
>                ($PHP_SELF != DIR_WS_ADMIN . "products_attributes.php") &&
>                ($PHP_SELF != DIR_WS_ADMIN . "manufacturers.php") &&
>                ($PHP_SELF != DIR_WS_ADMIN . "specials.php") ) {
>             die("<br><br><center>You are not authorized to view this page.\n\n</center>");
>           }
>         }
>       }
>       {
>         die("<br><br><center>You are not authorized to view this page.\n\n</center>");
>       }
>     }
>
> I didn't test this, but I think that all of the brackets are in the right place. :) If you want any more users we'd be better off using a case statement instead of so many if statements.
>
> -jared

This doesn't work (well, it doesn't work when I try).

I've tried the simpler version and that works without any modification. So no problems on the $PHP_AUTH_USER bit for me.

I'll redo it and post the output.

Kenja Posted September 27, 2005

Awesome contribution! Was going to write my own when I came across this one. Simple and very functional.

It took me a while to figure out why $PHP_AUTH_USER wasn't working on my website. In case anyone is curious, it's because I'm running a CGIwrap version of PHP. That's probably why people are having troubles... If you run CGIwrap, you'll need to use the $_SERVER[REMOTE_USER] variable instead.

Thanks!

Ken

Guest Posted September 30, 2005

Great find! Thanks, Ken!

-jared

roedel Posted October 16, 2005

Great contribution, worked immediately.

Thanxxxxxxxs :-)

theroo Posted October 18, 2005

Hi there,

I've used $PHP_AUTH_USER and $_SERVER[REMOTE_USER] with and without the ' ' and still I can't seem to access any of the admin files if I log in as the secondary admin.

I'm using the exact code

    if ($PHP_AUTH_USER==admin1) {;
    } else {
      if ( ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "customers.php") ) {
        die("<br><br><center>You are not authorized to view this page.\n\n</center>");
      }
    }

and I have created a secondary user in cPanel. Unfortunately I still get the 'you are not authorized' message when trying to open any of the paths it is meant to be authorised.

Is there something I'm missing somewhere?

Thanks

Joe

theroo Posted October 18, 2005

Alright, I found the problem: the DIR_WS_ADMIN doesn't work for some reason, so I have to put /path/orders.php etc.

Just for the record, for anyone out there who has this issue too!

chooch Posted November 18, 2005

Hi,

this seems a really easy to use and install contribution....

... can someone please tell me the biggest difference between this and the Admin Access Level contribution, apart from having to take ages installing that and adding extra SQL instructions for contributions added on!

Thanks

Upon receiving fixes and advice, too many people don't bother to post updates informing the forum of how it went. Until of course they need help again on other issues and they come running back! Why receive the information you require in good faith for free, only to then have the attitude to ignore the people who gave it to you? There's no harm in saying, 'Thanks, it worked'. On the contrary, it creates a better atmosphere. CHOOCH

theroo Posted November 18, 2005

> Hi,
>
> this seems a really easy to use and install contribution....
>
> ... can someone please tell me the biggest difference between this and the Admin Access Level contribution, apart from having to take ages installing that and adding extra SQL instructions for contributions added on!
>
> Thanks

I haven't used the AAL contrib, but this IS really easy to mod... I suggest you use this one.

chooch Posted November 18, 2005

>     if ($PHP_AUTH_USER==admin1) {;
>     } else {
>       if ( ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
>            ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
>            ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
>            ($PHP_SELF != DIR_WS_ADMIN . "customers.php") ) {
>         die("<br><br><center>You are not authorized to view this page.\n\n</center>");
>       }
>     }

Hi,

is there a way to reverse the set-up so that the listed files are the ones that CANNOT be viewed (unless admin authorised)?

Thanks

theroo Posted November 18, 2005

> Hi,
>
> is there a way to reverse the set-up so that the listed files are the ones that CANNOT be viewed (unless admin authorised)?
>
> Thanks

To be honest, there aren't that many files in admin anyway, so I'm not sure why you'd want to do that.

Guest Posted November 18, 2005

Aleem -

Admin Access Levels has more features, but is a bit overkill, in my opinion, for what most people want. It includes:

- create additional administrative users from osC Admin
- new admin users get emailed their password
- admin users can change their "user profile" (i.e. password / email address / name) from the osC admin
- every time you add a new admin file, like a new report or something, you have to slightly modify the syntax (it's fairly obvious) of how you reference that file in admin/includes/boxes/reports.php (assuming it's a new report). Then, you have to go into the Admin area and "store" that new admin file in the proper menu.
- new pretty admin login that doesn't rely on you having to create .htaccess / .htpasswd files.
- admin user and admin access configuration is stored in the database
- it's much more involved to install

This contrib is really simple - - you create the users in your control panel, or manually using one of the many many web-based .htaccess / .htpassword creation tools, and then you put those usernames in admin/includes/header.php. Either they have access to the files you specify, or they don't. Nothing fancy. After you create the users, you edit one file: admin/includes/header.php, pasting in a few lines.

If you want to reverse the functionality, and specify which files to deny, rather than grant, then change this:

    if ( ($PHP_AUTH_USER==admin1) || ($PHP_AUTH_USER==admin2) ||
         ($_SERVER[REMOTE_USER]==admin1) || ($_SERVER[REMOTE_USER]==admin2) ) {;
    } else {
      echo $_SERVER[REMOTE_USER];
      if ( ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "customers.php") ) {
        die("<br><br><center>You are not authorized to view this page.\n\n</center>");
      }
    }

to this:

    if ( ($PHP_AUTH_USER==admin1) || ($PHP_AUTH_USER==admin2) ||
         ($_SERVER[REMOTE_USER]==admin1) || ($_SERVER[REMOTE_USER]==admin2) ) {
      // a page can match only one of these names, so the tests are joined with ||
      if ( ($PHP_SELF == DIR_WS_ADMIN . "orders.php") ||
           ($PHP_SELF == DIR_WS_ADMIN . "invoice.php") ||
           ($PHP_SELF == DIR_WS_ADMIN . "packing_slip.php") ||
           ($PHP_SELF == DIR_WS_ADMIN . "customers.php") ) {
        die($_SERVER[REMOTE_USER] . "<br><br><center>You are not authorized to view this page.\n\n</center>");
      } else {
        ;
      }
    }

That should deny the admin1 and admin2 users from orders.php, invoice.php, packing_slip.php, and customers.php.

-jared

chooch Posted November 19, 2005

Jared - thanks for the reply.

Yes, this is by far an easier way to allow admin access levels.

Thanks for the post, it is easier to keep it as it is.

BTW, I have the following code:

    ===============================================================
    if ($PHP_AUTH_USER==USERNAME) {;
    } else {
      if ( ($PHP_SELF != DIR_WS_ADMIN . "mail.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "customers.php") ) {
        die("<br><br><center>You are not authorized to view this page.\n\n</center>");
      }
    }
    ===============================================================

Is this the latest and best code to have? It differs from what you posted above.

Thanks

Edited November 19, 2005 by chooch

Guest Posted November 23, 2005

Aleem - - there is nothing wrong with your code. I've modified mine to allow for multiple admins, but also because some servers seem to work with $PHP_AUTH_USER, while other servers seem to ignore it completely and use $_SERVER[REMOTE_USER]. Since that code snippet now has both of them in there, it should work on both of those types of servers.

HTH

-jared

mtveten Posted January 9, 2006

Has anybody gotten this contrib to work with SSL enabled on the admin side?

Mark

Guest Posted January 19, 2006

Hi,

I am looking at installing this module but I have some questions:

My osCommerce site is hosted on ipowerweb servers. How do I create other users, since I do not have ssh access? I would like to create multiple users and assign them different access rights....

Has anyone done this using ipowerweb hosting? On the ipowerweb control panel I can create email accounts and ftp users, but I do not know how to create users that are allowed to log in to the osCommerce admin section...

Please help... Thanks in advance...

Guest Posted January 24, 2006

Hi,

can anyone please help me with my questions.... see below...

Thanks

> Hi,
>
> I am looking at installing this module but I have some questions:
>
> My osCommerce site is hosted on ipowerweb servers. How do I create other users, since I do not have ssh access? I would like to create multiple users and assign them different access rights....
>
> Has anyone done this using ipowerweb hosting? On the ipowerweb control panel I can create email accounts and ftp users, but I do not know how to create users that are allowed to log in to the osCommerce admin section...
>
> Please help... Thanks in advance...

Guest Posted January 27, 2006

You should be able to create new users using iPowerweb's control panel. It may be listed under "password protect directory" or something like that.

-jared

BuddahBoy Posted March 21, 2006

> You should be able to create new users using iPowerweb's control panel. It may be listed under "password protect directory" or something like that.
>
> -jared

Hi Jared -

I tried everything mentioned previously - did create users and can log in using "fulladmin" and use all functions; when logged in as "orderadmin" it gets to the admin page and then everything else is blocked.

Tried:

    if ($_SERVER[REMOTE_USER]==fulladmin) {;
    } else {
      if ( ($PHP_SELF != DIR_WS_ADMIN . "/osCommerce2/catalog/admin/orders.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "/osCommerce2/catalog/admin/packing_slip.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "/osCommerce2/catalog/admin/customers.php") ) {
        die("<br><br><center>You are not authorized to view this page.\n\n</center>");
      }
    }

Tried it with $PHP_AUTH_USER instead of $_SERVER, tried it without the directory path and withOUT the directory path.

Any help for me here?

Thanks much in advance!

Ron

Edited March 21, 2006 by BuddahBoy

Guest Posted March 23, 2006

Try using statements like this to debug what's going on:

    die($PHP_SELF);

or

    die($PHP_AUTH_USER);

or

    die($_SERVER[REMOTE_USER]);

The "die" command will halt execution of the script, and display whatever is in the ().

-jared
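
An added example, not part of any post above and not the contribution's own code: the same per-user page restriction written as a deny-by-default allow-list. It accepts the user name from either server variable discussed in the thread and matches on the script's file name, so it does not depend on DIR_WS_ADMIN; the function names and the $ADMIN_ACL array are hypothetical.

```php
<?php
// Added example. User names and page lists are the ones used in this thread.
// Per-user allow-list of admin scripts; '*' means every admin page.
$ADMIN_ACL = array(
    'fulladmin'    => array('*'),
    'orderadmin'   => array('orders.php', 'invoice.php', 'packing_slip.php', 'customers.php'),
    'productadmin' => array('categories.php', 'products_attributes.php', 'manufacturers.php', 'specials.php'),
);

// Name of the user the web server authenticated. Depending on how PHP is
// run it arrives as REMOTE_USER (reported above for CGIwrap) or PHP_AUTH_USER.
function acl_current_user(array $server)
{
    foreach (array('REMOTE_USER', 'PHP_AUTH_USER') as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }
    return null;
}

// Decide from the ACL alone: unknown users and unlisted pages are denied.
// Pass SCRIPT_NAME, not PHP_SELF: PHP_SELF also carries any extra path
// text appended to the URL, which would change what basename() returns.
function acl_is_allowed(array $acl, $user, $script)
{
    if ($user === null || !isset($acl[$user])) {
        return false;
    }
    $page = basename($script);   // "/catalog/admin/orders.php" -> "orders.php"
    return in_array('*', $acl[$user], true) || in_array($page, $acl[$user], true);
}

// Constructed sample requests (not taken from a real server).
$samples = array(
    array(array('PHP_AUTH_USER' => 'orderadmin'), '/catalog/admin/orders.php'),
    array(array('REMOTE_USER' => 'orderadmin'),   '/catalog/admin/categories.php'),
    array(array('REMOTE_USER' => 'fulladmin'),    '/catalog/admin/configuration.php'),
    array(array(),                                '/catalog/admin/orders.php'),
);
foreach ($samples as $s) {
    $user = acl_current_user($s[0]);
    $verdict = acl_is_allowed($ADMIN_ACL, $user, $s[1]) ? 'allow' : 'deny';
    printf("%-14s %-36s %s\n", var_export($user, true), $s[1], $verdict);
}

// In admin/includes/header.php the check would read:
// if (!acl_is_allowed($ADMIN_ACL, acl_current_user($_SERVER), $_SERVER['SCRIPT_NAME'])) {
//     header('HTTP/1.1 403 Forbidden');
//     die('You are not authorized to view this page.');
// }
```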