concorde44 Posted April 18, 2006

Hi Jared. Nice contrib. Works well for me.

Question: if I use your code:

    if ($PHP_AUTH_USER==admin) {;
    } else {
      if ( ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "customers.php") ) {
        die("<br><br><center>You are not authorized to view this page.\n\n</center>");
      }
    }

is there a way for the limited users not to delete some orders? If I grant access to orders.php, he is able to delete some orders. Here is the link of the delete button:

http://127.0.0.1/catalog/admin/orders.php?selected_box=customers&page=1&oID=96&action=delete

Thanks for your answer.

Osc 2.2 MS2

Kenja Posted April 18, 2006

Find:

    case 'deleteconfirm':

in orders.php and add:

    if ($PHP_AUTH_USER==admin) { }

Kenja Posted April 18, 2006

Sorry, pressed reply by accident. Should now read:

    case 'deleteconfirm':
      if ($PHP_AUTH_USER==admin) {
        $oID = tep_db_prepare_input($HTTP_GET_VARS['oID']);
        tep_remove_order($oID, $HTTP_POST_VARS['restock']);
        tep_redirect(tep_href_link(FILENAME_ORDERS,tep_get_all_get_params(array('oID', 'action'))));
      }
      break;

concorde44 Posted April 28, 2006

Hi Kenja,

I hadn't enabled email notifications! So I see your code only now! Sorry..

I've tested your solution, but it generates an error:

    Parse error: parse error, unexpected T_CASE in blablabla

I'm not skilled in PHP, but it seems that an "if" condition could not match with a "case" condition....

I hope you are better than me and could light my brain...

Thanks :)

Osc 2.2 MS2

concorde44 Posted April 28, 2006

:thumbsup: My fault... Your code works perfectly, Kenja.... I've had tomatoes in my eyes >_< and did not type your code correctly.

OK, it works: when I click a delete button, it asks me to confirm, and when I click again on delete, nothing happens.

But my preference would be to hide the "delete" button if not logged in as admin... I have a small idea. Will try to apply it...

Thanks again and great contrib.

Seb

Osc 2.2 MS2

kopietje Posted May 23, 2006

Hi everyone,

Can I use this contribution for this functionality?

- admin is allowed to do everything
- user1 is allowed to do everything, except for pressing the update-button in orders.php

I think I have to do some coding in the 'update_order' case in orders.php, but I have no knowledge of PHP.

Can anyone help me out?

Proud Posted May 24, 2006

K, I think I may have lost my mind. Everyone keeps saying this is such an easy contribution and I'm sure it is if you understand this thread at all. I have OScommerce installed and I have added many contributions to it. I had AAC added in but it conflicted with another contribution I needed to have, so now I have no security for my admin.

Now I may just be going about this all wrong, but to get to my admin panel when I'm at my website I add /admin to the end of my site name. Should I be logging into the store as admin and getting to the admin panel another way? Because when I add this contribution and I go to my admin panel there is no place for me to log in or anything, so I am not sure how it can know who I am..... If someone could help me with this I'd really appreciate it.

Guest Posted May 30, 2006

@Leon -- the best way to disable the button based on the logged-in user will not be a URL-based control, like this contribution. What you can do, though, is take this same code (or VERY similar) and put it around the code that generates the Update button. That way you can prevent the button from even showing up unless you're the desired user.

@Alison -- This does not cause you to login to your admin area. You should use your hosting control panel to do that, or use .htaccess (LOTS of tutorials online on this) to protect it. This contribution simply manages access based on the users you've already created.

-jared

Proud Posted May 30, 2006

> @Alison -- This does not cause you to login to your admin area. You should use your hosting control panel to do that, or use .htaccess (LOTS of tutorials online on this) to protect it. This contribution simply manages access based on the users you've already created.
>
> -jared

Ok thanks!!!

BuddahBoy Posted September 14, 2006

Greetings,

I've been using this for quite some time and it was simple to set up and all, but now I have a problem: I want to change the admin1 password and can't remember where the admin1 user was set up! The documentation says to create it in cpanel but I don't find it there.

I know, it's really a dumb question, but maybe someone can stop laughing just long enough to give me a pointer? LOL!!

Thanks much for this great contrib. BTW, works super and was very easy to install - the proof is that I got it going!

Thanks again,
Ron

nicmare Posted October 9, 2006

Same problem with me. I used your latest code and added two htaccess users via the control panel of my webspace provider. Every time I want to go to /admin/ the login window of Windows appears. I log myself in (as nicadmin) to the admin area and can't access anything, just the example files from your code.

    if ($PHP_AUTH_USER==nicadmin) {;
    } else {
      if ( ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "customers.php") ) {
        die("<br><Br><center>You are not authorized to view this page.\n\n</center>");
      }
    }

nicmare Posted October 9, 2006

OK, this is what I am using now:

    if ($PHP_AUTH_USER==nic) {;
    } else {
      if ( ($PHP_SELF != DIR_WS_ADMIN . "stats_products_viewed.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "products_attributes.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "reviews.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "specials.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "products_expected.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "banner_manager.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "file_manager.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "configuration.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "modules.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "countries.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "geo_zones.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "currencies.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "languages.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "backup.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "categories.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "manufacturers.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "birthday.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "stats_products_purchased.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "stats_customers.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "customers.php") ) {
        die("<br><br><center>no access\n\n</center>");
      }
    }
    if ($PHP_AUTH_USER==admin) {;
    } else {
      if ( ($PHP_SELF != DIR_WS_ADMIN . "stats_products_viewed.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "products_attributes.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "reviews.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "specials.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "products_expected.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "categories.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "manufacturers.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "birthday.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "stats_products_purchased.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "stats_customers.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "customers.php") ) {
        die("<br><br><center>no access\n\n</center>");
      }
    }

When I log in with "admin" I can access the files listed below the function. But when I log in as "nic" (me, the master) I can only access the files from "admin", but I want to access the ones below the "nic-function". What is wrong?

Guest Posted October 22, 2006

Nic -- when you put the code in there 2 times like that, you actually are granting and then immediately denying yourself access. Take it back to just one chunk of code, then change the line from:

    if ($PHP_AUTH_USER==nic)

to

    if ( ($PHP_AUTH_USER==nic) || ($PHP_AUTH_USER==admin) )

-jared

nicmare Posted October 22, 2006 (edited)

Thanks for the answer, jcall. I did it the way you say but it still does not work:

    if ( ($PHP_AUTH_USER==nic) || ($PHP_AUTH_USER==admin) ) {;
    } else {
      if ( ($PHP_SELF != DIR_WS_ADMIN . "stats_products_viewed.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "products_attributes.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "reviews.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "specials.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "products_expected.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "categories.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "manufacturers.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "birthday.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "stats_products_purchased.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "stats_customers.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "customers.php") ) {
        die("<br><br><center>Sie besitzen nicht über genügend Zugriffsrechte!\n\n</center>");
      }
    }

Me, the superadmin (nic), wants complete access. But with this code I can only access the files listed above (like the admin). So what is wrong? I really get sick with the thing :blink:

phpinfo: http://www.wellness-lagoon.de/info.php

Edited October 22, 2006 by nicmare

Guest Posted October 22, 2006

Let's try a bit of troubleshooting. Look at this section of the thread and let me know what you find.

-jared

mr_absinthe Posted May 12, 2007

Hi, not sure if this thread is still being followed, but I'll try anyway. It doesn't seem to work for me. I've created users in my host's CP - they use Plesk. However $PHP_AUTH_USER and _SERVER[REMOTE_USER] don't work for me. The only option I have left is to use $_SERVER['REMOTE_ADDR'], which is obviously not quite handy (cannot use the admin the same way if logged in from a different computer).

This is my debug output:

    PHP_AUTH_USER:
    PHP_SELF: /admin/whos_online.php
    _SERVER[php_AUTH_USER]:
    _SERVER[REMOTE_USER]:
    _SERVER[REMOTE_ADDR]: 8x.xx.xxx.xxx

Any ideas what could be done to make it work with user instead of IP? Thanks a lot.

Absinthe Original Liquor Store

futurestar Posted October 27, 2007

OK, got just about everything working. Here is the code I'm using...

    if ($messageStack->size > 0) {
      echo $messageStack->output();
    }
    if ($_SERVER[REMOTE_USER]==USERNAME1) {;
    } else {
      if ( ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "login.php") )

The problem I am running into is that once a person enters their user/pass, it directs to "login.php" where they have to enter their user/pass again in OSC's login page. Not a huge deal, but a little annoying. Anybody have a suggestion? Even if it defaulted to go directly to the orders.php page, that would be fine, because the 2nd level admins do not have access to see the index.php page (which is where it goes to after OSC's login page) or the customers.php page, which is where they would have to go in order to get to the orders.php page.

Thanks for your time!

Becki Posted December 5, 2007

Hi,

I think I have the same problem as Mr.absinth... I've tried installing this contrib but I can't get it to work. Here is the debug:

    PHP_AUTH_USER:
    PHP_SELF: /stockroom/configuration.php
    _SERVER[php_AUTH_USER]:
    _SERVER[REMOTE_USER]:
    _SERVER[REMOTE_ADDR]: xxx.xxx.xxx.xxx

I've created the usernames in Ensim Pro. However, I have only ever been allowed into the stockroom using the master username and password (I have protected the HTML folder and all files with this username and password, as my host advised, via the cpanel).

OK, so that's one issue I need to get round, but even when I log into the stockroom with the master, the files allowed for the second user work but all other links don't.

I should add the stockroom (formerly admin) is all SSL protected. The master username seems to be in a .htgroup and .htpassword file. I can't find the other usernames I've created via the control panel.....

Any advice greatly appreciated :)

Thanks,
Becki

chrish123 Posted December 3, 2008

Hi,

I installed this and it's great! Just a few lines of code! I am using a heavily modified rc1 installation which has had work constantly added 9am till 5pm, Mon till Friday, for over a year! So this simple version has helped me out a lot!

I am trying to add a check before the htaccess login check, so if I'm logging into the admin from work I can skip the 1st htaccess login check and only enter my details on the standard RC1 login.php page.

Here's a snippet of my admin/includes/header.php:

    if ($messageStack->size > 0) {
      echo $messageStack->output();
    }
    //START OF ACCESS
    //pre check ip address of client ---- this should skip past the access control mod but it doesnt!
    $ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
    // if the ip address is the one below bypass htacess login check and proceed to normal RC1 login page.
    if ($ip == "xx.xx.xx.xx.xx") { ///my work ip address
    } else {
      //start of simple access control mod ---- works fine
      //if ( ($PHP_AUTH_USER==admin1) || ($PHP_AUTH_USER==admin2) ||
      //     ($_SERVER[REMOTE_USER]==admin1) || ($_SERVER[REMOTE_USER]==admin2) )
      if (($_SERVER['REMOTE_USER']=="admin1") || ($_SERVER['REMOTE_USER']=="admin2") || ($_SERVER['REMOTE_USER']=="admin3")){;
      } else {
        if (($PHP_SELF != DIR_WS_ADMIN . "index.php") &&
            ($PHP_SELF != DIR_WS_ADMIN . "login.php") &&
            ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
            ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
        //  ($PHP_SELF != DIR_WS_ADMIN . "customers.php") &&
            ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php")) {
          die("<center><br><h1>Forbidden!</h1><br><br><b>You are not authorized to view this page.</b><br><br> \n\n <b>If you do need access to a specific page please contact the sites administrator and quote the below page name.</b><br><br><br>Page name: $PHP_SELF<Br></center>");
        }
      }
    } ///eof simple access control mod

    ////this code just prints the IP address on the admin/includes/header.php
    //print ip address and try to get the actual ip not a proxy ------------- works fine!
    if(isset($_SERVER['HTTP_X_FORWARDED_FOR']) || isset($_SERVER['HTTP_VIA'])) {
      echo "Your IP is " .$_SERVER['HTTP_X_FORWARDED_FOR'];
    } elseif(isset($_SERVER['HTTP_CLIENT_IP'])) {
      echo "Your IP is" .$_SERVER['HTTP_CLIENT_IP'];
    } else {
      echo "Your IP is" .$_SERVER['REMOTE_ADDR'];
    }
    //eof proxy detection
    ?>

Can anyone see where I'm going wrong? The brackets seem to be right?

Kind regards,
Chris

Lucy Fox Posted December 23, 2009

Hi All,

Read through this thread a few times now and have really tried to get it to work for my shop but with no success. I've realised I do not have the PHP_AUTH_USER or PHP_SELF in my server.info.php..... Does that mean I should just give up as my shop files aren't compatible? Or can I implement these variables somehow?

Thanks - forever hopeful!!

gioyfa Posted April 11, 2010

> Please post or send me the results of the debug output from the following:
>
>     if ( ($PHP_AUTH_USER==admin1) || ($PHP_AUTH_USER==admin2) ) {;
>     } else {
>       echo "<br>PHP_AUTH_USER: " . $PHP_AUTH_USER;
>       echo "<br>PHP_SELF: " . $PHP_SELF;
>       echo "<br>_SERVER[php_AUTH_USER]: " . $_SERVER['PHP_AUTH_USER'];
>       echo "<br>_SERVER[REMOTE_USER]: " . $_SERVER['REMOTE_USER'];
>       echo "<br>_SERVER[REMOTE_ADDR]: " . $_SERVER['REMOTE_ADDR'];
>       if ( ($PHP_SELF != "/admin/orders.php") &&
>            ($PHP_SELF != "/admin/invoice.php") &&
>            ($PHP_SELF != "/admin/packing_slip.php") &&
>            ($PHP_SELF != "/admin/customers.php") ) {
>         die("<br><br><center>You are not authorized to view this page.\n\n</center>");
>       }
>     }
>
> -jared

Jared, I like your work very much!! It's very simple and practical, as we all need...

I had a problem when I used this with my username, and I tried to follow your above advice to see what is going on. I realised that PHP_AUTH_USER, _SERVER[php_AUTH_USER] and _SERVER[REMOTE_USER] don't return a value!!!

What do I have to do, and do you know maybe why this happens!??

Thanks in advance,
Giorgos!

mr_absinthe Posted June 13, 2010

I can see that quite a few people were having a similar problem: $PHP_AUTH_USER and _SERVER[REMOTE_USER] didn't work. It was the same for me; I have therefore replaced it with _SERVER[REDIRECT_REMOTE_USER].

Also, on some servers, you cannot use DIR_WS_ADMIN, don't ask me why. You will have to keep the file name only.

To give you an example, the whole, working piece of code would look like this:

    if ($_SERVER['REDIRECT_REMOTE_USER']==user1) {;
    } else {
      if ( ($PHP_SELF != "orders.php") &&
           ($PHP_SELF != "index.php") &&
           ($PHP_SELF != "invoice.php") &&
           ($PHP_SELF != "server_info.php") ) {
        die("<br /><br /><br /><br /><center><b>You are not currently authorized to view this page.</b><br /><br />Please contact the store administrator for details. To return, click back on your browser.<br /><br /><br /><br />\n\n <i>If you do need access to a specific page please contact the site administrator and quote the below page name.</i><br><br>Page name: $PHP_SELF</center>");
      }
    }

And last but not least, you may need to add index.php to your list of permitted files, otherwise you would need to enter the permitted page via direct link - https://www.yourstore.com/admin/orders.php for example.

I hope that helps.

Absinthe Original Liquor Store

matchelo3 Posted July 23, 2010

Can someone help me? I read all the pages and tested every tip, and nothing :( always the same error (user "teste" and all other users can only access the pages that were placed in the code).

Examples of what I've tried:

1)

    if ($PHP_AUTH_USER==teste) {;
    } else {
      if ( ($PHP_SELF != DIR_WS_ADMIN . "index.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "login.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "customers.php") ) {
        die("<br><br><center>You are not authorized to view this page.\n\n</center>");
      }
    }

2)

    if ($PHP_AUTH_USER==test) {;
    } else {
      if ( ($PHP_SELF != "/admin/login.php") &&
           ($PHP_SELF != "/admin/index.php") &&
           ($PHP_SELF != "/admin/packing_slip.php") &&
           ($PHP_SELF != "/admin/customers.php") ) {
        die("<br><Br><center>You are not authorized to view this page.\n\n</center>");
      }
    }

3)

    if ($_SERVER[REMOTE_USER]==test) {;
    } else {
      if ( ($PHP_SELF != DIR_WS_ADMIN . "index.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "administrators.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
           ($PHP_SELF != DIR_WS_ADMIN . "login.php") ) {
        die("<br><br><center>You are not authorized to view this page.\n\n</center>");
      }
    }

4)

    if ($_SERVER['REDIRECT_REMOTE_USER']==test) {;
    } else {
      if ( ($PHP_SELF != "login.php") &&
           ($PHP_SELF != "index.php") &&
           ($PHP_SELF != "invoice.php") &&
           ($PHP_SELF != "server_info.php") ) {
        die("<br /><br /><br /><br /><center><b>You are not currently authorized to view this page.</b><br /><br />Please contact the store administrator for details. To return, click back on your browser.<br /><br /><br /><br />\n\n <i>If you do need access to a specific page please contact the site administrator and quote the below page name.</i><br><br>Page name: $PHP_SELF</center>");
      }
    }

Guest Posted August 4, 2010

    if ($PHP_AUTH_USER==teste)

should be

    if ($PHP_AUTH_USER=='teste')

Note the quotes around the user name.

-jared

popemarinaru Posted July 6, 2011

For all you guys that the code is still not working.

Replace:

    $PHP_SELF

with

    $_SERVER['SCRIPT_NAME']

Simple reason being that $_SERVER['SCRIPT_NAME'] returns the script file name no matter there is any query string or directory trailing.

Replace:

    ($PHP_SELF != DIR_WS_ADMIN . "orders.php") && etc.

With:

    ($_SERVER['SCRIPT_NAME'] != DIR_WS_ADMIN . "orders.php") && etc.

Script should work on osCommerce 2.3 too.

Best,
</nt>

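Added example, not part of the thread or of the contribution's own code: the points raised across these posts (quoted user names, the several server variables that may carry the user, `SCRIPT_NAME` instead of `$PHP_SELF`, and blocking the delete action itself rather than only hiding its button) combined into one default-deny table. The user names, page lists and the helpers `acl_current_user()` and `acl_is_allowed()` are hypothetical.

```php
<?php
// Added example; user names, page lists and helper names are hypothetical.
// '*' = every page; otherwise page => actions this user may NOT perform.
$acl = array(
    'admin' => '*',
    'user1' => array(
        'index.php'        => array(),
        'orders.php'       => array('delete', 'deleteconfirm'),
        'invoice.php'      => array(),
        'packing_slip.php' => array(),
    ),
);

// Basic-auth user as reported by the web server. Which key is populated
// depends on the host (see the debug output posted in the thread).
// Client-supplied headers such as X-Forwarded-For are never consulted.
function acl_current_user(array $server) {
    foreach (array('PHP_AUTH_USER', 'REMOTE_USER', 'REDIRECT_REMOTE_USER') as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }
    return null; // no authenticated user
}

function acl_is_allowed(array $acl, $user, $script_name, $action) {
    if ($user === null || !isset($acl[$user])) {
        return false;                       // unknown user: default deny
    }
    if ($acl[$user] === '*') {
        return true;
    }
    $page = basename($script_name);         // SCRIPT_NAME has no PATH_INFO or query string
    if (!isset($acl[$user][$page])) {
        return false;                       // page not on this user's list
    }
    return !in_array((string) $action, $acl[$user][$page], true);
}

// Constructed sample requests: server variables plus the "action" parameter.
$samples = array(
    array(array('REMOTE_USER' => 'admin', 'SCRIPT_NAME' => '/admin/configuration.php'), ''),
    array(array('REDIRECT_REMOTE_USER' => 'user1', 'SCRIPT_NAME' => '/admin/orders.php'), 'edit'),
    array(array('REMOTE_USER' => 'user1', 'SCRIPT_NAME' => '/admin/orders.php'), 'deleteconfirm'),
    array(array('REMOTE_USER' => 'user1', 'SCRIPT_NAME' => '/admin/configuration.php'), ''),
    array(array('REMOTE_USER' => '', 'SCRIPT_NAME' => '/admin/orders.php'), ''),
);
foreach ($samples as $sample) {
    list($server, $action) = $sample;
    $user = acl_current_user($server);
    $ok = acl_is_allowed($acl, $user, $server['SCRIPT_NAME'], $action);
    printf("%-8s %-28s %-14s %s\n", $user === null ? '(none)' : $user,
        $server['SCRIPT_NAME'], $action === '' ? '-' : $action, $ok ? 'allow' : 'DENY');
}
```

In the admin header this would be called once with `$_SERVER` and the request's `action` value, ending the request with `die()` on a `false` result, so the delete restriction holds even when the URL is requested directly.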