jcall

Simple Admin Access Control


Sure! Let's assume that you have 3 users: fulladmin, orderadmin, and productadmin.

 

Try this:

// give user "fulladmin" full rights
// ($PHP_AUTH_USER and $PHP_SELF are the register_globals names; the user
//  names must be quoted, otherwise PHP reads them as undefined constants)
 if ($PHP_AUTH_USER == 'fulladmin') {
   ;
 } else if ($PHP_AUTH_USER == 'orderadmin') {
   // give user "orderadmin" rights to just the "order" pages
   if ( ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
        ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
        ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
        ($PHP_SELF != DIR_WS_ADMIN . "customers.php") )
     { die("<br><br><center>You are not authorized to view this page.\n\n</center>"); }
 } else if ($PHP_AUTH_USER == 'productadmin') {
   // give user "productadmin" rights to just the "product" pages
   if ( ($PHP_SELF != DIR_WS_ADMIN . "categories.php") &&
        ($PHP_SELF != DIR_WS_ADMIN . "products_attributes.php") &&
        ($PHP_SELF != DIR_WS_ADMIN . "manufacturers.php") &&
        ($PHP_SELF != DIR_WS_ADMIN . "specials.php") )
     { die("<br><br><center>You are not authorized to view this page.\n\n</center>"); }
 } else {
   // any other user who got past .htaccess gets nothing
   die("<br><br><center>You are not authorized to view this page.\n\n</center>");
 }

 

I didn't test this, but I think that all of the brackets are in the right place. :)

 

If you want any more users we'd be better off using a case statement instead of so many if statements.

 

-jared


I don't really remember why I put the newlines in there. I suppose I was planning on writing something insulting to the user for trying to access pages they didn't have rights to. I'm always looking for upwards compatibility. :P

 

The <br> ones were just to improve readability a touch. You could certainly use any of these ones instead:

{ die("<br><br><center><font size=\"10\"><u>You</u></font> are <font size=\"10\">NOT</font> authorized to view this page. Hrpmh.</center>"); }

{ die("<br><br><center>Move along.  Nothing to see here, folks.</center>"); }

{ die("<br><br><center>You can't get there from here.</center>"); }

{ die("<br><br><center>Press any _other_ key to continue.</center>"); }

{ die("<br><br><center>Access denied.<br><br>You have failed to comply with one or more of the following restrictions:
<ul>
 <li>You are not at least<u>    THIS    </u> tall.</li>
 <li>You are not accompanied by an adult.</li>
 <li>Since this is void where prohibited, and prohibited where you are, it is, well, void.</li>  
 <li>This is not a participating location.</li>
 <li>You did not keep your arms and legs inside the ride at all times.</li>
 <li>Terms and Conditions have changed without notice.</li>
 <li>Batteries not included.</li>
 <li>Contents have settled during shipping.</li>
 <li>You are not a trained professional, and this is not a closed course.</li>
 <li>You do not appear to be wearing your safety goggles.</li>
 <li>No shirt, no shoes, well, you know.</li>
 <li>IANAL</li>
 <li>All your base are belong to ME!</li>
 <li>So this dog walks in to a bar . . .</li></ul></center>"); }

 

-jared


Perfect contrib.

Worked 2nd time (had to change the $PHP_AUTH_USER bit)

Thanks

Jeff


After hours of testing (my first contribution installed), I also changed the $PHP_AUTH_USER to $_SERVER[REMOTE_USER] and everything worked fine.

 

I don't know if this info will help determine when to use which, but I'm on a Linux server (Red Hat) with a Plesk management system.

 

Great Contribution, by the way! Now if I can just master a few others........


Tammy,

 

I'm glad you got it working! Since you mention that this is your first installed contrib, have a look at the "Tools" box on the left side of my blog. There are some handy items there that can make installing contributions much easier.

 

Thank you for your server details -- hopefully, if a few more people post that detail here, we can have a better understanding of which systems need which variables.

 

-jared

(quoting jared's post above)


This doesn't work (well it doesn't work when I try)

I've tried the simpler version and that works without any modification. So no problems on the $PHP_AUTH_USER bit for me.

 

I'll redo it and post the output.


Awesome contribution! Was going to write my own when I came across this one. Simple and very functional. It took me a while to figure out why $PHP_AUTH_USER wasn't working on my website. In case anyone is curious, it's because I'm running a CGIwrap version of PHP. That's probably why people are having troubles... If you run CGIwrap, you'll need to use the $_SERVER[REMOTE_USER] variable instead.

 

Thanks!

 

Ken


Hi there

 

I've used $PHP_AUTH_USER and $_SERVER[REMOTE_USER], with and without the ' ', and still I can't seem to access any of the admin files if I log in as the secondary admin.

 

I'm using the exact code

 

if ($PHP_AUTH_USER == 'admin1') {
  ;
} else {
  if ( ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "customers.php") )
    { die("<br><br><center>You are not authorized to view this page.\n\n</center>"); }
}

 

and I have created a secondary user in cPanel. Unfortunately I still get the 'you are not authorized' message when trying to open any of the paths it is meant to be authorised for.

 

Is there something I'm missing somewhere?

 

Thanks

 

Joe


Alright I found the problem

 

the DIR_WS_ADMIN doesn't work for some reason, so I have to put /path/orders.php etc

 

just for the record for anyone out there who has this issue too!


hi

 

this seems a really easy to use and install contribution....

 

... can someone please tell me the biggest difference between this and the Admin Access Level contribution, apart from having to take ages installing that and adding extra SQL instructions for contributions added on!

 

thanks


Upon receiving fixes and advice, too many people don't bother to post updates informing the forum of how it went. Until of course they need help again on other issues and they come running back!

 

Why receive the information you require in good faith for free, only to then have the attitude to ignore the people who gave it to you?

 

There's no harm in saying, 'Thanks, it worked'. On the contrary, it creates a better atmosphere.

 

CHOOCH

(quoting the question above)


I haven't used the AAL contrib, but this IS really easy to mod... I suggest you use this one.

(quoting the code above)

hi

 

is there a way to reverse the set-up so that the listed files are the ones that CANNOT be viewed (unless admin authorised?)

 

thanks


CHOOCH
(quoting the question above)


To be honest, there aren't that many files in admin anyway, so I'm not sure why you'd want to do that.


Aleem - Admin Access Levels has more features, but is a bit overkill, in my opinion, for what most people want. It includes:

- create additional administrative users from osC Admin

- new admin users get emailed their password

- admin users can change their "user profile" (i.e. password / email address / name) from the osC admin

- every time you add a new admin file, like a new report or something, you have to slightly modify the syntax (it's fairly obvious) of how you reference that file in admin/includes/boxes/reports.php (assuming it's a new report). Then, you have to go into the Admin area and "store" that new admin file in the proper menu.

- new pretty admin login that doesn't rely on you having to create .htaccess / .htpasswd files.

- admin user and admin access configuration is stored in the database

- it's much more involved to install

 

This contrib is really simple -- you create the users in your control panel, or manually using one of the many many web-based .htaccess / .htpasswd creation tools, and then you put those usernames in admin/includes/header.php. Either they have access to the files you specify, or they don't. Nothing fancy. After you create the users, you edit one file: admin/includes/header.php, pasting in a few lines.

 

If you want to reverse the functionality, and specify which files to deny, rather than grant, then change this:

  // admin1 and admin2 may open every admin page; everyone else only the four listed
  if (  ($PHP_AUTH_USER == 'admin1') || ($PHP_AUTH_USER == 'admin2') ||
        ($_SERVER['REMOTE_USER'] == 'admin1') || ($_SERVER['REMOTE_USER'] == 'admin2') ) {
    ;
  } else {
    // echo $_SERVER['REMOTE_USER'];   // debugging leftover, prints the user name on every page
    if ( ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
         ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
         ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
         ($PHP_SELF != DIR_WS_ADMIN . "customers.php") )
      { die("<br><br><center>You are not authorized to view this page.\n\n</center>"); }
  }

 

to this:

  // admin1 and admin2 may open every admin page EXCEPT the four listed
  if (  ($PHP_AUTH_USER == 'admin1') || ($PHP_AUTH_USER == 'admin2') ||
        ($_SERVER['REMOTE_USER'] == 'admin1') || ($_SERVER['REMOTE_USER'] == 'admin2') ) {
    // || rather than &&: the current script can only ever equal ONE of these names
    if ( ($PHP_SELF == DIR_WS_ADMIN . "orders.php") ||
         ($PHP_SELF == DIR_WS_ADMIN . "invoice.php") ||
         ($PHP_SELF == DIR_WS_ADMIN . "packing_slip.php") ||
         ($PHP_SELF == DIR_WS_ADMIN . "customers.php") )
      { die("<br><br><center>You are not authorized to view this page.\n\n</center>"); }
  }

 

That should deny the admin1 and admin2 users from orders.php, invoice.php, packing_slip.php, and customers.php.

 

-jared
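The nested if chain in jared's first post (where he suggests a case statement once there are more users) and the reversed deny version above are the same check with the page list inverted, so here is one table-driven version of both. This is an added example, not code from the contribution or from jared: the user names and page lists are placeholders, it reads PHP_AUTH_USER or REMOTE_USER from $_SERVER (whichever the server fills in, per the reports in this thread) instead of the register_globals variables, and it compares file names with basename() so the DIR_WS_ADMIN path prefix never has to match.

```php
<?php
// Added example, not the contribution's own code: a table-driven version of the
// checks in this thread, to paste into admin/includes/header.php in place of the
// nested if statements. User names and page lists are made-up placeholders.

// Users who may open every admin page.
$sac_full_admins = array('fulladmin');

// Restricted users and the ONLY pages they may open (the original set-up).
$sac_allowed_pages = array(
  'orderadmin'   => array('orders.php', 'invoice.php', 'packing_slip.php', 'customers.php'),
  'productadmin' => array('categories.php', 'products_attributes.php', 'manufacturers.php', 'specials.php'),
);

// Restricted users and the pages they may NOT open (the reversed set-up);
// everything else in admin stays available to them.
$sac_denied_pages = array(
  'admin1' => array('orders.php', 'invoice.php', 'packing_slip.php', 'customers.php'),
  'admin2' => array('orders.php', 'invoice.php', 'packing_slip.php', 'customers.php'),
);

// Apache fills PHP_AUTH_USER when PHP runs as a module; under CGI/CGIwrap only
// REMOTE_USER is available (as reported in this thread), so accept either.
function sac_current_user() {
  if (!empty($_SERVER['PHP_AUTH_USER'])) {
    return $_SERVER['PHP_AUTH_USER'];
  }
  if (!empty($_SERVER['REMOTE_USER'])) {
    return $_SERVER['REMOTE_USER'];
  }
  return '';
}

// Decide whether $user may open $script, where $script is a bare file name such
// as "orders.php". A user that appears in none of the tables is refused, so a
// typo in a user name fails closed instead of handing out full access.
function sac_is_allowed($user, $script, $full_admins, $allowed_pages, $denied_pages) {
  if (in_array($user, $full_admins, true)) {
    return true;
  }
  if (isset($allowed_pages[$user])) {
    return in_array($script, $allowed_pages[$user], true);
  }
  if (isset($denied_pages[$user])) {
    return !in_array($script, $denied_pages[$user], true);
  }
  return false;
}

// Compare file names only. SCRIPT_NAME does not carry trailing path info, so a
// request for orders.php/anything still resolves to "orders.php"; the raw
// $PHP_SELF string used elsewhere in this thread would not, which matters most
// for the deny-list case. basename() also removes the directory part, so the
// DIR_WS_ADMIN mismatch Joe ran into cannot happen.
$sac_script = basename($_SERVER['SCRIPT_NAME']);

if (!sac_is_allowed(sac_current_user(), $sac_script, $sac_full_admins, $sac_allowed_pages, $sac_denied_pages)) {
  die("<br><br><center>You are not authorized to view this page.\n\n</center>");
}
```

Only scripts that include header.php get the check, exactly as with the original snippet, so it is worth confirming that every admin page you mean to protect really does pull in header.php. The .htaccess/.htpasswd login still decides who gets into admin at all; this table only decides which pages each of those users may then open.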


Jared - thanks for the reply

 

yes, this is by far an easier way to allow admin access levels

 

thanks for the post, it is easier to keep it as it is.

 

BTW, i have the following code:

 

===============================================================

 

if ($PHP_AUTH_USER == 'USERNAME') {
  ;
} else {
  if ( ($PHP_SELF != DIR_WS_ADMIN . "mail.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "customers.php") )
    { die("<br><br><center>You are not authorized to view this page.\n\n</center>"); }
}

 

===============================================================

 

is this the latest and best code to have? it differs from what you posted above.

 

thanks

CHOOCH

Aleem -- there is nothing wrong with your code. I've modified mine to allow for multiple admins, but also because some servers seem to work with $PHP_AUTH_USER, while other servers seem to ignore it completely and use $_SERVER[REMOTE_USER].

 

Since that code snippet now has both of them in there, it should work on both of those types of servers.

 

HTH

 

-jared


Hi,

I am looking at installing this module but i have some questions:

My oscommerce site is host on ipowerweb servers.

How do I create other users, since I do not have SSH access?

I would like to create multiple users and assign them different access rights....

Has anyone done this using ipowerweb hosting?

 

On the ipowerweb control panel I can create email accounts and FTP users, but I do not know how to create users that are allowed to log in to the osCommerce admin section...

 

Please help...

 

Thanks in advance...


Hi can anyone please help me with my questions.... see below...

 

Thanks

 

(quoting the question above)


You should be able to create new users using iPowerweb's control panel. It may be listed under "password protect directory" or something like that.

 

-jared

(quoting jared's reply above)


Hi Jared - I tried everything mentioned previously - I did create users and can log in using "fulladmin" and use all functions; when logging in as "orderadmin" I get to the admin page and then everything else is blocked.

 

Tried:

 

if ($_SERVER['REMOTE_USER'] == 'fulladmin') {
  ;
} else {
  if ( ($PHP_SELF != DIR_WS_ADMIN . "/osCommerce2/catalog/admin/orders.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "/osCommerce2/catalog/admin/packing_slip.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "/osCommerce2/catalog/admin/customers.php") )
    { die("<br><br><center>You are not authorized to view this page.\n\n</center>"); }
}

 

Tried it with $PHP_AUTH_USER instead of $_SERVER, tried it with the directory path and withOUT the directory path.

 

Any help for me here? Thanks much in advance!

 

Ron


try using statements like this to debug what's going on:

die($PHP_SELF);

or

die($PHP_AUTH_USER);

or

die($_SERVER['REMOTE_USER']);

 

the "die" command will halt execution of the script, and display whatever is in the ().

 

-jared

