jcall

Simple Admin Access Control

Hi Jared, nice contrib.

Works well for me.

 

Question: if I use your code:

// $PHP_AUTH_USER and $PHP_SELF are the register_globals copies of
// $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_SELF']
if ($PHP_AUTH_USER == 'admin') {
  // full access
} else {
  // everyone else may only open these four pages
  if ( ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "customers.php") ) {
    die("<br><br><center>You are not authorized to view this page.\n\n</center>");
  }
}

Is there a way to stop the limited users from deleting orders? If I grant access to orders.php, they are able to delete orders. Here is the link of the delete button:

http://127.0.0.1/catalog/admin/orders.php?selected_box=customers&page=1&oID=96&action=delete

Thanks for your answer.


Osc 2.2 MS2


Sorry pressed reply by accident.

 

Should now read:

 

case 'deleteconfirm':
  // only the 'admin' account may actually remove an order; anyone else
  // falls through to the break and nothing is deleted
  if ($PHP_AUTH_USER == 'admin') {
    $oID = tep_db_prepare_input($HTTP_GET_VARS['oID']);
    tep_remove_order($oID, $HTTP_POST_VARS['restock']);
    tep_redirect(tep_href_link(FILENAME_ORDERS, tep_get_all_get_params(array('oID', 'action'))));
  }
  break;


Hi Kenja,

I haven't enabled email notifications, so I only see your code now! Sorry...

I've tested your solution, but it generates an error:

Parse error: parse error, unexpected T_CASE in blablabla

I'm not skilled in PHP, but it seems that an "if" condition cannot be combined with a "case" condition...

I hope you are better at this than me and can enlighten me... Thanks :)


Osc 2.2 MS2


:thumbsup:

My fault... Your code works perfectly, Kenja. I had tomatoes in my eyes >_< and did not type your code correctly.

OK, it works: when I click a delete button, it asks me to confirm, and when I click delete again, nothing happens.

But my preference would be to hide the "delete" button if not logged in as admin...

I have a small idea and will try to apply it...

Thanks again, and great contrib.

Seb


Osc 2.2 MS2


Hi everyone,

Can I use this contribution for this functionality?:

- admin is allowed to do everything

- user1 is allowed to do everything, except for pressing the update-button in orders.php

I think I have to do some coding in the 'update_order' case in orders.php, but I have no knowledge of PHP.

Can anyone help me out?


OK, I think I may have lost my mind. Everyone keeps saying this is such an easy contribution, and I'm sure it is if you understand this thread at all. I have osCommerce installed and I have added many contributions to it. I had AAC added in, but it conflicted with another contribution I needed to have, so now I have no security for my admin.

Now I may just be going about this all wrong, but to get to my admin panel when I'm at my website I add /admin to the end of my site name. Should I be logging into the store as admin and getting to the admin panel another way? Because when I add this contribution and I go to my admin panel there is no place for me to log in or anything, so I am not sure how it can know who I am... If someone could help me with this I'd really appreciate it.


@Leon -- the best way to disable the button based on the logged-in user will not be a URL-based control like this contribution. What you can do, though, is take this same code (or VERY similar) and put it around the code that generates the Update button. That way you can prevent the button from even showing up unless you're the desired user.

 

@Alison -- This does not cause you to login to your admin area. You should use your hosting control panel to do that, or use .htaccess (LOTS of tutorials online on this) to protect it. This contribution simply manages access based on the users you've already created.

 

-jared

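
Since the reply above leaves the login itself to .htaccess, here is what that protection looks like on Apache. This is an added example for this page, not a file shipped with the contribution; the directory, the path of the password file and the account names are assumptions. The accounts the PHP check later compares against are whatever this password file contains, so that is where a forgotten account is added or reset.

```apache
# Added example, not part of the contribution. Goes in the admin directory
# (catalog/admin/.htaccess). Paths and account names are assumptions.
#
# Keep the password file outside the web root and add accounts with:
#   htpasswd -c /home/example/.htpasswd admin     # first account, creates the file
#   htpasswd    /home/example/.htpasswd user1     # further accounts
AuthType Basic
AuthName "Store administration"
AuthUserFile /home/example/.htpasswd
# Every account in the file may enter the directory; which pages a given
# account may open is then decided by the PHP check in header.php.
Require valid-user
```

After a successful login Apache hands the account name to PHP as REMOTE_USER (REDIRECT_REMOTE_USER when the request went through an internal redirect, which is common when PHP runs as a CGI handler); with PHP as an Apache module it is also available as PHP_AUTH_USER. Basic auth sends the credentials base64-encoded on every request, so the admin directory should only be reachable over HTTPS.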
@Alison -- This does not cause you to login to your admin area. You should use your hosting control panel to do that, or use .htaccess (LOTS of tutorials online on this) to protect it. This contribution simply manages access based on the users you've already created.

 

-jared

 

Ok thanks!!!


Greetings

 

I've been using this for quite some time and it was simple to set up and all, but now I have a problem: I want to change the admin1 password and can't remember where the admin1 user was set up! The documentation says to create it in cPanel, but I can't find it there. I know, it's really a dumb question, but maybe someone can stop laughing just long enough to give me a pointer? LOL!!

 

Thanks much for this great contrib BTW, works super and was very easy to install - the proof is that I got it going!

 

Thanks again

Ron


Same problem with me.

I used your latest code and added two htaccess users via the control panel of my web space provider. Every time I want to go to /admin/ the Windows login window appears. I log in myself (as nicadmin) to the admin area and can't access anything, just the example files from your code.

if ($PHP_AUTH_USER == 'nicadmin') {
  // full access
} else {
  if ( ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "customers.php") ) {
    die("<br><br><center>You are not authorized to view this page.\n\n</center>");
  }
}


OK, this is what I am using now:

if ($PHP_AUTH_USER == 'nic') {
  // full access
} else {
  if (
    ($PHP_SELF != DIR_WS_ADMIN . "stats_products_viewed.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "products_attributes.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "reviews.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "specials.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "products_expected.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "banner_manager.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "file_manager.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "configuration.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "modules.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "countries.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "geo_zones.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "currencies.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "languages.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "backup.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "categories.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "manufacturers.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "birthday.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "stats_products_purchased.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "stats_customers.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "customers.php") ) {
    die("<br><br><center>no access\n\n</center>");
  }
}

if ($PHP_AUTH_USER == 'admin') {
  // full access
} else {
  if (
    ($PHP_SELF != DIR_WS_ADMIN . "stats_products_viewed.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "products_attributes.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "reviews.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "specials.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "products_expected.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "categories.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "manufacturers.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "birthday.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "stats_products_purchased.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "stats_customers.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "customers.php") ) {
    die("<br><br><center>no access\n\n</center>");
  }
}

When I log in as "admin" I can access the files listed under that function.

But when I log in as "nic" (me, the master) I can only access the files from "admin", but I want to access the ones listed under the "nic" function.

What is wrong?


Nic -- when you put the code in there twice like that, you actually are granting and then immediately denying yourself access. Take it back to just one chunk of code, then change the line from:

if ($PHP_AUTH_USER == 'nic')

to

if ( ($PHP_AUTH_USER == 'nic') || ($PHP_AUTH_USER == 'admin') )

 

-jared


Thanks for the answer, jcall.

I did it the way you said, but it still does not work:

if ( ($PHP_AUTH_USER == 'nic') || ($PHP_AUTH_USER == 'admin') ) {
  // full access
} else {
  if (
    ($PHP_SELF != DIR_WS_ADMIN . "stats_products_viewed.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "products_attributes.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "reviews.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "specials.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "products_expected.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "categories.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "manufacturers.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "birthday.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "stats_products_purchased.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "stats_customers.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
    ($PHP_SELF != DIR_WS_ADMIN . "customers.php") ) {
    die("<br><br><center>You do not have sufficient access rights!\n\n</center>");
  }
}

I, the superadmin (nic), want complete access.

But with this code I can only access the files listed above (like the admin).

So what is wrong? I am really getting sick of this thing :blink:

phpinfo: http://www.wellness-lagoon.de/info.php

Edited by nicmare


Hi,

not sure if this thread is still being followed, but I'll try anyway. It doesn't seem to work for me.

I've created users in my host's CP - they use Plesk. However, $PHP_AUTH_USER and _SERVER[REMOTE_USER] don't work for me. The only option I have left is to use $_SERVER['REMOTE_ADDR'], which is obviously not very handy (I cannot use the admin the same way if logged in from a different computer). This is my debug output:

PHP_AUTH_USER:
PHP_SELF: /admin/whos_online.php
_SERVER[PHP_AUTH_USER]:
_SERVER[REMOTE_USER]:
_SERVER[REMOTE_ADDR]: 8x.xx.xxx.xxx

 

Any ideas what could be done to make it work with user instead of IP?

 

Thanks a lot.


Absinthe Original Liquor Store


OK, got just about everything working. Here is the code I'm using...

-----------------------------------------------------------------

if ($messageStack->size > 0) {
  echo $messageStack->output();
}

// REMOTE_USER is the account name Apache sets after the .htaccess login;
// USERNAME1 stands in for the real account name
if ($_SERVER['REMOTE_USER'] == 'USERNAME1') {
  // full access
} else {
  if ( ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "login.php") ) {
    die("<br><br><center>You are not authorized to view this page.\n\n</center>");
  }
}

-----------------------------------------------------------------

The problem I am running into is that once a person enters their user/pass, it directs to "login.php" where they have to enter their user/pass again on OSC's login page. Not a huge deal, but a little annoying.

Anybody have a suggestion? Even if it defaulted to go directly to the orders.php page, that would be fine, because the 2nd level admins do not have access to see the index.php page (which is where it goes after OSC's login page) or the customers.php page, which is where they would have to go in order to get to the orders.php page.

 

Thanks for your time!


Hi,

 

I think I have the same problem as Mr. absinth...

I've tried installing this contrib but I can't get it to work. Here is the debug:

PHP_AUTH_USER:
PHP_SELF: /stockroom/configuration.php
_SERVER[PHP_AUTH_USER]:
_SERVER[REMOTE_USER]:
_SERVER[REMOTE_ADDR]: xxx.xxx.xxx.xxx

I've created the usernames in Ensim Pro. However, I have only ever been allowed into the stockroom using the master username and password (I have protected the HTML folder and all files with this username and password via the control panel, as my host advised). OK, so that's one issue I need to get round, but even when I log into the stockroom with the master, the files allowed for the second user work but all other links don't. I should add that the stockroom (formerly admin) is all SSL protected.

The master username seems to be in a .htgroup and .htpassword file. I can't find the other usernames I've created via the control panel...

 

Any advice greatly appreciated :)

 

Thanks

Becki


Hi, I installed this and its great! Just a few lines of code!

 

I am using a heavily modified rc1 installation which has had work constantly added 9am till 5pm Mon till friday for over a year! so this simple version has helped me out a lot!

 

I am trying to add a check before the htaccess login check, so if I'm logging into the admin from work I can skip the first htaccess login check and only enter my details on the standard RC1 login.php page.

 

 

 

Heres a snippet of my admin/includes/header.php

 

 

 if ($messageStack->size > 0) {
   echo $messageStack->output();
 }
 //START OF ACCESS
 // pre-check the client IP address ---- this should skip past the access control mod but it doesn't!
 // Caveat: HTTP_X_FORWARDED_FOR is a request header chosen by the client, so any visitor
 // can claim the "work" address; only REMOTE_ADDR is filled in by the server itself.
 $ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
 // if the IP address is the one below, bypass the htaccess login check and proceed to the normal RC1 login page.
 // Note: Apache answers the .htaccess Basic-auth challenge before PHP runs at all, so this
 // branch can only skip the PHP-side page check below, not the browser's login prompt.
 if ($ip == "xx.xx.xx.xx.xx") {  /// my work IP address
 } else {
   // start of simple access control mod ---- works fine
   // if ( ($PHP_AUTH_USER==admin1) || ($PHP_AUTH_USER==admin2) ||
   //      ($_SERVER[REMOTE_USER]==admin1) || ($_SERVER[REMOTE_USER]==admin2) )
   if (($_SERVER['REMOTE_USER'] == "admin1") || ($_SERVER['REMOTE_USER'] == "admin2") || ($_SERVER['REMOTE_USER'] == "admin3")) {
     // full access
   } else {
     if (($PHP_SELF != DIR_WS_ADMIN . "index.php") &&
         ($PHP_SELF != DIR_WS_ADMIN . "login.php") &&
         ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
         ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
         // ($PHP_SELF != DIR_WS_ADMIN . "customers.php") &&
         ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php")) {
       // PHP_SELF includes client-supplied path info, so escape it before echoing it into HTML
       die("<center><br><h1>Forbidden!</h1><br><br><b>You are not authorized to view this page.</b><br><br> \n\n <b>If you do need access to a specific page please contact the site's administrator and quote the below page name.</b><br><br><br>Page name: " . htmlspecialchars($PHP_SELF) . "<br></center>");
     }
   }
 }
 ///eof simple access control mod

 //// this code just prints the IP address in admin/includes/header.php

 // print the IP address and try to get the actual IP, not a proxy ------------- works fine!
 if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
   echo "Your IP is " . $_SERVER['HTTP_X_FORWARDED_FOR'];
 } elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
   echo "Your IP is " . $_SERVER['HTTP_CLIENT_IP'];
 } else {
   echo "Your IP is " . $_SERVER['REMOTE_ADDR'];
 }
 //eof proxy detection
?>

Can anyone see where I'm going wrong? The brackets seem to be right.

 

Kind regards

Chris


Hi All

 

Read through this thread a few times now and have really tried to get it to work for my shop, but with no success. I've realised I do not have PHP_AUTH_USER or PHP_SELF in my server_info.php... Does that mean I should just give up as my shop files aren't compatible? Or can I implement these variables somehow?

 

Thanks - forever hopeful!!


Please post or send me the results of the debug output from the following:

 

  if ( ($PHP_AUTH_USER == 'admin1') || ($PHP_AUTH_USER == 'admin2') ) {
    // full access
  } else {
    // dump every place the authenticated user name could be arriving in
    echo "<br>PHP_AUTH_USER:  " . $PHP_AUTH_USER;
    echo "<br>PHP_SELF:  " . $PHP_SELF;
    echo "<br>_SERVER[PHP_AUTH_USER]:  " . $_SERVER['PHP_AUTH_USER'];
    echo "<br>_SERVER[REMOTE_USER]:  " . $_SERVER['REMOTE_USER'];
    echo "<br>_SERVER[REMOTE_ADDR]:  " . $_SERVER['REMOTE_ADDR'];
    if ( ($PHP_SELF != "/admin/orders.php") &&
         ($PHP_SELF != "/admin/invoice.php") &&
         ($PHP_SELF != "/admin/packing_slip.php") &&
         ($PHP_SELF != "/admin/customers.php") ) {
      die("<br><br><center>You are not authorized to view this page.\n\n</center>");
    }
  }

 

-jared

 

 

Jared, I liked your work very much!! It's very simple and practical, just what we need... I had a problem when I used this with my username, and I tried to follow your advice above to see what is going on... I realised that PHP_AUTH_USER, _SERVER[PHP_AUTH_USER] and _SERVER[REMOTE_USER] don't return a value!!! What do I have to do, and do you maybe know why this happens!?? Thanks in advance, Giorgos!


I can see that quite a few people were having a similar problem: $PHP_AUTH_USER and _SERVER[REMOTE_USER] didn't work. It was the same for me, so I have replaced it with _SERVER[REDIRECT_REMOTE_USER]. Also, on some servers, you cannot use DIR_WS_ADMIN, don't ask me why. You will have to keep the file name only. To give you an example, the whole, working piece of code would look like this:

// REDIRECT_REMOTE_USER carries the .htaccess account name on servers where
// PHP_AUTH_USER and REMOTE_USER stay empty
if ($_SERVER['REDIRECT_REMOTE_USER'] == 'user1') {
  // full access
} else {
  if ( ($PHP_SELF != "orders.php") &&
       ($PHP_SELF != "index.php") &&
       ($PHP_SELF != "invoice.php") &&
       ($PHP_SELF != "server_info.php") ) {
    // PHP_SELF is partly client-controlled, so escape it before echoing it into HTML
    die("<br /><br /><br /><br /><center><b>You are not currently authorized to view this page.</b><br /><br />Please contact the store administrator for details. To return, click back on your browser.<br /><br /><br /><br />\n\n <i>If you do need access to a specific page please contact the site administrator and quote the below page name.</i><br><br>Page name: " . htmlspecialchars($PHP_SELF) . "</center>");
  }
}

 

And last but not least, you may need to add index.php in your list of permitted files, otherwise you would need to enter the permitted page via direct link - https://www.yourstore.com/admin/orders.php for example.

 

I hope that helps.


Absinthe Original Liquor Store


Can someone help me?

I read all the pages and tested every tip, and nothing :(

All the same error (user "teste" and all other users can only access the pages that were placed in the code).

Examples of what I've tried:

1)

if ($PHP_AUTH_USER==teste) {
} else {
  if ( ($PHP_SELF != DIR_WS_ADMIN . "index.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "login.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "customers.php") ) {
    die("<br><br><center>You are not authorized to view this page.\n\n</center>");
  }
}

2)

if ($PHP_AUTH_USER==test) {
} else {
  if ( ($PHP_SELF != "/admin/login.php") &&
       ($PHP_SELF != "/admin/index.php") &&
       ($PHP_SELF != "/admin/packing_slip.php") &&
       ($PHP_SELF != "/admin/customers.php") ) {
    die("<br><br><center>You are not authorized to view this page.\n\n</center>");
  }
}

3)

if ($_SERVER[REMOTE_USER]==test) {
} else {
  if ( ($PHP_SELF != DIR_WS_ADMIN . "index.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "administrators.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "login.php") ) {
    die("<br><br><center>You are not authorized to view this page.\n\n</center>");
  }
}

4)

if ($_SERVER['REDIRECT_REMOTE_USER']==test) {
} else {
  if ( ($PHP_SELF != "login.php") &&
       ($PHP_SELF != "index.php") &&
       ($PHP_SELF != "invoice.php") &&
       ($PHP_SELF != "server_info.php") ) {
    die("<br /><br /><br /><br /><center><b>You are not currently authorized to view this page.</b><br /><br />Please contact the store administrator for details. To return, click back on your browser.<br /><br /><br /><br />\n\n <i>If you do need access to a specific page please contact the site administrator and quote the below page name.</i><br><br>Page name: " . htmlspecialchars($PHP_SELF) . "</center>");
  }
}


if ($PHP_AUTH_USER==teste)

should be

if ($PHP_AUTH_USER=='teste')

Note the quotes around the user name.

 

-jared


For all of you for whom the code is still not working: replace $PHP_SELF with $_SERVER['SCRIPT_NAME'].

The simple reason is that $_SERVER['SCRIPT_NAME'] returns the script file name no matter whether there is a query string or a trailing path.

 

Replace:

($PHP_SELF != DIR_WS_ADMIN . "orders.php") && etc.

With:

($_SERVER['SCRIPT_NAME'] != DIR_WS_ADMIN . "orders.php") && etc.

 

Script should work on osCommerce 2.3 too.

 

Best,

</nt>
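
Pulling the thread's fixes together, the following is an added example written for this page; it is not the contribution's code and not from any of the posts above. It is meant for admin/includes/header.php after the $messageStack block, with Apache Basic auth already in front of the admin directory. It takes the first non-empty of PHP_AUTH_USER, REMOTE_USER and REDIRECT_REMOTE_USER as the account name (the variables the debug posts showed empty in different setups), compares basename($_SERVER['SCRIPT_NAME']) rather than $PHP_SELF against an allowlist, and adds the per-action check the first post (delete) and Leon's question (update_order) asked for, so the decision no longer depends on a button being hidden. The policy array, the account names 'admin' and 'user1' and the function names are assumptions; the page and action names are the osCommerce admin scripts and actions mentioned in this thread.

```php
<?php
// Added example for this thread, not code from the Simple Admin Access
// Control contribution or from any post above. Goes into
// admin/includes/header.php after the $messageStack block; assumes Apache
// Basic auth already protects the admin directory. Account names, policy
// contents and function names are assumptions.

// Which scripts each account may open ('*' = all) and, per script, which
// ?action= values it is refused. Page names are osCommerce admin scripts.
$admin_access_policy = array(
  'admin' => array('pages' => '*', 'deny_actions' => array()),
  'user1' => array(
    'pages' => array('index.php', 'login.php', 'logoff.php', 'orders.php',
                     'invoice.php', 'packing_slip.php', 'customers.php'),
    'deny_actions' => array(
      'orders.php' => array('delete', 'deleteconfirm', 'update_order'),
    ),
  ),
);

// Account name as PHP sees it. Which variable is filled depends on how PHP is
// attached to Apache (module, CGI handler, internal redirect), so take the
// first non-empty one; no match means an unknown user, which is denied below.
function tep_admin_auth_user() {
  foreach (array('PHP_AUTH_USER', 'REMOTE_USER', 'REDIRECT_REMOTE_USER') as $key) {
    if (isset($_SERVER[$key]) && $_SERVER[$key] !== '') {
      return $_SERVER[$key];
    }
  }
  return '';
}

// File name of the running script. SCRIPT_NAME rather than PHP_SELF, because
// PHP_SELF also carries any trailing path info (/admin/orders.php/x);
// basename() drops the directory, so DIR_WS_ADMIN need not match the real URL.
function tep_admin_current_script() {
  return basename($_SERVER['SCRIPT_NAME']);
}

function tep_admin_page_allowed($policy, $user, $script) {
  if (!isset($policy[$user])) return false;           // unknown account: deny
  $pages = $policy[$user]['pages'];
  return ($pages === '*') || in_array($script, $pages, true);
}

function tep_admin_action_allowed($policy, $user, $script, $action) {
  if (!tep_admin_page_allowed($policy, $user, $script)) return false;
  $deny = $policy[$user]['deny_actions'];
  return !(isset($deny[$script]) && in_array($action, $deny[$script], true));
}

// Enforcement on every admin page load. osCommerce passes the action in the
// query string even for POSTed forms, so one check covers the GET
// ?action=delete link from the first post and the update_order button.
$aac_user   = tep_admin_auth_user();
$aac_script = tep_admin_current_script();
$aac_action = isset($_GET['action']) ? (string)$_GET['action'] : '';

if (!tep_admin_action_allowed($admin_access_policy, $aac_user, $aac_script, $aac_action)) {
  die('<br><br><center>You are not authorized to view this page.</center>');
}
```

The same predicate can hide the button, as Jared suggested: in orders.php wrap the delete button in `if (tep_admin_action_allowed($admin_access_policy, $aac_user, 'orders.php', 'deleteconfirm'))`. The check in header.php still rejects a hand-typed URL or a replayed POST, which hiding the button alone does not do. An empty account name, which is what the debug dumps showed when none of the three variables is populated, matches no policy entry and is refused, so a misconfigured server fails closed rather than open.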
