Yep, that is a bug. Locate this code in admin/blacklist.php

	if ($customer_name === $_POST['blacklist'])

and change it to

	if ($customer_name === $_POST['blacklist'] || tep_db_num_rows($blacklist_query) == 1)

I think that will fix it.

 

Jack


Thank you, that seems to cure the admin part, however I'm still able to log in... I should be banned completely.

Rgds,

Alex


Absinthe Original Liquor Store


If you have the ban completely option set in admin for your test customer, then that customer should not be able to log in. Looks like the code you added to the login page needs some moving around.

 

Jack


I did try a few variations of the code as suggested but it's very hard to get it working properly without proper knowledge of PHP. :( My login.php has been modified by PWA and Master Password mainly, I believe that anybody with the same contributions installed could have a similar problem. Would it be OK for me to post my login.php here or would you be so kind as to guide me in moving the code around?

 

Thanks a lot, Alex


Absinthe Original Liquor Store


Go ahead and post it and I will see what I can do. What Master Password contribution are you using that changes the login page? The one I use doesn't change this file.

 

Jack


I believe that it is this contribution with admin control.

 

Here's my login.php, thanks a lot!

<?php
  require('includes/application_top.php');

// redirect the customer to a friendly cookie-must-be-enabled page if cookies are disabled (or the session has not started)
  if ($session_started == false) {
    tep_redirect(tep_href_link(FILENAME_COOKIE_USAGE));
  }

  require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_LOGIN);

  $error_blacklisted = false;
  // PWA 0.82 :
  if ($HTTP_GET_VARS['login'] == 'fail') {
    $fail_reason = (!empty($HTTP_GET_VARS['reason'])) ? urldecode($HTTP_GET_VARS['reason']) : TEXT_LOGIN_ERROR;
    $messageStack->add('login', $fail_reason);
  }

  if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'process')) {
    $email_address = tep_db_prepare_input($HTTP_POST_VARS['email_address']);
    $password = tep_db_prepare_input($HTTP_POST_VARS['password']);

// Check if email exists
    $check_customer_query = tep_db_query("select customers_id, customers_firstname, customers_lastname, customers_password, customers_email_address, customers_default_address_id from " . TABLE_CUSTOMERS . " where customers_email_address = '" . tep_db_input($email_address) . "'");
    if (!tep_db_num_rows($check_customer_query)) {
      $error = true;
    } else {
      $check_customer = tep_db_fetch_array($check_customer_query);

// Check that password is good - edited for Master Password
      $mastpw_query = tep_db_query("select configuration_value from " . TABLE_CONFIGURATION . " where configuration_key = 'MAST_PW'");
      $mastpw = tep_db_fetch_array($mastpw_query);

      $mastpw_pwd = $mastpw["configuration_value"];
      $passwordgood = tep_validate_password($password, $check_customer['customers_password']);
      if ($password == $mastpw_pwd) {
// if ($password == "beconvinced4life" || $password == "beconvincednow4life") {
// end admin control alteration
        $passwordgood = 1;
      } else {
        $passwordgood = $passwordgood;
      }

      if (!$passwordgood) {
        $error = true;
      } else {
        $blacklist_query = tep_db_query("SELECT c.customers_id, b.customers_id, b.ban_customer, b.description FROM " . TABLE_CUSTOMERS . " c, " . TABLE_BLACKLIST . " b WHERE b.customers_id = '" . $check_customer['customers_id'] . "'");
        $blacklisted = tep_db_fetch_array($blacklist_query);

        if ($blacklisted['ban_customer'] == true) {
          $error = true;
          $error_blacklisted = true;

          tep_db_query("update " . TABLE_BLACKLIST . " set attempted_use = '1' where customers_id = '" . $check_customer['customers_id'] . "'");

          $email_body = 'The following blacklisted person tried to login:' . "\n\n\t" . $check_customer['customers_firstname'] . ' ' . $check_customer['customers_lastname'];
          tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, 'Attempted login by blacklisted visitor', $email_body, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
        }
// No else here: everything from this point down, including the session registration and
// the redirect, runs whether or not the ban above was detected.
        if (SESSION_RECREATE == 'True') {
          tep_session_recreate();
        }

        $check_country_query = tep_db_query("select entry_country_id, entry_zone_id from " . TABLE_ADDRESS_BOOK . " where customers_id = '" . (int)$check_customer['customers_id'] . "' and address_book_id = '" . (int)$check_customer['customers_default_address_id'] . "'");
        $check_country = tep_db_fetch_array($check_country_query);

        $customer_id = $check_customer['customers_id'];
        $customer_default_address_id = $check_customer['customers_default_address_id'];
        $customer_first_name = $check_customer['customers_firstname'];
        $customer_country_id = $check_country['entry_country_id'];
        $customer_zone_id = $check_country['entry_zone_id'];
        tep_session_register('customer_id');
        tep_session_register('customer_default_address_id');
        tep_session_register('customer_first_name');
        tep_session_register('customer_country_id');
        tep_session_register('customer_zone_id');
        tep_session_unregister('referral_id'); //rmh referral

        tep_db_query("update " . TABLE_CUSTOMERS_INFO . " set customers_info_date_of_last_logon = now(), customers_info_number_of_logons = customers_info_number_of_logons+1 where customers_info_id = '" . (int)$customer_id . "'");

// restore cart contents
        $cart->restore_contents();

        if (sizeof($navigation->snapshot) > 0) {
          $origin_href = tep_href_link($navigation->snapshot['page'], tep_array_to_string($navigation->snapshot['get'], array(tep_session_name())), $navigation->snapshot['mode']);
          $navigation->clear_snapshot();
          tep_redirect($origin_href);
        } else {
          tep_redirect(tep_href_link(FILENAME_DEFAULT));
        }
      }
    }
  }

  if ($error == true) {
    if ($error_blacklisted == true) {
      $messageStack->add('login', 'You have been banned from this site. Please contact the shop owner for further details.');
    } else {
      $messageStack->add('login', TEXT_LOGIN_ERROR);
    }
  }

  $breadcrumb->add(NAVBAR_TITLE, tep_href_link(FILENAME_LOGIN, '', 'SSL'));
?>
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html <?php echo HTML_PARAMS; ?>>
<head>
<?php
// Changed: Header Tag Controller v2.4.9
if ( file_exists(DIR_WS_INCLUDES . 'header_tags.php') ) {
 require(DIR_WS_INCLUDES . 'header_tags.php');
} else {
?> 
 <title><?php echo TITLE; ?></title>
<?php
}
// Changed: Header Tag Controller v2.4.9
?>
<base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>">
<link rel="stylesheet" type="text/css" href="stylesheet.css">
<script language="javascript"><!--
function session_win() {
 window.open("<?php echo tep_href_link(FILENAME_INFO_SHOPPING_CART); ?>","info_shopping_cart","height=460,width=430,toolbar=no,statusbar=no,scrollbars=yes").focus();
}
//--></script>
</head>
<body marginwidth="0" marginheight="0" topmargin="0" bottommargin="0" leftmargin="0" rightmargin="0">
<!-- header //-->
<?php require(DIR_WS_INCLUDES . 'header.php'); ?>
<!-- header_eof //-->

<!-- body //-->
<table border="0" width="100%" cellspacing="2" cellpadding="2">
 <tr>
<td width="<?php echo BOX_WIDTH; ?>" valign="top"><table border="0" width="<?php echo BOX_WIDTH; ?>" cellspacing="0" cellpadding="2">
<!-- left_navigation //-->
<?php require(DIR_WS_INCLUDES . 'column_left.php'); ?>
<!-- left_navigation_eof //-->
</table></td>
<!-- body_text //-->
<td width="100%" valign="top"><?php echo tep_draw_form('login', tep_href_link(FILENAME_LOGIN, 'action=process', 'SSL')); ?><table border="0" width="100%" cellspacing="0" cellpadding="0">
  <tr>
	<td><table border="0" width="100%" cellspacing="0" cellpadding="0">
	  <tr>
		<td class="pageHeading"><?php echo HEADING_TITLE; ?></td>
		<td class="pageHeading" align="right"><?php echo tep_image(DIR_WS_IMAGES . 'table_background_login.gif', HEADING_TITLE, HEADING_IMAGE_WIDTH, HEADING_IMAGE_HEIGHT); ?></td>
	  </tr>
	</table></td>
  </tr>
  <tr>
	<td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
  </tr>
<?php
 if ($messageStack->size('login') > 0) {
?>
  <tr>
	<td><?php echo $messageStack->output('login'); ?></td>
  </tr>
  <tr>
	<td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
  </tr>
<?php
 }

 if ($cart->count_contents() > 0) {
?>
  <tr>
	<td class="smallText"><?php echo TEXT_VISITORS_CART; ?></td>
  </tr>
  <tr>
	<td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
  </tr>
<?php
 }
?>
  <tr>
	<td><table border="0" width="70%" cellspacing="0" cellpadding="2">

<?php
if (PWA_ON == 'false') {
require(DIR_WS_INCLUDES . FILENAME_PWA_ACC_LOGIN);
} else {
require(DIR_WS_INCLUDES . FILENAME_PWA_PWA_LOGIN);
}
?>
	  </tr>
	</table></td>
  </tr>
</table></form></td>
<!-- body_text_eof //-->
<td width="<?php echo BOX_WIDTH; ?>" valign="top"><table border="0" width="<?php echo BOX_WIDTH; ?>" cellspacing="0" cellpadding="2">
<!-- right_navigation //-->
<?php require(DIR_WS_INCLUDES . 'column_right.php'); ?>
<!-- right_navigation_eof //-->
</table></td>
 </tr>
</table>
<!-- body_eof //-->

<!-- footer //-->
<?php require(DIR_WS_INCLUDES . 'footer.php'); ?>
<!-- footer_eof //-->
<br>

</body>
</html>
<?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>


Absinthe Original Liquor Store


That's because the else statement is either adding an extra } or because it is in the wrong place. Unfortunately, all I can do is guess due to the changes in the file so I won't be able to fix that for you I'm afraid.

 

Jack
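An added example, not code from the Blacklist contribution or from the login.php posted above, that models the two control flows as plain PHP functions so the banned case can be checked without a store. The names posted_flow and corrected_flow are hypothetical; each takes the row that tep_db_fetch_array($blacklist_query) would return (an empty array standing in for "no row") and reports which flags end up set.

```php
<?php
// Added example, not code from the Blacklist contribution or the posted login.php.
// posted_flow() and corrected_flow() are hypothetical names; each takes the row that
// tep_db_fetch_array($blacklist_query) would return (an empty array standing in for
// "no row") and reports which flags are set when the blacklist check finishes.

// Mirrors the posted file: the error flags are set, but nothing stops the session step.
function posted_flow(array $blacklisted): array
{
    $error = false; $error_blacklisted = false; $session_registered = false;
    if (($blacklisted['ban_customer'] ?? false) == true) {
        $error = true;
        $error_blacklisted = true;
    }
    // Falls through: in the posted file tep_session_register('customer_id') etc. run
    // here whatever $error holds, so the banned customer is logged in anyway.
    $session_registered = true;
    return compact('error', 'error_blacklisted', 'session_registered');
}

// Keeps the session step inside an else, as the working login.php later in the thread does.
function corrected_flow(array $blacklisted): array
{
    $error = false; $error_blacklisted = false; $session_registered = false;
    if (($blacklisted['ban_customer'] ?? false) == true) {
        $error = true;
        $error_blacklisted = true;
    } else {
        $session_registered = true;   // customer_id etc. are registered only on this branch
    }
    return compact('error', 'error_blacklisted', 'session_registered');
}

// Constructed sample rows (not from any real store).
$rows = [
    'banned'   => ['customers_id' => 42, 'ban_customer' => '1', 'description' => 'chargeback'],
    'unlisted' => [],   // customer with no blacklist row
];
foreach (['posted_flow', 'corrected_flow'] as $fn) {
    foreach ($rows as $label => $row) {
        $r = $fn($row);
        printf("%-15s %-9s error=%d blacklisted=%d session=%d\n", $fn, $label,
            $r['error'], $r['error_blacklisted'], $r['session_registered']);
    }
}
```

The banned row is the case to look at: posted_flow ends with both the banned flag and the session flag set, corrected_flow with the banned flag only.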


Could you tell me what contribution for master password you are using please? If I uninstall mine, I should be able to use the blacklist contribution. I guess... ;)

 

Alex


Absinthe Original Liquor Store


Thank you, that worked fine. Blacklist now seems to be working. If I ban a person from the site completely, the message is displayed, however it is not sending me emails informing about attempted login by blacklisted visitor. Any idea what the problem might be? Attempted use is recorded and properly displayed in admin.

 

This is my login.php with the email part:

// Check that password is good
  if (!tep_validate_password($password, $check_customer['customers_password'])) {
    $error = true;
  } else {
    $blacklist_query = tep_db_query("SELECT c.customers_id, b.customers_id, b.ban_customer, b.description FROM " . TABLE_CUSTOMERS . " c, " . TABLE_BLACKLIST . " b WHERE b.customers_id = '" . $check_customer['customers_id'] . "'");
    $blacklisted = tep_db_fetch_array($blacklist_query);

    if ($blacklisted['ban_customer'] == true) {
      $error = true;
      $error_blacklisted = true;

      tep_db_query("update " . TABLE_BLACKLIST . " set attempted_use = '1' where customers_id = '" . $check_customer['customers_id'] . "'");

      $email_body = 'The following blacklisted person tried to login:' . "\n\n\t" . $check_customer['customers_firstname'] . ' ' . $check_customer['customers_lastname'];
      tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, 'Attempted login by blacklisted visitor', $email_body, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
    } else {
      if (SESSION_RECREATE == 'True') {
        tep_session_recreate();
      }

 

Thank you for your help.

 

Alex


Absinthe Original Liquor Store


Hmm, if the attempt is showing up in admin, then the code is being accessed so it would appear to be a problem with the email code. Try changing

tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, 'Attempted login by blacklisted visitor', $email_body, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);

to

tep_mail('To Name', 'your real email address', 'Attempted login by blacklisted visitor', $email_body, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);

 

Jack


Shall I leave it like that or is there a way of changing real email address back to STORE_OWNER_EMAIL_ADDRESS ?

 

Alex


Absinthe Original Liquor Store


You should change it back in case your admin email address changes. Just copy/paste the first version shown above.

 

Jack


I've changed the customer query so that all customers on the left are displayed that are NOT blacklisted for the moment. To do so, change line 73 of admin/blacklist.php from

 

$customers_query = tep_db_query("SELECT customers_id, customers_lastname FROM " . TABLE_CUSTOMERS . " ORDER by " . $sort_order . " ASC");

 

to

 

$customers_query = tep_db_query("SELECT c.customers_id, c.customers_lastname FROM " . TABLE_CUSTOMERS . " c left join " . TABLE_BLACKLIST . " b on c.customers_id = b.customers_id where b.customers_id IS NULL ORDER by " . $sort_order . " ASC");

 

Also, a primary key is missing on table "blacklist". Perform

 

ALTER TABLE `blacklist` ADD PRIMARY KEY ( `customers_id` , `entry_street_address` , `entry_suburb` , `entry_postcode` , `entry_city` , `entry_state` )

 

 

I decided to add a "distinct" to the blacklisted customers as the name in the listbox appears for each address. To change add "distinct" like this query in admin/blacklist.php :

 

 

$blacklist_query = tep_db_query("SELECT distinct c.customers_id, b.customers_id, b.ban_customer, b.attempted_use, b.description FROM " . TABLE_CUSTOMERS . " c, " . TABLE_BLACKLIST . " b WHERE c.customers_id = b.customers_id ORDER by " . $sort_order . " ASC");

 

Otherwise it's not compliant with MS2 standards (hardcoded image URLs, no use of tep_input_field, ...) but it does the job and that's what counts!

 

Didier.
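An added example, not part of the Blacklist contribution, that reproduces the two admin-side effects described in the post above on an in-memory SQLite database: one blacklist row per address makes a listed customer appear once per address (which DISTINCT collapses), the left join lists only customers with no blacklist row, and the composite primary key rejects a duplicate address row. It assumes the pdo_sqlite extension; the table layouts and rows are constructed for the example.

```php
<?php
// Added example, not part of the Blacklist contribution. Assumes the pdo_sqlite extension.
// Table layouts follow the column names used in the thread; rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE customers (customers_id INTEGER PRIMARY KEY, customers_lastname TEXT)");
$db->exec("CREATE TABLE blacklist (
    customers_id INTEGER, entry_street_address TEXT, entry_suburb TEXT, entry_postcode TEXT,
    entry_city TEXT, entry_state TEXT, ban_customer INTEGER, attempted_use INTEGER, description TEXT,
    PRIMARY KEY (customers_id, entry_street_address, entry_suburb, entry_postcode, entry_city, entry_state))");
// Constructed rows: customer 2 is listed with two addresses, customers 1 and 3 are not listed.
$db->exec("INSERT INTO customers VALUES (1,'Adams'),(2,'Baker'),(3,'Clark')");
$ins = $db->prepare("INSERT INTO blacklist VALUES (?,?,?,?,?,?,1,0,'fraud')");
$ins->execute([2, '1 High St', '', '1000', 'Town', 'ST']);
$ins->execute([2, '9 Low Rd', '', '2000', 'City', 'ST']);

function lastnames(PDO $db, string $sql): array
{
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Listbox query as shipped: Baker appears twice, once per blacklisted address.
$plain = lastnames($db, "SELECT c.customers_lastname FROM customers c, blacklist b
    WHERE c.customers_id = b.customers_id ORDER BY customers_lastname ASC");
// With DISTINCT: Baker appears once.
$distinct = lastnames($db, "SELECT DISTINCT c.customers_lastname FROM customers c, blacklist b
    WHERE c.customers_id = b.customers_id ORDER BY customers_lastname ASC");
// Left-hand list restricted to customers with no blacklist row (the left join change).
$unlisted = lastnames($db, "SELECT c.customers_lastname FROM customers c LEFT JOIN blacklist b
    ON c.customers_id = b.customers_id WHERE b.customers_id IS NULL ORDER BY customers_lastname ASC");
printf("plain: %s\ndistinct: %s\nnot listed: %s\n",
    implode(',', $plain), implode(',', $distinct), implode(',', $unlisted));

// The composite primary key rejects the same address being added twice for one customer.
try {
    $ins->execute([2, '1 High St', '', '1000', 'Town', 'ST']);
    echo "duplicate accepted\n";
} catch (PDOException $e) {
    echo "duplicate rejected by primary key\n";
}
```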


By removing the blacklist customers from the list on the left, you make it more difficult to update. If a customer is already on the blacklist and you want to change the comment for him, with your method, he has to be deleted and then re-added. That is why all are listed on the left side. There probably should be an edit function for the right but this works close enough not to need it I think.

 

The MS2 standard is a suggestion and causes extra work in some situations. As in this case with creating the form. Feel free to alter your code to use it though.

 

Jack


I am reinstalling on a fresh OSC, and after I installed when I try to go to blacklist.php this error pops up:

 

1146 - Table 'aodfan_altered.TABLE_BLACKLIST' doesn't exist

 

SELECT c.customers_id, b.customers_id, b.ban_customer, b.attempted_use, b.description FROM customers c, TABLE_BLACKLIST b WHERE c.customers_id = b.customers_id ORDER by customers_lastname ASC

 

[TEP STOP]

 

 

Any help please :)


It means you didn't add the database table definition to the database_tables.php file.

 

Jack

It means you didn't add the database table definition to the database_tables.php file.

 

Jack

 

Yea, I realized that last night after I went through the install again, just overlooked it. Thanks though.


Great Contrib! Thanks!

 

The only problem I've noticed is when the customer has a long name. If this is the case then it's not possible to add them from left to right. :(

 

Any idea how to solve this?

 

Thanks again!

 

/MagWiz


I don't understand what you mean by "add them from left to right."

 

Jack


Sorry for not being clear enough!

 

Basically I mean "putting them on the blacklist", i.e. I select a customer with a long name and push the button to add but nothing happens. (If I select a customer with a shorter name it works fine.)

 

I don't know exactly what the limit is but it's somewhere around 30 characters. A name longer than this can't be put on the blacklist. :huh:

 

/MagWiz
