
steefking

How to secure your admin for other users


I use the module Secure Admin Login-Logout. I would like to use the following code in the header of my admin, so that other users handle orders only and can't go to Tools or other places they don't belong.

// Full admins, identified by the HTTP basic-auth user, may open any admin page.
// Read the names from $_SERVER (register_globals is not needed) and quote the
// literals: bare admin1 / admin2 are undefined constants, not strings.
$authUser   = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
$remoteUser = isset($_SERVER['REMOTE_USER'])   ? $_SERVER['REMOTE_USER']   : '';
$isFullAdmin = in_array($authUser,   array('admin1', 'admin2'), true)
            || in_array($remoteUser, array('admin1', 'admin2'), true);

if ( !$isFullAdmin ) {
    // Everyone else is limited to the order-handling pages.
    if ( ($_SERVER['SCRIPT_NAME'] != DIR_WS_ADMIN . "orders.php") &&
         ($_SERVER['SCRIPT_NAME'] != DIR_WS_ADMIN . "invoice.php") &&
         ($_SERVER['SCRIPT_NAME'] != DIR_WS_ADMIN . "index.php") &&
         ($_SERVER['SCRIPT_NAME'] != DIR_WS_ADMIN . "login.php") &&
         ($_SERVER['SCRIPT_NAME'] != DIR_WS_ADMIN . "packing_slip.php") &&
         ($_SERVER['SCRIPT_NAME'] != DIR_WS_ADMIN . "customers.php") ) {
        die("<br><br><center>You are not authorized to view this page.\n\n</center>");
    }
}

But it doesn't work with Secure Admin Login-Logout, because that module looks somewhere else for the users. So does someone know what I have to change in Secure Admin Login-Logout so it will work? It does work, but it now blocks all users from all other options like Tools.

Steven


Try this Steven and let me know if it works:

   // Work out the current script name; this is the $PHP_SELF code from 2.3.1,
   // which also copes with cgi.fix_pathinfo being switched off.
   $PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] );
   if ( defined( 'DIR_WS_ADMIN' ) ) {
    // Anchored and with the dot escaped, so only these exact file names pass
    // (an unanchored "orders.php" would also accept e.g. myorders.php).
    $allowedpages = preg_match('/^(?:orders|invoice|index|login|packing_slip|customers)\.php$/i', $PHP_SELF );
    // The full admins may open every page.
    if ( ( $admin['username'] == 'admin1' ) || ( $admin['username'] == 'admin2' ) ) $allowedpages = true;
    if ( false === ( bool )$allowedpages ) die( "<br><br><center><font face=verdana size=1>You are not authorized to view this page.<br />\n[<a href=./index.php>Click here</a>] to return to admin</font><br />\n</center>" );
   }

Assumes that the username is determined via $admin['username'].

To make sure $PHP_SELF is reporting correctly I included the $PHP_SELF code from 2.3.1.

Also added a link back to the admin page if the error is called.

A better method would be to restrict the options in the left column to specific users.

This way above is a bit clunky but it might work.


In the addon 'Secure Admin Login-Logout' it seems they are using $psName as the admin username. But it seems that $psName can be set merely by making the form post operation, and the authenticated username is set via a cookie session, so it may not be safe to just add $psName into the legitimate username list:

if ( ( $psName == 'admin1' ) || ( $psName == 'admin2' ) ) $allowedpages = true;

That would be rather unsafe I would think.

In my first example, $admin['username'] is taken from the 2.2rc2 Administration Tool.

So I might need to think about this a bit more.



First of all, many thanks. A little bit late with my reaction. Unfortunately it didn't work yet.

Maybe it doesn't know what $psName means in the header?

Is it maybe a solution that I use 2 portals for securing the admin, so this one and the htaccess security?

Greets,

Steven


It would probably be better use of time to develop an actual addon that has an admin section that allows for the main admin to assign accessible sections to other admins. The allowed pages list might be better set from an added table in the database. That sort of thing.

Yes certainly use htpasswd basic authentication protection to protect the admin section, but that above would be my suggestion for you. Perhaps there is a developer here that might want to look at this sort of thing (assuming someone hasn't already done one - to be honest I haven't really looked around).

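Two points from the thread deserve a worked example: the warning that $psName comes from the form post and can be set by the client, and the suggestion to keep the allowed-pages list in a database table that the main admin fills in. The following is an added example written for this thread; it is not code from the Secure Admin Login-Logout addon, from osCommerce, or from any of the posters. Everything it names is an assumption: the session key $_SESSION['admin_username'] stands in for whatever the login step really stores, the table admin_page_access and its columns are invented for the example, and an in-memory SQLite database is used through PDO so the file runs on its own. In a store you would point the DSN at the shop's database, create the table once, and include the check at the top of every admin page.

```php
<?php
// Added example for this thread, not code from the addon or from osCommerce.
// Assumptions (all placeholders): the login step stored the authenticated
// name in $_SESSION['admin_username']; grants live in admin_page_access;
// PDO with the SQLite driver is available.

function open_access_db()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE admin_page_access (
                   admin_username TEXT NOT NULL,
                   page           TEXT NOT NULL,
                   PRIMARY KEY (admin_username, page))');

    // Constructed sample grants. A page of "*" means every admin page.
    $rows = array(
        array('admin1',     '*'),
        array('admin2',     '*'),
        array('orderclerk', 'index.php'),
        array('orderclerk', 'orders.php'),
        array('orderclerk', 'invoice.php'),
        array('orderclerk', 'packing_slip.php'),
        array('orderclerk', 'customers.php'),
    );
    $ins = $db->prepare('INSERT INTO admin_page_access (admin_username, page) VALUES (?, ?)');
    foreach ($rows as $row) {
        $ins->execute($row);
    }
    return $db;
}

// True only if a grant row exists for this user and this exact file name
// (or the "*" wildcard). Unknown users and unlisted pages are denied by
// default; basename() means "myorders.php" is not "orders.php", and the
// prepared statement keeps user-supplied strings out of the SQL text.
function admin_page_allowed(PDO $db, $username, $scriptName)
{
    $page = basename($scriptName);
    if ($page === 'login.php') {
        return true;   // the login form itself must stay reachable
    }
    if ($username === null || $username === '') {
        return false;  // nobody is logged in
    }
    $q = $db->prepare("SELECT 1 FROM admin_page_access
                        WHERE admin_username = ? AND (page = ? OR page = '*')");
    $q->execute(array($username, $page));
    return $q->fetchColumn() !== false;
}

// What the header of each admin page would run. The identity comes from the
// server-side session only; $psName, $_POST and $_GET are never consulted,
// because a client can put anything into those.
function enforce_admin_page_access(PDO $db)
{
    session_start();
    $username = isset($_SESSION['admin_username']) ? $_SESSION['admin_username'] : null;
    if (!admin_page_allowed($db, $username, $_SERVER['SCRIPT_NAME'])) {
        header('HTTP/1.0 403 Forbidden');
        die('<br><br><center>You are not authorized to view this page.<br>'
          . '[<a href="./index.php">Click here</a>] to return to admin</center>');
    }
}

// Stand-alone walk-through with constructed inputs (run from the command line).
if (PHP_SAPI === 'cli') {
    $db = open_access_db();
    $cases = array(
        array('orderclerk', '/admin/orders.php'),
        array('orderclerk', '/admin/tools.php'),
        array('orderclerk', '/admin/myorders.php'),
        array('admin1',     '/admin/tools.php'),
        array('nobody',     '/admin/orders.php'),
    );
    foreach ($cases as $case) {
        printf("%-12s %-22s %s\n", $case[0], $case[1],
               admin_page_allowed($db, $case[0], $case[1]) ? 'allowed' : 'denied');
    }
}
```

Run it with the PHP command-line binary and the walk-through prints one allowed/denied line per constructed case. The main admin's "assign sections" screen the last post describes would then be nothing more than inserting and deleting rows in admin_page_access, and adding a new restricted user means adding rows rather than editing every admin page header.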