Parikesit Posted April 17, 2003

ADMIN ACCESS with LEVEL for osCommerce's Administration Tool
Version: 1.1
Released under the GPL

Description
Access to the Administration Tool with an access level for each admin member. This will only work with CVS2 and MS1 (see the changelog below to see when the last update was made).

Features
- Login box, password forgotten and logoff account
- Create/edit/delete admin account with group
- Create/edit/delete groups
- Define boxes and files permission for each group
- Add/remove boxes and files
- My Account: edit admin account
- Automatic display of accessed boxes and files (Left Menu)
- Email notification when creating an admin account

recent contributions: mySQLi extension for osc 2.X, OPI: advanced image handling (ajax, thumbnail, watermark, etc), and other contributions all here
Parikesit Posted April 17, 2003 (Author)

You can get the package in the Contribution area: http://www.oscommerce.com/community/contributions,1174
Parikesit Posted April 17, 2003 (Author)

By default there are two example admin accounts: and
Please try both accounts and you can see how this contribution works!

WARNING: For security reasons, don't forget to change the email and password of the example accounts as soon as you have successfully installed this contribution.

Enjoy :)
zaenal
Parikesit Posted April 18, 2003 (Author)

For MS1: Add the new tables (admin, admin_files, admin_groups) to backup.php at line 246. It looks like:

    .... tep_db_query("drop table if exists admin, admin_files, admin_groups, address_book, address_format, ....

zaenal
Parikesit Posted April 18, 2003 (Author)

HOW TO USE Admin Account with Access Level

Snapshot 1: Front Page

Description:
1. My Account (only the current login can access "My Account")
   Here you can edit your account yourself.
2. Logoff
   Logoff the current account.
3. Member Groups (only those who have permission can access this!)
   - Add/edit/delete account
   - Add/edit/delete group
   - Define what "Boxes" and "Files" can be accessed by each group (see snapshot 2 below)
4. File Access (only those who have permission can access this!)
   - Install/uninstall boxes or categories in the Left Menu
   - Add/remove files from boxes (see snapshot 3 below)

As you can see, when you store a new file to e.g. the Administrator box (snapshot 3) it will be shown when you define a group (snapshot 2).

Snapshot 2: Define Groups

Snapshot 3: Store Files - Permission
Guest Posted April 18, 2003

I executed the table using phpMyAdmin 2.4.0 and all works fine. Yes, this could be the best contribution I have seen. Thanks a lot
Buana

After getting the tables into mySQL (I don't know much about adding tables to mySQL {the sql included did not work for me and I had to do it by hand}), this contribution is one of the best that I have seen!!!
Thanks, Scott
apodigm Posted April 19, 2003

I have been trying to get the Admin 1.45 to work on my system and having a terrible time. It appears that the new session code or something in the MS1 code is messing it up. I even went completely out of it and tried a new install. It appears that you can only log in on certain computers and only at certain times. At this point I am willing to try anything, so I am going to back out of that mod and install this. I'm crossing my fingers because this one actually looks like it will be easier to administer. I'll let you know (Monday or Tuesday) when I get a chance to make this change and test it. Thanks for the contrib!
Druide Posted April 19, 2003

> Yes, this could be the best contribution I have seen.

After 2 replies, I can imagine that. Still 1100+ contributions for you to check out....LOL

Robert
We all need to learn it once, how hard it may seem when you look at it, also you will master it someday ;)
Druide Posted April 19, 2003

Please put those images on a faster HOST because it takes about 15+++ minutes to load them all, no it's not my connection. (I download at 500+ Kb/s)
dangerous Posted April 19, 2003

Zaenal,
I have to say this is one of the best I have seen. Although I have a question, a suggestion and a problem.

My question is, why did you opt to use the email address for login as opposed to a username? Personally I find a username much easier to enter and it provides the same if not more security.

My suggestion is to add the ability for top administrators to edit all other users' passwords and the ability to send or not send email at the time the edit is made. Also show the password in plain text in the user's profile.

My problem is that when adding a new user or editing a user, the email sent is not consistent. A new user's email is sent with the correct data in it (although there are some formatting issues), but when you edit a user, the email sent does not. It has ADMIN_EMAIL_SUBJECT in the subject line and ADMIN_EMAIL_TEXT in the text. I checked the code, and I cannot see any difference in the tep_mail string between case 'member_new' and case 'member_edit' (other than the password variable). You get the same error for the forgotten password email.

Dangerous (As in know enough to be)
Parikesit Posted April 20, 2003 (Author)

Hi Druide,
Sorry, I have no other website to put my images on. Anyway, I come from Indonesia and my server is also there. Here I can load the images in a few seconds, but maybe not from your place. Thanks anyway. Maybe this will make me plan to move my server to another 'international' HOST.
zaenal
Druide Posted April 20, 2003

It must have been a bad storm that caused the slow loading of the pics ;)
Parikesit Posted April 20, 2003 (Author)

Hi,
For me it's the same to use username or email. It's just simple: because the Catalog account also uses email rather than username.

About editing passwords by the Top Administrator, I have also been thinking to add this ability. Before, I thought that was not necessary(?) because there is "password forgotten", which gives the ability to resend the password if members forget their passwords. But I plan to add this ability in a future version.

*** I found the error in the password forgotten tep_mail. Please paste these lines into admin/includes/languages/english/login.php:

    define('ADMIN_EMAIL_SUBJECT', 'OsC Admin Member');
    define('ADMIN_EMAIL_TEXT', 'Hi %s,\n\n You can access the admin panel with the following password. Once you access the admin, please change your password! \n\n Website : %s \n Username: %s \n Password: %s \n\n Thanks! \n %s \n This is an automated response, please do not reply!');

Regards,
zaenal
dangerous Posted April 20, 2003

Zaenal,
Thanks, but this already appears in admin_members.php. I added it to login.php as you said. It still does not fix the problem when the password (or details) is edited for a user.
Dangerous
dangerous Posted April 20, 2003

Zaenal,
You may also want to include this small change in your next update. It cleans up the email to the proper format, what I believe you intended it to look like.

    define('ADMIN_EMAIL_SUBJECT', 'New Admin Member');
    define('ADMIN_EMAIL_TEXT', 'Hi %s,' . "\n\n" . 'You can access the admin panel with the following password. Once you access the admin, please change your password!' . "\n\n" . 'Website : %s' . "\n" . 'Username: %s' . "\n" . 'Password: %s' . "\n\n" . 'Thanks!' . "\n" . '%s' . "\n\n" . 'This is an automated response, please do not reply!');

Dangerous
Parikesit Posted April 21, 2003 (Author)

I still can not solve the problem of why tep_mail didn't work in edit member. :wink:
And thanks for your suggestion.
zaenal
apodigm Posted April 22, 2003

Well.... I got this installed. It is definitely much more complex than any of the other admin auth scripts I have seen. I have a problem understanding all the features. Can you explain a little bit about what the "store files" does and how it interacts with the filesystem? There is a warning that the files will be removed, but does that mean you will be deleting files from my disk or just removing them from the database? What exactly is the purpose of that feature?
JG
apodigm Posted April 22, 2003

Ok... never mind... I figured it out....
Parikesit Posted April 22, 2003 (Author)

Exactly, this feature just removes the filename from the database list.
zaenal
Parikesit Posted April 22, 2003 (Author)

Hi all,
I really need help from someone to make a HOWTO for using this contribution, and also to explain all features, buttons, etc. This is what is missing in the package. I can make it in Indonesian but it is hard for me to write it in English. :lol:
But maybe we can try to explain it step by step in this forum and the summary will be added to a later version.
Thanks for the help.
zaenal
apodigm Posted April 22, 2003

zaenal,
Yes... a user guide would be helpful. But once you get the concept it goes faster. This took me quite a while to implement because of the change on all but a few files in the admin/ folder. Especially since I have added the P&G order tracking/shipping which nearly doubles the number of files.

I was thinking that it would be easier to just put it as the last line in admin/includes/application_top.php. You could write some code to recognize if you are in the handful of files that don't need protection. I think this is the same way that some of the other admin access mods (like 1.45) work. It would cut the install time quite a bit.

There are a couple of features that probably need to be added also. For instance, I noticed that when the superadmin created a new account, there was a default password 'admin'. It would be nice if the super-admin could specify/change the password of any admin.

I also noticed that I too got two emails when I did the password forgotten link. It is very strange. I'll see if I can figure it out.

I'll also come up with some text to describe how to get started with it. It requires quite a bit of up front customization/installation, but once you get it installed properly it is a great contribution.
Thanks, JG
Parikesit Posted April 22, 2003 (Author)

Hi,

> ... I was thinking that it would be easier to just put it as the last line in admin/includes/application_top.php .... I think this is the same way that some of the other admin access (like 1.45) work. It would cut the install time quite a bit....

That's what I need. I tried several times to put it in the header. I have to download and figure out how admin access 1.45 handles this situation. Thanks John.

> ...For instance, I noticed that when the superadmin created a new account, there was a default password 'admin'.

When creating a new account, why do you choose that the password has to be fixed (admin)? Is it better if we just generate or randomize the password?

Regards,
zaenal
apodigm Posted April 22, 2003

> When creating a new account, why do you choose that the password has to be fixed (admin)? Is it better if we just generate or randomize the password?

I think it is best to specify the password. If you autogenerate a random password, it must be emailed to the admin email account. I think that would be fine except somehow then you would want to flag the account for a password change on the first login. If you specify the password when you create the account, you could avoid the email requirement, which may not be installed on all servers (like my home Windows dev computer). On the other hand, if you used a default password it could be a security problem for those osc users that don't know they need to go back in and change the password immediately.

I would also like to consider using a username instead of the email address. However, I have decided to just simply change the login text so that it just doesn't say "E-mail Address" and says "Login" instead. This will slow down some people that might use a password cracker. If they can guess the email address, it eliminates one variable they need.

Finally how about considering this.... if the login fails 3 times, the account is locked and will need to be reset by the superadmin. This requires an extra field in the admin table to record failed attempts (which gets cleared upon successful signin). In the event that the superadmin account gets locked down, you would need to have some backdoor key file that could be loaded onto the server in order to reset the password.

Since you are working on the code to move the page verifier into application_top, I will work on the lockdown scenario and post the code here. It will probably be a day or two.
JG
Parikesit Posted April 22, 2003 (Author)

Ok, I have downloaded admin access 1.45. And I am working on moving tep_admin_check_login(basename($PHP_SELF)); to application_top.php ...
This is the important thing to cut the install time :idea:, so other suggestions may still not be included if they will take much time to think about :roll:
Parikesit Posted April 23, 2003 (Author)

Hi,
I found the solution, and it turned out not to take much time, nor much change. This update works on my site, I hope it does for you too. Please report if there are any problems.

The first step: Remove tep_admin_check_login(basename($PHP_SELF)); (from the files included in the contribution package).

Second step: Make a little change to function tep_admin_check_login($filename) { ... } . Replace it with:

    ////
    // Check login and file access
    function tep_admin_check_login() {
      global $PHP_SELF, $login_groups_id;

      if (!tep_session_is_registered('login_id')) {
        tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
      } else {
        $filename = basename($PHP_SELF);
        if ($filename != FILENAME_DEFAULT && $filename != FILENAME_FORBIDEN && $filename != FILENAME_LOGOFF && $filename != FILENAME_ADMIN_ACCOUNT && $filename != FILENAME_POPUP_IMAGE && $filename != 'packingslip.php' && $filename != 'invoice.php') {
          $db_file_query = tep_db_query("select admin_files_name from " . TABLE_ADMIN_FILES . " where FIND_IN_SET('" . $login_groups_id . "', admin_groups_id) and admin_files_name = '" . $filename . "'");
          if (!tep_db_num_rows($db_file_query)) {
            tep_redirect(tep_href_link(FILENAME_FORBIDEN));
          }
        }
      }
    }

The last step: Add these lines to admin/includes/application_top.php (before the ?> php tag at the last line):

    // check login
    if (basename($PHP_SELF) != FILENAME_LOGIN && basename($PHP_SELF) != FILENAME_PASSWORD_FORGOTTEN) {
      tep_admin_check_login();
    }

Hope I don't miss anything.
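As an added example (not code from the contribution package or from anyone in this thread), the access decision made by tep_admin_check_login() above is modelled as a stand-alone PHP function over an in-memory stand-in for the admin_files table, so the exempt-file list, the FIND_IN_SET group match and the fail-closed behaviour for unregistered files can be exercised without osCommerce or MySQL. The FILENAME_* values and the table rows are constructed assumptions.

```php
<?php
// Added example, not part of the contribution package or this thread: a stand-alone
// model of the decision made by tep_admin_check_login() above. The FILENAME_* values
// and the ADMIN_FILES rows are constructed assumptions; no osCommerce or MySQL needed.
declare(strict_types=1);

const FILENAME_DEFAULT       = 'index.php';
const FILENAME_FORBIDEN      = 'forbiden.php';
const FILENAME_LOGOFF        = 'logoff.php';
const FILENAME_ADMIN_ACCOUNT = 'admin_account.php';
const FILENAME_POPUP_IMAGE   = 'popup_image.php';

// Files every logged-in admin may open without a table lookup, as in the post.
const ALWAYS_ALLOWED = [FILENAME_DEFAULT, FILENAME_FORBIDEN, FILENAME_LOGOFF,
    FILENAME_ADMIN_ACCOUNT, FILENAME_POPUP_IMAGE, 'packingslip.php', 'invoice.php'];

// Stand-in for the admin_files table: admin_files_name => admin_groups_id, stored as
// the comma-separated list that FIND_IN_SET() reads.
const ADMIN_FILES = [
    'admin_members.php' => '1',
    'categories.php'    => '1,2',
    'orders.php'        => '1,2,11',
    'reports.php'       => '11',
];

// Same semantics as MySQL FIND_IN_SET(): exact token match, never a substring match,
// so group 1 is not granted a file that only lists group 11.
function findInSet(string $needle, string $list): bool
{
    return in_array($needle, explode(',', $list), true);
}

// Returns 'login' (redirect to FILENAME_LOGIN), 'forbidden' (redirect to
// FILENAME_FORBIDEN) or 'allow', mirroring the branches of tep_admin_check_login().
function adminAccessDecision(bool $loggedIn, ?int $groupId, string $script): string
{
    if (!$loggedIn) {
        return 'login';
    }
    $filename = basename($script);            // the original uses basename($PHP_SELF)
    if (in_array($filename, ALWAYS_ALLOWED, true)) {
        return 'allow';
    }
    // A file with no row in the table has no groups, so the lookup fails closed.
    $groups = ADMIN_FILES[$filename] ?? '';
    if ($groupId === null || !findInSet((string) $groupId, $groups)) {
        return 'forbidden';
    }
    return 'allow';
}

$cases = [
    [false, null, 'categories.php'],     // not logged in         -> login
    [true,  2,    'categories.php'],     // group 2 listed        -> allow
    [true,  2,    'admin_members.php'],  // group 2 not listed    -> forbidden
    [true,  1,    'reports.php'],        // '1' vs '11'           -> forbidden
    [true,  1,    '/admin/logoff.php'],  // exempt, path stripped -> allow
    [true,  1,    'unknown_tool.php'],   // no table row          -> forbidden
];
foreach ($cases as [$in, $gid, $file]) {
    printf("%-22s group=%-4s -> %s\n", $file, var_export($gid, true),
        adminAccessDecision($in, $gid, $file));
}
```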