
[Contribution] Admin Account with Access Level


Parikesit


This appears to work for me as well.

 

I only have one concern... since you are specifying certain files which should not be checked, I wonder if we should let the administrator specify additional "non-check" files. I know in my website I have added several files from other contributions that shouldn't be checked. I have found that as long as I have those files associated with one of the side boxes (even if there is no link from that side box), it will get allowed. I'm just curious if there should be a way in the admin console to specify "allow/disallow" for these miscellaneous files. That may be something to add later.

Link to comment
Share on other sites

I thought about this feature to record bad login attempts. I had created a column in the database table and I wrote some code to increment it if the email address was correct but not the password. The problem is that I was resetting it as soon as the user properly logged in, so although I was capturing what might be useful data, it was reset before the administrator got a chance to view it.

 

And then I started wondering how I would capture information when a hacker attempted to log in and didn't get the email address correct. So I abandoned the lock-down policy and records in the db.

 

However, my solution to tracking this is to create a logfile that can record failed attempts. This can record the IP address, date, time, etc of any failed attempts. I'm borrowing from some code in the HTTP_Error contribution. I should have it ready in another day or two.

 

JG

Link to comment
Share on other sites

Hello All,

 

Is there a chance programming challenged people like myself will ever see a log of changes to apply to files "Replace (or Change)" instead of making a comparison?

 

Thanks in advance

Link to comment
Share on other sites

Here are my instructions to implement the file logging or email for failed login attempts....

 

*****Run SQL script to add the options in configuration:

INSERT INTO configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) VALUES ('Store Admin Login Errors', 'STORE_ADMIN_LOGIN_ERROR', 'false', 'Store the results of admin login errors', '10', '6', 'tep_cfg_select_option(array(\'true\', \'false\'), ', now());



INSERT INTO configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) VALUES ('Admin Login  Errors Log Destination', 'STORE_ADMIN_LOGIN_LOG', '/var/log/www/tep/http_error.log', 'Directory and filename of the admin login error log', '10', '7', now());



INSERT INTO configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) VALUES ('Email Admin Login Errors', 'EMAIL_ADMIN_LOGIN_ERROR', 'false', 'Email Admin Login Error Report to Store Owner.', '12', '6', 'tep_cfg_select_option(array(\'true\', \'false\'), ', now());

 

******************************************************************************

 

 

 

***Add the following code to admin/login.php:

below:   require('includes/application_top.php'); 



function tep_admin_error_record($att_email='', $att_pass=''){
// Send the Email to Store Owner
 if (EMAIL_ADMIN_LOGIN_ERROR == 'true') {
   tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, EMAIL_FAIL_TEXT_SUBJECT, sprintf(EMAIL_FAIL_BODY, date("m/d/Y G:i:s"), getenv('REMOTE_ADDR'), getenv('HTTP_USER_AGENT'), getenv('HTTP_REFERER'),$att_email, $att_pass ), STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, '');
 }

// Save the Error Report to disk
// (error_log() message type 3 appends the line to the file named in STORE_ADMIN_LOGIN_LOG)
 if (STORE_ADMIN_LOGIN_ERROR == 'true') {
   error_log(strftime(STORE_PARSE_DATE_TIME_FORMAT) . ',' . getenv('REMOTE_ADDR') . ',' . getenv('HTTP_USER_AGENT') . ',' . getenv('HTTP_REFERER') . ',' . $att_email  . ',' .$att_pass . "\n", 3, STORE_ADMIN_LOGIN_LOG);
 }
}

 

***Then add this line in the two places where the login fails:

add below:  $HTTP_GET_VARS['login'] = 'fail';



   tep_admin_error_record($email_address,$password);

******************************************************************************

 

 

 

***Add the following lines to admin/includes/languages/english/login.php:

define('EMAIL_FAIL_TEXT_SUBJECT','Login Fail Attempt');
define('EMAIL_FAIL_BODY',
'------------------------------------------------------' . "\n" .
'Date/Time: %s.' . "\n" .
'Remote IP Address: %s' . "\n" .
'User Agent: %s' . "\n" .
'Referer: %s' . "\n" .
'Attempted Email Address: %s' . "\n" .
'Attempted Password: %s' . "\n" .
'------------------------------------------------------');

******************************************************************************

 

 

***Then you will need to update your configuration.

The option to email on failed attempts will be in the Admin console under configuration in the "Email" group.

 

The option to store the failed attempts in a logfile is found in the Admin console under configuration in the "Logging" group.

 

 

Emails and logfile will include the date/time, IP address, browser, page referrer, attempted email address, attempted password. It is set to send the email to the store owner as defined in the configuration settings. However, for additional security, it may be wise to hardcode that setting to a special security email address.

 

enjoy!

Link to comment
Share on other sites
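
A hardened variant of the failed-login logger from the post above, as an added example that is not part of the original post or the contribution: it leaves the attempted password out of the record and neutralises line breaks and quotes in the client-supplied fields before they reach the log. The function names and the sample request are hypothetical.

```php
<?php
// Added example, not the contribution's code. All names here are hypothetical.

// Make one client-supplied value safe to sit in a single CSV log line.
function login_log_field($value, $max = 200) {
    $value = (string) $value;
    // Replace CR, LF and other control bytes so one request cannot forge extra log lines.
    $value = preg_replace('/[\x00-\x1F\x7F]/', ' ', $value);
    // Bound the length so a huge header cannot bloat the log.
    $value = substr($value, 0, $max);
    // Quote the field and double embedded quotes so commas stay inside it.
    return '"' . str_replace('"', '""', $value) . '"';
}

// Build the log line. The attempted password is deliberately not recorded:
// a mistyped password is usually close to the real one.
function login_failure_line(array $server, $att_email, $now = null) {
    $fields = array(
        gmdate('Y-m-d\TH:i:s\Z', $now === null ? time() : $now),
        isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '',
        isset($server['HTTP_USER_AGENT']) ? $server['HTTP_USER_AGENT'] : '',
        isset($server['HTTP_REFERER']) ? $server['HTTP_REFERER'] : '',
        $att_email,
    );
    return implode(',', array_map('login_log_field', $fields)) . "\n";
}

// Append under an exclusive lock so concurrent failures do not interleave.
function record_login_failure($logfile, array $server, $att_email) {
    $line = login_failure_line($server, $att_email);
    return file_put_contents($logfile, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Constructed sample request: the User-Agent carries a CRLF and a forged second entry.
$sample = array(
    'REMOTE_ADDR'     => '203.0.113.7',
    'HTTP_USER_AGENT' => "Mozilla/4.0\r\n01/01/2003,10.0.0.1,forged,entry",
    'HTTP_REFERER'    => 'https://shop.example/admin/login.php',
);
// Prints exactly one line; the forged entry stays inside the quoted User-Agent field.
echo login_failure_line($sample, 'owner@example.com, "x"', 1051142400);
```

The same field cleaning applies to the email report, since the User-Agent, Referer and email address are all supplied by the client.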

I followed the readme file exactly, imported the SQL tables via phpMyAdmin: all OK

 

edited all the .php files in the Admin folder as described.

 

now when I go to the admin folder I get ?

 

 

Fatal error: Call to undefined function: tep_admin_check_login() in /home/www/mywebsite.com/wwwroot/catalog/admin/index.php on line 14

 

 

and line 14 is:

 

 

<?php

/*

$Id: index.php,v 1.17 2003/02/14 12:57:29 dgw_ Exp $

 

osCommerce, Open Source E-Commerce Solutions

http://www.oscommerce.com

 

Copyright © 2002 osCommerce

 

Released under the GNU General Public License

*/

 

require('includes/application_top.php');

:arrow: tep_admin_check_login(basename($PHP_SELF));

 

 

what did I miss here ?

Link to comment
Share on other sites

Fatal error: Call to undefined function: tep_admin_check_login() in /home/www/mywebsite.com/wwwroot/catalog/admin/index.php on line 14

...what did I miss here ?

 

Maybe you forgot to add the change to admin/includes/functions/general.php (the changes can be found in the package: general_php)

 

 

zaenal

Link to comment
Share on other sites

ADMIN ACCOUNT with ACCESS LEVEL

for osCommerce's Administration Tool

Version: 1.2

 

 

Cut install time by moving "tep_admin_check_login();" to admin/includes/application_top.php

 

 

Changelog

Version 1.2, 24 Apr 2003

- Move "tep_admin_check_login();" to admin/includes/application_top.php

- Regarding the point above, we made a little change to function tep_admin_check_login()

in admin/includes/functions/general_php

- Bug fixed: tep_mail (send email) for password_forgotten.php

- Small change to the email text that is sent on account creation and password forgotten --

as suggestion from Don.

 

 

Discussion

Please don't send me email, just send the comment and question to this forum.

Link to comment
Share on other sites

Hi,

If adding any other contribution to below files it's safe to replace the files. But if you have added changes to one of those files, you have to compare that file.

- admin: index.php

- admin/includes: column_left.php

- admin/includes: header.php

- admin/includes: stylesheet.css

- admin/includes/boxes: catalog.php

- admin/includes/boxes: customers.php

- admin/includes/boxes: localization.php

- admin/includes/boxes: report.php

- admin/includes/boxes: taxes.php

- admin/includes/boxes: report.php

- admin/includes/boxes: tools.php

 

Hello All,

Is there a chance programming challenged people like myself will ever see a log of changes to apply to files "Replace (or Change)" instead of making a comparison?

 

Thanks in advance

Link to comment
Share on other sites

Sorry.. I mean:

If you have not made any changes to the files below before, it's safe to replace the files. But if you have added changes to one of those files, you have to compare that file

Hi,

If adding any other contribution to below files it's safe to replace the files. But if you have added changes to one of those files, you have to compare that file.

Link to comment
Share on other sites

ADMIN ACCESS with LEVEL

for osCommerce's Administration Tool

Version: 1.1

 

Released under the GPL

 

 

Description

Access to Administration Tool with access level for each admin member.

 

This will only work with CVS2 and MS1 (see changelog below to see when the last update was made).

 

 

Feature

- Login box, password forgotten and logoff account

- Create/edit/delete admin account with group

- Create/edit/delete groups

- Define boxes and files permission for each groups

- Add/remove boxes and files

- My Account: edit admin account

- Automatic display accessed boxes and files (Left Menu)

- Email notification when create admin account

 

Hello, I have installed Admin Account /w Access and all seems as if it has installed OK. No glaring error messages. Invoking the admin url: https://localhost/admin invokes login.php as expected. However, no response can be gotten from the system. Both right and wrong email-address and password with subsequent clicking of the confirm button only redraws the login screen with new empty input dialogs for email-address and password. Clicking on the password_forgotten.php link: Password Forgotten? is ignored and the login.php screen is redrawn w/o any error messages or logs to inspect. If you can suggest a diagnostic please advise, David Brown.

Link to comment
Share on other sites

this is the email I am getting for new signup or password forgotten

 

subject:

ADMIN_EMAIL_SUBJECT

Text:

ADMIN_EMAIL_TEXT

 

Where do we define the above

when we set up a new member he gets an email with password

-hidden-

 

Is there any way we define, so he can actually get the password :roll:

Link to comment
Share on other sites

Hi,

The answer is in this thread. Please search.

Anyway, if I don't forget, this bug has been fixed in the new version.

 

Wassalam,

zaenal

 

this is the email I am getting for new signup or password forgotten

 

subject:

ADMIN_EMAIL_SUBJECT

Text:

ADMIN_EMAIL_TEXT

 

Where do we define the above

when we set up a new member he gets an email with password

-hidden-

 

Is there any way we define, so he can actually get the password :roll:

Link to comment
Share on other sites

Did anyone find the fix for this problem?

 

Hi,

The answer is in this thread. Please search.

Anyway, if I don't forget, this bug has been fixed in the new version.

 

Wassalam,

zaenal

 

this is the email I am getting for new signup or password forgotten

 

subject:

ADMIN_EMAIL_SUBJECT

Text:

ADMIN_EMAIL_TEXT

 

Where do we define the above

when we set up a new member he gets an email with password

-hidden-

 

Is there any way we define, so he can actually get the password :roll:

Link to comment
Share on other sites

this is the email I am getting for new signup, editing or password forgotten.

 

subject: ADMIN_EMAIL_SUBJECT

 

Text: ADMIN_EMAIL_TEXT

 

I have read through this thread and have tried anything I could find... To no avail. The problem still happens. I added the send mail on login failure and it worked fine. But anything from the ADMIN only sends the above???

 

Is the answer in this thread and I keep missing it?

 

Does anyone know how to solve this problem?

 

I asked the author, and he only referred me to this thread.

Link to comment
Share on other sites

hi, i have a problem, maybe someone could help me..

after installing the contrib i get this

 

Warning: Failed opening 'includes/functions/sessions_mysql.php' for inclusion (include_path='.;c:\php4\pear') in admin\includes\functions\administrators.php on line 72

Warning: Cannot add header information - headers already sent by (output started at admin\includes\functions\administrators.php:72) in admin\includes\functions\administrators.php on line 87

 

 

then.. i went to admin\includes\functions\administrators.php and changed sessions_mysql.php to sessions.php

 

now the error is this

 

Fatal error: Cannot redeclare _sess_open() (previously declared in admin\includes\functions\sessions.php:18) in admin\includes\functions\sessions.php on line 18

 

and i don't know what to do.. i'm using cvs

 

cheers

emiliano

patagonia, argentina

Link to comment
Share on other sites

the osc session tables? sorry.. but i never had this problem and i really don't know what to do.. if you could be more specific..

 

thanks anyway

 

cheers

emiliano

patagonia, argentina

Link to comment
Share on other sites

I don't know if the same happened to you as it happened to me. When I used this contribution, after a few days, I got a message of expired sessions from MySQL, and when I checked and tried to browse or repair, SQL gave me a message of Unknown table. I had the backup, so then I recreated the session table and it started working fine for me. Hope this will help.

Link to comment
Share on other sites

please put those images on a faster HOST because it takes about 15 +++ minutes to load them all, no its not my connection.

(I download +500 Kb/s)

 

Only took me seconds... adsl 1.5 meg...

 

Thomas

A signature is something that reflects its user. - The dictionary

 

The question is not, 'to code, or not to code'

the question is, 'if we do not code, are we really alive?'

-- anonymous

Link to comment
Share on other sites

OK, I got it all installed, no problems. In fact fixing some things helped me get phpMyAdmin installed even faster.

 

Now my problem.

 

 

if I load up the admin/index.php and then indicate user 'Admin' and password 'admin' it reloads the same page and does not log me in.

 

I have tried admin and Admin, admin@localhost and Admin@localhost, none seem to work. Have I missed something?

 

Thomas Keats

Edited by Johnson

A signature is something that reflects its user. - The dictionary

 

The question is not, 'to code, or not to code'

the question is, 'if we do not code, are we really alive?'

-- anonymous

Link to comment
Share on other sites

I am unable to get past the login screen as well regardless of whether the information that I enter is correct or not.

 

If it is not correct, there is no message indicating that something was wrong.

"Great spirits have always found violent opposition from mediocre minds. The latter cannot understand it when a man does not thoughtlessly submit to hereditary prejudices but honestly and courageously uses his intelligence." - A. Einstein

Link to comment
Share on other sites
