Parikesit

[Contribution] Admin Account with Access Level


Hi,

I found the solution, and it turns out it doesn't take much time, and neither does the change.

 

This update works on my site; I hope it does on yours too. Please report any problems.

 

The first step:

Remove tep_admin_check_login(basename($PHP_SELF)); from the files included in the contribution package.

 

Second step:

Make a little change to the function tep_admin_check_login($filename) { ... }.

 

Replace with:

////
// Check login and file access
function tep_admin_check_login() {
  global $PHP_SELF, $login_groups_id;

  if (!tep_session_is_registered('login_id')) {
    tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
  } else {
    $filename = basename($PHP_SELF);
    // These files are open to every logged-in admin; everything else must be
    // granted to the admin's group in TABLE_ADMIN_FILES.
    if ($filename != FILENAME_DEFAULT && $filename != FILENAME_FORBIDEN && $filename != FILENAME_LOGOFF &&
        $filename != FILENAME_ADMIN_ACCOUNT && $filename != FILENAME_POPUP_IMAGE &&
        $filename != 'packingslip.php' && $filename != 'invoice.php') {
      $db_file_query = tep_db_query("select admin_files_name from " . TABLE_ADMIN_FILES . " where FIND_IN_SET('" . $login_groups_id . "', admin_groups_id) and admin_files_name = '" . $filename . "'");
      if (!tep_db_num_rows($db_file_query)) {
        tep_redirect(tep_href_link(FILENAME_FORBIDEN));
      }
    }
  }
}

 

 

The last step:

Add these lines to admin/includes/application_top.php (before the closing ?> tag on the last line):

 

// check login
  if (basename($PHP_SELF) != FILENAME_LOGIN && basename($PHP_SELF) != FILENAME_PASSWORD_FORGOTTEN) {
    tep_admin_check_login();
  }

 

Hope I didn't miss anything.


This appears to work for me as well.

 

I only have one concern... since you are specifying certain files which should not be checked, I wonder if we should let the administrator specify additional "non-check" files. I know in my website I have added several files from other contributions that shouldn't be checked. I have found that as long as I have those files associated with one of the side boxes (even if there is no link from that side box), it will get allowed. I'm just curious if there should be a way in the admin console to specify "allow/disallow" for these miscellaneous files. That may be something to add later.
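Putting the two posts above together, here is an added example (my own code, not part of the contribution or of either post) of the per-file gate as a standalone, testable function. It keeps the contribution's data model (an admin_files table with admin_files_name and a comma-separated admin_groups_id matched with FIND_IN_SET) and the list of always-allowed files from the first post, but it binds the filename and group id as query parameters instead of concatenating them into the SQL string, and it takes the ungated file list as an argument so the extra files from other contributions that the reply mentions can be exempted per site rather than by editing the function. The in-memory SQLite fixture, the FIND_IN_SET emulation, the literal file names and the session array shape are assumptions for the demo; on MySQL, FIND_IN_SET is built in.

```php
<?php
declare(strict_types=1);

// Added example, not the contribution's code. Same decision as the posted
// tep_admin_check_login(), written as a pure function over explicit inputs.
// Assumed for this demo: the session array shape, the literal ungated file
// names, the in-memory SQLite fixture and the FIND_IN_SET emulation.

// Files every logged-in admin may open regardless of group. The first post
// hard-codes these in the function; here they are data so a site can extend
// the list (the concern raised in the reply) without editing the check.
const ADMIN_UNGATED_FILES = [
    'index.php', 'forbiden.php', 'logoff.php', 'admin_account.php',
    'popup_image.php', 'packingslip.php', 'invoice.php',
];

/**
 * Returns 'login' when there is no admin session, 'forbidden' when the
 * session's group has not been granted the requested file, 'allow' otherwise.
 */
function admin_access_decision(PDO $db, array $session, string $script,
                               array $ungated = ADMIN_UNGATED_FILES): string
{
    if (empty($session['login_id'])) {
        return 'login';
    }
    // Same normalisation as basename($PHP_SELF) in the posted code.
    $filename = basename($script);
    if (in_array($filename, $ungated, true)) {
        return 'allow';
    }
    // admin_groups_id is a comma-separated list of group ids, so the membership
    // test is FIND_IN_SET (exact token match), with both values bound rather
    // than concatenated into the SQL string.
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM admin_files
          WHERE admin_files_name = :file AND FIND_IN_SET(:gid, admin_groups_id) > 0'
    );
    $stmt->execute([':file' => $filename, ':gid' => (string) $session['login_groups_id']]);
    return ((int) $stmt->fetchColumn() > 0) ? 'allow' : 'forbidden';
}

// Demo fixture (assumed): in-memory SQLite standing in for the MySQL table.
function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // SQLite lacks FIND_IN_SET; emulate MySQL's semantics (1-based position or 0).
    $db->sqliteCreateFunction('FIND_IN_SET', function ($needle, $set): int {
        $pos = array_search((string) $needle, explode(',', (string) $set), true);
        return $pos === false ? 0 : $pos + 1;
    }, 2);
    $db->exec('CREATE TABLE admin_files (admin_files_name TEXT, admin_groups_id TEXT)');
    $ins = $db->prepare('INSERT INTO admin_files VALUES (?, ?)');
    $ins->execute(['orders.php', '1,2']);        // groups 1 and 2 may open orders
    $ins->execute(['administrators.php', '1']);  // only group 1 manages admins
    $ins->execute(['reports.php', '11,12']);     // neither group 1 nor group 2
    return $db;
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

$db    = demo_db();
$top   = ['login_id' => 1, 'login_groups_id' => 1];
$clerk = ['login_id' => 2, 'login_groups_id' => 2];

check(admin_access_decision($db, [], '/admin/orders.php') === 'login', 'no session');
check(admin_access_decision($db, $clerk, 'orders.php') === 'allow', 'granted file');
check(admin_access_decision($db, $clerk, 'administrators.php') === 'forbidden', 'other group');
check(admin_access_decision($db, $top, 'administrators.php') === 'allow', 'own group');
check(admin_access_decision($db, $top, 'logoff.php') === 'allow', 'ungated file');
// A file from another contribution that is in nobody's grant list is denied
// until the site lists it as ungated (or assigns it to a box, as the reply notes).
check(admin_access_decision($db, $clerk, 'some_contrib.php') === 'forbidden', 'unknown file');
$extra = array_merge(ADMIN_UNGATED_FILES, ['some_contrib.php']);
check(admin_access_decision($db, $clerk, 'some_contrib.php', $extra) === 'allow', 'site-added exemption');
// FIND_IN_SET matches whole tokens: group 1 is not a member of '11,12'.
check(admin_access_decision($db, $top, 'reports.php') === 'forbidden', 'token match');
echo "all checks passed\n";
```

Running it prints "all checks passed". The last check is why FIND_IN_SET, and not a LIKE '%1%' match, is the right operator on a comma-separated group column: group 1 is not a member of '11,12'. The second-to-last pair shows the reply's point in code: a file nobody has been granted is forbidden until the site either exempts it or adds it to a group's grant list.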


I thought about this feature to record bad login attempts. I had created a column in the database table and I wrote some code to increment it if the email address was correct but not the password. The problem is that I was resetting it as soon as the user properly logged in, so although I was capturing what might be useful data, it was reset before the administrator got a chance to view it.

 

And then I started wondering how I would capture information when a hacker attempted to log in and didn't get the email address correct. So I abandoned the lock-down policy and records in the db.

 

However, my solution to tracking this is to create a logfile that can record failed attempts. This can record the IP address, date, time, etc of any failed attempts. I'm borrowing from some code in the HTTP_Error contribution. I should have it ready in another day or two.

 

JG


Hello All,

 

Is there a chance programming-challenged people like myself will ever see a log of changes to apply to files ("Replace" or "Change") instead of making a comparison?

 

Thanks in advance


Here are my instructions to implement the file logging or email for failed login attempts....

 

*****Run SQL script to add the options in configuration:

INSERT INTO configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) VALUES ('Store Admin Login Errors', 'STORE_ADMIN_LOGIN_ERROR', 'false', 'Store the results of admin login errors', '10', '6', 'tep_cfg_select_option(array(\'true\', \'false\'), ', now());

INSERT INTO configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) VALUES ('Admin Login Errors Log Destination', 'STORE_ADMIN_LOGIN_LOG', '/var/log/www/tep/http_error.log', 'Directory and filename of the admin login error log', '10', '7', now());

INSERT INTO configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) VALUES ('Email Admin Login Errors', 'EMAIL_ADMIN_LOGIN_ERROR', 'false', 'Email Admin Login Error Report to Store Owner.', '12', '6', 'tep_cfg_select_option(array(\'true\', \'false\'), ', now());

 

******************************************************************************

 

 

 

***Add the following code to admin/login.php:

below:   require('includes/application_top.php'); 



function tep_admin_error_record($att_email = '', $att_pass = '') {
// Send the email to the store owner
  if (EMAIL_ADMIN_LOGIN_ERROR == 'true') {
    tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, EMAIL_FAIL_TEXT_SUBJECT, sprintf(EMAIL_FAIL_BODY, date("m/d/Y G:i:s"), getenv('REMOTE_ADDR'), getenv('HTTP_USER_AGENT'), getenv('HTTP_REFERER'), $att_email, $att_pass), STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, '');
  }

// Save the error report to disk (one comma-separated line per failed attempt)
  if (STORE_ADMIN_LOGIN_ERROR == 'true') {
    error_log(strftime(STORE_PARSE_DATE_TIME_FORMAT) . ',' . getenv('REMOTE_ADDR') . ',' . getenv('HTTP_USER_AGENT') . ',' . getenv('HTTP_REFERER') . ',' . $att_email . ',' . $att_pass . "\n", 3, STORE_ADMIN_LOGIN_LOG);
  }
}

 

***Then add this line in the two places where the login fails:

add below:  $HTTP_GET_VARS['login'] = 'fail';



   tep_admin_error_record($email_address,$password);

******************************************************************************

 

 

 

***Add the following lines to admin/includes/languages/english/login.php:

define('EMAIL_FAIL_TEXT_SUBJECT', 'Login Fail Attempt');
define('EMAIL_FAIL_BODY',
  '------------------------------------------------------' . "\n" .
  'Date/Time: %s.' . "\n" .
  'Remote IP Address: %s' . "\n" .
  'User Agent: %s' . "\n" .
  'Referer: %s' . "\n" .
  'Attempted Email Address: %s' . "\n" .
  'Attempted Password: %s' . "\n" .
  '------------------------------------------------------');

******************************************************************************

 

 

***Then you will need to update your configuration.

The option to email on failed attempts will be in the Admin console under configuration in the "Email" group.

 

The option to store the failed attempts in a logfile is found in the Admin console under configuration in the "Logging" group.

 

 

Emails and the logfile will include the date/time, IP address, browser, page referrer, attempted email address and attempted password. It is set to send the email to the store owner as defined in the configuration settings. However, for additional security, it may be wise to hardcode that setting to a special security email address.

 

enjoy!
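JG's earlier post and the instructions above both record the attempted password along with the attempt. Here is an added example (my own code, not JG's or the contribution's) of the same recorder with two changes a reviewer would ask for: it never stores the attempted password, since an admin who mistypes a real password would otherwise leave it in plain text in the log file and in an email, and it writes each attempt as one CSV record with fputcsv() so a crafted User-Agent or Referer header containing newlines or commas cannot forge extra log lines. The field order follows the posted format minus the password. The log path and the $server array are function parameters in place of the osCommerce configuration constants and getenv() calls; the temp file and the request headers in the demo are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not JG's or the contribution's code: a failed-login recorder
// that keeps the posted field order but drops the attempted password and writes
// real CSV. Assumed for this demo: the $server array and log path arguments
// (in place of getenv() and the STORE_ADMIN_LOGIN_LOG constant), the temp file,
// and the constructed request headers below.

/**
 * Fields for one failed attempt, in the order they are written:
 * timestamp, remote address, user agent, referer, attempted email.
 * Pure, so the record can be checked without touching disk.
 */
function admin_login_failure_fields(array $server, string $attempted_email,
                                    ?DateTimeImmutable $when = null): array
{
    $when = $when ?? new DateTimeImmutable('now');
    return [
        $when->format(DATE_ATOM),
        $server['REMOTE_ADDR'] ?? '-',
        $server['HTTP_USER_AGENT'] ?? '-',
        $server['HTTP_REFERER'] ?? '-',
        $attempted_email,   // the attempted password is deliberately not recorded
    ];
}

/**
 * Append one record. fputcsv() quotes any field containing a comma, quote or
 * newline, so attacker-supplied headers cannot terminate the line early and
 * forge a second record. Returns bytes written, or false on failure.
 */
function admin_login_failure_log(string $path, array $fields)
{
    $fh = fopen($path, 'ab');
    if ($fh === false) {
        return false;
    }
    try {
        if (!flock($fh, LOCK_EX)) {   // concurrent login.php requests append safely
            return false;
        }
        $written = fputcsv($fh, $fields);
        flock($fh, LOCK_UN);
        return $written;
    } finally {
        fclose($fh);
    }
}

// Constructed input: a User-Agent that tries to inject a forged second record.
$fake_server = [
    'REMOTE_ADDR'     => '203.0.113.7',
    'HTTP_USER_AGENT' => "Mozilla/5.0\n2003-01-01T00:00:00+00:00,10.0.0.1,forged,-,root@example.com",
    'HTTP_REFERER'    => 'https://shop.example/admin/login.php',
];
$path  = tempnam(sys_get_temp_dir(), 'adminlog');
$first = admin_login_failure_fields($fake_server, 'admin@shop.example',
                                    new DateTimeImmutable('2003-04-24T10:00:00+00:00'));
admin_login_failure_log($path, $first);
admin_login_failure_log($path, admin_login_failure_fields($fake_server, 'owner@shop.example'));

// Read back: exactly two records; the newline stays inside the quoted UA field.
$rows = [];
$fh = fopen($path, 'rb');
while (($row = fgetcsv($fh)) !== false) {
    $rows[] = $row;
}
fclose($fh);
unlink($path);

if (count($rows) !== 2 || $rows[0][1] !== '203.0.113.7'
    || $rows[0][4] !== 'admin@shop.example' || strpos($rows[0][2], "\n") === false) {
    throw new RuntimeException('log contents do not match what was written');
}
echo count($rows) . " records written, none forged\n";
```

If you keep the email option, build the message body from the same fields so the password is left out there as well, and, as the post itself suggests, send it to a dedicated security address rather than the store owner's general mailbox.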


I followed the readme file exactly and imported the SQL tables via phpMyAdmin: all OK.

 

edited all the .php files in the Admin folder as described.

 

Now when I go to the admin folder I get:

 

 

Fatal error: Call to undefined function: tep_admin_check_login() in /home/www/mywebsite.com/wwwroot/catalog/admin/index.php on line 14

 

 

and line 14 is:

 

 

<?php

/*

$Id: index.php,v 1.17 2003/02/14 12:57:29 dgw_ Exp $

 

osCommerce, Open Source E-Commerce Solutions

http://www.oscommerce.com

 

Copyright © 2002 osCommerce

 

Released under the GNU General Public License

*/

 

require('includes/application_top.php');

tep_admin_check_login(basename($PHP_SELF));   // <-- line 14

 

 

what did I miss here ?


 

Maybe you forgot to apply the change to admin/includes/functions/general.php (the changes can be found in the package file general_php).

 

 

zaenal


ADMIN ACCOUNT with ACCESS LEVEL

for osCommerce's Administration Tool

Version: 1.2

 

 

Cuts install time by moving "tep_admin_check_login();" to admin/includes/application_top.php

 

 

Changelog

Version 1.2, 24 Apr 2003

- Move "tep_admin_check_login();" to admin/includes/application_top.php

- Following from the point above, we made a little change to function tep_admin_check_login()
in admin/includes/functions/general_php
- Bug fixed: tep_mail (send email) for password_forgotten.php
- Small change to the email text sent on account creation and password forgotten,
as suggested by Don.

 

 

Discussion

Please don't send me email, just send the comment and question to this forum.


Hi,

If adding any other contribution to the files below, it's safe to replace the files. But if you have added changes to one of those files, you have to compare that file.

- admin: index.php

- admin/includes: column_left.php

- admin/includes: header.php

- admin/includes: stylesheet.css

- admin/includes/boxes: catalog.php

- admin/includes/boxes: customers.php

- admin/includes/boxes: localization.php

- admin/includes/boxes: report.php

- admin/includes/boxes: taxes.php


- admin/includes/boxes: tools.php

 


Sorry.. I mean:

If you have not made any changes to the files below before, it's safe to replace them. But if you have added changes to one of those files, you have to compare that file.

ADMIN ACCESS with LEVEL

for osCommerce's Administration Tool

Version: 1.1

 

Released under the GPL

 

 

Description

Access to Administration Tool with access level for each admin member.

 

This will only work with CVS2 and MS1 (see changelog below to see when the last update was made).

 

 

Feature

- Login box, password forgotten and logoff
- Create/edit/delete admin accounts with groups
- Create/edit/delete groups
- Define box and file permissions for each group
- Add/remove boxes and files
- My Account: edit admin account
- Automatically display accessible boxes and files (left menu)
- Email notification when creating an admin account

 

Hello, I have installed Admin Account w/ Access and all seems as if it has installed OK. No glaring error messages. Invoking the admin URL https://localhost/admin invokes login.php as expected. However, no response can be gotten from the system. Both right and wrong email address and password, with subsequent clicking of the confirm button, only redraw the login screen with new empty input fields for email address and password. Clicking on the password_forgotten.php link "Password Forgotten?" is ignored and the login.php screen is redrawn without any error messages or logs to inspect. If you can suggest a diagnostic please advise, David Brown.


this is the email I am getting for new signup or password forgotten

 

subject:

ADMIN_EMAIL_SUBJECT

Text:

ADMIN_EMAIL_TEXT

 

Where do we define the above?

When we set up a new member, he gets an email with the password:

-hidden-

Is there any way to define these, so he can actually get the password? :roll:


Hi,

The answer is in this thread. Please search.

Anyway, if I remember correctly, this bug has been fixed in the new version.

 

Wassalam,

zaenal

 


Did anyone find the fix for this problem?

 


this is the email I am getting for new signup, editing or password forgotten.

 

subject: ADMIN_EMAIL_SUBJECT

 

Text: ADMIN_EMAIL_TEXT

 

I have read through this thread and have tried everything I could find, to no avail. The problem still happens. I added the send mail on login failure and it worked fine. But anything from ADMIN only sends the above.

 

Is the answer in this thread and I keep missing it?

 

Does anyone know how to solve this problem?

 

I asked the author, and he only referred me to this thread.


hi, i have a problem, maybe someone could help me..

after installing the contrib i get this

 

Warning: Failed opening 'includes/functions/sessions_mysql.php' for inclusion (include_path='.;c:\php4\pear') in admin\includes\functions\administrators.php on line 72

Warning: Cannot add header information - headers already sent by (output started at admin\includes\functions\administrators.php:72) in admin\includes\functions\administrators.php on line 87

 

 

Then I went to admin\includes\functions\administrators.php and changed sessions_mysql.php to sessions.php.

 

now the error is this

 

Fatal error: Cannot redeclare _sess_open() (previously declared in admin\includes\functions\sessions.php:18) in admin\includes\functions\sessions.php on line 18

 

and i don't know what to do.. i'm using cvs

 

cheers

emiliano


patagonia, argentina


The osC session tables? Sorry, but I never had this problem and I really don't know what to do. If you could be more specific...

 

thanks anyway

 

cheers

emiliano


patagonia, argentina


I don't know if the same happened to you as it happened to me. When I used this contribution, after a few days I got a message of expired sessions from MySQL; when I checked and tried to browse or repair, SQL gave me a message of "Unknown table". I had the backup, so I recreated the sessions table and it started working fine for me. Hope this will help.


i'm using cvs... and there are many new things referring to sessions and cookies.. i don't know how to deal with this..

 

cheers

emiliano


patagonia, argentina

please put those images on a faster HOST because it takes about 15 +++ minutes to load them all, no its not my connection.

(I download +500 Kb/s)

 

Only took me seconds... ADSL 1.5 meg...

 

Thomas


A signature is something that reflects its user. - The dictionary

 

The question is not, 'to code, or not to code'

the question is, 'if we do not code, are we really alive?'

-- anonymous


OK, I got it all installed, no problems. In fact, fixing some things helped me get phpMyAdmin installed even faster.

 

Now my problem.

 

 

if I load up the admin/index.php and then indicate user 'Admin' and password 'admin' it reloads the same page and does not log me in.

 

I have tried admin and Admin, admin@localhost and Admin@localhost, none seem to work. Have I missed something?

 

Thomas Keats

