[CONTRIB] Admin Access Level Accounts for MS2


papasan


Yeah........same problem here too.

 

I tried working with the Register Globals help on other contributions but my slim PHP skills are just not up to the task.... :'(

 

So, anyone out there with a solution or a suggestion on a way forward, please help......... :blink:

 

Thanks

 

 

 

Hi,

 

Similar thing here.

 

I am an osCommerce newb,

 

osCommerce 2.2 MS2 (downloaded two weeks ago)

 

Applied the Register Globals v1.3 (2005-01-13)

http://www.oscommerce.com/community/contributions,2097

 

Applied Administration Access Level Accounts 2.3 (2003-09-05)

http://www.oscommerce.com/community/contributions,1359

 

Clicking on edit, I can change admin name and email address, but not the password.

 

Adding new administrator, prompts only for first/last, email address, and group but no way to assign a password to the new admin.

 

clicking on "password forgotten" emails new random password, but again, cannot change it.

 

BTW, the "password forgotten" feature is not very secure: anyone who knows the store owner will know her first name and her e-mail address. Actually, you do not even need to know the store owner, the info is on the "contact us" page... We need to add a "security" question to the "forgotten password" feature.

 

I applied all the changes from Admin Access Level to all files, I double checked all the files, (i.e. the files from the "changed files" and the live files) the only diffs were the sections that had to do with Register Globals, which if applied, would have reverted the files to the pre-Register Globals changes. (I used emacs Tools -> Ediff -> Two Buffers to apply the contribution)

 

Is there a compatibility issue between Register Globals and Admin Access Level?

 

If so, what is the fix?

 

If not, what am I doing wrong?

 

Thanks in advance.

 

-avi


  • 2 months later...
PROBLEM WITH CUSTOMIZED BOXES!

My question: What do I have to edit in order to make my customized box items show up in the "define group permissions" dialog?

 

I just finished setting this all up for my own sites.

 

admin/includes/boxes/YOURBOX.PHP

 

Example:

'<a href="' . tep_href_link('easypopulate.php', '', 'NONSSL') . '" class="menuBoxContentLink">Easy Populate</a><br>'.
or
'<a href="' . tep_href_link(FILE_NAME_CUSTOMER_GROUPS, '', 'NONSSL') . '" class="menuBoxContentLink">' . BOX_CUSTOMERS_GROUPS . '</a>' .

 

becomes

 

tep_admin_files_boxes('easypopulate.php', 'Easy Populate') .
and
tep_admin_files_boxes(FILE_NAME_CUSTOMER_GROUPS, BOX_CUSTOMERS_GROUPS) .

 

The only links you can't modify in the same manner are configure.php and modules.php BUT you don't need to because Admin 2.X already sets those.

 

 

 

PS: I can't update my passwords. Please keep me posted on this bug.

Sam M. - Seattle


Password problem...

 

I don't care about encrypting my admin passwords in the database.

In fact, I'd prefer they be visible so I can edit them if possible.

Maybe it would be a temporary work around to this password update hassle.

 

How do I stop this thing from encrypting passwords?

OR

How do I get it to let me change passwords like it should?

Sam M. - Seattle


In order to allow for plain passwords, I've added this line

    if ($plain == $encrypted) return true;

after

  function tep_validate_password($plain, $encrypted) {
   if (tep_not_null($plain) && tep_not_null($encrypted)) {

in the file password_funcs.php

 

What it does is compare the plain password to the password stored in the database table, and if they are equal, return true, i.e. valid password. If they are not equal, it goes on to encrypt and compare the encrypted version as it normally does.

 

-avi
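The line above makes tep_validate_password accept whatever is stored in the password column as a literal, so the hash check is only reached when the plaintext comparison fails. An alternative that leaves hashing intact is to write a hash the contribution can already verify. The Python below is an added example, not code from the contribution or from osCommerce: it reproduces the osCommerce 2.2 MS2 scheme from includes/functions/password_funcs.php (md5 of a two-character salt prepended to the password, stored as `hash:salt`), and includes a function modelling the plaintext bypass from the post above so the two behaviours can be compared. The table and column names in the comments are assumptions.

```python
"""osCommerce 2.2 MS2 admin password hashes: generate one to paste into the
admin table, and verify it the way tep_validate_password does.
Added example; not code from the Admin Access Level Accounts contribution."""
import hashlib
import hmac
import secrets
from typing import Optional


def osc_encrypt_password(plain: str, salt: Optional[str] = None) -> str:
    """Equivalent of tep_encrypt_password: md5(salt . plain) . ':' . salt.

    osCommerce takes its 2-character salt from md5 of random digits; any two
    characters verify the same way, so a random hex pair is used here.
    """
    if salt is None:
        salt = secrets.token_hex(1)  # two hex characters
    if len(salt) != 2:
        raise ValueError("osCommerce salts are exactly 2 characters")
    digest = hashlib.md5((salt + plain).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def osc_validate_password(plain: str, encrypted: str) -> bool:
    """Equivalent of the stock tep_validate_password: split on ':', rehash, compare."""
    if not plain or not encrypted:
        return False
    parts = encrypted.split(":")
    if len(parts) != 2:
        return False
    digest, salt = parts
    expected = hashlib.md5((salt + plain).encode("utf-8")).hexdigest()
    return hmac.compare_digest(expected, digest)


def osc_validate_with_plain_bypass(plain: str, encrypted: str) -> bool:
    """Behaviour of the one-line patch in the post above: a stored value equal
    to the submitted password is accepted before any hashing happens."""
    if plain and encrypted and plain == encrypted:
        return True
    return osc_validate_password(plain, encrypted)


if __name__ == "__main__":
    # Operator workflow: hash the new password, then run something like
    #   UPDATE admin SET admin_password = '<hash>' WHERE admin_email_address = '<email>';
    # in phpMyAdmin. Table and column names are assumed from admin_table.sql.
    new_hash = osc_encrypt_password("correct horse battery")
    print(new_hash)
    print(osc_validate_password("correct horse battery", new_hash))
```

With a hash written this way the stock tep_validate_password accepts the new account's password and the plaintext comparison is never needed; osc_validate_with_plain_bypass is there only to show that, with the patch applied, any row whose password column holds a bare string logs in with that string.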

 

 


Thank you aviram!

That worked great.

This contribution is fantastic.

However, the My Account system isn't working on my install.

 

My Account > Click EDIT button > Enter Password > nothing appears on right side.

I'm assuming I should see blanks there to edit name/email/pw, etc. right?

[attachment: admin_access1.jpg]

Sam M. - Seattle


  • 2 weeks later...

Having problems when I secure my Admin via SSL...it works but in certain areas it will log me off and I have to log back in. For example, i can generally navigate around my admin (with SSL=true) but when I am on the customer page and try to search for a customer, it logs me out of my admin session.

 

Let's assume my website url is: www.abccompany.com

and I have a shared SSL certificate: https://id100.securedata.net/abccompany

 

Here are my current settings:

define('HTTP_SERVER', 'https://id100.securedata.net/abccompany');
define('HTTP_CATALOG_SERVER', 'https://id100.securedata.net/abccompany');
define('HTTPS_CATALOG_SERVER', 'https://id100.securedata.net/abccompany');
define('ENABLE_SSL_CATALOG', 'true');
define('DIR_FS_DOCUMENT_ROOT', '/www/abccompany/');
define('DIR_WS_ADMIN', '/admin/'); // absolute path required
define('DIR_FS_ADMIN', '/www/abccompany/admin/');
define('DIR_WS_CATALOG', '/');
define('DIR_FS_CATALOG', '/www/abccompany/');

 

Any suggestions would be much appreciated. Thanks!


It appears that any time the admin has to submit form data (i.e. when searching for a customer or an order), this is when it logs me out. Anyone have any ideas?


  • 3 weeks later...

I backed up of course ;)

 

Then replaced all files like it said on the instructions

 

But then I am having huge problems trying to add all the extra stuff I had already added to the site's admin before the Admin Access Level Accounts for MS2 contrib :S

 

I added the link into

 

admin/includes/boxes/tools.php

 

tep_admin_files_boxes('FILENAME_MYothercontrib', 'BOX_MYothercontrib') .

 

then added the link to the database

 

INSERT INTO admin_files VALUES (57, 'MYothercontrib.php', 0, 9, '1,18');

 

I can choose the file in Administration > Administration, but it will not appear on the menu.

 

What else do I need to do?

 

thanks!

 

 


  • 2 weeks later...

Hello guys,

 

I have installed OsCommerce version 2.2 few days ago and downloaded the Admin Access v. 2.3 to protect the Admin options.

 

Is there a complete guide somewhere what I have to do so it works ?

 

First I have imported the "admin_table.sql" into my database and then I either

 

a) can copy the admin folder in the original folder => nothings happens when I normally type in the URL .../catalog/admin ( I dont see any changes )

 

b) and when I copy the admin folder in the "changed files" folder, I will be linked to "http://localhost/catalog/admin/login.php" and I get a white screen.

 

I have tried some changes written in this topic, but normally people say the install worked perfectly but ... but in my case the install of the contribution hasn't even worked.

 

I would appreciate it if somebody has some time to explain to me, or write me a private message about, what I did wrong.

 

Thanks.


Let me know if you find any omissions or irregularities. All credit goes to Zaenal Muttaqin for the original; I just hacked this for MS2 and re-versioned it 2.0.

 

I've added the AdminAccess Level Accounts and set up a password for the default account, the Top Administrator. After a minor modification to the database_tables.php (MVS contribution required this), everything appears to work. Logging on with my email address for Top Administrator allows me complete access, as I would expect.

 

Next I created a new user and assigned that user to a different Group Level. But how do I assign a password to this new user? Of course this new user has a different name and email address. But when creating the new user, I was not given the opportunity to enter a password.

 

When I view the admin table with phpMyAdmin, a password has already been assigned but of course it is encrypted. What is the solution? I cannot click the Forgot Password link when trying to log on with the new account email address since that email address would not send to me.

 

I'm hoping this contribution allows me to set up a restricted admin access for one user to allow just review/edit/print/delete of customers and orders yet also log on to the Top Administrator and have full access.


 

The "Access with Level Account for the Admin Area" contribution works quite well once I solved a problem for new accounts created beyond the default initial set up account.

 

I searched the forum discussions and found a solution to this problem where one is not given the opportunity to enter a password for new accounts beyond the "Top Administrator" account. Since the password was encrypted, trying to view the automatically generated password for a restricted account with phpMyAdmin was not possible. Thinking back now, perhaps I could have cut and pasted the encrypted password when trying to access the secondary account. But even if it worked it would not be a desirable situation.

 

The solution was to allow unencrypted password comparison. I could then manually enter a new account password and then log on to secondary accounts.

 

For me, the "forgot password" mechanism was not available for retrieving the automatically assigned password on secondary accounts because these new accounts were not using my own email address. Perhaps I could have used another email address that belongs to me but I did not take this approach.


Hi,

 

My only problem with this contrib is this...

 

I am using shared SSL. My shared SSL url is in the following format...https://securedomain.com/~username

 

The problem is that any images inserted using the WYSIWYG area will not show in SSL mode on the actual page.

 

The reason for this is that when it's referring to the image in SSL mode, it is referring to https://securedomain.com/catalog/images/image.gif but it should be referencing https://securedomain.com/~username/catalog/images/image.gif

 

So it's not inserting the "/~username" part required so the images show up as broken since the path is wrong.

 

Anyone have a fix to this?

 

It appears that MaxiDVD has abandoned the forums altogether since 2003 and the site in his profile no longer exists. I hope someone else can help.


  • 2 weeks later...

I have a sneaky feeling I've not configured something obvious here, but when I go to click the "my account" link I get:

 

Not Found

The requested URL /admin/HTTPS_SERVER/admin/admin_account.php was not found on this server.

 

deleting the

 

HTTPS_SERVER/admin/

 

part lets me view the page.

 

I've got my SSL settings set to 0 - any ideas?

 

Thx,

 

Dan :)


Hmm - manually editing the Login.php, Logoff.php and header.php files to change all references to SSL to NONSSL seems to have fixed the problem?

 

Have I done this correctly or is there a central variable I could use?

 

Dan :P

 

Also needed to do the General.php file - I assume this is preset to be SSL enabled then?

 

No mention in the install.txt of this :blush:


  • 2 weeks later...

Same headache. ;)

Another way to keep the session from timing out is to keep calling session_register for login_id and login_groups_id on every page reload, by making a little change to the function tep_admin_check_login():

 

function tep_admin_check_login() {
  global $PHP_SELF, $login_id, $login_groups_id, $login_first_name;
  if (!tep_session_is_registered('login_id')) {
    tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
  } else {
    tep_session_register('login_id');
    tep_session_register('login_groups_id');
    tep_session_register('login_first_name');

    $filename = basename( $PHP_SELF );
    if ($filename != FILENAME_DEFAULT && $filename != FILENAME_FORBIDEN && $filename != FILENAME_LOGOFF && $filename != FILENAME_ADMIN_ACCOUNT && $filename != FILENAME_POPUP_IMAGE && $filename != 'packingslip.php' && $filename != 'invoice.php') {
      $db_file_query = tep_db_query("select admin_files_name from " . TABLE_ADMIN_FILES . " where FIND_IN_SET( '" . $login_groups_id . "', admin_groups_id) and admin_files_name = '" . $filename . "'");
      if (!tep_db_num_rows($db_file_query)) {
        tep_redirect(tep_href_link(FILENAME_FORBIDEN));
      }
    }
  }
}

 

No changes on "timeout" with this code or the old one.

 

It is frustrating working on my admin site and being thrown out every 24 minutes.

 

Any other suggestions??


  • 3 weeks later...

Here's a mod to this contrib I have been working on, borrowing some code here and there and writing the rest myself. As always BACKUP! BACKUP! BACKUP!

 

WHAT IT DOES:

It disables an email address after 5 login tries for 5 minutes and emails the administrator the offenders IP Address. After 5 minutes you can log right back in automagically!

 

WHY:

To stop brute force attacks; it's not perfect but it's the next step after basic password protection. It helps keep a hacker from using 100s or 1000s of requests to guess your password....

 

HOW TO DO IT?

 

Here is the SQL to create the necessary table:

DROP TABLE IF EXISTS admin_lock;
CREATE TABLE `admin_lock` (
 `attempt_id` int(11) NOT NULL auto_increment,
 `attempt_email` varchar(50) default '' UNIQUE,
 `attempts` int(1) default '0',
 `last_attempt` int(20) default '0',
 `first_offense` int(1) default '0',
 PRIMARY KEY  (`attempt_id`)
);

 

Then insert in your admin/login.php

AFTER

$password = tep_db_prepare_input($HTTP_POST_VARS['password']);

 

// Check whether this email address has made more than 4 login attempts; if so,
// lock it out for 5 minutes, then reset the counter.
//----------------Configuration----------------
$mail_report = '[email protected]';    // address to mail report to
$show_msg = 'Your IP Address was logged and the administrator has been notified. Your IP Address is: ';
//---------------------------------------------

// $email_address comes straight from the login form, so it is escaped with tep_db_input() before it goes into the query.
$check_lockout_query = tep_db_query("select attempt_id, first_offense, attempt_email, attempts, last_attempt from admin_lock where attempt_email = '" . tep_db_input(strtolower($email_address)) . "'");
$check_lockout = tep_db_fetch_array($check_lockout_query);

$attempts = $check_lockout['attempts'] + 1;
if ($check_lockout['attempt_id'] == '') {
  // first attempt for this address: create the row
  $last_attempt = time();
  tep_db_query("insert into admin_lock (attempt_email, attempts, last_attempt) values ('" . tep_db_input(strtolower($email_address)) . "', '1', '" . $last_attempt . "')");
} else if ($attempts < 5) {
  // still under the limit: count the attempt and arm the one-time report
  $last_attempt = time();
  tep_db_query("update admin_lock set attempts = '" . $attempts . "', last_attempt = '" . $last_attempt . "', first_offense = 1 where attempt_id = '" . $check_lockout['attempt_id'] . "'");
} else {
  $locked_time = (time() - $check_lockout['last_attempt']);
  if ($locked_time < 300) {
    echo ('<center><font color=red>Your login attempt has timed out, try again in 5 minutes</font> Time since lockout: ' . $locked_time . ' seconds</center>');
    $password = ''; // blank the password so the login check below cannot succeed
    if ($check_lockout['first_offense'] == 1) {
      // get their IP address; X-Forwarded-For is supplied by the client, so it is only reported alongside REMOTE_ADDR
      $fwd = '';
      $ip = getenv('REMOTE_ADDR');
      if (getenv('HTTP_X_FORWARDED_FOR')) {
        $fwd = ' (' . getenv('HTTP_X_FORWARDED_FOR') . ')';
      }

      // create nice report
      $msg = "\n" . 'FAILED LOGIN ATTEMPT REPORT' . "\n" . '---------------------------------------' . "\n";
      $msg .= 'Remote Address: ' . $ip . $fwd . "\n";
      $msg .= 'Referer       : ' . $_SERVER['HTTP_REFERER'] . "\n";
      $msg .= 'Requested     : ' . $_SERVER['REQUEST_URI'] . "\n";
      $msg .= 'Used user name: ' . $email_address . "\n";

      mail($mail_report, 'FAILED ADMIN LOGIN ATTEMPT', $msg);
      echo '<center><b>' . $show_msg . $ip . '</b></center>';
      // only mail once per lockout
      tep_db_query("update admin_lock set first_offense = 0 where attempt_id = '" . $check_lockout['attempt_id'] . "'");
    }
  } else {
    // lockout has expired: reset the counter and let this attempt through
    $last_attempt = time();
    tep_db_query("update admin_lock set attempts = 0, last_attempt = '" . $last_attempt . "' where attempt_id = '" . $check_lockout['attempt_id'] . "'");
  }
}

 

Then just configure your email address and you're done! :thumbsup:
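The same counter, as an added Python example that is not the contribution's PHP: the admin_lock table is modelled in memory and the clock is injectable, so the 5-attempt / 300-second behaviour of the mod above can be traced without waiting five minutes. The `clear` method and the `demo` scenario are additions, and the addresses in it are constructed.

```python
"""Per-address login lockout, as in the admin/login.php mod above, re-implemented
in Python with an in-memory 'admin_lock' table and an injectable clock.
Added example; not the contribution's code."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

LOCK_AFTER = 5      # the mod allows attempts while the count is below 5; the 5th is refused
LOCK_SECONDS = 300  # lock length, measured from the last counted attempt (as in the mod)


@dataclass
class LockRow:
    """One row of the admin_lock table."""
    attempts: int = 0
    last_attempt: float = 0.0
    first_offense: bool = False  # True until the report for this lock has been mailed


class LoginLimiter:
    def __init__(self, clock: Callable[[], float] = time.time,
                 notify: Optional[Callable[[str, str], None]] = None) -> None:
        self.rows: Dict[str, LockRow] = {}      # stands in for the admin_lock table
        self.clock = clock
        self.notify = notify or (lambda email, ip: None)  # stands in for mail()

    def check(self, email: str, ip: str) -> Tuple[bool, str]:
        """Run before the password is verified. Returns (allowed, message_for_user)."""
        email = email.lower()
        now = self.clock()
        row = self.rows.get(email)
        if row is None:                                   # insert into admin_lock ...
            self.rows[email] = LockRow(attempts=1, last_attempt=now)
            return True, ""
        attempts = row.attempts + 1
        if attempts < LOCK_AFTER:                         # update ... first_offense = 1
            row.attempts, row.last_attempt, row.first_offense = attempts, now, True
            return True, ""
        locked_for = now - row.last_attempt
        if locked_for < LOCK_SECONDS:
            if row.first_offense:                         # mail the report once per lock
                self.notify(email, ip)
                row.first_offense = False
            return False, f"locked out, try again in {int(LOCK_SECONDS - locked_for)} seconds"
        row.attempts, row.last_attempt = 0, now           # lock expired: reset, let it through
        return True, ""

    def clear(self, email: str) -> None:
        """Not in the mod: call after a successful login so good logins do not accumulate."""
        self.rows.pop(email.lower(), None)


def demo() -> list:
    """Constructed scenario: four attempts pass, the fifth is refused and reported once,
    and the address is usable again after the lock expires."""
    clock = [1000.0]
    reports = []
    limiter = LoginLimiter(clock=lambda: clock[0],
                           notify=lambda e, ip: reports.append((e, ip)))
    results = [limiter.check("Owner@Example.com", "203.0.113.9")[0] for _ in range(5)]
    clock[0] += LOCK_SECONDS + 1
    results.append(limiter.check("owner@example.com", "203.0.113.9")[0])
    return results + [len(reports)]


if __name__ == "__main__":
    print(demo())
```

Three things the trace makes visible, all present in the PHP above: the counter is incremented before the password is checked, so five successful logins inside five minutes also lock the account unless something like `clear` runs after success; the lock is keyed on the email address, which an earlier post notes is published on the store's contact page, so anyone can keep the owner locked out by sending four bad passwords every five minutes; and HTTP_X_FORWARDED_FOR is set by the client, so only REMOTE_ADDR in the report is trustworthy.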


Hi there,

 

Somebody ever tried to make the main admin page selective. I mean that the user can only view the options which he's allowed to see with his rights?

 

This should be a simple modification I think, but I need some help:

 

Based on the access rights of the user I'd like to fill the array in index.php, so it should be filled selectively depending on the rights.

 

Please give advise.

 

I don't know if anyone else cares about this, but it was bugging me too.

 

As a fix I've bypassed the main index.php already and set the redirect page to be easypopulate.php by default, as this page is common to all my userlevels.

 

just find the code

          tep_redirect(tep_href_link(FILENAME_ADMIN_ACCOUNT));
       } else {
         tep_redirect(tep_href_link(FILENAME_DEFAULT));

 

and replace with

          tep_redirect(tep_href_link(FILENAME_ADMIN_ACCOUNT));
       } else {
         tep_redirect(tep_href_link(FILENAME_EASYPOPULATE));

 

Assuming you've defined FILENAME_EASYPOPULATE in filenames.php. The same needs to be done in header.php under the "Administration" link.

 

Hope this helps someone ;)

 

Dan


  • 2 weeks later...

Hi there!

Trying to install Easy Populate v2_76b_1 after Admin_Access-2.1_1.

I have a problem: the install guide refers to the unmodified files.

line :

 

'<a href="' . tep_href_link(FILENAME_PRODUCTS_ATTRIBUTES, '', 'NONSSL') . '"

class="menuBoxContentLink">' . BOX_CATALOG_CATEGORIES_PRODUCTS_ATTRIBUTES .

'</a><br>' .

 

in admin/includes/boxes/catalog.php commented new lines look like this:

 

tep_admin_files_boxes(FILENAME_PRODUCTS_ATTRIBUTES, BOX_CATALOG_CATEGORIES_PRODUCTS_ATTRIBUTES) .

 

i try

 

tep_admin_files_boxes('easypopulate.php', 'Easy Populate') .

 

no error, but no changes in admin tools or elsewhere

 

?????? :huh:

any help??


  • 3 weeks later...

I'm having the same problem; I'm not using SSL yet as it's just a test site,

 

but whenever admin has to send a form using the POST method it logs me out?

 

E.g. when I search on the customer page I get logged out. I think I've narrowed it down to just forms using the POST method.

 

Anyone solved this problem ???


Well come on, someone must have come across this and solved it?


  • 1 month later...

I'm getting a "Redirection limit for this URL exceeded" error in FF and IE just freezes and I've narrowed it down to this block in catalog/admin/includes/application_top.php:

 

//Admin begin

if (basename($PHP_SELF) != FILENAME_LOGIN && basename($PHP_SELF) != FILENAME_PASSWORD_FORGOTTEN) {

tep_admin_check_login();

}

//Admin end

 

 

It throws certain pages into a loop. How? Why? Help!

 

Thanks in Advance

 

 

Ciraklizer


  • 4 weeks later...

I've installed a new copy of OSC and did a full install of this contrib, and it all seems to install okay. But when I try to visit the admin panel I get a blank page. Any answers for this one?
