mentalskylight Posted March 17, 2005

Yeah........same problem here too. I tried working with the Register Globals help on other contributions but my slim PHP skills are just not up to the task.... :'(

So, anyone out there with a solution or a suggestion on a way forward, please help......... :blink:

Thanks

> Hi,
>
> Similar thing here. I am an osCommerce newb, osCommerce 2.2 MS2 (dl two weeks ago).
>
> Applied the Register Globals v1.3 (2005-01-13) http://www.oscommerce.com/community/contributions,2097
> Applied Administration Access Level Accounts 2.3 (2003-09-05) http://www.oscommerce.com/community/contributions,1359
>
> Clicking on edit, I can change admin name and email address, but not the password. Adding new administrator prompts only for first/last, email address, and group, but no way to assign a password to the new admin. Clicking on "password forgotten" emails a new random password, but again, cannot change it.
>
> BTW, the "password forgotten" is not very secure, anyone who knows the store owner will know her first name and her e-mail address. Actually, you do not even need to know the store owner, the info is in the "contact us" page... Need to add a "security" question to the "forgotten password" feature.
>
> I applied all the changes from Admin Access Level to all files, I double checked all the files (i.e. the files from the "changed files" and the live files), the only diffs were the sections that had to do with Register Globals, which if applied, would have reverted the files to the pre-Register Globals changes. (I used emacs Tools -> Ediff -> Two Buffers to apply the contribution.)
>
> Is there a compatibility issue between Register Global and Admin Access Level? If so, what is the fix? If not, what am I doing wrong?
>
> Thanks in advance.
> -avi

netstep Posted May 26, 2005

> PROBLEM WITH CUSTOMIZED BOXES!
> My question: What do I have to edit, in order to make my customized box items show up in the "define group permissions" dialog??

I just finished setting this all up for my own sites.

admin/includes/boxes/YOURBOX.PHP

Example:

    '<a href="' . tep_href_link('easypopulate.php', '', 'NONSSL') . '" class="menuBoxContentLink">Easy Populate</a><br>'.

or

    '<a href="' . tep_href_link(FILE_NAME_CUSTOMER_GROUPS, '', 'NONSSL') . '" class="menuBoxContentLink">' . BOX_CUSTOMERS_GROUPS . '</a>' .

becomes

    tep_admin_files_boxes('easypopulate.php', 'Easy Populate') .

and

    tep_admin_files_boxes(FILE_NAME_CUSTOMER_GROUPS, BOX_CUSTOMERS_GROUPS) .

The only links you can't modify in the same manner are configure.php and modules.php BUT you don't need to because Admin 2.X already sets those.

PS: I can't update my passwords. Please keep me posted on this bug.

Sam M. - Seattle

netstep Posted May 26, 2005

Password problem...

I don't care about encrypting my admin passwords in the database. In fact, I'd prefer they be visible so I can edit them if possible. Maybe it would be a temporary workaround to this password update hassle.

How do I stop this thing from encrypting passwords?
OR
How do I get it to let me change passwords like it should?

Sam M. - Seattle

aviram Posted May 27, 2005

In order to allow for plain passwords, I've added this line

    if ($plain == $encrypted) return true;

after

    function tep_validate_password($plain, $encrypted) {
      if (tep_not_null($plain) && tep_not_null($encrypted)) {

in the file password_funcs.php.

What it does is compare the plain password to the password from the database table, and if equal, return true, i.e. valid password. If not equal, it will go on to encrypt, and compare the crypted version as it normally does.

-avi

> Password problem...
>
> I don't care about encrypting my admin passwords in the database. In fact, I'd prefer they be visible so I can edit them if possible. Maybe it would be a temporary workaround to this password update hassle.
>
> How do I stop this thing from encrypting passwords?
> OR
> How do I get it to let me change passwords like it should?

netstep Posted June 1, 2005

Thank you aviram! That worked great. This contribution is fantastic.

However, the My Account system isn't working on my install.

My Account > Click EDIT button > Enter Password > nothing appears on right side.

I'm assuming I should see blanks there to edit name/email/pw, etc. right?

Sam M. - Seattle

pstrid Posted June 11, 2005

Having problems when I secure my Admin via SSL...it works but in certain areas it will log me off and I have to log back in.

For example, I can generally navigate around my admin (with SSL=true) but when I am on the customer page and try to search for a customer, it logs me out of my admin session.

Let's assume my website url is: www.abccompany.com
and I have a shared SSL certificate: https://id100.securedata.net/abccompany

Here are my current settings:

    define('HTTP_SERVER', 'https://id100.securedata.net/abccompany');
    define('HTTP_CATALOG_SERVER', 'https://id100.securedata.net/abccompany');
    define('HTTPS_CATALOG_SERVER', 'https://id100.securedata.net/abccompany');
    define('ENABLE_SSL_CATALOG', 'true');
    define('DIR_FS_DOCUMENT_ROOT', '/www/abccompany/');
    define('DIR_WS_ADMIN', '/admin/'); // absolute path required
    define('DIR_FS_ADMIN', '/www/abccompany/admin/');
    define('DIR_WS_CATALOG', '/');
    define('DIR_FS_CATALOG', '/www/abccompany/');

Any suggestions would be much appreciated.

Thanks!

pstrid Posted June 16, 2005

> For example, I can generally navigate around my admin (with SSL=true) but when I am on the customer page and try to search for a customer, it logs me out of my admin session.

It appears that anytime the admin has to submit form data (i.e. when searching for a customer or an order), this is when it logs me out.

Anyone have any ideas?

urbieta Posted July 2, 2005 (edited)

I backed up of course ;)

Then replaced all files like it said on the instructions.

But then I am having huge problems trying to add all the extra stuff I already added to the site's admin before the Admin Access Level Accounts for MS2 contrib :S

I added the link into admin/includes/boxes/tools.php

    tep_admin_files_boxes('FILENAME_MYothercontrib', 'BOX_MYothercontrib') .

then added the link to the database

    INSERT INTO admin_files VALUES (57, 'MYothercontrib.php', 0, 9, '1,18');

I can choose the file in the administration administration, but it will not appear on the menu.

What else do I need to do?

thanks!

> I just finished setting this all up for my own sites.
>
> admin/includes/boxes/YOURBOX.PHP
>
> Example:
>
>     '<a href="' . tep_href_link('easypopulate.php', '', 'NONSSL') . '" class="menuBoxContentLink">Easy Populate</a><br>'.
>
> or
>
>     '<a href="' . tep_href_link(FILE_NAME_CUSTOMER_GROUPS, '', 'NONSSL') . '" class="menuBoxContentLink">' . BOX_CUSTOMERS_GROUPS . '</a>' .
>
> becomes
>
>     tep_admin_files_boxes('easypopulate.php', 'Easy Populate') .
>
> and
>
>     tep_admin_files_boxes(FILE_NAME_CUSTOMER_GROUPS, BOX_CUSTOMERS_GROUPS) .
>
> The only links you can't modify in the same manner are configure.php and modules.php BUT you don't need to because Admin 2.X already sets those.
>
> PS: I can't update my passwords. Please keep me posted on this bug.

Edited July 2, 2005 by urbieta

pstrid Posted July 16, 2005

Anyone have any good ideas on this?

Remak Posted July 18, 2005

Hello guys,

I have installed osCommerce version 2.2 a few days ago and downloaded the Admin Access v. 2.3 to protect the Admin options. Is there a complete guide somewhere on what I have to do so it works?

First I have imported the "admin_table.sql" into my database and then I either

a) can copy the admin folder in the original folder => nothing happens when I normally type in the URL .../catalog/admin (I don't see any changes)

b) and when I copy the admin folder in the "changed files" folder, I will be linked to "http://localhost/catalog/admin/login.php" and I get a white screen.

I have tried some changes written in this topic but normally people say the install worked perfectly but ... In my case the install of the contribution hasn't even worked.

I would appreciate it if somebody has some time to explain to me or write me a private message about what I did wrong.

Thanks.

Guest Posted July 20, 2005

> Let me know if you find any omits or irregularities. All credit goes to Zaenal Muttaqin for the original, I just hacked this for MS2 and re-versioned it 2.0.

I've added the AdminAccess Level Accounts and set up a password for the default account, the Top Administrator. After a minor modification to the database_tables.php (MVS contribution required this), everything appears to work. Logging on with my email address for Top Administrator allows me complete access, as I would expect.

Next I created a new user and assigned that user to a different Group Level. But how do I assign a password to this new user? Of course this new user has a different name and email address. But when creating the new user, I was not given the opportunity to enter a password. When I view the admin table with phpMyAdmin, a password has already been assigned but of course it is encrypted.

What is the solution? I cannot click the Forgot Password link when trying to log on with the new account email address since that email address would not send to me.

I'm hoping this contribution allows me to set up a restricted admin access for one user to allow just review/edit/print/delete of customers and orders yet also log on to the Top Administrator and have full access.

Guest Posted July 23, 2005

> I've added the AdminAccess Level Accounts and set up a password for the default account, the Top Administrator. After a minor modification to the database_tables.php (MVS contribution required this), everything appears to work. Logging on with my email address for Top Administrator allows me complete access, as I would expect.
>
> Next I created a new user and assigned that user to a different Group Level. But how do I assign a password to this new user? Of course this new user has a different name and email address. But when creating the new user, I was not given the opportunity to enter a password. When I view the admin table with phpMyAdmin, a password has already been assigned but of course it is encrypted.
>
> What is the solution? I cannot click the Forgot Password link when trying to log on with the new account email address since that email address would not send to me.
>
> I'm hoping this contribution allows me to set up a restricted admin access for one user to allow just review/edit/print/delete of customers and orders yet also log on to the Top Administrator and have full access.

The "Access with Level Account for the Admin Area" contribution works quite well once I solved a problem for new accounts created beyond the default initial set up account. I searched the forum discussions and found a solution to this problem where one is not given the opportunity to enter a password for new accounts beyond the "Top Administrator" account.

Since the password was encrypted, trying to view the automatically generated password for a restricted account with phpMyAdmin was not possible. Thinking back now, perhaps I could have cut and pasted the encrypted password when trying to access the secondary account. But even if it worked it would not be a desirable situation.

The solution was to allow unencrypted password comparison. I could then manually enter a new account password and then log on to secondary accounts.

For me, the "forgot password" mechanism was not available for retrieving the automatically assigned password on secondary accounts because these new accounts were not using my own email address. Perhaps I could have used another email address that belongs to me but I did not take this approach.

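Added example (not from any post in this thread, and not osCommerce code): the effect of the one-line change posted on May 27, which the July 23 post above also settles on, next to a check that keeps hashing. The `demo_*` functions and sample rows are constructed for illustration, and the `md5(salt . password) . ':' . salt` layout of a stored value is an assumption.

```php
<?php
// Added illustration. All demo_* names and sample values are constructed.
// Assumption: stored values look like md5(salt . password) . ':' . salt.

// Stand-in for the hashed check without the added line.
function demo_validate_stock($plain, $stored) {
    if ($plain === '' || $stored === '') return false;
    $parts = explode(':', $stored);
    if (count($parts) != 2) return false;
    return md5($parts[1] . $plain) === $parts[0];
}

// The same check with the line from the post placed first.
function demo_validate_patched($plain, $stored) {
    if ($plain === '' || $stored === '') return false;
    if ($plain == $stored) return true;   // added line: loose equality with the column
    return demo_validate_stock($plain, $stored);
}

// Alternative: the input is never compared to the column directly.
// Accepts password_hash() values and, for old rows, the salted-md5 layout.
function demo_validate_hardened($plain, $stored) {
    if ($plain === '' || $stored === '') return false;
    if ($stored[0] === '$') {               // password_hash() output
        return password_verify($plain, $stored);
    }
    $parts = explode(':', $stored);
    if (count($parts) != 2) return false;   // plaintext rows are not accepted
    return hash_equals($parts[0], md5($parts[1] . $plain));
}

// Value to store when an account needs a known password.
// Assumption: the column is wide enough (bcrypt output is 60 characters).
function demo_new_stored_value($plain) {
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Constructed sample rows.
$hashed_row = md5('k3' . 'correct horse') . ':k3';  // legacy layout
$plain_row  = '1000';                               // plaintext, as the workaround allows
$new_row    = demo_new_stored_value('correct horse');

// Each case feeds one input to one check and records the verdict.
$cases = array(
    'patched:  column value typed as the password' => demo_validate_patched($hashed_row, $hashed_row),
    'patched:  "1e3" against plaintext row "1000"' => demo_validate_patched('1e3', $plain_row),
    'hardened: column value typed as the password' => demo_validate_hardened($hashed_row, $hashed_row),
    'hardened: "1e3" against plaintext row "1000"' => demo_validate_hardened('1e3', $plain_row),
    'hardened: real password, legacy row'          => demo_validate_hardened('correct horse', $hashed_row),
    'hardened: real password, new row'             => demo_validate_hardened('correct horse', $new_row),
);

foreach ($cases as $label => $accepted) {
    echo str_pad($label, 48) . ($accepted ? 'accepted' : 'rejected') . "\n";
}
```

With the hardened check, an account gets a known password by writing the output of `demo_new_stored_value()` into its row, so no plaintext comparison is needed.
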
Guest Posted July 25, 2005 (edited)

Hi,

My only problem with this contrib is this...

I am using shared SSL. My shared SSL url is in the following format... https://securedomain.com/~username

The problem is that any images inserted using the WYSIWYG area will not show in SSL mode on the actual page. The reason for this is because when it's referring to the image in SSL mode, it is referring to

https://securedomain.com/catalog/images/image.gif

but it should be referencing

https://securedomain.com/~username/catalog/images/image.gif

So it's not inserting the "/~username" part required, so the images show up as broken since the path is wrong.

Anyone have a fix for this? It appears that MaxiDVD has abandoned the forums altogether since 2003 and the site in his profile is no longer in existence. I hope someone else can help.

Edited July 25, 2005 by cxm322

Geordiedan Posted August 8, 2005

I have a sneaky feeling I've not configured something obvious here, but when I go to click the "my account" link I get:

    Not Found
    The requested URL /admin/HTTPS_SERVER/admin/admin_account.php was not found on this server.

Deleting the HTTPS_SERVER/admin/ part lets me view the page. I've got my SSL settings set to 0 - any ideas?

Thx,

Dan :)

Geordiedan Posted August 8, 2005

Hmm - manually editing the Login.php, Logoff.php and header.php files to change all references to SSL to NONSSL seems to have fixed the problem? Have I done this correctly or is there a central variable I could use?

Dan :P

Geordiedan Posted August 8, 2005

> Hmm - manually editing the Login.php, Logoff.php and header.php files to change all references to SSL to NONSSL seems to have fixed the problem? Have I done this correctly or is there a central variable I could use?
>
> Dan :P

Also needed to do the General.php file - I assume this is preset to be SSL enabled then? No mention in the install.txt of this :blush:

Aage Posted August 21, 2005 (edited)

> Same headache. ;)
> The other way to keep session timeout by keep session_register for login_id, login_group_id every reload page by make little change to function tep_admin_check_login()
>
>     function tep_admin_check_login() {
>       global $PHP_SELF, $login_id, $login_groups_id, $login_first_name;
>       if (!tep_session_is_registered('login_id')) {
>         tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
>       } else {
>         // re-register the login variables on every page load
>         tep_session_register('login_id');
>         tep_session_register('login_groups_id');
>         tep_session_register('login_first_name');
>         $filename = basename( $PHP_SELF );
>         if ($filename != FILENAME_DEFAULT && $filename != FILENAME_FORBIDEN && $filename != FILENAME_LOGOFF && $filename != FILENAME_ADMIN_ACCOUNT && $filename != FILENAME_POPUP_IMAGE && $filename != 'packingslip.php' && $filename != 'invoice.php') {
>           // tep_db_input() escapes both values before they are placed in the SQL string
>           $db_file_query = tep_db_query("select admin_files_name from " . TABLE_ADMIN_FILES . " where FIND_IN_SET( '" . tep_db_input($login_groups_id) . "', admin_groups_id) and admin_files_name = '" . tep_db_input($filename) . "'");
>           if (!tep_db_num_rows($db_file_query)) {
>             tep_redirect(tep_href_link(FILENAME_FORBIDEN));
>           }
>         }
>       }
>     }

No changes on "timeout" with this code or the old one. It is frustrating working on my admin site and being thrown out every 24 minutes. Any other suggestions??

Edited August 21, 2005 by Aage

homewetbar Posted September 7, 2005

Here's a mod to this contrib I have been working on, borrowing some code here and there and then writing the rest myself. As always BACKUP! BACKUP! BACKUP!

WHAT IT DOES:
It disables an email address after 5 login tries for 5 minutes and emails the administrator the offender's IP Address. After 5 minutes you can log right back in automagically!

WHY:
To stop brute force attacks, it's not perfect but the next step after basic password protection. It helps keep a hacker from using 100s or 1000s of requests to guess your password....

HOW TO DO IT?

Here is the SQL to create the necessary table:

    DROP TABLE IF EXISTS admin_lock;
    CREATE TABLE `admin_lock` (
      `attempt_id` int(11) NOT NULL auto_increment,
      `attempt_email` varchar(50) default '' UNIQUE,
      `attempts` int(1) default '0',
      `last_attempt` int(20) default '0',
      `first_offense` int(1) default '0',
      PRIMARY KEY (`attempt_id`)
    );

Then insert in your admin/login.php AFTER

    $password = tep_db_prepare_input($HTTP_POST_VARS['password']);

this:

    // Checking to see if login attempt > 4 if so time out for 5 minutes then reset login attempts.
    //----------------Configuration----------------
    $mail_report = '[email protected]'; // address to mail report to
    $show_msg = 'Your IP Address was logged and the administrator has been notified. Your IP Address is: ';
    //---------------------------------------------
    // tep_db_input() escapes the submitted address before it is placed in the SQL string
    $check_lockout_query = tep_db_query("select attempt_id, first_offense, attempt_email, attempts, last_attempt from admin_lock where attempt_email = '" . tep_db_input(strtolower($email_address)) . "' ");
    $check_lockout = tep_db_fetch_array($check_lockout_query);
    $attempts = $check_lockout['attempts'] + 1;
    if ($check_lockout['attempt_id'] == '') {
      // no row yet for this address: record the first attempt
      $last_attempt = time();
      tep_db_query("insert into admin_lock (attempt_email, attempts, last_attempt) values ('" . tep_db_input(strtolower($email_address)) . "', '1', '" . $last_attempt . "')");
    } else if ($attempts < 5) {
      $last_attempt = time();
      tep_db_query("update admin_lock set attempts = '" . $attempts . "', last_attempt = '" . $last_attempt . "', first_offense = 1 where attempt_id = '" . $check_lockout['attempt_id'] . "'");
    } else {
      $locked_time = (time() - $check_lockout['last_attempt']);
      if ($locked_time < 300) {
        echo ('<center><font color=red>Your login attempt has timed out, try again in 5 minutes</font> Time since lockout: ' . $locked_time . ' seconds</center>');
        $password = '';
        if ($check_lockout['first_offense'] == 1) {
          // get their IP Address
          $fwd = '';
          if (getenv('HTTP_X_FORWARDED_FOR')) {
            $fwd = ' (' . getenv('HTTP_X_FORWARDED_FOR') . ')';
          }
          $ip = getenv('REMOTE_ADDR');
          $name = $email_address;
          // create nice report
          $msg = "\n" . 'FAILED LOGIN ATTEMPT REPORT' . "\n" . '---------------------------------------' . "\n";
          $msg .= 'Remote Address: ' . $ip . $fwd . "\n";
          $msg .= 'Referer : ' . $_SERVER["HTTP_REFERER"] . "\n";
          $msg .= 'Requested : ' . $_SERVER["REQUEST_URI"] . "\n";
          $msg .= 'Used user name: ' . $email_address . "\n";
          mail($mail_report, 'FAILED ADMIN LOGIN ATTEMPT', $msg);
          echo '<center><b>' . $show_msg . $ip . '</b></center>';
          tep_db_query("update admin_lock set first_offense = 0 where attempt_id = '" . $check_lockout['attempt_id'] . "'");
        }
      } else {
        // lockout window has passed: reset the counter
        $last_attempt = time();
        tep_db_query("update admin_lock set attempts = 0, last_attempt = '" . $last_attempt . "' where attempt_id = '" . $check_lockout['attempt_id'] . "'");
      }
    }

Then just configure your email address and you're done! :thumbsup:

Geordiedan Posted September 9, 2005

> Hi there,
>
> Somebody ever tried to make the main admin page selective. I mean that the user can only view the options which he's allowed to see with his rights?
>
> This should be a simple modification I think, but I need some help:
>
> Based on the access rights of the user I like to fill the array in the index.php, so it should be filled selectively depending on the rights.
>
> Please give advice.

I don't know if anyone else cares about this, but it was bugging me too. As a fix I've bypassed the main index.php already and set the redirect page to be easypopulate.php by default, as this page is common to all my userlevels.

Just find the code

    tep_redirect(tep_href_link(FILENAME_ADMIN_ACCOUNT));
    } else {
    tep_redirect(tep_href_link(FILENAME_DEFAULT));

and replace with

    tep_redirect(tep_href_link(FILENAME_ADMIN_ACCOUNT));
    } else {
    tep_redirect(tep_href_link(FILENAME_EASYPOPULATE));

Assuming you've defined EASYPOPULATE in filenames.php. Same needs to be done in header.php under the "Administration" link.

Hope this helps someone ;)

Dan

VSG Posted September 22, 2005

Hi there!

Trying to install Easy Populate v2_76b_1 after Admin_Access-2.1_1.

Have some problem: install guides not to modified files.

line:

    '<a href="' . tep_href_link(FILENAME_PRODUCTS_ATTRIBUTES, '', 'NONSSL') . '" class="menuBoxContentLink">' . BOX_CATALOG_CATEGORIES_PRODUCTS_ATTRIBUTES . '</a><br>' .

in admin/includes/boxes/catalog.php is commented; new lines look like this:

    tep_admin_files_boxes(FILENAME_PRODUCTS_ATTRIBUTES, BOX_CATALOG_CATEGORIES_PRODUCTS_ATTRIBUTES) .

I try

    tep_admin_files_boxes('easypopulate.php', 'Easy Populate') .

No error, but no changes in admin tools or elsewhere ?????? :huh:

Any help??

gscreations Posted October 12, 2005

> It appears that anytime the admin has to submit form data (i.e. when searching for a customer or an order), this is when it logs me out.
>
> Anyone have any ideas?

I'm having the same problem. I'm not using SSL yet as it's just a test site, but whenever admin has to send a form using POST method it logs me out?

E.g. when I search on the customer page I get logged out. I think I've narrowed it down to just forms set using POST method.

Anyone solved this problem???

gscreations Posted October 14, 2005

> I'm having the same problem. I'm not using SSL yet as it's just a test site, but whenever admin has to send a form using POST method it logs me out?
>
> E.g. when I search on the customer page I get logged out. I think I've narrowed it down to just forms set using POST method.
>
> Anyone solved this problem???

Well come on, someone must have come across this and solved it???????

gscreations Posted October 14, 2005

Doesn't matter, I'm removing this contribution, it obviously has flaws.

ciraklizer Posted November 15, 2005

I'm getting a "Redirection limit for this URL exceeded" error in FF and IE just freezes and I've narrowed it down to this block in catalog/admin/includes/application_top.php:

    //Admin begin
    if (basename($PHP_SELF) != FILENAME_LOGIN && basename($PHP_SELF) != FILENAME_PASSWORD_FORGOTTEN) {
      tep_admin_check_login();
    }
    //Admin end

It throws certain pages into a loop. How? Why? Help!

Thanks in Advance

Ciraklizer

Guest Posted December 8, 2005

I've installed a new copy of OSC, and did a full install of this contrib. And it all seems to install okay. But when I try to visit the admin panel I get a blank page. Any answers for this one?