papasan

[CONTRIB] Admin Access Level Accounts for MS2


Hi,

 

I have my osCommerce MS2 with many contributions installed and I want to install Admin Access. Which version should I install?

 

Best Regards, André.

Edited by lopes_andre


I am trying to uninstall this contribution as it conflicts with another contribution that I need, and I commented out everything..... I think, but now how do I get the Admin table in the SQL back to its original state? I can't find it anywhere.

 

Any help would be appreciated.


And this contribution conflicts with which other contribution?

 

I'm thinking of installing this contribution, but my osCommerce has many contributions installed...

 

And which version have you downloaded to install?

 

Regards, Andre.

It is conflicting with the installation of Multi Vendor Shipping V1.1, I am hoping to get that installed and then reinstall this one and hopefully it won't conflict, but who knows. I have Admin Access 2.2.

Try Simple Admin Access Control; it is much easier to install and can be more specific than AAL.

 

http://www.oscommerce.com/community/contributions,2701

 

http://forums.oscommerce.com/index.php?showtopic=125058


Hello

 

I could install this contrib, and principally all is working fine, but now I need help with this error message. I've spent some hours reading this thread but nobody has the same problem.

 

 

This is the error message I get when I open a product to edit it or when I choose "new product":

 

 

Fatal error: Call to undefined function: tep_draw_mselect_menu() in /var/www/my-web/html/my-shop/catalog/admin/categories.php on line 684

The code in this line is:

 

<tr>
  <td class="main"><?php echo TEXT_CATEGORIES; ?></td>
  <td class="main"><?php echo tep_draw_separator('pixel_trans.gif', '24', '15') . '&nbsp;' . tep_draw_mselect_menu('categories_ids[]', $categories_array, $categories_array_selected, 'size=10'); ?></td>
</tr>

 

 

Any idea? Please help.

 

 

Cheers Amigoo


I have not seen that problem. I installed it and it works great for me; the only problem is it seems not to work with ccgv. Has anybody had any issue with ccgv?

Hello folk,

 

I'm very stupid.

The install advice said: Replace some code in catalog/admin/includes/functions/html_output.php

and I have changed the code in catalog/includes/functions/html_output.php.

 

Now all is working fine. Sorry for the trouble.


Installed contrib Access with Level Account 2.2a and it works great. I just did a stupid thing when I created a new user; I did not assign them to a group now the user gives me an error. How do I delete the account or assign it to a group?


Installed the latest version of Admin Access Level Accounts; now clicking admin > member groups > Top administrator > edit takes you to store/admin/admin_members.php?page=1&mID=1&action=edit_member and produces:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/userid/public_html/admin/includes/functions/database.php on line 107

Has anyone got any clues?


OK, I'm stumped: I'm testing out my installation and I created a new member of the "Customer Relations" group. However, where do I set this person's password? Is there some default for this?

 

Thanks!

 

-= Dave =-

You cannot set a person's password when you first add them. The script for this contribution has the store send the person you added an email with their new auto-generated password. If you can access that person's email box, the email sent will show you that password.

If you don't have access to the new user's mailbox, go to phpMyAdmin and copy the admin user name and password into the new user's fields. Voila..... you have access to the new user account. When you don't need access anymore, change the password and email from his account. The store will send it.

Yeah, that's what I did as a temporary work-around. I didn't realize that an email alert goes out to the person once I've created their account.

 

Thanks!

 

-= Dave =-

Any clues?

Same error here.

 

I've solved it by changing a bracket position in admin_members.php, near line 600.

 

Take a look at the code below; look for my 2 comments //changed by bill, near the end:

 

    while ($n < tep_db_num_rows($top_categories_query)) {
      $top_categories = tep_db_fetch_array($top_categories_query);
      $top_categories_name_query = tep_db_query("select categories_name from " . TABLE_CATEGORIES_DESCRIPTION . " where language_id=2 and categories_id=" . $top_categories['categories_id']);
      $top_categories_name = tep_db_fetch_array($top_categories_name_query);
      if (in_array($top_categories['categories_id'], $str_cat_no_array)) {
        $is_selected = true;
      } else {
        $is_selected = false;
      }
      $all_categories .= tep_draw_checkbox_field('admin_cat_access_' . $n, $top_categories['categories_id'], $is_selected) . " " . $top_categories_name['categories_name'] . " (ID" . $top_categories['categories_id'] . ")<br> ";
      $n = $n + 1;
    }
//  } //changed by bill

    $contents[] = array('text' => '<br> <b>' . TEXT_INFO_CATEGORIEACCESS . '</b><br> ' . $all_categories);
    $contents[] = array('text' => tep_draw_hidden_field('admin_cat_access_fields', tep_db_num_rows($top_categories_query)));
  } //changed by bill

// Thomas Schittli: End Bugfixes

 

Cya,

Billsoft.

Fantastic! This fixed a problem I didn't realise I had.


Reposting this from another thread. Has anyone done a security audit on AAL 2.2a? Are there any known exploits for this contrib? Thanks

 

Hi Iggy ... yes, that is one problem I've noticed. I am not a wizard at PHP but understand a good portion. It seems the admin side of the catalog is not using the same session code ... which seems to be better written on the catalog side. I have read that the osC admin code was written by different osC programmers who all had their own ideas on how things should be done.

 

One thing I noticed is that if you forget to do the logout in Admin Access the session is not destroyed .. sometimes if I reopen my browser and type an admin URL to a file I can bypass the login intermittently.

 

I also noticed that even when restricting files to certain admins, like categories.php for example ... certain critical function buttons can be accessed if you know what URL parameters and category ids etc. to use. For example the copy, move, duplicate buttons are only disabled because the admin level is not equal to 1 .... but if you type in the correct URL and parameters ... there is no code to stop the execution.

 

I have been adding bits and pieces of code myself to try and add more logic to the checking of admin levels and which buttons can be clicked etc .. but it is a slow, complicated process. If someone was really good with code, the Admin Access mod needs some core code added for selecting which buttons on pages can be used ... like Insert and New Product etc., but I am not sure what the best way to go about this would be, because there are other factors involved, like any other mods which people have installed that have button links etc.

 

All in all I think Admin Access is a very impressive mod though and the creators and the contributors concepts are awesome. I can see this one going a long way and being developed further.

 

Well, there's a certain level of trust involved to hand out an admin pass in the first place, so in the cases above, although it would be good to get those fixed up, the security breach is the top admin.

 

As far as someone coming to the admin without a login/pass I can't see that there's an exploit that gets them past the login page (which doesn't mean there isn't one just that I can't figure out how to do it :) other than brute forcing it.

 

Someone ( ask not what osC can do for you people ) should update the admin contrib to include an index.php in all the subdirs though and especially in backups as that's wide open to anyone who knows the path.

 

Iggy


Everything's funny but nothing's a joke...
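The gap described in the quoted post (buttons hidden in the page, but the action still runs when the URL parameters are typed by hand) is closed on the server, not in the HTML. The block below is an added example, not code from the Admin Access contribution or from anyone in this thread; it assumes the login script registers login_groups_id in the session (as the login.php posted later in the thread does), that group id 1 is the Top administrator group, and that the action names match the switch in MS2's admin/categories.php (check them against your copy).

```php
<?php
// Added example: a server-side gate placed near the top of admin/categories.php,
// after application_top.php and before the switch ($HTTP_GET_VARS['action']).
// Hiding the copy / move / delete buttons does nothing once the URL is typed by
// hand; this check refuses the action itself.
//
// Assumptions (not taken from the contribution): the login script registers
// $login_groups_id in the session, group id 1 is the Top administrator group,
// and the action names below are the ones MS2's categories.php acts on.
require('includes/application_top.php');

define('TOP_ADMIN_GROUP_ID', 1);   // assumption: group 1 = Top administrator

// Actions that duplicate, move or delete data and are reserved for the top
// group.  Everything else keeps the contribution's existing rules.  Adding
// 'insert_category' here would also stop non-top admins creating categories.
$restricted_actions = array('copy_to_confirm',
                            'move_category_confirm', 'move_product_confirm',
                            'delete_category_confirm', 'delete_product_confirm');

// True when this admin group may run $action; non-restricted actions pass.
function admin_action_allowed($action, $groups_id, $restricted) {
  if (!in_array($action, $restricted)) return true;
  return ((int)$groups_id === TOP_ADMIN_GROUP_ID);
}

$action = (isset($HTTP_GET_VARS['action']) ? $HTTP_GET_VARS['action'] : '');
$groups_id = (tep_session_is_registered('login_groups_id') ? (int)$login_groups_id : 0);

if (!admin_action_allowed($action, $groups_id, $restricted_actions)) {
  // Log the refusal so a denied attempt shows up in the web server's error log,
  // then send the user back to the category view without running the action.
  error_log('categories.php: action "' . $action . '" refused for login_groups_id=' . $groups_id);
  tep_redirect(tep_href_link(FILENAME_CATEGORIES, (isset($cPath) ? 'cPath=' . $cPath : '')));
}
?>
```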


Here's the index.php I'm adding to all my /admin/subdirs

 

Hope it's helpful to someone

 

<?php
if (isset($_SESSION['osCAdminID'])) {
  echo 'Session exists';
} else {
  echo 'You really ought to login first shouldn\'t you?';
}
?>

 

Iggy


Everything's funny but nothing's a joke...

Actually that doesn't seem to do anything but keep everyone out. Still, better than a kick in the head when someone steals your backup files.

 

Iggy


Everything's funny but nothing's a joke...
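As an added example (not Iggy's file and not part of the contribution), here is a subdirectory index.php that sends a visitor without an admin session to the login page instead of only printing a message. It assumes the file sits one directory below admin/, that the contribution registers login_id in the session as the login.php posted later in the thread does, and that FILENAME_LOGIN is defined on the admin side.

```php
<?php
// Added example: admin/<subdir>/index.php, e.g. admin/backups/index.php.
// Replaces the directory listing with a login check and a redirect.
//
// Assumptions: this file is one directory below admin/; the contribution
// registers $login_id in the session at login; FILENAME_LOGIN is defined.
chdir('..');                               // application_top.php uses paths relative to admin/
require('includes/application_top.php');   // starts the admin session

// True only for a browser that holds the contribution's admin session.
function admin_session_is_live() {
  global $login_id;
  return (tep_session_is_registered('login_id') && !empty($login_id));
}

if (!admin_session_is_live()) {
  tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
}

// Even a logged-in admin has no reason to browse this directory from the web.
tep_redirect(tep_href_link(FILENAME_DEFAULT));
?>
```

This file only stands in for the directory index; a request that names a file next to it (a .sql dump in backups/) is still answered by the web server, so the directory also needs a web-server deny rule (an Apache "Deny from all" in its .htaccess) or the backups moved outside the document root.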

I have been tirelessly trying to integrate Human Confirmation V1.2 into the login.php. I'm thinking that since brute force programs are essentially bots, this would prevent brute force attacks. Does anyone have any ideas on how to get this to work?

 

The contribution I'm trying to integrate is here: http://www.oscommerce.com/community/contri...an+confirmation

 

I just took snippets of it and pasted them into login.php in several different places, and followed the instructions, and instead of placing files in catalog/includes, I placed them in admin/includes, and such. When I go to type in the verification code, it comes back correct, but it just refreshes the page and none of the login script is done!? I am so frustrated.

 

Here is the top portion of the code, modified to include the human verification script that would normally be placed in "create_account.php".

 

  require('includes/application_top.php');

//START HUMAN VERIFICATION
// BOF // Contrib: Human confirmation v1.2

  $noautomationcode = $HTTP_SESSION_VARS["noautamationcode"];

  // -> v1.1 // Changed to work w/ random image names
  $img_dir  = $HTTP_SESSION_VARS["noautamationdir"];
  $img_name = $HTTP_SESSION_VARS["noautamationname"];
  // Find and delete old images
  if (strlen($img_name) >= 6) {
    $dirHandle = dir($img_dir);
    while ($fileHandle = $dirHandle->read()) {
      if (substr($fileHandle, 0, strlen($img_name)) == $img_name)
        @unlink($img_dir . $fileHandle);
    }
    $dirHandle->close();
  }
  // <- v1.1 // Changed to work w/ random image names
  if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'process')) {

    if (isset($HTTP_GET_VARS['thecode']) && ($HTTP_GET_VARS['thecode'] == $noautomationcode)) {

// EOF // Contrib: Human confirmation v1.2
//END HUMAN VERIFICATION

      $email_address = tep_db_prepare_input($HTTP_POST_VARS['email_address']);
      $password = tep_db_prepare_input($HTTP_POST_VARS['password']);

      // Check if email exists
      $check_admin_query = tep_db_query("select admin_id as login_id, admin_groups_id as login_groups_id, admin_firstname as login_firstname, admin_lastname as login_lastname, admin_email_address as login_email_address, admin_password as login_password, admin_modified as login_modified, admin_logdate as login_logdate, admin_lognum as login_lognum from " . TABLE_ADMIN . " where admin_email_address = '" . tep_db_input($email_address) . "'");
      if (!tep_db_num_rows($check_admin_query)) {
        $HTTP_GET_VARS['login'] = 'fail';
      } else {
        $check_admin = tep_db_fetch_array($check_admin_query);
        // Check that password is good
        if (!tep_validate_password($password, $check_admin['login_password'])) {
          $HTTP_GET_VARS['login'] = 'fail';
        } else {
          if (tep_session_is_registered('password_forgotten')) {
            tep_session_unregister('password_forgotten');
          }

          $login_id = $check_admin['login_id'];
          $login_groups_id = $check_admin['login_groups_id'];
          $login_firstname = $check_admin['login_firstname'];
          $login_lastname = $check_admin['login_lastname'];
          $login_email_address = $check_admin['login_email_address'];
          $login_logdate = $check_admin['login_logdate'];
          $login_lognum = $check_admin['login_lognum'];
          $login_modified = $check_admin['login_modified'];

          tep_session_register('login_id');
          tep_session_register('login_groups_id');
          tep_session_register('login_firstname');
          tep_session_register('login_lastname');

          //$date_now = date('Ymd');
          tep_db_query("update " . TABLE_ADMIN . " set admin_logdate = now(), admin_lognum = admin_lognum+1 where admin_id = '" . $login_id . "'");

          if (($login_lognum == 0) || !($login_logdate) || ($login_email_address == 'admin@localhost') || ($login_modified == '0000-00-00 00:00:00')) {
            tep_redirect(tep_href_link(FILENAME_ADMIN_ACCOUNT));
          } else {
            tep_redirect(tep_href_link(FILENAME_DEFAULT));
          }

        }
      }
    }
  }

 

This snippet is from where the form is first drawn, all the way to the footer.

<?php echo tep_draw_form('login', FILENAME_LOGIN, 'get', 'onSubmit="return check_form(login);"') . tep_draw_hidden_field('action', 'process'); ?>
<table width="280" border="0" cellspacing="0" cellpadding="2">
  <tr>
    <td class="login_heading" valign="top"> <b><?php echo HEADING_RETURNING_ADMIN; ?></b></td>
  </tr>
  <tr>
    <td height="100%" valign="top" align="center">
      <table border="0" height="100%" cellspacing="0" cellpadding="1" bgcolor="#666666">
        <tr><td><table border="0" width="100%" height="100%" cellspacing="3" cellpadding="2" bgcolor="#F0F0FF">
<?php
// if ($HTTP_GET_VARS['login'] == 'fail') {
//   $info_message = TEXT_LOGIN_ERROR;
// }

// BOF // Contrib: Human confirmation v1.2
  if ( ($process_okay == true) && ($thecode_okay == false) ) {
    $info_message = ENTRY_HUMANCHECK_ERROR;
  }
// EOF // Contrib: Human confirmation v1.2

  if (isset($info_message)) {
?>
          <tr>
            <td colspan="2" class="smallText" align="center"><?php echo $info_message; ?></td>
          </tr>
<?php
  } else {
?>
          <tr>
            <td colspan="2"><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
          </tr>
<?php
  }
?>
          <tr>
            <td class="login"><?php echo ENTRY_EMAIL_ADDRESS; ?></td>
            <td class="login"><?php echo tep_draw_input_field('email_address'); ?></td>
          </tr>
          <tr>
            <td class="login"><?php echo ENTRY_PASSWORD; echo $cool; ?></td>
            <td class="login"><?php echo tep_draw_password_field('password'); ?></td>
          </tr>
          <tr>
            <td>
<?php
// BOF // Contrib: Human confirmation v1.2
  if (!tep_session_is_registered('noautamationcode')) tep_session_register('noautamationcode');
  include('includes/human_confirmation.php');
  tep_session_close('noautamationcode');
// EOF // Contrib: Human confirmation v1.2
?>
            </td>
          </tr>
          <tr>
            <td colspan="2" align="right" valign="top"><?php echo tep_image_submit('button_confirm.gif', IMAGE_BUTTON_LOGIN); ?></td>
          </tr>
        </table></td></tr>
      </table>
    </td>
  </tr>
  <tr>
    <td valign="top" align="right"><?php echo '<a class="sub" href="' . tep_href_link(FILENAME_PASSWORD_FORGOTTEN, '', 'SSL') . '">' . TEXT_PASSWORD_FORGOTTEN . '</a><span class="sub"> </span>'; ?></td>
  </tr>
</table>
</form>
<?php require('includes/form_check.js.php'); ?>
</td>
</tr>
</table></td>
</tr>
<tr>
<td><?php require(DIR_WS_INCLUDES . 'footer.php'); ?></td>

 

Anyone have any insight on what I'm doing wrong?

 

I really think this can improve the security of this contrib dramatically, since script-kiddies would be powerless... :D
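An added example, not the poster's login.php and not the Human Confirmation or Admin Access code: the top of an admin login handler where the form, the handler and the session agree on where the typed code travels, and where the credentials are not examined until the code is right. It assumes MS2's tep_draw_form($name, $action, $parameters, $method, ...) argument order, that the Human Confirmation contribution keeps the expected code in the session variable noautamationcode (the name used in the posted code), and it leaves the credential lookup as the contribution has it.

```php
<?php
// Added example: the CAPTCHA gate at the top of admin/login.php, wired so that
// the action flag travels in the query string and every typed value (e-mail,
// password, thecode) travels in the POST body.
//
// Assumptions: MS2's tep_draw_form($name, $action, $parameters, $method, ...)
// argument order; the Human Confirmation contribution stores the expected code
// in the session as $noautamationcode; the contribution's own admin lookup and
// tep_validate_password() block follows unchanged where marked.
require('includes/application_top.php');

// Compare the issued code with the typed one.  An empty issued code can never
// match: a session without a code is a failed check, not a free pass.
function human_code_matches($expected, $typed) {
  $expected = (string)$expected;
  $typed = trim((string)$typed);
  if (strlen($expected) == 0) return false;
  return (strcmp($expected, $typed) === 0);
}

$process_okay = (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'process'));
$thecode_okay = false;

if ($process_okay) {
  $issued = (tep_session_is_registered('noautamationcode') ? $noautamationcode : '');
  $typed = (isset($HTTP_POST_VARS['thecode']) ? $HTTP_POST_VARS['thecode'] : '');
  $thecode_okay = human_code_matches($issued, $typed);
  // One code per attempt: drop it so the next submission needs a fresh image.
  if (tep_session_is_registered('noautamationcode')) tep_session_unregister('noautamationcode');

  if ($thecode_okay) {
    $email_address = tep_db_prepare_input($HTTP_POST_VARS['email_address']);
    $password = tep_db_prepare_input($HTTP_POST_VARS['password']);
    // The contribution's unchanged admin lookup, tep_validate_password() and
    // session registration block follows here.
  } else {
    // Picked up by the form below; the credentials were not looked at.
    $info_message = ENTRY_HUMANCHECK_ERROR;
  }
}
?>
<?php
// The form: action=process is a GET parameter, everything typed is POSTed, so
// the handler above finds e-mail, password and thecode in $HTTP_POST_VARS.
echo tep_draw_form('login', FILENAME_LOGIN, 'action=process', 'post',
                   'onSubmit="return check_form(login);"');
?>
```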


Which one should I install:

 

http://www.oscommerce.com/community/contributions,1359

 

http://www.oscommerce.com/community/contributions,1174

 

http://www.oscommerce.com/community/contributions,2037

 

Can someone help me decide which one is better, easier to use and install, ...

 

I only need to have more than 1 admin, and some of them should only be able to enter new products, but not do anything more in the admin area.

 

Thanks in advance. ;)


Hi Gang,

 

I have been trying to install BOTH the Admin Access and Multi Vendor Shipping contribs. They don't seem to work together, but it might be me of course...

 

Anyway, there is a vital need for vendors who are going to enter their own products through Admin Access to ONLY be able to modify their own products, and not the products entered by other vendors.

 

While I can get either contrib to work alone okay-ish, I'm not sure they will together accomplish what I want. I want ONE big store with lots of products, some of which are sold by this vendor and some by others. I do NOT want to create different categories for each vendor like a mall would do.

 

I just want the vendor to see only their products when they log into the store, and still be able to put products into the big store's pre-existing categories, modify the products, change prices, shipping weights, etc.

 

They do NOT need to be able to create new categories, nor any other admin functions. Just add/delete/modify products. And only their OWN products.

 

Any ideas?

 

-- Tom Bond,

ClubRestock.com


I installed this contrib:

http://forums.oscommerce.com/index.php?sho...=186194&hl=

 

I did everything as it said in the readme, and... IT DOESN'T WORK WELL

 

For me:

 

1) It is impossible to change the password of the created account "admin@localhost"; I can only modify the name and emails, but not the password.

Why???

 

2) If I create another admin account I CANNOT ENTER A PASSWORD, and of course there is no way to know what it is

 

3) To enter the admin area I have to enter the first account details (name and password) 2 times, and after this I arrive at another web page where I have to enter the new account email and password.

Is this the correct way for this mod to work??

If this is the way, I will have to give the main password to all admins, and I don't want to do this.

 

 

PLEASE HELP
