Guest (posted December 8, 2004, edited December 8, 2004 by jcall):

Simple Admin Access Control 1.0
Dec 07, 2004
Authors: Jared Call

What this contrib does:
========================
This contribution very simply adds the ability to limit sub-admin users to access only certain areas of the osCommerce administrative area. It assumes that you have already created these users in your host's control panel, requiring login to the /admin area with one of these usernames.

Disclaimer: This contrib has been designed for and tested with osCommerce 2.2 MS2. While it should easily work, perhaps with minor modifications, with other versions of osCommerce, it has not been tested as such.

If you find this contribution useful, please support the osCommerce project by becoming an osCommerce Community Sponsor. At the time of this writing, details of Community Sponsorship can be found at http://www.oscommerce.com/about/news,111 .

Downloadable from: http://www.oscommerce.com/community/contributions,2701
Stewart Gilray (posted December 8, 2004):

Hi,

Ok, using what you've said I've got the following users set up in my htaccess file:

admin
test

admin is to have total rights, whilst test is to have limited rights. Well, using what you've said, I changed the script so only ONE user, admin, is listed at the top. Using this rule you say that admin will have total access and test only limited. Guess what, it doesn't work... All users are limited.
Guest (posted December 8, 2004):

Please post your modified code here so that I can have a look.

-jared
Stewart Gilray (posted December 9, 2004):

> Please post your modified code here so that I can have a look. -jared

Actually I put it back the way it was, and still nothing. Here's the code...

if ($messageStack->size > 0) {
  echo $messageStack->output();
}

// Usernames are string literals; as bare words they would only work via PHP's undefined-constant fallback
if ( ($PHP_AUTH_USER != 'admin') && ($PHP_AUTH_USER != 'admin') ) {
  if ( ($PHP_SELF != "/admin/orders.php") && ($PHP_SELF != "/admin/invoice.php") && ($PHP_SELF != "/admin/packing_slip.php") && ($PHP_SELF != "/admin/customers.php") ) {
    die("<br><Br><center>You are not authorized to view this page.\n\n</center>");
  }
}
?>
Guest (posted December 9, 2004, edited December 9, 2004 by jcall):

Ahh, there's the problem. If you have only one user, change the first line from:

if ( ($PHP_AUTH_USER != 'admin') && ($PHP_AUTH_USER != 'admin') )

to:

if ($PHP_AUTH_USER != 'admin')

Edit: On second thought, that's probably not the problem. Back in a few minutes.

-jared
Guest (posted December 9, 2004):

Ok, I just copied-n-pasted from your post into my includes/admin/header.php, then changed the username from admin to one of my admin usernames. It worked for me with no other changes.

As a troubleshooting step, change this line:

<td><?php echo tep_image(DIR_WS_IMAGES . STORE_LOGO, STORE_NAME); ?></td>

to this:

<td><?php echo $PHP_AUTH_USER; echo tep_image(DIR_WS_IMAGES . STORE_LOGO, STORE_NAME); ?></td>

Log in to the admin area, then click on Customers or one of the other "allowed" areas. Your username, as recorded by $PHP_SELF, should show up in the top left corner of the screen. Is it correct?

-jared
TCwho (posted December 9, 2004, edited December 9, 2004 by TCwho):

Hmm... Didn't work for me... There is only 1 Admin (myself) and now the client... I tried every which way I can think of... I added my name... took off my name... nothing... the only thing I can get to is the main admin page... then I can't access anything. Right now I left it at this:

<?php
/*
  $Id: header.php,v 1.19 2002/04/13 16:11:52 hpdl Exp $

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright (c) 2002 osCommerce

  Released under the GNU General Public License
*/

if ($messageStack->size > 0) {
  echo $messageStack->output();
}

// Usernames as string literals (bare words only work via the undefined-constant fallback)
if ( ($PHP_AUTH_USER != 'adminuser1') && ($PHP_AUTH_USER != 'secondusernotused') ) {
  if ( ($PHP_SELF != "/admin/orders.php") && ($PHP_SELF != "/admin/invoice.php") && ($PHP_SELF != "/admin/packing_slip.php") && ($PHP_SELF != "/admin/customers.php") ) {
    die("You are not authorized to view this page.\n\n");
  }
}
?>

For adminuser1 I had put my actual username... I never did use the second user name so I had changed it to what you see above, as I was just trying to test... I'm under the impression anyone not in $PHP_AUTH_USER!= will get to access everything... everyone else will be limited to the above pages? Right?

:::Edited::: Oh, didn't use htaccess... only using control panel... using Firefox, and then tried using IE.
TCwho (posted December 9, 2004, edited December 9, 2004 by TCwho):

Ok. I closed out my browsers, which I had not done before... loaded it up... got to the admin page... clicked on stuff and kept getting this:

Parse error: parse error, unexpected '{' in /homepages/15/d113630270/htdocs/catalog/admin/includes/header.php on line 18

Here is my code:

if ($messageStack->size > 0) {
  echo $messageStack->output();
}

if ( ($PHP_AUTH_USER != 'abdurrahman') {
  if ( ($PHP_SELF != "/catalog/admin/orders.php") && ($PHP_SELF != "/admin/invoice.php") && ($PHP_SELF != "/admin/packing_slip.php") && ($PHP_SELF != "/admin/customers.php") ) {
    die("You are not authorized to view this page.\n\n");
  }
}

:::Edited::: Oh, btw, before (this time after closing my browsers) I was getting the statement under for die in the top left corner...
TCwho (posted December 9, 2004):

:::Edited::: Again :blush: I added the missing ) in the first if statement... and got back to the same error as before... can get to admin, but everything I click on shows me: You are not authorized to view this page.
TCwho (posted December 10, 2004):

Hmm, I just checked my server info and I cannot find support for $PHP_SELF and $PHP_AUTH_USER. PHP Version 4.3.8. Guess that's why it's not working, but very nice... good idea for something this simple.
Guest (posted December 10, 2004):

> I'm under the impression anyone not in $PHP_AUTH_USER!= will get to access everything... everyone else will be limited to the above pages? Right?

Quite the opposite. You list the "superusers" in the file, and everyone else gets rights to only the files listed. The logic is something like this: If you're NOT one of those users listed, you ONLY get access to the files listed.

In retrospect, I imagine it's a bit convoluted. <shrug>

-jared
TCwho (posted December 10, 2004):

> In retrospect, I imagine it's a bit convoluted. <shrug>

Good simple idea though. Glad I could do my part by testing it.
Guest (posted December 10, 2004):

I am also running PHP 4.3.8. If you search the /admin/server_info.php page for PHP_SELF (as opposed to $PHP_SELF) you should see it.

I guess it'd be easier to read if it were like this:

// Superusers get everything; the empty then-branch is deliberate
if ( ($PHP_AUTH_USER == 'admin1') || ($PHP_AUTH_USER == 'admin2') ) {
  ;
} else {
  if ( ($PHP_SELF != "/admin/orders.php") && ($PHP_SELF != "/admin/invoice.php") && ($PHP_SELF != "/admin/packing_slip.php") && ($PHP_SELF != "/admin/customers.php") ) {
    die("<br><Br><center>You are not authorized to view this page.\n\n</center>");
  }
}

I just tested that and it works the same way. I'll resubmit in a couple of days with the easier-to-read code. Sorry for the confusion.

It *still* should work for you, though. Do you see PHP_SELF on the server_info.php page?

-jared
TCwho (posted December 10, 2004):

Doh! I do have PHP_SELF. Hmm, must have been spending too much time looking at the monitor :lol: but I don't see PHP_AUTH_USER. I will try it again... be back in a few.
TCwho (posted December 10, 2004):

Alright, still doesn't work... but I gathered as much info as I could. You can take a look HERE.
Guest (posted December 10, 2004):

Let's get some debug output. Change the die statement to read as follows:

{
  die("<br>PHP_AUTH_USER: $PHP_AUTH_USER <br>PHP_SELF: $PHP_SELF<Br><center>You are not authorized to view this page.\n\n</center>");
}

Then tell me what you see.

-jared
TCwho (posted December 10, 2004, edited December 10, 2004 by TCwho):

I got this:

PHP_AUTH_USER:
PHP_SELF: /catalog/admin/orders.php
You are not authorized to view this page.

after I changed per your instructions to:

if ($messageStack->size > 0) {
  echo $messageStack->output();
}

if ( ($PHP_AUTH_USER == 'UserNameHere') || ($PHP_AUTH_USER == 'admin2') ) {
  ;
} else {
  if ( ($PHP_SELF != "/admin/orders.php") && ($PHP_SELF != "/admin/invoice.php") && ($PHP_SELF != "/admin/packing_slip.php") && ($PHP_SELF != "/admin/customers.php") ) {
    die("<br>PHP_AUTH_USER: $PHP_AUTH_USER <br>PHP_SELF: $PHP_SELF<Br><center>You are not authorized to view this page.\n\n</center>");
  }
}
?>
Guest (posted December 11, 2004):

Well, that's it then. PHP_AUTH_USER has no value. How did you set up the username/password again? Are they in .htaccess and an .htpassword directory? Did you do them yourself or with a control panel of some sort?

As an alternate to PHP_AUTH_USER, we could try _SERVER["PHP_AUTH_USER"] or _SERVER["REMOTE_USER"]. I haven't tried either of those before, but I think it's the same syntax. If you wanted to similarly restrict users from a certain IP address, we could use _SERVER["REMOTE_ADDR"].

I'll hack at it for a bit; you do the same.

-jared
TCwho (posted December 11, 2004):

I have only set it up from my domain control panel...

> As an alternate to PHP_AUTH_USER, we could try _SERVER["PHP_AUTH_USER"] or _SERVER["REMOTE_USER"]

Ok, I will try those.
Guest (posted December 11, 2004, edited December 11, 2004 by jcall):

Try this, for debug output:

if ( ($PHP_AUTH_USER == 'admin1') || ($PHP_AUTH_USER == 'admin2') ) {
  ;
} else {
  // Print every candidate source of the username so we can see which one the server fills in
  echo "<br>PHP_AUTH_USER: " . $PHP_AUTH_USER;
  echo "<br>PHP_SELF: " . $PHP_SELF;
  echo "<br>_SERVER[PHP_AUTH_USER]: " . $_SERVER['PHP_AUTH_USER'];
  echo "<br>_SERVER[REMOTE_USER]: " . $_SERVER['REMOTE_USER'];
  echo "<br>_SERVER[REMOTE_ADDR]: " . $_SERVER['REMOTE_ADDR'];
  if ( ($PHP_SELF != "/admin/orders.php") && ($PHP_SELF != "/admin/invoice.php") && ($PHP_SELF != "/admin/packing_slip.php") && ($PHP_SELF != "/admin/customers.php") ) {
    die("<br><br><center>You are not authorized to view this page.\n\n</center>");
  }
}

Let me know if you get results for any of those variables.

-jared
TCwho (posted December 11, 2004):

Got it working thanks to your debugging code above... btw, I only started touching PHP a little over a month ago, when I installed x**ps... then a few days later installed osC. Gonna put it all together for you to see and send you a PM.
Guest (posted December 11, 2004, edited December 11, 2004 by jcall):

I had no idea Xoops had an e-commerce module. I guess that only makes sense, but it shows you what I know. :)

I'm glad you got it working! For anyone following along, the $_SERVER[REMOTE_USER] variable was what worked in this case to get the username. He also noted that the original instructions (to be amended in the next rev) do not account for a non-root (i.e. /catalog or /shop or ecommerce/shop, etc.) installation. The easy workaround should be to just modify the file paths in the instructions to fit your installation.

Thanks, Danilov!

-jared
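As an added example, not part of the contribution and not code from any post in this thread, here is one way to write the same header.php check so that it covers the two things settled above: the username is read from REMOTE_USER when PHP_AUTH_USER is empty (the case that worked here), and only the script's file name is compared, so a /catalog or /shop install needs no path edits. It also fails closed when no username is present at all, which the original check does not. The function names (admin_auth_user, admin_access_allowed, admin_enforce_access), the sample usernames and the sample $_SERVER values are assumptions made for this example.

```php
<?php
// Added example: a hardened variant of the header.php check discussed in this
// thread. It is not the contribution's own code. The function names and the
// sample usernames below are assumptions made for this example.

// Superusers (full access) and the admin scripts everyone else may open.
// Constructed sample values; replace with your own usernames.
$superusers      = array('admin1', 'admin2');
$allowed_scripts = array('orders.php', 'invoice.php', 'packing_slip.php', 'customers.php');

// Returns the authenticated username from whichever variable the web server
// populates: PHP_AUTH_USER when PHP itself parses the Basic auth header,
// REMOTE_USER when Apache has already authenticated the request through
// .htaccess/.htpasswd (the variable that worked in this thread).
// Returns '' when neither is set, so the caller can deny.
function admin_auth_user($server) {
    foreach (array('PHP_AUTH_USER', 'REMOTE_USER') as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }
    return '';
}

// Decides whether $user may run the script at $script_path (the value of
// $_SERVER['PHP_SELF']). Only the file name is compared, so the check is the
// same whether the store lives at / or at /catalog, /shop etc. An empty
// username is always denied: a missing auth variable must fail closed rather
// than fall through to "allowed". Strict in_array() avoids loose comparisons.
function admin_access_allowed($user, $script_path, $superusers, $allowed_scripts) {
    if ($user === '') {
        return false;
    }
    if (in_array($user, $superusers, true)) {
        return true;
    }
    return in_array(basename($script_path), $allowed_scripts, true);
}

// Glue for includes/header.php: stop the page before the admin menu is sent.
// The username is escaped because it is request-controlled input echoed back.
function admin_enforce_access($superusers, $allowed_scripts) {
    $user = admin_auth_user($_SERVER);
    $self = isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : '';
    if (!admin_access_allowed($user, $self, $superusers, $allowed_scripts)) {
        die('<br><br><center>You are not authorized to view this page (user: '
            . htmlspecialchars($user) . ').</center>');
    }
}

// Stand-alone demonstration with constructed values; run with the PHP CLI.
// In header.php you would instead call admin_enforce_access($superusers, $allowed_scripts).
if (PHP_SAPI === 'cli') {
    $cases = array(
        array('admin1', '/catalog/admin/categories.php'),    // superuser: any page
        array('clerk',  '/catalog/admin/orders.php'),        // restricted user, allowed page
        array('clerk',  '/catalog/admin/configuration.php'), // restricted user, denied
        array('',       '/admin/orders.php'),                // no auth variable: denied
    );
    foreach ($cases as $c) {
        $ok = admin_access_allowed($c[0], $c[1], $superusers, $allowed_scripts);
        printf("%-7s %-36s %s\n", $c[0] === '' ? '(none)' : $c[0], $c[1], $ok ? 'allowed' : 'denied');
    }
}
```

Two notes on the design. The osCommerce admin pages include header.php after the HTML body has started, so this version sends no 403 status line (header() would fail once output has begun); if you want a real 403, call admin_enforce_access() from application_top.php instead. Comparing basename() of PHP_SELF also means a request such as orders.php/extra, where the server appends path info, is compared as "extra" and denied, which is the safe direction. This check only limits what an already-authenticated user can open; the web server's own authentication on the /admin directory remains the control that keeps everyone else out.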
TCwho (posted December 11, 2004):

:D Glad to help, and thanks to you for a great Simple Admin Access Control contribution. Oh, and I don't know if Xoops had an osC module... first tried Xoops... then Mambo... then found osC... and haven't looked back... well, for this type of application :thumbsup:
kaos9889 (posted December 22, 2004):

Ok, I'm using your simple admin contribution and here is my problem. There are two user names: the first, admin1, will be my username and needs to have access to everything, and the second is admin2, which is the one I need to restrict.

if ( ($PHP_AUTH_USER == 'admin1') || ($PHP_AUTH_USER == 'admin2') ) {
  ;
} else {
  if ( ($PHP_SELF != "/admin/orders.php") && ($PHP_SELF != "/admin/invoice.php") && ($PHP_SELF != "/admin/packing_slip.php") && ($PHP_SELF != "/admin/customers.php") ) {
    die("<br><Br><center>You are not authorized to view this page.\n\n</center>");
  }
}

That is what I am using, and everything is blocked on both accounts. Any ideas?
Guest (posted December 30, 2004):

Sorry for the delay; things have been very hectic. :(

Everything is being blocked? Even orders.php, invoice.php, and the other two?

Have you tried the troubleshooting steps earlier in the thread about using $_SERVER[REMOTE_USER] instead of $PHP_AUTH_USER?

-jared