
Simple Admin Access Control



Sure! Let's assume that you have 3 users: fulladmin, orderadmin, and productadmin.

 

Try this:

// give user "fulladmin" full rights
if ($PHP_AUTH_USER == 'fulladmin') {
  // nothing to restrict
} elseif ($PHP_AUTH_USER == 'orderadmin') {
  // give user "orderadmin" rights to just the "order" pages
  if ( ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "customers.php") ) {
    die("<br><br><center>You are not authorized to view this page.\n\n</center>");
  }
} elseif ($PHP_AUTH_USER == 'productadmin') {
  // give user "productadmin" rights to just the "product" pages
  if ( ($PHP_SELF != DIR_WS_ADMIN . "categories.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "products_attributes.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "manufacturers.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "specials.php") ) {
    die("<br><br><center>You are not authorized to view this page.\n\n</center>");
  }
} else {
  // any other user gets no admin pages at all; this die must sit in its own
  // else branch, not after the nested ifs, or every non-fulladmin user is denied
  die("<br><br><center>You are not authorized to view this page.\n\n</center>");
}

 

I didn't test this, but I think that all of the brackets are in the right place. :)

 

If you want any more users, we'd be better off using a case statement instead of so many if statements.

 

-jared


I don't really remember why I put the newlines in there. I suppose I was planning on writing something insulting to the user for trying to access pages they didn't have rights to. I'm always looking for upwards compatibility. :P

 

The <br> ones were just to improve readability a touch. You could certainly use any of these ones instead:

{ die("<br><br><center><font size=\"10\"><u>You</u></font> are <font size=\"10\">NOT</font> authorized to view this page. Hrpmh.</center>"); }

{ die("<br><br><center>Move along.  Nothing to see here, folks.</center>"); }

{ die("<br><br><center>You can't get there from here.</center>"); }

{ die("<br><br><center>Press any _other_ key to continue.</center>"); }

{ die("<br><br><center>Access denied.<br><br>You have failed to comply with one or more of the following restrictions:
<ul>
 <li>You are not at least<u>    THIS    </u> tall.</li>
 <li>You are not accompanied by an adult.</li>
 <li>Since this is void where prohibited, and prohibited where you are, it is, well, void.</li>  
 <li>This is not a participating location.</li>
 <li>You did not keep your arms and legs inside the ride at all times.</li>
 <li>Terms and Conditions have changed without notice.</li>
 <li>Batteries not included.</li>
 <li>Contents have settled during shipping.</li>
 <li>You are not a trained professional, and this is not a closed course.</li>
 <li>You do not appear to be wearing your safety goggles.</li>
 <li>No shirt, no shoes, well, you know.</li>
 <li>IANAL</li>
 <li>All your base are belong to ME!</li>
 <li>So this dog walks in to a bar . . .</li></ul></center>"); }

 

-jared


After hours of testing (MY first contribution installed), I also changed the $PHP_AUTH_USER to ($_SERVER[REMOTE_USER] and everything worked fine.

 

I don't know if this info will help determine when to use which, but I'm on a Linux server (Red Hat) with a Plesk management system.

 

Great Contribution, by the way! Now if I can just master a few others........


Tammy,

 

I'm glad you got it working! Since you mention that this is your first installed contrib, have a look at the "Tools" box on the left side of my blog. There are some handy items there that can make installing contributions much easier.

 

Thank you for your server details -- hopefully, if a few more people post that detail here, we can have a better understanding of which systems need which variables.

 

-jared


 

This doesn't work (well it doesn't work when I try)

I've tried the simpler version and that works without any modification. So no problems on the $PHP_AUTH_USER bit for me.

 

I'll redo it and post the output.


Awesome contribution! Was going to write my own when I came across this one. Simple and very functional. It took me a while to figure out why $PHP_AUTH_USER wasn't working on my website. In case anyone is curious, it's because I'm running a CGIwrap version of PHP. That's probably why people are having troubles... If you run CGIwrap, you'll need to use the $_SERVER[REMOTE_USER] variable instead.

 

Thanks!

 

Ken


Hi there

 

I've used $PHP_AUTH_USER and ($_SERVER[REMOTE_USER] with and without the ' ' and still I can't seem to access any of the admin files if I log in as the secondary admin.

 

I'm using the exact code

 

if ($PHP_AUTH_USER == 'admin1') {
  // admin1 has full rights
} else {
  // everyone else may only open these four pages
  if ( ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "customers.php") ) {
    die("<br><br><center>You are not authorized to view this page.\n\n</center>");
  }
}

 

and I have created a secondary user in cPanel. Unfortunately I still get the 'you are not authorized' message when trying to open any of the paths it is meant to be authorised for.

 

Is there something I'm missing somewhere?

 

Thanks

 

Joe


hi

 

this seems a really easy to use and install contribution....

 

... can someone please tell me the biggest difference between this and the Admin Access Level contribution, apart from having to take ages installing that and adding extra SQL instructions for contributions added on!

 

thanks

Upon receiving fixes and advice, too many people don't bother to post updates informing the forum of how it went. Until of course they need help again on other issues and they come running back!

 

Why receive the information you require in good faith for free, only to then have the attitude to ignore the people who gave it to you?

 

There's no harm in saying, 'Thanks, it worked'. On the contrary, it creates a better atmosphere.

 

CHOOCH



 

I haven't used the AAL contrib, but this IS really easy to mod... I suggest you use this one.



hi

 

is there a way to reverse the set-up so that the listed files are the ones that CANNOT be viewed (unless admin authorised?)

 

thanks

CHOOCH



 

To be honest, there aren't that many files in admin anyway, so I'm not sure why you'd want to do that.


Aleem - Admin Access Levels has more features, but is a bit overkill, in my opinion, for what most people want. It includes:

- create additional administrative users from osC Admin

- new admin users get emailed their password

- admin users can change their "user profile" (i.e. password / email address / name) from the osC admin

- every time you add a new admin file, like a new report or something, you have to slightly modify the syntax (it's fairly obvious) of how you reference that file in admin/includes/boxes/reports.php (assuming it's a new report). Then, you have to go into the Admin area and "store" that new admin file in the proper menu.

- new pretty admin login that doesn't rely on you having to create .htaccess / .htpasswd files.

- admin user and admin access configuration is stored in the database

- it's much more involved to install

 

This contrib is really simple - you create the users in your control panel, or manually using one of the many many web-based .htaccess / .htpasswd creation tools, and then you put those usernames in admin/includes/header.php. Either they have access to the files you specify, or they don't. Nothing fancy. After you create the users, you edit one file, admin/includes/header.php, pasting in a few lines.

 

If you want to reverse the functionality, and specify which files to deny, rather than grant, then change this:

  if ( ($PHP_AUTH_USER == 'admin1') || ($PHP_AUTH_USER == 'admin2') ||
       ($_SERVER['REMOTE_USER'] == 'admin1') || ($_SERVER['REMOTE_USER'] == 'admin2') ) {
    // admin1 and admin2 have full rights
  } else {
    echo $_SERVER['REMOTE_USER'];   // debug output showing which user the server reports
    // everyone else may only open these four pages
    if ( ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
         ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
         ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
         ($PHP_SELF != DIR_WS_ADMIN . "customers.php") ) {
      die("<br><br><center>You are not authorized to view this page.\n\n</center>");
    }
  }

 

to this:

  if ( ($PHP_AUTH_USER == 'admin1') || ($PHP_AUTH_USER == 'admin2') ||
       ($_SERVER['REMOTE_USER'] == 'admin1') || ($_SERVER['REMOTE_USER'] == 'admin2') ) {
    // admin1 and admin2 are denied these four pages. The matches are joined with ||:
    // $PHP_SELF can only equal one of the names at a time, so && would never fire.
    if ( ($PHP_SELF == DIR_WS_ADMIN . "orders.php") ||
         ($PHP_SELF == DIR_WS_ADMIN . "invoice.php") ||
         ($PHP_SELF == DIR_WS_ADMIN . "packing_slip.php") ||
         ($PHP_SELF == DIR_WS_ADMIN . "customers.php") ) {
      die($_SERVER['REMOTE_USER'] . "<br><br><center>You are not authorized to view this page.\n\n</center>");
    }
  } else {
    // everyone else is unrestricted
  }

 

That should deny the admin1 and admin2 users from orders.php, invoice.php, packing_slip.php, and customers.php.

 

-jared

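As an added example that is not the contribution's own code nor any poster's, this is a table-driven form of the checks discussed in this thread: it covers jared's suggestion of a case statement for more users, the $PHP_AUTH_USER versus REMOTE_USER difference reported on CGI setups, and the reversed deny-list variant above. It assumes it is pasted into admin/includes/header.php of an osCommerce 2.x admin protected by HTTP Basic auth; the usernames and page lists are the thread's sample values.

```php
<?php
// Added example, not the contribution's code: the same allow/deny checks as the
// snippets in this thread, but driven by two arrays so that adding a user means
// adding one line instead of another nested if. Usernames are the thread's samples.

// Allow-list: user => admin scripts that user may open ('*' = everything).
$sac_allow = array(
  'fulladmin'    => '*',
  'orderadmin'   => array('orders.php', 'invoice.php', 'packing_slip.php', 'customers.php'),
  'productadmin' => array('categories.php', 'products_attributes.php',
                          'manufacturers.php', 'specials.php'),
);
// Deny-list (the reversed variant): user => scripts that user may NOT open.
$sac_deny = array(
  'admin1' => array('orders.php', 'invoice.php', 'packing_slip.php', 'customers.php'),
);

// mod_php fills PHP_AUTH_USER; CGI/CGIwrap setups only fill REMOTE_USER (both
// reported in this thread), so accept whichever one the server provides.
function sac_current_user() {
  if (!empty($_SERVER['PHP_AUTH_USER'])) return $_SERVER['PHP_AUTH_USER'];
  if (!empty($_SERVER['REMOTE_USER']))   return $_SERVER['REMOTE_USER'];
  return '';
}

// Deny wins over allow; a user listed in neither table gets nothing (deny by default).
function sac_allowed($user, $script, $allow, $deny) {
  if (isset($deny[$user]) && in_array($script, $deny[$user], true)) return false;
  if (!isset($allow[$user])) return isset($deny[$user]);  // deny-list only: rest is open
  if ($allow[$user] === '*') return true;
  return in_array($script, $allow[$user], true);
}

// Compare on the script's basename rather than the full $PHP_SELF path, so the
// check is unaffected by how DIR_WS_ADMIN relates to the path the server reports.
$sac_script = basename($_SERVER['SCRIPT_NAME']);
if (!sac_allowed(sac_current_user(), $sac_script, $sac_allow, $sac_deny)) {
  die('<br><br><center>You are not authorized to view this page.</center>');
}
?>
```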

Jared - thanks for the reply

 

yes, this is by far an easier way to allow admin access levels

 

thanks for the post, it is easier to keep it as it is.

 

BTW, I have the following code:

 

===============================================================

 

if ($PHP_AUTH_USER == 'USERNAME') {   // USERNAME stands for the full-rights admin's login
  // full rights
} else {
  // everyone else may only open these three pages
  if ( ($PHP_SELF != DIR_WS_ADMIN . "mail.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "customers.php") ) {
    die("<br><br><center>You are not authorized to view this page.\n\n</center>");
  }
}

 

===============================================================

 

is this the latest and best code to have? it differs from what you posted above.

 

thanks

CHOOCH


Aleem - - there is nothing wrong with your code. I've modified mine to allow for multiple admins, but also because some servers seem to work with $PHP_AUTH_USER, while other servers seem to ignore it completely and use $_SERVER[REMOTE_USER].

 

Since that code snippet now has both of them in there, it should work on both of those types of servers.

 

HTH

 

-jared


Hi,

I am looking at installing this module but i have some questions:

My osCommerce site is hosted on iPowerweb servers.

How do I create other users, since I do not have SSH access?

I would like to create multiple users and assign them different access rights....

Has anyone done this using iPowerweb hosting?

 

On the iPowerweb control panel I can create email accounts and FTP users, but I do not know how to create users that are allowed to log in to the osCommerce admin section...

 

Please help...

 

Thanks in advance...


Hi can anyone please help me with my questions.... see below...

 

Thanks

 

Hi,

I am looking at installing this module but i have some questions:

My osCommerce site is hosted on iPowerweb servers.

How do I create other users, since I do not have SSH access?

I would like to create multiple users and assign them different access rights....

Has anyone done this using iPowerweb hosting?

 

On the iPowerweb control panel I can create email accounts and FTP users, but I do not know how to create users that are allowed to log in to the osCommerce admin section...

 

Please help...

 

Thanks in advance...

You should be able to create new users using iPowerweb's control panel. It may be listed under "password protect directory" or something like that.

 

-jared

 

Hi Jared - I tried everything mentioned previously: I did create users and can log in using "fulladmin" and use all functions; when logging in as "orderadmin" I get to the admin page and then everything else is blocked.

 

Tried:

 

if ($_SERVER['REMOTE_USER'] == 'fulladmin') {
  // full rights
} else {
  if ( ($PHP_SELF != DIR_WS_ADMIN . "/osCommerce2/catalog/admin/orders.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "/osCommerce2/catalog/admin/packing_slip.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "/osCommerce2/catalog/admin/customers.php") ) {
    die("<br><br><center>You are not authorized to view this page.\n\n</center>");
  }
}

 

Tried it with $PHP_AUTH_USER instead of $_SERVER, tried it without the directory path and withOUT the directory path

 

Any help for me here? Thanks much in advance!

 

Ron


try using statements like this to debug what's going on:

die($PHP_SELF);

or

die($PHP_AUTH_USER);

or

die($_SERVER['REMOTE_USER']);

 

the "die" command will halt execution of the script, and display whatever is in the ().

 

-jared
