osCommerce

Simple Admin Access Control


Please post or send me the results of the debug output from the following:

 

  if ( ($PHP_AUTH_USER==admin1) || ($PHP_AUTH_USER==admin2) )
  {;
  } else {
   echo "<br>PHP_AUTH_USER:  " . $PHP_AUTH_USER;
   echo "<br>PHP_SELF:  " . $PHP_SELF;
   echo "<br>_SERVER[PHP_AUTH_USER]:  " . $_SERVER['PHP_AUTH_USER'];
   echo "<br>_SERVER[REMOTE_USER]:  " . $_SERVER['REMOTE_USER'];
   echo "<br>_SERVER[REMOTE_ADDR]:  " . $_SERVER['REMOTE_ADDR'];
      if ( ($PHP_SELF != "/admin/orders.php") &&
          ($PHP_SELF != "/admin/invoice.php") &&
          ($PHP_SELF != "/admin/packing_slip.php") &&
          ($PHP_SELF != "/admin/customers.php") )
       { die("<br><br><center>You are not authorized to view this page.\n\n</center>"); }
  }

 

-jared


OK, I'm using your Simple Admin Control and here is my problem: there are two user names. The first, admin1, will be my username and needs to have access to everything, and the second is admin2, which is the one I need to restrict.

 

If that is how you want it set up, then you only need to have one admin listed in the code.

 

All accounts not listed in the code will be the ones with the restrictions.


Hi,

 

I get a fatal error when I want to log in.

 

The message is :

Fatal error: Call to undefined function: tep_admin_check_login() in /home/soundtra/sd/www.shop/admin/includes/application_top.php on line 213

 

What should I do? The message has been there since I installed the meta-tag contrib.

 

And the line 213 in application_top.php is :

//Admin begin
  if (basename($PHP_SELF) != FILENAME_LOGIN && basename($PHP_SELF) != FILENAME_PASSWORD_FORGOTTEN) {
    tep_admin_check_login();
  }
//Admin end

 

Thanks

ms2


  • 4 weeks later...

It doesn't work. I get the same problem; I can't get into anything.

 

 

if ($messageStack->size > 0) {
  echo $messageStack->output();
}

if ($PHP_AUTH_USER==admin1)
{;
} else {
  if ( ($PHP_SELF != "/admin/orders.php") &&
       ($PHP_SELF != "/admin/invoice.php") &&
       ($PHP_SELF != "/admin/packing_slip.php") &&
       ($PHP_SELF != "/admin/customers.php") )
   { die("<br><Br><center>You are not authorized to view this page.\n\n</center>"); }
}

?>

<table border="0" width="100%" cellspacing="0" cellpadding="0">
<tr>
<td><?php echo tep_image(DIR_WS_IMAGES . 'logowebwinkeldesign.jpg', '', '324', '59'); ?></td>
<td align="right"><?php echo '<a href="http://www.webwinkeldesign.nl" target="_blank">' . tep_image(DIR_WS_IMAGES . 'header_support.gif', HEADER_TITLE_SUPPORT_SITE, '50', '50') . '</a>  <a href="' . tep_catalog_href_link() . '">' . tep_image(DIR_WS_IMAGES . 'header_checkout.gif', HEADER_TITLE_ONLINE_CATALOG, '53', '50') . '</a>  <a href="' . tep_href_link(FILENAME_DEFAULT, '', 'NONSSL') . '">' . tep_image(DIR_WS_IMAGES . 'header_administration.gif', HEADER_TITLE_ADMINISTRATION, '50', '50') . '</a>'; ?>  </td>
</tr>
<tr class="headerBar">
<td class="headerBarContent">  <?php echo '<a href="' . tep_href_link(FILENAME_DEFAULT, '', 'NONSSL') . '" class="headerLink">' . HEADER_TITLE_TOP . '</a>'; ?></td>
<td class="headerBarContent" align="right"><?php echo '<a href="http://www.webwinkeldesign.nl" class="headerLink">' . HEADER_TITLE_SUPPORT_SITE . '</a>&nbsp;&nbsp;|&nbsp;&nbsp;<a href="' . tep_catalog_href_link() . '" class="headerLink">' . HEADER_TITLE_ONLINE_CATALOG . '</a>&nbsp;&nbsp;|&nbsp;&nbsp;<a href="' . tep_href_link(FILENAME_DEFAULT, '', 'NONSSL') . '" class="headerLink">' . HEADER_TITLE_ADMINISTRATION . '</a>'; ?>  </td>
</tr>
</table>

Edited by mjeroense

Are you logging in as admin1? If not, you'll only have access to orders.php and those 3 others. If you're logging in as a user named "fred" for example, you'll need to change that first line from:

 if ($PHP_AUTH_USER==admin1)

to

 if ($PHP_AUTH_USER==fred)

 

-jared


If you remove that section of code completely, the portion from this contrib, does everything work properly?

 

YES

 

What happens if you browse to http://website/admin/orders.php directly? Can you get there from a non-admin1 user?

 

If I do that, first I get the login screen, because I made that secure, so I log in with my username and password. If I log on with a non-admin1 user, I get the message on all pages of the admin: You are not authorized to view this page.

 

 

 

-jared


Found the problem. Change the paths for each of those files to be /webwinkel/admin/orders.php instead of /admin/orders.php.

 

 

It now occurs to me that this is a better way to do it:

 if ($PHP_AUTH_USER==admin1)
{;
} else {
if ( ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
($PHP_SELF != DIR_WS_ADMIN . "customers.php") )
{ die("<br><Br><center>You are not authorized to view this page.\n\n</center>"); }
}

 

I should have done it that way to begin with; it didn't occur to me at the time that folks install in other directories. <grin>

 

Lemme know if that works for you.

 

-jared


if ($PHP_AUTH_USER==admin1)
{;
} else {
  if ( ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "customers.php") )
   { die("<br><br><center>You are not authorized to view this page.\n\n</center>"); }
}

 

 

 

if ($PHP_AUTH_USER==admin1) <---- [email protected] ?

 

but : You are not authorized to view this page. :-(


This is my code:

if ($PHP_AUTH_USER==toni)
{;
} else {
  if ( ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "packing_slip.php") &&
       ($PHP_SELF != DIR_WS_ADMIN . "customers.php") )
   { die("<br><br><center>You are not authorized to view this page.\n\n</center>"); }
}

This is my .htaccess:

AuthName "PRIVAT"
AuthType Basic
AuthUserFile /var/www/web1/html/logad/.htpasswd
<Limit GET>
require valid-user
</Limit>

 

message : You are not authorized to view this page. :-(:-(:-(:-(:-(


Hi Jared,

 

I try to implement your code in my (first) shop. Sadly I get some problems: My code is the following:

 

    echo "<br>PHP_AUTH_USER:  " . $PHP_AUTH_USER;
  echo "<br>PHP_SELF:  " . $PHP_SELF;
  echo "<br>_SERVER[PHP_AUTH_USER]:  " . $_SERVER['PHP_AUTH_USER'];
  echo "<br>_SERVER[REMOTE_USER]:  " . $_SERVER['REMOTE_USER'];
  echo "<br>_SERVER[REMOTE_ADDR]:  " . $_SERVER['REMOTE_ADDR'];
  echo "<br> DIR_WS_ADMIN:  " . DIR_WS_ADMIN;

 if ($messageStack->size > 0) {
   echo $messageStack->output();
 }
 if ($_SERVER['REMOTE_USER']==osc-shop)
  {;
  } else {
     if ( ($PHP_SELF != DIR_WS_ADMIN . "orders.php") &&
          ($PHP_SELF != DIR_WS_ADMIN . "invoice.php") &&
          ($PHP_SELF != DIR_WS_ADMIN . "reviews.php") &&
          ($PHP_SELF != DIR_WS_ADMIN . "specials.php") &&
          ($PHP_SELF != DIR_WS_ADMIN . "stats_products_viewed.php") &&
          ($PHP_SELF != DIR_WS_ADMIN . "stats_products_purchased.php") &&
          ($PHP_SELF != DIR_WS_ADMIN . "stats_customers.php") &&
          ($PHP_SELF != DIR_WS_ADMIN . "mail.php") &&
          ($PHP_SELF != DIR_WS_ADMIN . "newsletter.php") &&
          ($PHP_SELF != DIR_WS_ADMIN . "server_info.php") &&
          ($PHP_SELF != DIR_WS_ADMIN . "whos_online.php") &&
          ($PHP_SELF != DIR_WS_ADMIN . "customers.php") )
       { die("<br><Br><center>Sie sind nicht berechtigt diese Seite zu sehen.\n\n</center>"); }
  }
?>

 

Result if XXX/shop/admin/file_manager.php is called:

 

PHP_AUTH_USER:
PHP_SELF: /shop/admin/file_manager.php
_SERVER[PHP_AUTH_USER]:
_SERVER[REMOTE_USER]: not_osc-shop
_SERVER[REMOTE_ADDR]: XXX.XXX.XXX.XXX
DIR_WS_ADMIN: /shop/admin/

and the page file_manager.php with all my files! NOT THE MESSAGE Sie sind nicht berechtigt diese Seite zu sehen !
So everyone could see all admin pages if he/she has a user/password for the .htaccess protection. My .htaccess file:

# $Id: .htaccess,v 1.1 2003/06/20 00:18:30 hpdl Exp $
#
# This is used with Apache WebServers
#
# For this to work, you must include the parameter 'Options' to
# the AllowOverride configuration
#
# Example:
#
# <Directory "/usr/local/apache/htdocs">
#   AllowOverride Options
# </Directory>
#
# 'All' will also work. (This configuration is in the
# apache/conf/httpd.conf file)

# The following makes adjustments to the SSL protocol for Internet
# Explorer browsers

<IfModule mod_setenvif.c>
 <IfDefine SSL>
   SetEnvIf User-Agent ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
 </IfDefine>
</IfModule>

# Fix certain PHP values

#<IfModule mod_php4.c>
#  php_value session.use_trans_sid 0
#  php_value register_globals 1
#</IfModule>

AuthName "Administrator Bereich"
AuthType Basic
AuthUserFile /homepages/33/d39877653/htdocs/shop/admin/.htpasswd
require valid-user

 

Do you know what went wrong? In my opinion, everything is right (but went wrong ;=(), $_SERVER['REMOTE_USER'] checks for the user, DIR_WS_ADMIN gets the correct directory.

Any help for me?

 

Regards and thanks a lot,

 

Hans


Hmmm,

 

seems to be a big problem. If I include

 

if ($_SERVER['REMOTE_USER']==osc-shop)
{
echo "hallo osc-shop<br>";
}
else
{
echo "hallo unbekannter<br>";
}

 

in the header.php, I always get the message hallo osc-shop (but _SERVER[REMOTE_USER]: not_osc-shop is printed a few lines below) and not hallo unbekannter. I log in as not_osc-shop.

 

What went wrong?

 

Hans


Hello Admins and Jared,

 

everything works fine, I'm just too stupid for this great software :=(

Quotation marks were missing; just my poor PHP knowledge was the fault.

($_SERVER['REMOTE_USER']=="osc-shop")

works perfect!

 

@admins: If you want, you could delete the last two posts above this one.

 

@Jared: Great work!

 

 

Thanks a lot,

 

Hans

Edited by Hans Meier

I'm just too stupid for this great software :=(

Nonsense.

 

Quotation marks were missing; just my poor PHP knowledge was the fault.

($_SERVER['REMOTE_USER']=="osc-shop")

works perfect!

 

Great! Glad to hear it's working for you! I never have looked into why some servers require $_SERVER['REMOTE_USER'] and others work fine with $PHP_AUTH_USER. I'm curious if $_SERVER['REMOTE_USER'] always requires quote marks around the username, or if $_SERVER['REMOTE_USER'] works on more servers than $PHP_AUTH_USER.

 

I'll have to add notes about that to the readme.

 

Good work!

 

-jared

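Two things in this thread deserve a worked answer: Jared's question about why some servers need $_SERVER['REMOTE_USER'] while others work with $PHP_AUTH_USER, and Hans's unquoted osc-shop that let every user through. $PHP_AUTH_USER is filled in when PHP runs as an Apache module; under CGI/FastCGI it is usually empty and REMOTE_USER carries the name, which is exactly what Hans's debug output shows. The quoting problem is not specific to REMOTE_USER: any string literal needs quotes. An unquoted admin1 only worked by accident, because PHP 5/7 treat an undefined constant as its own name (with a notice; PHP 8 throws an Error), while osc-shop is parsed as the constant osc minus the constant shop, which evaluates to 0, and "not_osc-shop" == 0 is true under PHP 5/7 loose comparison. The block below is an added example written for this thread, not the contribution's code and not anything Jared posted. It assumes osCommerce's DIR_WS_ADMIN install-path constant and $_SERVER['PHP_SELF'] as used in the posts above, and the user names and the test requests are made up.

```php
<?php
// Added example for this thread; not code from the Simple Admin Access
// Control contribution. Assumes osCommerce sets DIR_WS_ADMIN and that
// $_SERVER['PHP_SELF'] is the script path, as in the posts above. User
// names below are made up.

// Users who may open every admin page. Anyone else is limited to $restricted_pages.
$full_access_users = array('admin1');

// Pages a restricted user may open. Matched on the script's basename, so the
// install path ("/admin/" or "/webwinkel/admin/") no longer matters.
$restricted_pages = array('orders.php', 'invoice.php', 'packing_slip.php', 'customers.php');

// Return the user Apache authenticated, from whichever variable this server
// fills in: PHP_AUTH_USER (Apache module), REMOTE_USER (CGI/FastCGI), or
// REDIRECT_REMOTE_USER (some rewrite setups). Returns null when none is set.
function sac_authenticated_user(array $server)
{
    foreach (array('PHP_AUTH_USER', 'REMOTE_USER', 'REDIRECT_REMOTE_USER') as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }
    return null;
}

// Decide whether $user may run $script. Quoted strings and strict (===)
// comparison throughout, so a bareword typo can no longer turn the check
// into "== 0", which matched every user name in PHP 5/7.
function sac_is_allowed($user, $script, array $full_access_users, array $restricted_pages)
{
    if ($user === null) {
        return false;   // no authenticated user at all: deny, do not fall through
    }
    if (in_array($user, $full_access_users, true)) {
        return true;
    }
    return in_array(basename($script), $restricted_pages, true);
}

// Drop-in for the if/else block in admin/includes/header.php.
function sac_enforce(array $server, $script, array $full_access_users, array $restricted_pages)
{
    if (!sac_is_allowed(sac_authenticated_user($server), $script, $full_access_users, $restricted_pages)) {
        die('<br><br><center>You are not authorized to view this page.</center>');
    }
}

if (PHP_SAPI === 'cli') {
    // Constructed requests, not real server data: (server vars, script, expected result).
    $cases = array(
        array(array('PHP_AUTH_USER' => 'admin1'),       '/admin/file_manager.php',      true),
        array(array('REMOTE_USER'   => 'not_osc-shop'), '/shop/admin/file_manager.php', false),
        array(array('REMOTE_USER'   => 'fred'),         '/webwinkel/admin/orders.php',  true),
        array(array(),                                  '/admin/orders.php',            false),
    );
    foreach ($cases as $case) {
        list($server, $script, $expected) = $case;
        $got = sac_is_allowed(sac_authenticated_user($server), $script, $full_access_users, $restricted_pages);
        printf("%-4s %s\n", $got === $expected ? 'ok' : 'FAIL', $script);
    }
} else {
    sac_enforce($_SERVER, $_SERVER['PHP_SELF'], $full_access_users, $restricted_pages);
}
```

Run it with `php file.php` to see the four constructed cases; included from header.php it enforces the check on the live request. The deny-on-null branch matters for configurations like toni's .htaccess, where `require valid-user` sits inside `<Limit GET>`: Apache then authenticates only GET (and HEAD) requests, so a POST reaches PHP with no user variable at all. The original if/else block would treat that as a restricted user and still serve orders.php; here an unauthenticated request is refused, and the `require` directive belongs outside any `<Limit>` block.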
