osCommerce


Admin template top, opinions wanted on a modification


Juto


Hi, I have had a look at the admin template_top.php for v2.3.1. The original vanilla code is:

<?php
/*
 $Id$
 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com
 Copyright (c) 2010 osCommerce
 Released under the GNU General Public License
*/
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html <?php echo HTML_PARAMS; ?>>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo CHARSET; ?>">
<meta name="robots" content="noindex,nofollow">
<title><?php echo TITLE; ?></title>
<base href="<?php echo HTTP_SERVER . DIR_WS_ADMIN; ?>" />
<!--[if IE]><script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/flot/excanvas.min.js'); ?>"></script><![endif]-->
<link rel="stylesheet" type="text/css" href="<?php echo tep_catalog_href_link('ext/jquery/ui/redmond/jquery-ui-1.8.6.css'); ?>">
<script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/jquery/jquery-1.4.2.min.js'); ?>"></script>
<script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/jquery/ui/jquery-ui-1.8.6.min.js'); ?>"></script>
<?php
 if (tep_not_null(JQUERY_DATEPICKER_I18N_CODE)) {
?>
<script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/jquery/ui/i18n/jquery.ui.datepicker-' . JQUERY_DATEPICKER_I18N_CODE . '.js'); ?>"></script>
<script type="text/javascript">
$.datepicker.setDefaults($.datepicker.regional['<?php echo JQUERY_DATEPICKER_I18N_CODE; ?>']);
</script>
<?php
 }
?>
<script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/flot/jquery.flot.js'); ?>"></script>
<link rel="stylesheet" type="text/css" href="includes/stylesheet.css">
<script type="text/javascript" src="includes/general.js"></script>
</head>
<body>
<?php require(DIR_WS_INCLUDES . 'header.php'); ?>
<?php
 if (tep_session_is_registered('admin')) {
   include(DIR_WS_INCLUDES . 'column_left.php');
 } else {
?>
<style>
#contentText {
 margin-left: 0;
}
</style>
<?php
 }
?>
<div id="contentText">

 

This is what I would like to use instead:

<?php
/*
 $Id$
 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com
 Copyright (c) 2010 osCommerce
 Released under the GNU General Public License
*/
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html <?php echo HTML_PARAMS; ?>>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo CHARSET; ?>">
<meta name="robots" content="noindex,nofollow">
<title><?php echo TITLE; ?></title>
<base href="<?php echo HTTP_SERVER . DIR_WS_ADMIN; ?>" />
<!--[if IE]><script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/flot/excanvas.min.js'); ?>"></script><![endif]-->
<link rel="stylesheet" type="text/css" href="<?php echo tep_catalog_href_link('ext/jquery/ui/redmond/jquery-ui-1.8.6.css'); ?>">
<script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/jquery/jquery-1.4.2.min.js'); ?>"></script>
<script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/jquery/ui/jquery-ui-1.8.6.min.js'); ?>"></script>
<?php
 if (tep_not_null(JQUERY_DATEPICKER_I18N_CODE)) {
?>
<script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/jquery/ui/i18n/jquery.ui.datepicker-' . JQUERY_DATEPICKER_I18N_CODE . '.js'); ?>"></script>
<script type="text/javascript">
$.datepicker.setDefaults($.datepicker.regional['<?php echo JQUERY_DATEPICKER_I18N_CODE; ?>']);
</script>
<?php
 }
?>
<script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/flot/jquery.flot.js'); ?>"></script>
<link rel="stylesheet" type="text/css" href="includes/stylesheet.css">
<script type="text/javascript" src="includes/general.js"></script>
<style type="text/css">
#contentText {
 margin-left: 0;
}
</style>
</head>
<body>
<?php require(DIR_WS_INCLUDES . 'header.php'); ?>
<?php
 if (tep_session_is_registered('admin')) {
   include(DIR_WS_INCLUDES . 'column_left.php');
 } else { exit; }
?>
<div id="contentText">

 

As you can see, I have moved the styling of #contentText into the head section and changed the condition for valid session.

 

What's your opinion about this mod?

Sara


Without documentation (comments), I don't know why the original code overrides the default (stylesheet.css) left margin of 160px with 0px for the admin only. Your code will make it always 0px (margin-left is the only setting, so no problem with other settings being lost). The original code is rather strange -- I would have rather they'd specified a nonAdminContentText ID and switched in/out the use of that, or even used a style= attribute in the tag. If it's just a matter of aesthetics in the placement of that <div>, your code is OK, but you might want to check if the original code is being used to deliberately hide content or something. At least, check the differences between admin and non-admin viewers in the original code. In general, it's cleaner to put <style> in the <head> section (if it can't go in a CSS file), but check if the code knows whether it's admin or not while it's still in the <head> section. You may have to move other PHP code up in the file to get that.

 

You had a second question, but it's been cut off by this wonderful forum software :( . Something about rearranging code?

 

Ah, you added an exit() if it wasn't admin? Will that give you an incomplete page?


Opinion: complete waste of time.

You would be better off buying a tin-foil hat than relying on this to give any relevant security. Who else other than an admin can access the admin area? And if they do, then an exit() in the code is going to do nothing to stop them doing what they want to do.

<style> can go anywhere in a webpage, does not have to be in the head section.


Hi Phil, I'm sorry I can't remember just now where I talked about rearranging code. Could it be my move to doctype strict, instead of loose?

I'm thinking of adding an extra condition to the session test. Haven't found a suitable one though... yet. Maybe a JavaScript thing, any ideas?

Sara


Hi Burt, I do like clean structured code that's why I moved the style. I also have in mind to just display...nothing if the session isn't set correctly.

As you might know, there are ways to bypass htaccess and passwords, and I am trying to avoid that, if it's possible.

Sara


  • 2 weeks later...

Hi Burt, I'm sorry I can't remember where that was discussed. You might find it via a search. By the way, I think I've (in my mind) a way to hinder that. :)

 

Sara

 

That is because there is no known security problem with htaccess, assuming a correctly set up server and assuming that whoever wants to get past your ht* files does not already have root access to your site (e.g. control panel, FTP, etc.).


  • 2 weeks later...

@Juto

If your goal is to prevent anyone but yourself from accessing your admin, you could use the IP Trap addon and set it up for your admin rather than for the frontend.

I used to have it installed on my admin (on my old shop), all you do is allow only your IP on the admin's whitelist, any other unauthorized users will get blocked and banned even if they should enter the correct username and password. Obviously it's better if you use a static IP, otherwise you'll keep banning yourself.

~ Don't mistake my kindness for weakness ~
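As an added example that is not code from this thread, from osCommerce, or from the IP Trap addon: an admin access guard that runs before any HTML is emitted (for instance at the top of admin/includes/application_top.php, after the session has started), which avoids the incomplete page an exit() in template_top.php produces and implements the admin IP allowlist idea from the reply above by refusing, rather than banning, other addresses. It assumes the osCommerce 2.3.1 helpers tep_session_is_registered(), tep_redirect(), tep_href_link() and tep_get_ip_address() and the FILENAME_LOGIN constant; the allowlisted address is a constructed placeholder.

```php
<?php
// Added example, not osCommerce's own code and not the IP Trap addon.
// Place before any output, e.g. at the top of admin/includes/application_top.php
// once the session is available. Assumes the osCommerce 2.3.1 helpers
// tep_session_is_registered(), tep_redirect(), tep_href_link(),
// tep_get_ip_address() and the FILENAME_LOGIN constant ('login.php').

// Constructed allowlist: the static address(es) the shop is administered from.
// 203.0.113.0/24 is a documentation range, so this value is a placeholder.
$admin_allowed_ips = array('203.0.113.10');

// Exact string comparison only; no prefix or wildcard matching, so a
// mistyped entry fails closed instead of silently widening the allowlist.
function admin_ip_allowed($ip, $allowed) {
  return in_array($ip, $allowed, true);
}

$client_ip = tep_get_ip_address();
if (!admin_ip_allowed($client_ip, $admin_allowed_ips)) {
  // Record the refused attempt for later review, then stop. exit() is safe
  // here because no part of the page has been sent yet.
  error_log('admin access refused for ' . $client_ip);
  header('HTTP/1.0 403 Forbidden');
  exit;
}

// The session check belongs here as well, not in template_top.php: pages that
// render without an admin session (login.php among them) use template_top.php,
// so an exit() there blanks the login form itself and leaves every other
// request with an unclosed <body> instead of a login prompt.
$current_page = basename($_SERVER['SCRIPT_NAME']);
if (!tep_session_is_registered('admin') && $current_page != FILENAME_LOGIN) {
  tep_redirect(tep_href_link(FILENAME_LOGIN));
}
?>
```

A rule in the web server's configuration (the htaccess already discussed) restricting the admin directory to the same addresses gives the same effect one layer earlier and without depending on PHP running.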

