
[Contribution] Admin Account with Access Level


Parikesit


ADMIN ACCESS with LEVEL

for osCommerce's Administration Tool

Version: 1.1

 

Released under the GPL

 

 

Description

Access to Administration Tool with access level for each admin member.

 

This will only work with CVS2 and MS1 (see changelog below to see when the last update was made).

 

 

Feature

- Login box, password forgotten and logoff account

- Create/edit/delete admin account with group

- Create/edit/delete groups

- Define boxes and files permission for each group

- Add/remove boxes and files

- My Account: edit admin account

- Automatic display of accessible boxes and files (Left Menu)

- Email notification when creating an admin account


By default there are two example admin accounts:

 

 

 

and

 

 

 

Please try both accounts and you can see how this contribution works!

 

WARNING:

For security reasons, don't forget to change the email and password of the example accounts as soon as you have successfully installed this contribution.

 

Enjoy :)

zaenal

 

You can take the package in Contribution area:

http://www.oscommerce.com/community/contributions,1174


For MS1:

 

Add the new tables (admin, admin_files, admin_groups) to backup.php at line 246:

 

It looks like:

tep_db_query("drop table if exists admin, admin_files, admin_groups, address_book, address_format, ....

 

 

zaenal


HOW TO USE

Admin Account with Access Level

 

Snapshot 1: Front Page

--------------

admin_level1.gif

--------------

 

Description:

1. My Account

(Only the currently logged-in account can access "My Account")

Here you can edit your account yourself.

2. Logoff

Log off the current account

3. Member Groups

(Only those who have permission can access this!)

- Add/edit/delete account

- Add/edit/delete group

- Define which "Boxes" and "Files" can be accessed by each group (see snapshot 2 below)

4. File Access

(Only those who have permission can access this!)

- Install/uninstall boxes or categories in Left Menu

- Add/remove file from boxes (See the snapshot 3 below).

 

As you can see, when you store a new file to e.g. the Administrator box (snapshot 3), it will be shown when you define a group (snapshot 2).

 

 

Snapshot 2: Define Groups

--------------

define_groups.gif

--------------

 

Snapshot 3: Store Files - Permission

--------------

store_files.gif

--------------


I execute the table using phpMyAdmin 2.4.0 and all work fine.

 

Yes, this could be the best contribution I have seen.

 

Thanks a lot

Buana

 

After getting the tables in mySQL (don't know much about adding tables to mySQL {the sql included did not work for me and I had to do it by hand}), this contribution is one of the best that I have seen!!!

 

Thanks,

 

Scott


I have been trying to get the Admin 1.45 to work on my system and having a terrible time. It appears that the new session code or something in the MS1 code is messing it up. I even went completely out of it and tried a new install. It appears that you can only log in on certain computers and only at certain times.

 

At this point I am willing to try anything, so I am going to back out of that mod and install this. I'm crossing my fingers because this one actually looks like it will be easier to administer.

 

I'll let you know (Monday or Tuesday) when I get a chance to make this change and test it. Thanks for the contrib!


Yes, this could be the best contribution I have seen.

 

after 2 replies, i can imagine that.

 

still 1100 + contributions for you to check out....LOL

Robert

 

We all need to learn it once, how hard it may seem when you look at it, also you will master it someday ;)


please put those images on a faster HOST because it takes about 15 +++ minutes to load them all, no its not my connection.

(I download +500 Kb/s)

Robert

 

We all need to learn it once, how hard it may seem when you look at it, also you will master it someday ;)


Zaenal,

 

I have to say this is one of the best I have seen. Although I have a question, a suggestion and a problem.

 

My question is, why did you opt to use the email address for login as opposed to a username? Personally I find a username much easier to enter and it provides the same if not more security.

 

My suggestion is to add the ability for top administrators to edit all other users' passwords and the ability to send or not send email at the time the edit is made. Also show the password in plain text in the user's profile.

 

My problem is that when adding a new user or editing a user, the email sent is not consistent. A new user's email is sent with the correct data in it (although there are some formatting issues), but when you edit a user, the email sent does not. It has ADMIN_EMAIL_SUBJECT in the subject line and ADMIN_EMAIL_TEXT in the text. I checked the code, and I cannot see any difference in the tep_mail string between case 'member_new' and case 'member_edit' (other than the password variable). You get the same error for the forgotten password email.

 

Dangerous

(As in know enough to be)


Hi Druide,

 

Sorry, I have no other website to put my images on. Anyway, I come from Indonesia and my server is also there. Here I can load the images in a few seconds, but maybe not from your place.

 

Thanks anyway. Maybe this will make me plan to move my server to another 'international' HOST.

 

 

zaenal

 

 



 

it must have been a bad storm that caused the slow loading of the pics ;)

Robert

 

We all need to learn it once, how hard it may seem when you look at it, also you will master it someday ;)


Hi,

 

For me it's the same to use a username or email. It's just simple: because the Catalog account also uses email rather than a username.

 

About editing the password by the Top Administrator, I have also been thinking to add this ability. Before, I thought that it was not necessary(?) because there is "password forgotten", which gives the ability to resend the password if members forget their passwords. But I plan to add this ability in a future version.

 

***

 

I found the error in password forgotten tep_mail.

Please paste these lines into admin/includes/languages/english/login.php

 

define('ADMIN_EMAIL_SUBJECT', 'OsC Admin Member');
define('ADMIN_EMAIL_TEXT', 'Hi %s,\n\n You can access the admin panel with the following password. Once you access the admin, please change your password! \n\n  Website : %s \n  Username: %s \n  Password: %s \n\n Thanks! \n %s \n This is an automated response, please do not reply!');

 

 

Regards

zaenal

 

 

 

 


Zaenal,

 

You may also want to include this small change in your next update. It cleans up the email to proper format. What I believe you intended it to look like.

 

define('ADMIN_EMAIL_SUBJECT', 'New Admin Member');
// the line breaks must be double-quoted ("\n") to be interpreted; inside single quotes they stay literal
define('ADMIN_EMAIL_TEXT', 'Hi %s,' . "\n\n" . 'You can access the admin panel with the following password. Once you access the admin, please change your password!' . "\n\n" . 'Website : %s' . "\n" . 'Username: %s' . "\n" . 'Password: %s' . "\n\n" . 'Thanks!' . "\n" . '%s' . "\n\n" . 'This is an automated response, please do not reply!');

 

Dangerous


well.... i got this installed. It is definitely much more complex than any of the other admin auth scripts I have seen. I have a problem understanding all the features.

 

can you explain a little bit about what "store files" does and how it interacts with the filesystem? There is a warning that the files will be removed, but does that mean you will be deleting files from my disk or just removing them from the database?

 

What exactly is the purpose of that feature?

 

 

JG


Exactly, this feature just removes the filename from the database list.

 

zaenal

 


Hi all,

I really need help from someone to make a HOWTO for using this contribution, and also to explain all the features, buttons, etc. This is what is missing in the package.

 

I can make it in Indonesian but hard for me to write it in English. :lol:

 

But maybe we can try to explain it step by step in this forum and the resume will be added to later version.

 

 

Thanks for the help.

zaenal


zaenal,

 

yes... a user guide would be helpful. But once you get the concept it goes faster. This took me quite a while to implement because of the change on all but a few files in the admin/ folder. Especially since I have added the P&G order tracking/shipping which nearly doubles the number of files. I was thinking that it would be easier to just put it as the last line in admin/includes/application_top.php You could write some code to recognize if you are in the handful of files that don't need protection. I think this is the same way that some of the other admin access (like 1.45) work. It would cut the install time quite a bit.

 

There are a couple of features that probably need to be added also. For instance, I noticed that when the superadmin created a new account, there was a default password 'admin' . It would be nice if super-admin could specify/change the password of any admin.

 

I also noticed that I too got two emails when I did the password forgotten link. It is very strange. I'll see if I can figure it out.

I'll also come up with some text to describe how to get started with it. It requires quite a bit of up front customization/installation, but once you get it installed properly it is a great contribution.

 

Thanks,

JG


Hi,

 

... I was thinking that it would be easier to just put it as the last line in admin/includes/application_top.php .... I think this is the same way that some of the other admin access (like 1.45) work. It would cut the install time quite a bit....

 

That's what I need. I tried several times to put it in the header. I have to download admin access 1.45 and figure out how it handles this situation. Thanks, John.

 

...For instance, I noticed that when the superadmin created a new account, there was a default password 'admin'.

 

When creating a new account, why did you choose that the password has to be fixed (admin)? Would it be better if we just generate or randomize the password?

 

 

Regards.

zaenal


When creating a new account, why did you choose that the password has to be fixed (admin)? Would it be better if we just generate or randomize the password?

 

I think it is best to specify the password. If you autogenerate a random password, it must be emailed to the admin email account. I think that would be fine, except somehow then you would want to flag the account for a password change on the first login. If you specify the password when you create the account, you could avoid the email requirement, which may not be installed on all servers (like my home Windows dev computer). On the other hand, if you used a default password it could be a security problem for those osc users that don't know they need to go back in and change the password immediately.

 

I would also like to consider using a username instead of the email address. However, I have decided to just simply change the login text so that it doesn't say "E-mail Address" and says "Login" instead. This will slow down some people that might use a password cracker. If they can guess the email address, it eliminates one variable they need.

 

Finally, how about considering this.... if the login fails 3 times, the account is locked and will need to be reset by the superadmin. This requires an extra field in the admin table to record failed attempts (which gets cleared upon successful signin). In the event that the superadmin account gets locked down, you would need to have some backdoor key file that could be loaded onto the server in order to reset the password.

 

Since you are working on the code to move the pageverifier into application_top, I will work on the lockdown scenario and post the code here. It will probably be a day or two.

 

JG

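The lockout JG proposes above, as an added stand-alone PHP model that is not part of the contribution: the admin row is an in-memory array, the failed-attempt column name (admin_failed_logins) and the lock flag are assumed, and the password hashing uses PHP's own password_hash rather than whatever the contribution does. The counter is cleared on success and only the superadmin reset clears a lock.

```php
<?php
// Added example, not code from the contribution. Models JG's suggestion:
// lock the account after three failed logins, clear the counter on success,
// and require a superadmin reset to unlock. Column names are assumed.
const MAX_FAILED_LOGINS = 3;

// Constructed sample row; the hash is produced here so the example runs anywhere.
function make_admin(string $email, string $password): array {
    return [
        'admin_email_address' => $email,
        'admin_password'      => password_hash($password, PASSWORD_DEFAULT),
        'admin_failed_logins' => 0,      // assumed new column in the admin table
        'admin_locked'        => false,  // assumed new column in the admin table
    ];
}

// Returns 'ok', 'bad_password' or 'locked' and updates the row in place.
// A locked account stays locked even when the right password is supplied,
// so a guessing run cannot "unlock" it by eventually getting it right.
function attempt_login(array &$admin, string $password): string {
    if ($admin['admin_locked']) {
        return 'locked';
    }
    if (password_verify($password, $admin['admin_password'])) {
        $admin['admin_failed_logins'] = 0;       // cleared on successful signin
        return 'ok';
    }
    $admin['admin_failed_logins']++;
    if ($admin['admin_failed_logins'] >= MAX_FAILED_LOGINS) {
        $admin['admin_locked'] = true;
        return 'locked';
    }
    return 'bad_password';
}

// Superadmin action: clear the lock and the counter. This is the only path
// out of the locked state; the out-of-band reset for a locked superadmin that
// JG mentions is left to the operator and is not modelled here.
function unlock_admin(array &$admin): void {
    $admin['admin_locked']        = false;
    $admin['admin_failed_logins'] = 0;
}

$admin = make_admin('admin@example.invalid', 'correct horse');  // constructed
foreach (['wrong', 'wrong', 'wrong', 'correct horse'] as $try) {
    printf("%-14s -> %-12s (failed=%d)\n", $try,
           attempt_login($admin, $try), $admin['admin_failed_logins']);
}
unlock_admin($admin);
printf("%-14s -> %s\n", 'after unlock', attempt_login($admin, 'correct horse'));
```

The fourth attempt uses the correct password but still returns 'locked', which is the behaviour JG's proposal depends on.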

Ok, I have downloaded admin access 1.45, and I am working on moving

tep_admin_check_login(basename($PHP_SELF));

to application_top.php ...

 

This is the important thing to cut the install time :idea: , so other suggestions may still not be included if they take much time to think about :roll:

 

 


Hi,

I found the solution, and I was surprised that it did not take much time, and neither did the change.

 

This update works on my site; I hope it does on yours too. Please report if there are any problems.

 

The first step:

Remove tep_admin_check_login(basename($PHP_SELF)); (from the files included in the contribution package).

 

Second step:

Make a little change to function tep_admin_check_login($filename) { ... } .

 

Replace with:

////
// Check login and file access
function tep_admin_check_login() {
  global $PHP_SELF, $login_groups_id;
  if (!tep_session_is_registered('login_id')) {
    tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
  } else {
    $filename = basename($PHP_SELF);
    // files every logged-in admin may open; everything else must be listed in admin_files for the group
    if ($filename != FILENAME_DEFAULT && $filename != FILENAME_FORBIDEN && $filename != FILENAME_LOGOFF && $filename != FILENAME_ADMIN_ACCOUNT && $filename != FILENAME_POPUP_IMAGE && $filename != 'packingslip.php' && $filename != 'invoice.php') {
      // $PHP_SELF is request-derived, so escape the file name before it is placed in the query
      $db_file_query = tep_db_query("select admin_files_name from " . TABLE_ADMIN_FILES . " where FIND_IN_SET('" . (int)$login_groups_id . "', admin_groups_id) and admin_files_name = '" . tep_db_input($filename) . "'");
      if (!tep_db_num_rows($db_file_query)) {
        tep_redirect(tep_href_link(FILENAME_FORBIDEN));
      }
    }
  }
}

 

 

The last step:

Add these lines to admin/includes/application_top.php (before the ?> php tag on the last line):

 

// check login
if (basename($PHP_SELF) != FILENAME_LOGIN && basename($PHP_SELF) != FILENAME_PASSWORD_FORGOTTEN) {
  tep_admin_check_login();
}

 

Hope I don't miss anything,

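To see what the centralized check in the three steps above decides before wiring it into application_top.php, here is an added stand-alone PHP model of the same rule (not code from the contribution): the admin_files table is an in-memory array, MySQL's FIND_IN_SET is emulated, and the exempt-file list, the fail-closed default for unregistered files and the exact-match semantics of the group id are exercised. The file names standing in for the FILENAME_* constants and all table rows are assumptions constructed for the example.

```php
<?php
// Added example, not code from the contribution: the rule applied by
// tep_admin_check_login(), run against an in-memory copy of admin_files.
// Row format: file name => comma-separated group ids, which is how the
// admin_groups_id column is queried with FIND_IN_SET in the original.
$admin_files = [                                  // constructed sample rows
    'categories.php'    => '1,2',
    'orders.php'        => '1,11',
    'admin_members.php' => '1',
];

// Assumed file names standing in for the FILENAME_* constants the check
// exempts (every logged-in admin may open these).
$exempt_files = ['index.php', 'forbiden.php', 'logoff.php', 'admin_account.php',
                 'popup_image.php', 'packingslip.php', 'invoice.php'];

// MySQL FIND_IN_SET semantics: a whole comma-separated element must match,
// so group '1' does not match a set that only contains '11'.
function find_in_set(string $needle, string $set): bool {
    return in_array($needle, explode(',', $set), true);
}

// Returns 'login', 'allow' or 'forbidden', mirroring the redirects in the check.
function admin_access_decision(?string $login_id, string $groups_id, string $filename,
                               array $admin_files, array $exempt_files): string {
    if ($login_id === null) {
        return 'login';                           // no session: back to the login page
    }
    if (in_array($filename, $exempt_files, true)) {
        return 'allow';
    }
    // A file that is not stored in admin_files is denied, not opened: this is
    // why removing a file from the "store files" list takes access away.
    if (!isset($admin_files[$filename])) {
        return 'forbidden';
    }
    return find_in_set($groups_id, $admin_files[$filename]) ? 'allow' : 'forbidden';
}

// Requests as application_top.php would see them: [login_id, group id, file].
$requests = [
    [null, '2',  'categories.php'],    // not logged in        -> login
    ['5',  '2',  'categories.php'],    // group 2 is listed    -> allow
    ['5',  '2',  'orders.php'],        // group 2 not listed   -> forbidden
    ['5',  '1',  'orders.php'],        // group 1 is listed    -> allow
    ['7',  '11', 'categories.php'],    // '11' is not '1'      -> forbidden
    ['5',  '2',  'unlisted.php'],      // never stored         -> forbidden
    ['5',  '2',  'logoff.php'],        // exempt file          -> allow
];
foreach ($requests as [$login, $group, $file]) {
    printf("%-18s group %-3s -> %s\n", $file, $group,
           admin_access_decision($login, $group, $file, $admin_files, $exempt_files));
}
```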
