Proud Posted May 17, 2006

I am trying to uninstall this contribution as it conflicts with another contribution that I need, and I commented out everything.....I think, but now how do I get the Admin Table in the SQL back to the original state, I can't find it anywhere. Any help would be appreciated.

lopes_andre Posted May 17, 2006

> I am trying to uninstall this contribution as it conflicts with another contribution that I need, and I commented out everything.....I think, but now how do I get the Admin Table in the SQL back to the original state, I can't find it anywhere. Any help would be appreciated.

And this contribution conflicts with which other contribution? I'm thinking of installing this contribution but my osCommerce has many contributions installed... And which version did you download to install??

Regards, Andre.

Proud Posted May 17, 2006

> And this contribution conflicts with which other contribution? I'm thinking of installing this contribution but my osCommerce has many contributions installed... And which version did you download to install?? Regards, Andre.

It is conflicting with the installation of Multi Vendor Shipping V1.1, I am hoping to get that installed and then reinstall this one and hopefully it won't conflict, but who knows. I have Admin Access 2.2.

lopes_andre Posted May 17, 2006

> It is conflicting with the installation of Multi Vendor Shipping V1.1, I am hoping to get that installed and then reinstall this one and hopefully it won't conflict, but who knows. I have Admin Access 2.2.

Try the Simple Admin Access Control, it is much easier to install and could be more specific than AAL.

http://www.oscommerce.com/community/contributions,2701
http://www.oscommerce.com/forums/index.php?showtopic=125058

Amigoo Posted July 8, 2006

Hello

I could install this contrib, and principally all is working fine but now I need help with this error message. I've spent some hours reading this thread but nobody has the same problem. This is the error message I get when I open a product to edit it or when I choose "new product":

```
Fatal error: Call to undefined function: tep_draw_mselect_menu() in /var/www/my-web/html/my-shop/catalog/admin/categories.php on line 684
```

The code in this line is:

```php
<tr>
  <td class="main"><?php echo TEXT_CATEGORIES; ?></td>
  <td class="main"><?php echo tep_draw_separator('pixel_trans.gif', '24', '15') . '?' . tep_draw_mselect_menu('categories_ids[]', $categories_array, $categories_array_selected, 'size=10'); ?></td>
</tr>
```

Any idea? Please help.

Cheers
Amigoo

scheinarts Posted July 9, 2006

I have not seen that problem.. I installed it and it works great for me, the only problem is it seems not to work with ccgv.. has anybody had any issue with ccgv?

Amigoo Posted July 10, 2006

> Hello I could install this contrib, and principally all is working fine but now I need help with this error message. I've spent some hours reading this thread but nobody has the same problem. This is the error message I get when I open a product to edit it or when I choose "new product":
>
> Fatal error: Call to undefined function: tep_draw_mselect_menu() in /var/www/my-web/html/my-shop/catalog/admin/categories.php on line 684
>
> The code in this line is:
>
> ```php
> <tr>
>   <td class="main"><?php echo TEXT_CATEGORIES; ?></td>
>   <td class="main"><?php echo tep_draw_separator('pixel_trans.gif', '24', '15') . '?' . tep_draw_mselect_menu('categories_ids[]', $categories_array, $categories_array_selected, 'size=10'); ?></td>
> </tr>
> ```

Hello folk,

I'm very stupid. The install advice said: Replace some code in catalog/admin/includes/functions/html_output.php, and I have changed the code in catalog/includes/functions/html_output.php.

Now all is working fine. Sorry for molestation.

evanover Posted July 15, 2006

Installed contrib Access with Level Account 2.2a and it works great. I just did a stupid thing when I created a new user; I did not assign them to a group, and now the user gives me an error. How do I delete the account or assign it to a group?

avail1now Posted August 15, 2006

Installed the latest version of admin access Level Accounts, now clicking admin > member groups > Top administrator > edit takes you to store/admin/admin_members.php?page=1&mID=1&action=edit_member and produces:

```
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/userid/public_html/admin/includes/functions/database.php on line 107
```

Has anyone got any clues?

cheers, Bridgette & Deano
my contributions: tableless CSS template login form for STS
resources: effective searching knowledge base
how to: sandbox with Paypal IPN

Guest Posted August 15, 2006

OK, I'm stumped: I'm testing out my installation and I created a new member of the "Customer Relations" group. However, where do I set this person's password? Is there some default for this?

Thanks!
-= Dave =-

avail1now Posted August 16, 2006

> OK, I'm stumped: I'm testing out my installation and I created a new member of the "Customer Relations" group. However, where do I set this person's password? Is there some default for this? Thanks! -= Dave =-

You cannot set a person's password when you first add them. The script for this contribution has the store send an email to the person you added with their new auto-generated password. If you can access that person's email box, the email sent will show you that password.

cheers, Bridgette & Deano

Amigoo Posted August 16, 2006

> You cannot set a person's password when you first add them. The script for this contribution has the store send an email to the person you added with their new auto-generated password. If you can access that person's email box, the email sent will show you that password.

If you don't have access to the new user's post box, go to phpMyAdmin and copy the admin user name and password into the new user fields. Voila..... you have access to the new user account. When you don't need access anymore, change the pass and email from his account. The store will send it.

Guest Posted August 16, 2006

> If you don't have access to the new user's post box, go to phpMyAdmin and copy the admin user name and password into the new user fields. Voila..... you have access to the new user account. When you don't need access anymore, change the pass and email from his account. The store will send it.

Yeah, that's what I did as a temporary work-around. I didn't realize that an email alert goes out to the person once I've created their account.

Thanks!
-= Dave =-

avail1now Posted August 16, 2006

> Installed the latest version of admin access Level Accounts, now clicking admin > member groups > Top administrator > edit takes you to store/admin/admin_members.php?page=1&mID=1&action=edit_member and produces:
>
> Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/userid/public_html/admin/includes/functions/database.php on line 107
>
> Has anyone got any clues?

any clues?

cheers, Bridgette & Deano

billsoft Posted August 25, 2006

> Installed the latest version of admin access Level Accounts, now clicking admin > member groups > Top administrator > edit takes you to store/admin/admin_members.php?page=1&mID=1&action=edit_member and produces:
>
> Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/userid/public_html/admin/includes/functions/database.php on line 107
>
> Has anyone got any clues?

Same error here. I've solved it by changing a bracket position, in admin_members.php, near line 600. Take a look at the code below, look for my 2 comments //changed by bill, near the end:

```php
while ($n < tep_db_num_rows($top_categories_query)) {
  $top_categories = tep_db_fetch_array($top_categories_query);
  $top_categories_name_query = tep_db_query("select categories_name from " . TABLE_CATEGORIES_DESCRIPTION . " where language_id=2 and categories_id=" . $top_categories['categories_id']);
  $top_categories_name = tep_db_fetch_array($top_categories_name_query);
  if (in_array($top_categories['categories_id'],$str_cat_no_array)) {
    $is_selected = true;
  } else {
    $is_selected = false;
  }
  $all_categories .= tep_draw_checkbox_field('admin_cat_access_' . $n, $top_categories['categories_id'],$is_selected) . " " . $top_categories_name['categories_name'] . " (ID" . $top_categories['categories_id'] . ")<br> ";
  $n = $n + 1;
}
// } //changed by bill
$contents[] = array('text' => '<br> <b>' . TEXT_INFO_CATEGORIEACCESS . '</b><br> ' . $all_categories);
$contents[] = array('text' => tep_draw_hidden_field('admin_cat_access_fields', tep_db_num_rows($top_categories_query)));
} //changed by bill
// Thomas Schittli: End Bugfixes
```

Cya, Billsoft.

avail1now Posted August 26, 2006

> Same error here. I've solved it by changing a bracket position, in admin_members.php, near line 600.

Billsoft, great find, you are a champ.

cheers, Bridgette & Deano

Thenes Posted August 27, 2006

> Same error here. I've solved it by changing a bracket position, in admin_members.php, near line 600. Take a look at the code below, look for my 2 comments //changed by bill, near the end:
>
> ```php
> while ($n < tep_db_num_rows($top_categories_query)) {
>   $top_categories = tep_db_fetch_array($top_categories_query);
>   $top_categories_name_query = tep_db_query("select categories_name from " . TABLE_CATEGORIES_DESCRIPTION . " where language_id=2 and categories_id=" . $top_categories['categories_id']);
>   $top_categories_name = tep_db_fetch_array($top_categories_name_query);
>   if (in_array($top_categories['categories_id'],$str_cat_no_array)) {
>     $is_selected = true;
>   } else {
>     $is_selected = false;
>   }
>   $all_categories .= tep_draw_checkbox_field('admin_cat_access_' . $n, $top_categories['categories_id'],$is_selected) . " " . $top_categories_name['categories_name'] . " (ID" . $top_categories['categories_id'] . ")<br> ";
>   $n = $n + 1;
> }
> // } //changed by bill
> $contents[] = array('text' => '<br> <b>' . TEXT_INFO_CATEGORIEACCESS . '</b><br> ' . $all_categories);
> $contents[] = array('text' => tep_draw_hidden_field('admin_cat_access_fields', tep_db_num_rows($top_categories_query)));
> } //changed by bill
> // Thomas Schittli: End Bugfixes
> ```
>
> Cya, Billsoft.

Fantastic! This fixed a problem I didn't realise I had.

Iggy Posted August 27, 2006

Reposting this from another thread.

Has anyone done a security audit on AAL 2.2a? Are there any known exploits for this contrib? Thanks

> Hi Iggy ... yes that is one problem I've noticed. I am not a wizard at php but understand a good portion. It seems the Admin side of the catalog is not using the same session code ... which seems to be better written on the catalog side. I have read that the osc admin code was written by different osc programmers who all had their own ideas on how things should be done.
>
> One thing I noticed is that if you forget to do the logout in admin access the session is not destroyed .. sometimes if I reopen my browser and type an admin url to a file I can bypass the login intermittently.
>
> I also noticed that even when restricting files to certain admins like categories.php for example ... that certain critical function buttons can be accessed if you know what url parameters and categories id etc to use. For example the copy, move, duplicate buttons are only disabled because the admin level is not equal to 1 .... but if you type in the correct url and parameters ... there is no code to stop the execution.
>
> I have been adding bits and pieces of code myself to try and add more logic to the checking of admins level and which buttons can be clicked etc .. but it is a slow, complicating process. If someone was really good with code the Admin Access mod needs some core code added for selecting which buttons on pages can be used ... like Insert and New Product etc., but I am not sure on what the best way to go about this would be because there are other factors involved like any other mods which people have installed that have button links etc.
>
> All in all I think Admin Access is a very impressive mod though and the creators' and the contributors' concepts are awesome. I can see this one going a long way and being developed further.

Well, there's a certain level of trust involved to hand-out an admin pass in the first place so in the cases above, although it would be good to get those fixed up, the security breach is the top admin.

As far as someone coming to the admin without a login/pass I can't see that there's an exploit that gets them past the login page (which doesn't mean there isn't one just that I can't figure out how to do it :) other than brute forcing it.

Someone ( ask not what osC can do for you people ) should update the admin contrib to include an index.php in all the subdirs though and especially in backups as that's wide open to anyone who knows the path.

Iggy

Everything's funny but nothing's a joke...

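Added example (not part of the thread and not code from the Admin Access contribution): the quoted report above says the copy, move and duplicate buttons are hidden for lower admin levels but the matching URLs still execute. One way to close that gap is a deny-by-default check on the `action` parameter against the logged-in `login_groups_id` before any action code runs. The action names, the group ids 2 and 3, and both function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the Admin Access contribution.
// Deny-by-default policy: file => action => admin group ids allowed to run it.
// The action names and group ids 2 and 3 are constructed samples.
$policy = array(
  'categories.php' => array(
    ''                       => array(1, 2, 3), // plain listing, no action parameter
    'new_product'            => array(1, 2),
    'update_product'         => array(1, 2),
    'copy_to_confirm'        => array(1),
    'move_product_confirm'   => array(1),
    'delete_product_confirm' => array(1),
  ),
);

// True only when this group is explicitly listed for this file and action.
function action_allowed(array $policy, $file, $action, $groupId) {
  if (!is_int($groupId) || $groupId < 1) return false;   // no logged-in group
  if (!is_string($action)) return false;                 // e.g. action[]=x
  if (!isset($policy[$file][$action])) return false;     // unlisted file or action: deny
  return in_array($groupId, $policy[$file][$action], true);
}

// Meant to run before the page's own action handling, so a hidden button and a
// hand-typed URL get the same answer. Returns array(HTTP status, log line);
// a real page would send the 403 status and exit on denial.
function enforce_action(array $policy, $file, array $query, array $session) {
  $action = array_key_exists('action', $query) ? $query['action'] : '';
  $group  = isset($session['login_groups_id']) ? (int) $session['login_groups_id'] : 0;
  if (action_allowed($policy, $file, $action, $group)) {
    return array(200, 'allow');
  }
  // Keep only safe characters so the request cannot forge log entries.
  $shown = is_string($action) ? preg_replace('/[^A-Za-z0-9_]/', '?', $action) : '(non-string)';
  return array(403, "deny file=$file action=$shown group=$group");
}

// Constructed requests against categories.php: array(session, query string).
$requests = array(
  array(array('login_groups_id' => '1'), array('action' => 'copy_to_confirm')),
  array(array('login_groups_id' => '2'), array('action' => 'copy_to_confirm')),
  array(array('login_groups_id' => '2'), array('action' => 'update_product')),
  array(array('login_groups_id' => '3'), array('action' => array('x'))),
  array(array(), array('action' => 'new_product')),
);
foreach ($requests as $r) {
  list($status, $line) = enforce_action($policy, 'categories.php', $r[1], $r[0]);
  echo $status, ' ', $line, "\n";
}
```
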
Iggy Posted August 27, 2006

Here's the index.php I'm adding to all my /admin/subdirs. Hope it's helpful to someone.

```php
<?php
if(isset($_SESSION['osCAdminID'])) {
  echo 'Session exists';
} else {
  echo 'You really ought to login first shouldn\'t you?';
}
?>
```

Iggy

Iggy Posted August 27, 2006

> Here's the index.php I'm adding to all my /admin/subdirs. Hope it's helpful to someone.
>
> ```php
> <?php
> if(isset($_SESSION['osCAdminID'])) {
>   echo 'Session exists';
> } else {
>   echo 'You really ought to login first shouldn\'t you?';
> }
> ?>
> ```
>
> Iggy

Actually that doesn't seem to do anything but keep everyone out. Still, better than a kick in the head when someone steals your backup files.

Iggy

vipes Posted September 13, 2006

> Reposting this from another thread. Has anyone done a security audit on AAL 2.2a? Are there any known exploits for this contrib? Thanks
>
> Well, there's a certain level of trust involved to hand-out an admin pass in the first place so in the cases above, although it would be good to get those fixed up, the security breach is the top admin. As far as someone coming to the admin without a login/pass I can't see that there's an exploit that gets them past the login page (which doesn't mean there isn't one just that I can't figure out how to do it :) other than brute forcing it. Someone ( ask not what osC can do for you people ) should update the admin contrib to include an index.php in all the subdirs though and especially in backups as that's wide open to anyone who knows the path. Iggy

I have been tirelessly trying to integrate Human Confirmation V1.2 into the login.php. I'm thinking that since brute force programs are essentially bots, this would prevent brute force attacks. Does anyone have any ideas on how to get this to work?

The contribution I'm trying to integrate is here: http://www.oscommerce.com/community/contri...an+confirmation

I just took snippets of it and pasted it into login.php in several different places, and followed the instructions, and instead of placing files in the catalog/includes, I placed them in admin/includes, and such. When I go to type in the verification code, it comes back correct, but it just refreshes the page and none of the login script is done!? I am so frustrated.

Here is the top portion of the code, modified to include the human verification script that would normally be placed in "create_account.php".

```php
require('includes/application_top.php');

//START HUMAN VERIFICATION
// BOF
// Contrib: Human confirmation v1.2
$noautomationcode = $HTTP_SESSION_VARS["noautamationcode"];
// -> v1.1
// Changed to work w/ random image names
$img_dir = $HTTP_SESSION_VARS["noautamationdir"];
$img_name = $HTTP_SESSION_VARS["noautamationname"];
// Find and delete old images
if (strlen($img_name) >= 6) {
  $dirHandle = dir($img_dir);
  while($fileHandle = $dirHandle->read()) {
    if (substr($fileHandle,0,strlen($img_name)) == $img_name) @unlink($img_dir.$fileHandle);
  }
  $dirHandle->close();
}
// <- v1.1
// Changed to work w/ random image names

if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'process')) {
  if (isset($HTTP_GET_VARS['thecode']) && ($HTTP_GET_VARS['thecode'] == $noautomationcode )) {
// EOF
// Contrib: Human confirmation v1.2
//END HUMAN VERIFICATION
    $email_address = tep_db_prepare_input($HTTP_POST_VARS['email_address']);
    $password = tep_db_prepare_input($HTTP_POST_VARS['password']);

    // Check if email exists
    $check_admin_query = tep_db_query("select admin_id as login_id, admin_groups_id as login_groups_id, admin_firstname as login_firstname, admin_lastname as login_lastname, admin_email_address as login_email_address, admin_password as login_password, admin_modified as login_modified, admin_logdate as login_logdate, admin_lognum as login_lognum from " . TABLE_ADMIN . " where admin_email_address = '" . tep_db_input($email_address) . "'");
    if (!tep_db_num_rows($check_admin_query)) {
      $HTTP_GET_VARS['login'] = 'fail';
    } else {
      $check_admin = tep_db_fetch_array($check_admin_query);
      // Check that password is good
      if (!tep_validate_password($password, $check_admin['login_password'])) {
        $HTTP_GET_VARS['login'] = 'fail';
      } else {
        if (tep_session_is_registered('password_forgotten')) {
          tep_session_unregister('password_forgotten');
        }

        $login_id = $check_admin['login_id'];
        $login_groups_id = $check_admin['login_groups_id'];
        $login_firstname = $check_admin['login_firstname'];
        $login_lastname = $check_admin['login_lastname'];
        $login_email_address = $check_admin['login_email_address'];
        $login_logdate = $check_admin['login_logdate'];
        $login_lognum = $check_admin['login_lognum'];
        $login_modified = $check_admin['login_modified'];

        tep_session_register('login_id');
        tep_session_register('login_groups_id');
        tep_session_register('login_firstname');
        tep_session_register('login_lastname');

        //$date_now = date('Ymd');
        tep_db_query("update " . TABLE_ADMIN . " set admin_logdate = now(), admin_lognum = admin_lognum+1 where admin_id = '" . $login_id . "'");

        if (($login_lognum == 0) || !($login_logdate) || ($login_email_address == 'admin@localhost') || ($login_modified == '0000-00-00 00:00:00')) {
          tep_redirect(tep_href_link(FILENAME_ADMIN_ACCOUNT));
        } else {
          tep_redirect(tep_href_link(FILENAME_DEFAULT));
        }
      }
    }
  }
}
```

This snippet is from where the form is first drawn, all the way to the footer.

```php
<?php echo tep_draw_form('login', FILENAME_LOGIN, 'get', 'onSubmit="return check_form(login);"') . tep_draw_hidden_field('action', 'process'); ?>
<table width="280" border="0" cellspacing="0" cellpadding="2">
  <tr>
    <td class="login_heading" valign="top"> <b><?php echo HEADING_RETURNING_ADMIN; ?></b></td>
  </tr>
  <tr>
    <td height="100%" valign="top" align="center">
      <table border="0" height="100%" cellspacing="0" cellpadding="1" bgcolor="#666666">
        <tr><td><table border="0" width="100%" height="100%" cellspacing="3" cellpadding="2" bgcolor="#F0F0FF">
<?php
// if ($HTTP_GET_VARS['login'] == 'fail') {
//   $info_message = TEXT_LOGIN_ERROR;
// }
// BOF
// Contrib: Human confirmation v1.2
  if ( ($process_okay == true) && ($thecode_okay == false) ) {
    $info_message = ENTRY_HUMANCHECK_ERROR;
  }
// EOF
// Contrib: Human confirmation v1.2
  if (isset($info_message)) {
?>
          <tr>
            <td colspan="2" class="smallText" align="center"><?php echo $info_message; ?></td>
          </tr>
<?php
  } else {
?>
          <tr>
            <td colspan="2"><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
          </tr>
<?php
  }
?>
          <tr>
            <td class="login"><?php echo ENTRY_EMAIL_ADDRESS; ?></td>
            <td class="login"><?php echo tep_draw_input_field('email_address'); ?></td>
          </tr>
          <tr>
            <td class="login"><?php echo ENTRY_PASSWORD; echo $cool; ?></td>
            <td class="login"><?php echo tep_draw_password_field('password'); ?></td>
          </tr>
          <tr>
            <td>
<?
// BOF
// Contrib: Human confirmation v1.2
  if (!tep_session_is_registered('noautamationcode')) tep_session_register('noautamationcode');
  include('includes/human_confirmation.php');
  tep_session_close('noautamationcode');
// EOF
// Contrib: Human confirmation v1.2
?>
            </td>
          </tr>
          <tr>
            <td colspan="2" align="right" valign="top"><?php echo tep_image_submit('button_confirm.gif', IMAGE_BUTTON_LOGIN); ?></td>
          </tr>
        </table></td></tr>
      </table>
    </td>
  </tr>
  <tr>
    <td valign="top" align="right"><?php echo '<a class="sub" href="' . tep_href_link(FILENAME_PASSWORD_FORGOTTEN, '', 'SSL') . '">' . TEXT_PASSWORD_FORGOTTEN . '</a><span class="sub"> </span>'; ?></td>
  </tr>
</table>
</form><?php require('includes/form_check.js.php'); ?>
</td>
</tr>
</table></td>
</tr>
<tr>
  <td><?php require(DIR_WS_INCLUDES . 'footer.php'); ?></td>
```

Anyone have any insight on what I'm doing wrong? I really think this can improve the security of this contrib dramatically, since script-kiddies would be powerless... :D

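Added example (not part of the post and not code from osCommerce or Human Confirmation): a server-side check for a login challenge like the one discussed above, which fails closed when no code was issued, uses each code once, compares strictly, and accepts credentials only from a POST body. The session key `noautamationcode` and the field names `thecode`, `email_address` and `password` are taken from the post; `verify_challenge()`, `handle_login()`, the credential callback and all sample values are assumptions.

```php
<?php
// Added example, not code from osCommerce or Human Confirmation.
// verify_challenge() and handle_login() are hypothetical helpers.

// Compare the submitted code with the one stored when the image was drawn.
function verify_challenge(array &$session, $submitted) {
  $expected = isset($session['noautamationcode']) ? $session['noautamationcode'] : null;
  unset($session['noautamationcode']);        // single use, whether it passes or fails
  if (!is_string($expected) || $expected === '') return false;   // no code issued: fail closed
  if (!is_string($submitted) || $submitted === '') return false; // nothing typed: fail
  return hash_equals($expected, $submitted);  // strict, constant-time comparison
}

// $checkCredentials stands in for the store's own account lookup and password check.
function handle_login(array &$session, $method, array $post, $checkCredentials) {
  if ($method !== 'POST') return 'show_form'; // keeps passwords out of URLs and access logs
  $code = isset($post['thecode']) ? $post['thecode'] : null;
  if (!verify_challenge($session, $code)) return 'challenge_failed';
  $email = isset($post['email_address']) && is_string($post['email_address'])
    ? $post['email_address'] : '';
  $password = isset($post['password']) && is_string($post['password'])
    ? $post['password'] : '';
  return $checkCredentials($email, $password) ? 'logged_in' : 'login_failed';
}

// Constructed account and requests.
$hash = password_hash('sample-Passw0rd', PASSWORD_DEFAULT);
$check = function ($email, $password) use ($hash) {
  return $email === 'admin@example.test' && password_verify($password, $hash);
};
$good = array('thecode' => 'K7QX2', 'email_address' => 'admin@example.test',
              'password' => 'sample-Passw0rd');
$bad  = array('password' => 'wrong-guess') + $good;

$session = array('noautamationcode' => 'K7QX2');
echo handle_login($session, 'POST', $bad, $check), "\n";   // right code, wrong password
echo handle_login($session, 'POST', $bad, $check), "\n";   // same code sent a second time

$session = array();                                        // no image was ever requested
echo handle_login($session, 'POST', array('thecode' => '') + $good, $check), "\n";

$session = array('noautamationcode' => 'K7QX2');
echo handle_login($session, 'GET', $good, $check), "\n";   // credentials sent in the URL

$session = array('noautamationcode' => 'K7QX2');
echo handle_login($session, 'POST', $good, $check), "\n";  // code and password both valid
```
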
booncc Posted September 27, 2006

Which one should I install:

http://www.oscommerce.com/community/contributions,1359
http://www.oscommerce.com/community/contributions,1174
http://www.oscommerce.com/community/contributions,2037

Can someone help me to decide which one is better, easier to use and install, ... I only need to have more than 1 admin, and that some of them only be able to enter new products, but cannot do anything more in the admin area.

Thanks in advance. ;)

tbond Posted September 28, 2006

Hi Gang,

I have been trying to install BOTH the Admin Access and Multi Vendor Shipping contribs. They don't seem to work together, but it might be me of course...

Anyway, there is a vital need for Vendors who are going to enter their own products thru Admin Access to ONLY be able to modify their own products, and not the products entered by other vendors. While I can get either contrib to work alone okay-ish, I'm not sure they will together accomplish what I want.

I want ONE big store with lots of products, some of which are sold by this vendor and some by others. I do NOT want to create different categories for each vendor like a Mall would do. I just want the vendor to see only their products when they log into the store, and still be able to put products into the big store's pre-existing categories, modify the products, change prices, shipping weights, etc. They do NOT need to be able to create new categories, nor any other admin functions. Just add/delete/modify products. And only their OWN products.

Any ideas?

-- Tom Bond, ClubRestock.com

booncc Posted October 4, 2006

I installed this contrib: http://www.oscommerce.com/forums/index.php?sho...=186194&hl=

I did everything as it said in the readme, and... DOESN'T WORK WELL

For me:

1) It is impossible to change the password of the created account "admin@localhost", I can only modify the name and emails, but not the password. Why???

2) If I create another admin account I CAN NOT ENTER A PASSWORD, and of course there is no way to know what it is

3) To enter the admin area I have to enter 2 times the first account details: name and password, and after this I arrive at another web page where I have to enter the new account email and password. Is this the correct way to work for this mod?? If this is the way I will have to give the main password to all admins, and I don't want to do this.

PLEASE HELP

EM60 Posted October 15, 2006

Help Please!

I have an error which I think is caused by the position of closing brackets }} within /admin/categories.php

To see the error please click below to see a screen capture: please click here

If I remove the 2 closing brackets I get a parse error as follows:

```
Parse error: syntax error, unexpected $end in /home/cashregi/public_html/catalog/admin/categories.php on line 1306
```

If anyone is in a position to help I would be ever so grateful.

Thank you
Edwin