osCommerce


[CONTRIB] Admin Access Level Accounts for MS2


papasan


I am trying to uninstall this contribution as it conflicts with another contribution that I need, and I commented out everything.....I think, but now how do I get the Admin table in the SQL back to its original state? I can't find it anywhere.

 

Any help would be appreciated.


And this contribution conflicts with which other contribution?

 

I'm thinking of installing this contribution but my osCommerce has many contributions installed...

 

And which version have you downloaded to install??

 

Regards, Andre.


It is conflicting with the installation of Multi Vendor Shipping V1.1, I am hoping to get that installed and then reinstall this one and hopefully it won't conflict, but who knows. I have Admin Access 2.2.


Try Simple Admin Access Control; it is much easier to install and can be more specific than AAL.

 

http://www.oscommerce.com/community/contributions,2701

 

http://www.oscommerce.com/forums/index.php?showtopic=125058


Hello

 

I could install this contrib, and principally all is working fine, but now I need help with this error message. I've spent some hours reading this thread but nobody has the same problem.

 

 

This is the error message I get when I open a product to edit it or when I choose "new product"

 

 

Fatal error: Call to undefined function: tep_draw_mselect_menu() in /var/www/my-web/html/my-shop/catalog/admin/categories.php on line 684

The code in this line is:

 

<tr>
		<td class="main"><?php echo TEXT_CATEGORIES; ?></td>
		<td class="main"><?php echo tep_draw_separator('pixel_trans.gif', '24', '15') . '?' . tep_draw_mselect_menu('categories_ids[]', $categories_array, $categories_array_selected, 'size=10'); ?></td>
	  </tr>

 

 

Any idea. Please help.

 

 

Cheers Amigoo


Hello folk,

 

I'm very stupid.

The install advice said: Replace some code in catalog/admin/includes/functions/html_output.php

and I have changed the code in catalog/includes/functions/html_output.php.

 

Now all is working fine. Sorry for the trouble.


Installed contrib Access with Level Account 2.2a and it works great. I just did a stupid thing when I created a new user; I did not assign them to a group, and now the user gives me an error. How do I delete the account or assign it to a group?


Installed the latest version of Admin Access Level Accounts; now clicking admin > member groups > Top administrator > edit takes you to store/admin/admin_members.php?page=1&mID=1&action=edit_member and produces:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/userid/public_html/admin/includes/functions/database.php on line 107

has anyone got any clues?


OK, I'm stumped: I'm testing out my installation and I created a new member of the "Customer Relations" group. However, where do I set this person's password? Is there some default for this?

 

Thanks!

 

-= Dave =-


You cannot set a person's password when you first add them. The script for this contribution has the store send the person you added an email with their new auto-generated password. If you can access that person's email box, the email sent will show you that password.

If you don't have access to the new user's mailbox, go to phpMyAdmin and copy the admin user name and password into the new user's fields. Voila..... you have access to the new user account. When you don't need access any more, change the password and email from his account. The store will send it.


Yeah, that's what I did as a temporary work-around. I didn't realize that an email alert goes out to the person once I've created their account.

 

Thanks!

 

-= Dave =-

any clues ?

same error here.

 

I've solved it changing a bracket position, in admin_members.php, near line 600.

 

Take a look at the code below, and look for my 2 comments //changed by bill, near the end:

 

		while ($n < tep_db_num_rows($top_categories_query)) {
	  $top_categories = tep_db_fetch_array($top_categories_query);
	  $top_categories_name_query = tep_db_query("select categories_name from " . TABLE_CATEGORIES_DESCRIPTION . " where language_id=2 and categories_id=" . $top_categories['categories_id']);
	  $top_categories_name = tep_db_fetch_array($top_categories_name_query);
	  if (in_array($top_categories['categories_id'],$str_cat_no_array)) {
		$is_selected = true;
	  } else {
		$is_selected = false;
	  }
	  $all_categories .= tep_draw_checkbox_field('admin_cat_access_' . $n, $top_categories['categories_id'],$is_selected) . " " . $top_categories_name['categories_name'] . " (ID" . $top_categories['categories_id'] . ")<br> ";
	  $n = $n + 1;
	}
//	  } //changed by bill

  $contents[] = array('text' => '<br> <b>' . TEXT_INFO_CATEGORIEACCESS . '</b><br> ' . $all_categories);
  $contents[] = array('text' => tep_draw_hidden_field('admin_cat_access_fields', tep_db_num_rows($top_categories_query)));
  } //changed by bill

// Thomas Schittli: End Bugfixes

 

Cya,

Billsoft.

Billsoft, great find , you are a champ.

Fantastic! This fixed a problem I didn't realise I had.


Reposting this from another thread. Has anyone done a security audit on AAL 2.2a? Are there any known exploits for this contrib? Thanks

 

Hi Iggy ... yes, that is one problem I've noticed. I am not a wizard at php but understand a good portion. It seems the Admin side of the catalog is not using the same session code ... which seems to be better written on the catalog side. I have read that the osc admin code was written by different osc programmers who all had their own ideas on how things should be done.

 

One thing I noticed is that if you forget to do the logout in admin access the session is not destroyed .. sometimes if I reopen my browser and type an admin url to a file I can bypass the login intermittently.

 

I also noticed that even when restricting files to certain admins, like categories.php for example ... certain critical function buttons can be accessed if you know what url parameters and categories id etc to use. For example the copy, move, duplicate buttons are only disabled because the admin level is not equal to 1 .... but if you type in the correct url and parameters ... there is no code to stop the execution.

 

I have been adding bits and pieces of code myself to try and add more logic to the checking of admin levels and which buttons can be clicked etc .. but it is a slow, complicated process. If someone was really good with code, the Admin Access mod needs some core code added for selecting which buttons on pages can be used ... like Insert and New Product etc., but I am not sure what the best way to go about this would be because there are other factors involved, like any other mods which people have installed that have button links etc.

 

All in all I think Admin Access is a very impressive mod though and the creators and the contributors concepts are awesome. I can see this one going a long way and being developed further.

 

Well, there's a certain level of trust involved to hand out an admin pass in the first place, so in the cases above, although it would be good to get those fixed up, the security breach is the top admin.

 

As far as someone coming to the admin without a login/pass I can't see that there's an exploit that gets them past the login page (which doesn't mean there isn't one just that I can't figure out how to do it :) other than brute forcing it.

 

Someone ( ask not what osC can do for you people ) should update the admin contrib to include an index.php in all the subdirs though and especially in backups as that's wide open to anyone who knows the path.

 

Iggy

Everything's funny but nothing's a joke...


Here's the index.php I'm adding to all my /admin/subdirs

 

Hope it's helpful to someone

 

<?php
// NB: $_SESSION is only populated once a session has been started under the
// admin's session name; this stand-alone file never calls session_start(), so
// the isset() below is false for everyone, logged in or not.
if (isset($_SESSION['osCAdminID'])) {
  echo 'Session exists';
} else {
  echo 'You really ought to login first shouldn\'t you?';
}
?>

 

Iggy

Everything's funny but nothing's a joke...

 

Actually that doesn't seem to do anything but keep everyone out. Still, better than a kick in the head when someone steals your backup files.

 

Iggy

Everything's funny but nothing's a joke...
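An index.php for an admin subdirectory that actually checks the admin session and sends everyone else to the login page, as an added example that is not Iggy's or the contribution's code. It assumes the admin session is named 'osCAdminID', that Admin Access Level Accounts stores the admin's id under 'login_id' (as the login.php excerpt later in this thread does), and that the login page is '../login.php'.

```php
<?php
// Added example (not from the original post): admin-subdirectory index.php
// that redirects anyone without a valid admin session to the login page.
// Assumed names: session 'osCAdminID', session key 'login_id', '../login.php'.
$admin_session_name = 'osCAdminID';
$admin_session_key  = 'login_id';
$login_page         = '../login.php';

/**
 * True only when the session holds a positive integer admin id.
 * Kept separate from the page so the rule can be exercised on its own.
 */
function admin_session_is_valid(array $session, $key)
{
    if (!isset($session[$key])) {
        return false;
    }
    $id = (string)$session[$key];
    return ctype_digit($id) && (int)$id > 0;
}

// Nothing served from here may be cached by browsers or proxies.
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Pragma: no-cache');
header('Expires: 0');

// $_SESSION stays empty until a session is started under the admin's own
// session name; a bare isset($_SESSION[...]) in a stand-alone file never sees it.
session_name($admin_session_name);
session_start();

if (!admin_session_is_valid($_SESSION, $admin_session_key)) {
    header('Location: ' . $login_page, true, 303);
    exit;
}

// Authenticated admins get a placeholder instead of a directory listing.
header('Content-Type: text/plain');
echo "Nothing to see here.\n";
```

An index.php only suppresses directory listings; it does not stop the web server from serving the other files in that directory, so backups should also be denied at the web-server level or kept outside the document root.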


I have been tirelessly trying to integrate Human Confirmation V1.2 into the login.php. I'm thinking that since brute force programs are essentially bots, this would prevent brute force attacks. Does anyone have any ideas on how to get this to work?

 

The contribution I'm trying to integrate is here: http://www.oscommerce.com/community/contri...an+confirmation

 

I just took snippets of it and pasted it into login.php in several different places, and followed the instructions, and instead of placing files in catalog/includes, I placed them in admin/includes, and such. When I go to type in the verification code, it comes back correct, but it just refreshes the page and none of the login script is done!? I am so frustrated.

 

Here is the top portion of the code, modified to include the human verification script that would normally be placed in "create_account.php".

 

  require('includes/application_top.php');

//START HUMAN VERIFICATION  
// BOF // Contrib: Human confirmation v1.2

 $noautomationcode = $HTTP_SESSION_VARS["noautamationcode"];

 // -> v1.1 // Changed to work w/ random image names
 $img_dir  = $HTTP_SESSION_VARS["noautamationdir"];
 $img_name = $HTTP_SESSION_VARS["noautamationname"];
 // Find and delete old images
 if (strlen($img_name) >= 6) {
$dirHandle = dir($img_dir);
while($fileHandle = $dirHandle->read()) {
  if (substr($fileHandle,0,strlen($img_name)) == $img_name)
	@unlink($img_dir.$fileHandle);
}
$dirHandle->close();
 }
 // <- v1.1 // Changed to work w/ random image names
if (isset($HTTP_GET_VARS['action'])  && ($HTTP_GET_VARS['action'] == 'process')) {

if (isset($HTTP_GET_VARS['thecode']) && ($HTTP_GET_VARS['thecode'] == $noautomationcode )) {

// EOF // Contrib: Human confirmation v1.2
//END HUMAN VERIFICATION

$email_address = tep_db_prepare_input($HTTP_POST_VARS['email_address']);
$password = tep_db_prepare_input($HTTP_POST_VARS['password']);

// Check if email exists
$check_admin_query = tep_db_query("select admin_id as login_id, admin_groups_id as login_groups_id, admin_firstname as login_firstname, admin_lastname as login_lastname, admin_email_address as login_email_address, admin_password as login_password, admin_modified as login_modified, admin_logdate as login_logdate, admin_lognum as login_lognum from " . TABLE_ADMIN . " where admin_email_address = '" . tep_db_input($email_address) . "'");
if (!tep_db_num_rows($check_admin_query)) {
  $HTTP_GET_VARS['login'] = 'fail';
} else {
  $check_admin = tep_db_fetch_array($check_admin_query);
  // Check that password is good
  if (!tep_validate_password($password, $check_admin['login_password'])) {
	$HTTP_GET_VARS['login'] = 'fail';
  } else {
	if (tep_session_is_registered('password_forgotten')) {
	  tep_session_unregister('password_forgotten');
	}

	$login_id = $check_admin['login_id'];
	$login_groups_id = $check_admin['login_groups_id'];
	$login_firstname = $check_admin['login_firstname'];
	$login_lastname = $check_admin['login_lastname'];
	$login_email_address = $check_admin['login_email_address'];
	$login_logdate = $check_admin['login_logdate'];
	$login_lognum = $check_admin['login_lognum'];
	$login_modified = $check_admin['login_modified'];

	tep_session_register('login_id');
	tep_session_register('login_groups_id');
	tep_session_register('login_firstname');
	tep_session_register('login_lastname');

	//$date_now = date('Ymd');
	tep_db_query("update " . TABLE_ADMIN . " set admin_logdate = now(), admin_lognum = admin_lognum+1 where admin_id = '" . $login_id . "'");

	if (($login_lognum == 0) || !($login_logdate) || ($login_email_address == 'admin@localhost') || ($login_modified == '0000-00-00 00:00:00')) {
	  tep_redirect(tep_href_link(FILENAME_ADMIN_ACCOUNT));
	} else {
	  tep_redirect(tep_href_link(FILENAME_DEFAULT));
	}

  }
}
 }
}

 

This snippet is from where the form is first drawn, all the way to the footer.

<?php echo tep_draw_form('login', FILENAME_LOGIN, 'get', 'onSubmit="return check_form(login);"') . tep_draw_hidden_field('action', 'process'); ?>
<table width="280" border="0" cellspacing="0" cellpadding="2">
<tr>
<td class="login_heading" valign="top"> <b><?php echo HEADING_RETURNING_ADMIN; ?></b></td>
</tr>
<tr>
<td height="100%" valign="top" align="center">
<table border="0" height="100%" cellspacing="0" cellpadding="1" bgcolor="#666666">
<tr><td><table border="0" width="100%" height="100%" cellspacing="3" cellpadding="2" bgcolor="#F0F0FF">
<?php
// if ($HTTP_GET_VARS['login'] == 'fail') {
// $info_message = TEXT_LOGIN_ERROR;
// }
// BOF // Contrib: Human confirmation v1.2
if ( ($process_okay == true) && ($thecode_okay == false) ) {
$info_message = ENTRY_HUMANCHECK_ERROR;
}
// EOF // Contrib: Human confirmation v1.2
if (isset($info_message)) {
?>
<tr>
<td colspan="2" class="smallText" align="center"><?php echo $info_message; ?></td>
</tr>
<?php
} else {
?>
<tr>
<td colspan="2"><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
</tr>
<?php
}
?>
<tr>
<td class="login"><?php echo ENTRY_EMAIL_ADDRESS; ?></td>
<td class="login"><?php echo tep_draw_input_field('email_address'); ?></td>
</tr>
<tr>
<td class="login"><?php echo ENTRY_PASSWORD; echo $cool; ?></td>
<td class="login"><?php echo tep_draw_password_field('password'); ?></td>
</tr>
<tr>
<td>
<?php
// BOF // Contrib: Human confirmation v1.2
if (!tep_session_is_registered('noautamationcode')) tep_session_register('noautamationcode');
include('includes/human_confirmation.php');
tep_session_close('noautamationcode');
// EOF // Contrib: Human confirmation v1.2
?>
</td>
</tr>
<tr>
<td colspan="2" align="right" valign="top"><?php echo tep_image_submit('button_confirm.gif', IMAGE_BUTTON_LOGIN); ?></td>
</tr>
</table></td></tr>
</table>
</td>
</tr>
<tr>
<td valign="top" align="right"><?php echo '<a class="sub" href="' . tep_href_link(FILENAME_PASSWORD_FORGOTTEN, '', 'SSL') . '">' . TEXT_PASSWORD_FORGOTTEN . '</a><span class="sub"> </span>'; ?></td>
</tr>
</table>
</form>
<?php require('includes/form_check.js.php'); ?>
</td>
</tr>
</table></td>
</tr>
<tr>
<td><?php require(DIR_WS_INCLUDES . 'footer.php'); ?></td>

 

Anyone have any insight on what I'm doing wrong?

 

I really think this can improve the security of this contrib dramatically, since script-kiddies would be powerless... :D
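The gate the login.php excerpt above is working towards (human check first, then credentials, with each confirmation code usable once), as an added example that is not the contribution's or the poster's code. $lookup_admin and $validate_password are assumed stand-ins for the original's admin-table query and tep_validate_password(); the fixture account is constructed.

```php
<?php
// Added example (not the contribution's code): the login gate as one testable
// function. $lookup_admin / $validate_password stand in for the original's
// admin-table query and tep_validate_password(); the fixture below is made up.
define('LOGIN_NO_ACTION',    'no_action');    // form not submitted yet
define('LOGIN_CAPTCHA_FAIL', 'captcha_fail'); // human check missing or wrong
define('LOGIN_FAIL',         'fail');         // unknown e-mail or bad password
define('LOGIN_OK',           'ok');

/**
 * @param array    $get               query string; only 'action' is read here
 * @param array    $post              form body: thecode, email_address, password
 * @param array    $session           session store; 'noautamationcode' holds the expected code
 * @param callable $lookup_admin      fn(string $email): ?array  admin row or null
 * @param callable $validate_password fn(string $plain, string $stored): bool
 */
function process_admin_login(array $get, array $post, array &$session,
                             callable $lookup_admin, callable $validate_password)
{
    if (!isset($get['action']) || $get['action'] !== 'process') {
        return LOGIN_NO_ACTION;
    }

    // Human check first, and the expected code is consumed on the spot, so a
    // single solved image cannot be reused for many password attempts.
    $expected = isset($session['noautamationcode']) ? (string)$session['noautamationcode'] : '';
    unset($session['noautamationcode']);
    $given = isset($post['thecode']) ? (string)$post['thecode'] : '';
    if ($expected === '' || !hash_equals($expected, $given)) {
        return LOGIN_CAPTCHA_FAIL;
    }

    // Credentials are read from the POST body, never from the query string,
    // so they do not end up in web-server and proxy logs.
    $email    = isset($post['email_address']) ? trim((string)$post['email_address']) : '';
    $password = isset($post['password']) ? (string)$post['password'] : '';
    $admin    = $lookup_admin($email);

    // One result for "no such account" and "wrong password": nothing to enumerate.
    if ($admin === null || !$validate_password($password, $admin['admin_password'])) {
        return LOGIN_FAIL;
    }

    // Privilege changed: rotate the session id, then register the identity
    // the rest of the admin reads (login_id, login_groups_id).
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $session['login_id']        = (int)$admin['admin_id'];
    $session['login_groups_id'] = (int)$admin['admin_groups_id'];
    return LOGIN_OK;
}

// Constructed fixture standing in for the admin table and the password check.
function demo_lookup_admin($email)
{
    static $table = null;
    if ($table === null) {
        $table = array('owner@example.invalid' => array(
            'admin_id'        => 1,
            'admin_groups_id' => 1,
            'admin_password'  => password_hash('correct horse', PASSWORD_DEFAULT),
        ));
    }
    return isset($table[$email]) ? $table[$email] : null;
}
function demo_validate_password($plain, $stored)
{
    return password_verify($plain, $stored);
}

$session = array('noautamationcode' => 'x7k2q');
$get     = array('action' => 'process');
$post    = array('thecode' => 'x7k2q', 'email_address' => 'owner@example.invalid', 'password' => 'correct horse');
$first   = process_admin_login($get, $post, $session, 'demo_lookup_admin', 'demo_validate_password');
$replay  = process_admin_login($get, $post, $session, 'demo_lookup_admin', 'demo_validate_password');
echo "first attempt: $first, replayed code: $replay\n";
```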


Which one should I install:

 

http://www.oscommerce.com/community/contributions,1359

 

http://www.oscommerce.com/community/contributions,1174

 

http://www.oscommerce.com/community/contributions,2037

 

Can someone help me decide which one is better, easier to use and install, ...

 

I only need to have more than 1 admin, and that some of them only be able to enter new products, but cannot do anything more in the admin area.

 

Thanks in advance. ;)


Hi Gang,

 

I have been trying to install BOTH the Admin Access and Multi Vendor Shipping contribs. They don't seem to work together, but it might be me of course...

 

Anyway, there is a vital need for Vendors who are going to enter their own products thru Admin Access to ONLY be able to modify their own products, and not the products entered by other vendors.

 

While I can get either contrib to work alone okay-ish, I'm not sure they will together accomplish what I want. I want ONE big store with lots of products, some of which are sold by this vendor and some by others. I do NOT want to create different categories for each vendor like a Mall would do.

 

I just want the vendor to see only their products when they log into the store, and still be able to put products into the big store's pre-existing categories, modify the products, change prices, shipping weights, etc.

 

They do NOT need to be able to create new categories, nor any other admin functions. Just add/delete/modify products. And only their OWN products.

 

Any ideas?

 

-- Tom Bond,

ClubRestock.com


I installed this contrib:

http://www.oscommerce.com/forums/index.php?sho...=186194&hl=

 

I did everything as it said in the readme, and... IT DOESN'T WORK WELL

 

For me:

 

1) It is impossible to change the password of the created account "admin@localhost"; I can only modify the name and emails, but not the password.

Why???

 

2) If I create another admin account I CAN NOT ENTER A PASSWORD, and of course there is no way to know what it is

 

3) To enter the admin area I have to enter the first account's details (name and password) 2 times, and after this I arrive at another web page where I have to enter the new account's email and password.

Is this the correct way to work for this mod??

If this is the way, I will have to give the main password to all admins, and I don't want to do this.

 

 

PLEASE HELP


Help Please !

 

I have an error which I think is caused by the position of closing brackets }} within /admin/categories.php

 

To see the error please click below

to see a screen capture please click here

 

If I remove the 2 closing brackets I get a parse error as follows

Parse error: syntax error, unexpected $end in /home/cashregi/public_html/catalog/admin/categories.php on line 1306

 

If anyone is in a position to help I would be ever so grateful.

Thank you

Edwin
