  1. #1

    [Done] Admin Identity Change

    There is a minor bug in Admin Tools>Admin Settings which probably most will never notice. It caused me problems when I installed the new Admin Profiles contribution where the effect of the bug is very noticeable.

    The bug is only apparent when register globals is 'On'

    When a new admin is created or an existing admin is deleted the logged in admin identity changes to that of the new or deleted admin. Checking the admin_activity_log table in the database will confirm this.

    The only difference noticeable in Admin Settings would be if the new or deleted admin had a different 'Admin Level' from that of the originally logged in admin. When attempting to 'Edit' the settings for an admin the Admin Levels box would or would not be visible dependent upon the new or deleted admin's permissions and not as per the original login admin's permissions. Most people would not notice this and of course logging out and logging back in corrects this.

    With register globals set 'Off' there is no problem. I know that this is the recommended setting but I believe ZenCart is supposed to work either way.

    I have tested this using v 1.3 and v1.3.0.1 but I also checked an existing install of v1.2.7 and it too has this bug.

    I only came across this on my test server when trying out Admin Profiles. Because I was 'just testing' I hadn't bothered to override the server's register globals setting using .htaccess.
    Caused me a lot of grief before it finally clicked what was wrong.

    Regards,

    Alan

  2. #2

    Re: Admin Identity Change

    /admin/admin.php
    lines 77-78 contain:
    PHP Code:
    $admin_id = zen_db_insert_id();

    $admins_id = $admin_id;
    change to:
    PHP Code:
    $new_admin_id = zen_db_insert_id();

    $admins_id = $new_admin_id;

    and lines 107-109 contain:
    PHP Code:
    $admin_id = zen_db_prepare_input($_GET['adminID']);

    $db->Execute("delete from " . TABLE_ADMIN . " where admin_id = '" . (int)$admin_id . "'");
    change to:
    PHP Code:
    $new_admin_id = zen_db_prepare_input($_GET['adminID']);

    $db->Execute("delete from " . TABLE_ADMIN . " where admin_id = '" . (int)$new_admin_id . "'");
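Why the rename in the reply above fixes the symptom from the first post, as an added example that is not part of either post and is not Zen Cart code: with register_globals On, a session entry and the script variable of the same name are references to one value, so assigning to the variable rewrites the session. The session key name `admin_id`, the ids 1 and 7, and the function `create_admin` are assumptions made for this sketch; the aliasing is emulated with an explicit reference so it runs on current PHP.

```php
<?php
// Added illustration, not Zen Cart source. All values are constructed.
// Assumption: the logged-in admin's id is stored under the session key 'admin_id'.

function create_admin(bool $registerGlobals, bool $patched): int
{
    // Plain array standing in for $_SESSION; admin 1 is logged in.
    $session = ['admin_id' => 1];

    if ($registerGlobals) {
        // Emulates register_globals=On: the variable and the session entry
        // of the same name become references to a single value.
        $admin_id = &$session['admin_id'];
    }

    $insertId = 7; // constructed stand-in for zen_db_insert_id()

    if ($patched) {
        // Renamed variable from the reply: no session key shares this name.
        $new_admin_id = $insertId;
        $admins_id = $new_admin_id;
    } else {
        // Original assignment: writes through the alias into the session.
        $admin_id = $insertId;
        $admins_id = $admin_id;
    }

    // The identity the session now reports for the logged-in admin.
    return $session['admin_id'];
}

foreach ([[true, false], [true, true], [false, false]] as [$rg, $patched]) {
    printf(
        "register_globals=%s patched=%s -> session admin_id=%d\n",
        $rg ? 'On' : 'Off',
        $patched ? 'yes' : 'no',
        create_admin($rg, $patched)
    );
}
```

Only the unpatched code with the aliasing active changes the session's admin id; the other two cases leave the logged-in admin unchanged.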
