1.5.0BETA - Admin Access Management
When adding a new admin user the email field is preset to the superuser user name and this would not process as a valid email-address.
Also missing the capability to hide some unused menus for the superuser.
(Never used the gift certificate/coupons and extras menus and always used the admin profiles addon to clean up the admin for the super-user)
Re: 1.5.0BETA - Admin Access Management
The presetting of the email field sounds like something that's happening in your browser. Zen Cart makes no attempt to preset that field. But it will prevent you from creating the new user without a properly formatted email address.
Although Admin Profiles was more commonly used to prevent "other people" from accessing everything, the way in which you were using it was the reason for which I originally wrote it. So your point is understood. However, you'll need to do it slightly differently going forward.
The superuser setting is designed to show everything. So to work with some menus hidden, create a profile, "Store Owner" say, that has just the ones you want and attach that profile to your user ID.
You will still need a superuser though. That's by design too, to stop people from accidentally cutting themselves off from the Admin Access menu. So you may need to create an additional user, even if they're rarely if ever used.
Re: 1.5.0BETA - Admin Access Management
You are right, it was my Firefox playing up.
Tested on a machine virgin to the test install and then the fields come up empty so it is not really a ZC bug but anyhow confusing.
I have my concerns about this whole new concept and the PA-DSS restrictions but not yet figured out where to post these concerns.
Re: 1.5.0BETA - Admin Access Management
I tend to agree. Some of the changes in this area sort of make sense from a technical security viewpoint, but are a bit counter-productive from a behavioural perspective and certainly reduce usability.
And then many of the requirements are open to interpretation, which understandably encourages auditors to play safe by erring towards even more restrictive judgements.
Concrete examples:
Longer and more complex passwords make it more difficult for somebody to guess your password. Fair enough. But push that too far and add enforced changes and no re-use, and people can't remember their own passwords. So they write them down, which plays straight into the most common type of business fraud, which is internal, by employees using other employees' passwords. These regs don't feel to me like they got the balance right.
And wouldn't automated or one-click updates and security patches make systems more secure? But I'm told that would get in the way of the audit process!!!