Page 1 of 2 12 LastLast
Results 1 to 10 of 188

Hybrid View

  1. #1
    Join Date
    Nov 2007
    Location
    Sunny Coast, Australia
    Posts
    3,378
    Plugin Contributions
    9

    Default Re: Category Specific Access Restriction (CSAR) - [Support Thread]

    Quote Originally Posted by chibipaw View Post
    .....
    Here's what I've discovered:
    If Im not logged in as a user, and try to directly access a restricted product. It'll throw a simple one line note of "OOPS - ILLEGAL ACCESS !".
    However, if I am logged in as a valid user, but this user is NOT a privileged user, I was able to view and add the product to the user's shopping basket.

    I've attempted to apply the hot fix codes in post #9 by replacing the first part of tpl_document_product_info_display.php. Didn't seem to change any of the behavior. But I figured it shouldn't be, since the post is very old, and looks like its for a versions before 2.0.

    Lastly, products by Manufacturer doesn't seem to work at all. Which file controls this anyways? Im guessing it is the default_filter.php file. .....
    Thank you for the heads up. I will have a look at this in the next couple of days. Just returned from a trip to Melbourne and have a pile of (paying) jobs to attend first.

    Leave it with me

    Cheers / Frank

  2. #2
    Join Date
    Jul 2011
    Posts
    163
    Plugin Contributions
    4

    Default Re: Category Specific Access Restriction (CSAR) - [Support Thread]

    Thanks Frank.

    Another thing to consider. My tester had found another bypass using submitting form using Firebug. I have too notice that the view basket/cart function doesn't seem to sanity check for products that are prohibited. Here's the synopsis of his findings. Hope this helps.

    Requirements:
    Firefox with FireBug Plugin ( https://addons.mozilla.org/en-US/firefox/addon/firebug/ )

    If the user loads a non-restricted item page, and then opens the page in firebug, they can edit the following tag in the "Add to Cart Box" section:
    <input type="hidden" name="products_id" value="11321" />
    to input any ID, restricted or otherwise. Then the user can click the Add to Cart button, and the item will be added successfully without any restriction checking done.

    Quote Originally Posted by frank18 View Post
    Thank you for the heads up. I will have a look at this in the next couple of days. Just returned from a trip to Melbourne and have a pile of (paying) jobs to attend first.

    Leave it with me

    Cheers / Frank

  3. #3
    Join Date
    Nov 2007
    Location
    Sunny Coast, Australia
    Posts
    3,378
    Plugin Contributions
    9

    Default Re: Category Specific Access Restriction (CSAR) - [Support Thread]

    Quote Originally Posted by chibipaw View Post
    ......
    Looks like I am able to circumvent this restriction by using Ajeh's method of using any non-restricted category + restricted product id in a url.
    Here's what I've discovered:
    If Im not logged in as a user, and try to directly access a restricted product. It'll throw a simple one line note of "OOPS - ILLEGAL ACCESS !".
    However, if I am logged in as a valid user, but this user is NOT a privileged user, I was able to view and add the product to the user's shopping basket.

    I've attempted to apply the hot fix codes in post #9 by replacing the first part of tpl_document_product_info_display.php. Didn't seem to change any of the behavior. But I figured it shouldn't be, since the post is very old, and looks like its for a versions before 2.0.
    Yep, I could reproduce that.

    Open the file /includes/templates/MY_TEMPLATE/templates/tpl_product_info_display.php, find

    Code:
    if (!$_SESSION['customer_id'] && !$_SESSION['customers_privileges'] > 0 && in_array($result->fields['master_categories_id'],explode(',', CATEGORY_RESTRICTION_LOGIN_CATEGORY)) ) { 
     // block access to this product 
      echo TEXT_ILLEGAL_ACCESS ;
    removed the part in red, change to

    Code:
    if (!$_SESSION['customers_privileges'] > 0 && in_array($result->fields['master_categories_id'],explode(',', CATEGORY_RESTRICTION_LOGIN_CATEGORY)) ) { 
     // block access to this product 
      echo TEXT_ILLEGAL_ACCESS ;
    It is marked for the next updated version.

    Quote Originally Posted by chibipaw View Post
    ......
    Lastly, products by Manufacturer doesn't seem to work at all. Which file controls this anyways? Im guessing it is the default_filter.php file.
    Sorry, I can't reproduce this, you may want to check for merging errors. Products by manufacturer works fine in a few test sites and also on a live 1.5.5a store.

  4. #4
    Join Date
    Jul 2011
    Posts
    163
    Plugin Contributions
    4

    Default Re: Category Specific Access Restriction (CSAR) - [Support Thread]

    Thanks for the update. Excited to finally patch this hole before anyone figures it out.

    On manufacturer checking issue, which are the best files to look into first to diagnose this?

    Thanks.

  5. #5
    Join Date
    Nov 2007
    Location
    Sunny Coast, Australia
    Posts
    3,378
    Plugin Contributions
    9

    Default Re: Category Specific Access Restriction (CSAR) - [Support Thread]

    Quote Originally Posted by chibipaw View Post
    Thanks for the update. Excited to finally patch this hole before anyone figures it out.

    On manufacturer checking issue, which are the best files to look into first to diagnose this?

    Thanks.
    Just in the process of parceling up CSAR 2.2.0 modified for ZC 1.5.5a and will submit in the next day or so.

    PM me your email and I send you a copy of the pack in the next day or 2.

  6. #6
    Join Date
    Jul 2011
    Posts
    163
    Plugin Contributions
    4

    Default Re: Category Specific Access Restriction (CSAR) - [Support Thread]

    Just want to drop a status update.
    Successfully upgraded from ZC 1.5.4 to ZC 1.5.5a. Installed CSAR 2.2.0 without too many merging issues. I did some light testing and have pushed it to the production server. But I still haven't figured out how the mechanics of manufacturer restriction works yet, as setting the restriction mID, I can still freely browse any products. But at least the most important components works great.

    Next step, I'll be installing other less important mods, hopefully nothing will conflict.


    Quote Originally Posted by frank18 View Post
    Just in the process of parceling up CSAR 2.2.0 modified for ZC 1.5.5a and will submit in the next day or so.

    PM me your email and I send you a copy of the pack in the next day or 2.

  7. #7
    Join Date
    May 2011
    Location
    Tennessee
    Posts
    510
    Plugin Contributions
    0

    Default Re: Category Specific Access Restriction (CSAR) - [Support Thread]

    Does anyone know if the 2.1.2 version is compatible with ZC 1.5.5f ?

  8. #8
    Join Date
    May 2011
    Location
    Tennessee
    Posts
    510
    Plugin Contributions
    0

    Default Re: Category Specific Access Restriction (CSAR) - [Support Thread]

    I have tried CSAR 2.1.2 and messed up the 1.5.5f admin and website on both attempts. I just want to see if anyone has successfully installed the CSAR 2.1.2 on ZC 1.5.5f.

  9. #9
    Join Date
    Jul 2011
    Posts
    163
    Plugin Contributions
    4

    Default Re: Category Specific Access Restriction (CSAR) - [Support Thread]

    Quote Originally Posted by jodean View Post
    Does anyone know if the 2.1.2 version is compatible with ZC 1.5.5f ?
    Is there a reason why you want to use an older version with known issues discussed in this thread?
    As of this post, it is version v2.2.0

  10. #10
    Join Date
    May 2011
    Location
    Tennessee
    Posts
    510
    Plugin Contributions
    0

    Default Re: Category Specific Access Restriction (CSAR) - [Support Thread]

    I finally was able to get a merged version of the CSAR files copy over to my website.
    I entered 1,3,4,5,6,7,8,9,10,11,12,13 into the "Set Categories Requiring Customer To Login" leaving 2 out since that is the only category that I want people to see if the do not login. But if you start the website the login screen appears first.

    Is there any chance you would take a look at this website?

    http://middletennesseeflyfishing.com/shop




 

 
Page 1 of 2 12 LastLast

Similar Threads

  1. Category Specific Restriction of Product Price Display (OLD v1 mod)
    By frank18 in forum All Other Contributions/Addons
    Replies: 40
    Last Post: 26 May 2013, 11:38 PM
  2. v150 [Not a bug] Category Specific Access Restriction‏
    By raf696 in forum Bug Reports
    Replies: 3
    Last Post: 17 Mar 2012, 03:26 AM
  3. v150 Category Specific Access Restriction‏
    By raf696 in forum All Other Contributions/Addons
    Replies: 1
    Last Post: 16 Mar 2012, 10:25 PM
  4. v150 Category Specific Access Restriction
    By raf696 in forum All Other Contributions/Addons
    Replies: 0
    Last Post: 13 Mar 2012, 07:36 PM
  5. Gallery Category support thread
    By gjh42 in forum All Other Contributions/Addons
    Replies: 26
    Last Post: 26 Sep 2008, 09:38 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
disjunctive-egg