Page 1 of 2 (Results 1 to 10 of 17)
  1. #1
    Member: Suffolk VA, joined Jun 2016, 590 posts, 0 plugin contributions

    Login restrictions (and possible security problem)

    I'm working on a plugin that will be used by only a small number of employees. They should not see any other aspects of company operation on the admin side, but there appears to be no way to shut them out of everything. I added a test user to find out what they would see, and enabled nothing but a single one of the admin tools (just so something would show up). This test user can see the entire admin dashboard with customer names, phone numbers and email addresses, company statistics, and a lot of things I don't want them to see. I think this could be a security concern for many companies.

    The only menu items available to them were Modules, Customers, Locations / Taxes, Localization, Reports, Tools, and Discounts, and there was only a limited number of choices under each of those menus. But I do not want these employees to see anything other than the single plugin that they will be using. Is there some reasonably uncomplicated way to do that, so that when a person with a certain profile logs in, the screen goes directly to the code they need to see and use?

  2. #2
    Member: Tampa Bay, Florida, joined Feb 2006, 9,696 posts, 123 plugin contributions

    Re: Login restrictions (and possible security problem)

    That Software Guy. My Store: Zen Cart Modifications
    Available for hire - See my ad in Services
    Plugin Moderator, Documentation Curator, Chief Cook and Bottle-Washer.
    Do you benefit from Zen Cart? Then please support the project.

  3. #3
    Member: Suffolk VA, joined Jun 2016, 590 posts, 0 plugin contributions

    Re: Login restrictions (and possible security problem)

    I did all of that. But it appears that I inadvertently chose the wrong user profile to assign the test user to. When I went back and corrected that, the test user could still see some company statistics, but nothing else beyond what I had enabled for that profile.

    However, that doesn’t solve the underlying problem of wanting this group of employees to go straight to the plug-in I’m writing when they log in, without seeing any other company information. They have no reason or need to do so. I don’t want them to see a message that their login credentials don’t give them access to other things, because they don’t need to know there are other things they might be able to get access to. Is that not possible?

  4. #4
    Member: Tampa Bay, Florida, joined Feb 2006, 9,696 posts, 123 plugin contributions

    Re: Login restrictions (and possible security problem)

    You'd have to write some custom code to get the behavior you are describing.

  5. #5
    Member: Suffolk VA, joined Jun 2016, 590 posts, 0 plugin contributions

    Re: Login restrictions (and possible security problem)

    Quote Originally Posted by swguy:
    > You'd have to write some custom code to get the behavior you are describing.
    Yes, that is what I asked for help with. Is there some reasonably uncomplicated way to do this? Even a hint in the right direction would be useful. I know that you can enable certain things when an admin is logged in, so I assume the opposite action could be undertaken as well. I'll eventually figure it out on my own, but any assistance would be appreciated.

  6. #6
    Member: Tampa Bay, Florida, joined Feb 2006, 9,696 posts, 123 plugin contributions

    Re: Login restrictions (and possible security problem)

    A simple change would be just to not show any data on the home page. Edit admin/index_dashboard.php and wrap the div with id "colone" with

    <?php if (zen_is_superuser()) { ?>

    and end it with <?php } ?>

  7. #7
    Member: Suffolk VA, joined Jun 2016, 590 posts, 0 plugin contributions

    Re: Login restrictions (and possible security problem)

    Quote Originally Posted by swguy:
    > A simple change would be just to not show any data on the home page. Edit admin/index_dashboard.php and wrap the div with id "colone" with
    >
    > <?php if (zen_is_superuser()) { ?>
    >
    > and end it with <?php } ?>
    Thank you very much indeed. That is almost exactly what I need to do. I'll modify that to allow access to all users other than the one who needs to be completely shut out.

    I'm slowly figuring out the Zencart architecture, so I may ask what seem like stupid questions sometimes. But I am not a newbie to programming (though I'm still learning PHP). So even a little bit of help is usually enough to get me started in the right direction.

  8. #8
    Member: Tampa Bay, Florida, joined Feb 2006, 9,696 posts, 123 plugin contributions

    Re: Login restrictions (and possible security problem)

    > I may ask what seem like stupid questions sometimes.

    Trust me, you're doing fine.

    If you want a little project to increase your knowledge, try this:
    modify the admin_profiles table and associated screen to provide a "home page" for non-superusers.
    (you could also do this by modifying the admin table if you wanted different home pages for different non-superusers.)

    If it works out, you can submit it as a plugin so others can benefit from your work
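An added example (not swguy's code and not part of Zen Cart) of the "home page for non-superusers" idea suggested above, combined with the zen_is_superuser() check from post #6: a hypothetical home_page column on admin_profiles names the page a non-superuser is sent to after login. It assumes Zen Cart 1.5.x conventions for $db->Execute(), TABLE_ADMIN, TABLE_ADMIN_PROFILES, zen_href_link() and zen_redirect(); the page names in the allow-list are constructed.

```php
<?php
// Allow-list of admin page names a profile may be redirected to. The target
// comes from the database, so it is checked here rather than trusted: a typo
// or a tampered row falls back to the normal dashboard, never to an arbitrary URL.
const NON_SUPERUSER_LANDING_PAGES = ['my_plugin_page', 'index']; // constructed names

/**
 * Return the admin page the current non-superuser should land on, or null when
 * the user is a superuser or the profile has no valid home page configured.
 * Assumes a hypothetical `home_page` VARCHAR column on admin_profiles.
 */
function zen_profile_landing_page(int $admin_id): ?string
{
    global $db;
    if (zen_is_superuser()) {
        return null; // superusers keep the full dashboard
    }
    $sql = "SELECT p.home_page
              FROM " . TABLE_ADMIN . " a
              JOIN " . TABLE_ADMIN_PROFILES . " p ON p.profile_id = a.admin_profile
             WHERE a.admin_id = " . (int)$admin_id . "
             LIMIT 1";
    $row = $db->Execute($sql);
    if ($row->EOF || empty($row->fields['home_page'])) {
        return null;
    }
    $page = $row->fields['home_page'];
    // Only known page names are honoured; anything else is treated as unset.
    return in_array($page, NON_SUPERUSER_LANDING_PAGES, true) ? $page : null;
}

// Near the top of admin/index.php, after the login/session checks have run:
$landing = zen_profile_landing_page((int)$_SESSION['admin_id']);
if ($landing !== null && $landing !== 'index') {
    zen_redirect(zen_href_link($landing, '', 'SSL'));
}
```

The redirect, like hiding the "colone" div, only changes what the user is shown on arrival; which admin pages the user can actually open is still decided by the profile's page permissions, so those stay as minimal as the plugin allows.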

  9. #9
    Member: Suffolk VA, joined Jun 2016, 590 posts, 0 plugin contributions

    Re: Login restrictions (and possible security problem)

    Quote Originally Posted by swguy:
    > > I may ask what seem like stupid questions sometimes.
    >
    > Trust me, you're doing fine.
    >
    > If you want a little project to increase your knowledge, try this:
    > modify the admin_profiles table and associated screen to provide a "home page" for non-superusers.
    > (you could also do this by modifying the admin table if you wanted different home pages for different non-superusers.)
    >
    > If it works out, you can submit it as a plugin so others can benefit from your work
    Thanks for the suggestion. I hadn't thought of doing anything like that. I may postpone it until after the one I'm working on now is finished. Or I may incorporate it as a configuration setting in the current plugin, which would be a nice refinement.

  10. #10
    Member: Tampa Bay, Florida, joined Feb 2006, 9,696 posts, 123 plugin contributions

    Re: Login restrictions (and possible security problem)

    OK, just an idea based on your original post, where you asked

    > when a person with a certain profile logs in, the screen goes directly to the code they need to see and use?

    What you (probably) have now - most menus turned off, no home page content - is probably intuitive enough that your staff can figure it out.
