  1. #1
    Join Date
    Nov 2007
    Location
    Sunny Coast, Australia
    Posts
    3,379
    Plugin Contributions
    9

    Category Specific Access Restriction (CSAR) - [Support Thread]

    In the next couple of days I will be submitting my latest plugin, Category Specific Access Restriction (CSAR).

    This plugin has the official version number 2.0, reason being that I have previously released a mod with a similar name for ZC version 1.3.9h. That particular mod was unsatisfactory as it did not address sideboxes and centre columns. It also could not restrict products by manufacturers.

    Although related to this plugin the original mod and this new plugin are NOT compatible in any way, hence this new support thread and a new version number.


    This plugin allows you to


    1. hide prices of selected categories if the customer is not logged in. The prices of these categories are hidden and the 'Buy Now' button is replaced with 'Login for price'
    2. specify selected categories which can only be accessed by privileged customers, for example paid-up members. The customer must be logged in AND the customer must be individually authorized by the store owner to access the selected category / categories. Just being logged in does not automatically grant access to these 'privileged' categories. The authorization of individual customers is done via the Admin > Customers file.
    3. specify manufacturers whose products are hidden and are only accessible by customers with special 'privileges'. This can be useful if the manufacturer imposes such a restriction upon online stores or if the range of their products is of sensitive nature.


    These categories and manufacturers can be configured via admin and the configuration is stored in the database.

    The chosen configuration is reflected in the centreboxes 'New Products For (month)' , 'Specials' and 'Featured Products' and their corresponding sideboxes.

    The 'Bestsellers' sidebox is disabled unless a 'privileged' customer is logged in. At this stage the 'Bestsellers' sidebox cannot be configured in any other way (I am working on this.....).

    In addition 'All Products' also reflects the chosen configuration.

    The whole store continues to work as normal, customers can browse, see prices, add products to the cart and check out - with the exception of the specified categories and/or manufacturers.

    This mod has been tested to work with Zen Cart v1.5.1 but *may* work with prior versions - use at your own peril, better though: upgrade your store to ZC v1.5.1

    A generic simple demo site is available here

    I will let you know when the new plugin has been approved by the team and is ready for download. A direct download link will be posted here.

    Frank

  2. #2
    Join Date
    Nov 2007
    Location
    Sunny Coast, Australia
    Posts
    3,379
    Plugin Contributions
    9

    Re: Category Specific Access Restriction (CSAR) - [Support Thread]

    A quick update about this plugin:

    During 'final' testing I found some bugs which obviously needed to be fixed before submitting the plugin.

    Unfortunately it has taken me a bit longer than anticipated to get things right. At long last the mod is working to my satisfaction, all that is left to do is a 'cleanup' of comments in the code and finalizing the documentation.

    So, please accept my apologies for the delay, submission is mighty close!

    Updated demo site here

    Cheers / Frank

  3. #3
    Join Date
    Sep 2003
    Location
    Ohio
    Posts
    69,402
    Plugin Contributions
    6

    Re: Category Specific Access Restriction (CSAR) - [Support Thread]

    Works pretty well, nice job ...
    However, hacker that I am, there is a way to trick it into going to a products_info page by changing the URL cPath ...

    Interestingly enough, removing the cPath and just using the products_id IS protected ...

    Something to play with:
    /index.php?main_page=product_info&cPath=69&products_id=186 <-- blocked

    /index.php?main_page=product_info&cPath=2&products_id=186 <-- sneaks in

    Granted you have to really want to get in there and are not a "good" customer ... so, this might not be worth the hassle to try to fix ... otherwise, somewhere you may need one more check that evil is not being committed ...
    Linda McGrath
    If you have to think ... you haven't been zenned ...

    Did YOU buy the Zen Cart Team a cup of coffee and a donut today? Just click here to support the Zen Cart Team!!

    Are you using the latest? Perhaps you've a problem that's fixed in the latest version: [Upgrade today: v1.5.5]
    Officially PayPal-Certified! Just click here

    Try our Zen Cart Recommended Services - Hosting, Payment and more ...
    Signup for our Announcements Forums to stay up to date on important changes and updates!

  4. #4
    Join Date
    Nov 2007
    Location
    Sunny Coast, Australia
    Posts
    3,379
    Plugin Contributions
    9

    Re: Category Specific Access Restriction (CSAR) - [Support Thread]

    Quote: Originally Posted by Ajeh
    Works pretty well, nice job ...
    However, hacker that I am, there is a way to trick it into going to a products_info page by changing the URL cPath ...

    Interestingly enough, removing the cPath and just using the products_id IS protected ...

    Something to play with:
    /index.php?main_page=product_info&cPath=69&products_id=186 <-- blocked

    /index.php?main_page=product_info&cPath=2&products_id=186 <-- sneaks in

    Granted you have to really want to get in there and are not a "good" customer ... so, this might not be worth the hassle to try to fix ... otherwise, somewhere you may need one more check that evil is not being committed ...

    Thank you for your kind comments Ajeh!

    It is the 'good hackers' that reveal flaws - so many thanks for that, I will have a go at this in v2.1. No doubt more comments will surface from fellow zenners....

    Cheers / Frank

  5. #5
    Join Date
    Sep 2003
    Location
    Ohio
    Posts
    69,402
    Plugin Contributions
    6

    Re: Category Specific Access Restriction (CSAR) - [Support Thread]

    Another one to peek at is when going through the Manufacturers box ... things like Hide Prices does hide prices but allows the add to cart to happen ...
    Linda McGrath

  6. #6
    Join Date
    Nov 2007
    Location
    Sunny Coast, Australia
    Posts
    3,379
    Plugin Contributions
    9

    Re: Category Specific Access Restriction (CSAR) - [Support Thread]

    Quote: Originally Posted by Ajeh
    Another one to peek at is when going through the Manufacturers box ... things like Hide Prices does hide prices but allows the add to cart to happen ...

    Stupid me did not upload the /includes/modules/MY_TEMPLATE/product_listing.php file from my local server to the live demo site.

    It's fixed now, thanks again Ajeh!

  7. #7
    Join Date
    Nov 2007
    Location
    Sunny Coast, Australia
    Posts
    3,379
    Plugin Contributions
    9

    Re: Category Specific Access Restriction (CSAR) - [Support Thread]

    Quote: Originally Posted by Ajeh
    ......

    Granted you have to really want to get in there and are not a "good" customer ... so, this might not be worth the hassle to try to fix ... otherwise, somewhere you may need one more check that evil is not being committed ...

    Had another thought on this point:

    A customer needs to know the products_id before they can apply this "trick". They first need to be (manually) privileged by the store owner to actually get the products_id.

    If they are already approved (=privileged) then there is no point for them to try this hack.

    In the demo store the privileged login credentials are openly displayed for demo / testing purposes, in a real store that is not the case.

    Still, for this mod to be picture perfect it needs to be watertight. So ..... v2.1 it will be

    Need to find a test where the products_id is checked against the array CATEGORY_RESTRICTION_LOGIN_CATEGORY which is configured via admin ...

  8. #8
    Join Date
    Sep 2003
    Location
    Ohio
    Posts
    69,402
    Plugin Contributions
    6

    Re: Category Specific Access Restriction (CSAR) - [Support Thread]

    That appears to be working better on the Manufacturers selection ... and the Search now appears to be working better (forgot to mention that issue) ...
    Linda McGrath

  9. #9
    Join Date
    Nov 2007
    Location
    Sunny Coast, Australia
    Posts
    3,379
    Plugin Contributions
    9

    Re: Category Specific Access Restriction (CSAR) - [Support Thread]

    Quote: Originally Posted by Ajeh
    Works pretty well, nice job ...
    However, hacker that I am, there is a way to trick it into going to a products_info page by changing the URL cPath ...

    Interestingly enough, removing the cPath and just using the products_id IS protected ...

    Something to play with:
    /index.php?main_page=product_info&cPath=69&products_id=186 <-- blocked

    /index.php?main_page=product_info&cPath=2&products_id=186 <-- sneaks in

    Granted you have to really want to get in there and are not a "good" customer ... so, this might not be worth the hassle to try to fix ... otherwise, somewhere you may need one more check that evil is not being committed ...

    Plugged the security hole.

    File /includes/templates/MY_TEMPLATE/templates/tpl_product_info_display.php amended to this:

    Code:
    [ file header here]
    
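    <?php
    /**
     * CATEGORY_RESTRICTION - find corresponding master category for the current product
     */
    global $db;
    // Cast to integer so the raw request value is never echoed back or used unvalidated
    $products_id_to_block = (int)$_GET['products_id'];
    $sql = "select master_categories_id from " . TABLE_PRODUCTS . " where products_id = :productID:";
    $sql = $db->bindVars($sql, ':productID:', $products_id_to_block, 'integer');
    $result = $db->Execute($sql);

    // Empty string when the product does not exist, so it can never match a configured category
    $master_category_id = ($result->RecordCount() > 0) ? (string)$result->fields['master_categories_id'] : '';

    if ($master_category_id !== '') {
      echo '(used for testing purposes): Master Category ID = ' . $master_category_id;
    } else {
      echo 'Sorry, no record found for product number ' . $products_id_to_block;
    }

    // Explicit flags avoid undefined-index notices and the precedence trap in "!$x > 0"
    $is_logged_in = !empty($_SESSION['customer_id']);
    $is_privileged = isset($_SESSION['customers_privileges']) && (int)$_SESSION['customers_privileges'] > 0;
    $restricted_categories = array_map('trim', explode(',', CATEGORY_RESTRICTION_LOGIN_CATEGORY));

    if (!$is_logged_in && !$is_privileged && in_array($master_category_id, $restricted_categories, true)) {
     //echo ' - this product should be blocked !!';
     echo TEXT_ILLEGAL_ACCESS ;
    } else { // bof CATEGORY_RESTRICTION - OPEN ACCESS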
    
    .... original body of the file
    
    .... then at the bottom added after 
    <!--bof Form close-->
     
    <?php 
        } // eof CATEGORY_RESTRICTION - OPEN ACCESS 
    ?> 
    </div>
    Thanks again for pointing this out Ajeh!
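
Added example (not part of the original thread and not the plugin's own code): a stand-alone PHP model of the behaviour reported in post #3, where a check that trusts the cPath parameter sits beside one that resolves the category from the product record, as the fix in post #9 does. The arrays standing in for the database and for CATEGORY_RESTRICTION_LOGIN_CATEGORY, and both function names, are assumptions made for illustration; product 186 is assumed to have master category 69.

```php
<?php
// Constructed sample data, not taken from a real store.
$restricted_categories   = array('69');          // stands in for CATEGORY_RESTRICTION_LOGIN_CATEGORY
$product_master_category = array(186 => '69');   // stands in for products.master_categories_id

// Flawed model: uses cPath when the visitor supplies one and only falls back
// to the product's own category when cPath is absent.
function blocked_by_cpath(array $get, array $restricted, array $master)
{
    if (isset($get['cPath'])) {
        $path = explode('_', (string)$get['cPath']);   // Zen Cart cPath is "parent_child_..."
    } else {
        $id   = isset($get['products_id']) ? (int)$get['products_id'] : 0;
        $path = isset($master[$id]) ? array($master[$id]) : array();
    }
    return count(array_intersect($path, $restricted)) > 0;
}

// Hardened model: ignores cPath and decides from the product record alone.
function blocked_by_product(array $get, array $restricted, array $master)
{
    $id = isset($get['products_id']) ? (int)$get['products_id'] : 0;
    if (!isset($master[$id])) {
        return true;                                   // unknown product: fail closed
    }
    return in_array($master[$id], $restricted, true);
}

// The two requests from post #3, plus the variant with no cPath at all.
$requests = array(
    'cPath=69&products_id=186',
    'cPath=2&products_id=186',
    'products_id=186',
);
foreach ($requests as $query) {
    parse_str($query, $get);
    printf("%-26s cPath check: %-8s product check: %s\n",
        $query,
        blocked_by_cpath($get, $restricted_categories, $product_master_category) ? 'blocked' : 'allowed',
        blocked_by_product($get, $restricted_categories, $product_master_category) ? 'blocked' : 'allowed');
}
```

Only the second request separates the two checks: the authorization decision has to be keyed on data the server owns (the product's category), not on a navigation parameter the visitor can edit.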

  10. #10
    Join Date
    Nov 2007
    Location
    Sunny Coast, Australia
    Posts
    3,379
    Plugin Contributions
    9

    Re: Category Specific Access Restriction (CSAR) - [Support Thread]

    Just to keep you updated: I have submitted this plugin for inclusion to the downloads section a few days ago and I am awaiting approval by the moderators.

 

 