  1. #1
    Join Date
    Dec 2008
    Location
    Pittsburgh, PA
    Posts
    237
    Plugin Contributions
    1

    Front end>admin edit--Possibly IP address spoofing concern, but man I like this...

    So assuming this isn't overwhelmingly shot down as bad coding

    1.5.5e

    includes/templates/your_template/templates/tpl_product_info_display.php

    ...down around the details/info...

    Code:
    <?php
    // Allowed IPs (placeholders). REMOTE_ADDR is the TCP peer address, so behind a
    // proxy or CDN it is the proxy's address, not the visitor's.
    $allowedips = array('**.***.***.**', '**.***.***.**'); // etc.
    if (in_array($_SERVER['REMOTE_ADDR'], $allowedips, true)) {
        // Escape/cast request values before echoing them into the link
        $cPath = htmlspecialchars(isset($_GET['cPath']) ? $_GET['cPath'] : '', ENT_QUOTES, 'UTF-8');
        $pID   = (int)(isset($_GET['products_id']) ? $_GET['products_id'] : 0);
    ?>
    <li><a href="https://www.your_website.com/YOUR_ADMIN/product.php?cPath=<?= $cPath; ?>&product_type=1&pID=<?= $pID; ?>&action=new_product&search=<?= $pID; ?>" target="_top" accesskey="w">Edit Product##########____(Alt+w)</a></li>
    <?php
    }
    I have a bunch of other work arounds including a take in/out of stock which works w/ ajax as a button.

    anyone see any reasons why I shouldn't try to make my first add-on w/ some of this logic?

    I was also hoping to maybe put the IP addresses in the configuration table, but couldn't figure out writing the SQL logic that typically comes with installers, and then also I'm guessing it's potentially a bad idea in that it's risky.
    Last edited by wolfderby; 5 Jan 2018 at 12:14 AM.

  2. #2
    Join Date
    Jan 2004
    Posts
    66,364
    Blog Entries
    7
    Plugin Contributions
    274

    Re: Front end>admin edit--Possibly IP address spoofing concern, but man I like this..

    There are a number of complex PCI compliance hoops to go through when enabling front-end admin-live-editing like that, which is why such a feature isn't in the core code.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Jan 2004
    Posts
    66,364
    Blog Entries
    7
    Plugin Contributions
    274

    Re: Front end>admin edit--Possibly IP address spoofing concern, but man I like this..

    To answer your question about IPs, often the EXCLUDE_ADMIN_IP_FOR_MAINTENANCE constant is used to do IP-specific access control, since it's already easily configurable in the Admin.

  4. #4
    Join Date
    Jul 2012
    Posts
    16,719
    Plugin Contributions
    17

    Re: Front end>admin edit--Possibly IP address spoofing concern, but man I like this..

    Additionally, as for a few improvements to the above: there are a number of things that are locked in: the product type being product on the parameter list, the file to perform the editing being the main product type. Use of short type PHP tags is generally discouraged because they are not always supported under all PHP configurations (i.e., instead of using '<?=', use the expanded '<?php echo' format).

    As for the functions to lookup the product type and other factors, these can be found generally in the includes/functions folder in files such as functions_lookup.php and functions_general.php. Others may have as well and can be used without specific reference to those files.
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...

  5. #5
    Join Date
    Dec 2008
    Location
    Pittsburgh, PA
    Posts
    237
    Plugin Contributions
    1

    Re: Front end>admin edit--Possibly IP address spoofing concern, but man I like this..

    So I'm finally realizing the folly of this approach, and I was wondering if anyone had a suggestion of a more secure approach. Using port #'s doesn't seem to work (private ip addresses not seemingly available, only public). I'm thinking of trying to do a browser cookie based approach but know very little about them.

    Any suggestions?

  6. #6
    Join Date
    Dec 2008
    Location
    Pittsburgh, PA
    Posts
    237
    Plugin Contributions
    1

    Re: Front end>admin edit--Possibly IP address spoofing concern, but man I like this..

    so I had a few locations giving special functionality in code using:
    Code:
    <?php
    // Exact match against the comma-separated admin IP list; strstr() would also match
    // on a substring (e.g. 1.2.3.4 inside 11.2.3.45).
    $adminIps = array_map('trim', explode(',', EXCLUDE_ADMIN_IP_FOR_MAINTENANCE));
    if ((isset($_SESSION['customer_id']) && $_SESSION['customer_id'] == 123)
        || in_array($_SERVER['REMOTE_ADDR'], $adminIps, true)) {
        //CONVENIENT ADMIN LINKS
    }

  7. #7
    Join Date
    Dec 2008
    Location
    Pittsburgh, PA
    Posts
    237
    Plugin Contributions
    1

    Re: Front end>admin edit--Possibly IP address spoofing concern, but man I like this..

    Would there be a way to detect the admin's log-in session in PHP from the catalog side, and put an if statement around that?

  8. #8
    Join Date
    Jan 2004
    Posts
    66,364
    Blog Entries
    7
    Plugin Contributions
    274

    Re: Front end>admin edit--Possibly IP address spoofing concern, but man I like this..

    Quote Originally Posted by wolfderby:
    Would there be a way to detect the admin's log-in session in PHP from the catalog side, and put an if statement around that?
    That's not a built-in feature, no. I mentioned some reasons in my posts above.

  9. #9
    Join Date
    Dec 2008
    Location
    Pittsburgh, PA
    Posts
    237
    Plugin Contributions
    1

    Re: Front end>admin edit--Possibly IP address spoofing concern, but man I like this..

    So I've taken to wrapping this logic from a while ago from within a browser cookie that can only be set by logging into the admin to set it. I have some fun hacks to the front end now that add admin functionality but they generally would rely on this sort of "inserting-admin-stuff-into-catalog-side-stuff" being PCI compliant. I was wondering if it'd be possible to do so as an add-on, which I could then make a dependency of other add-ons. Any thoughts on this?

  10. #10
    Join Date
    Dec 2008
    Location
    Pittsburgh, PA
    Posts
    237
    Plugin Contributions
    1

    Re: Front end>admin edit--Possibly IP address spoofing concern, but man I like this..

    so... something like...

    PHP Code:
    <?php
    // Presence of the cookie alone proves nothing: any client can send a cookie with this
    // name, so the cookie's value must be something the server can verify.
    if (isset($_COOKIE['specialAdminKeyCookieName'])) {
        //then do cool stuff like show jQuery stock status toggle button,
        //or
        //show checkbox for showing out-of-stock status stuff in search results
        //or
        //give button to jump directly to editing this product in admin
    }
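
    One way to make that cookie carry something the catalog side can actually verify, as an added example that is neither Zen Cart core code nor the poster's: the admin issues an HMAC-signed, expiring token after login, and the catalog page shows the links only if the signature and expiry check out. ADMIN_LINK_SECRET, ADMIN_LINK_TTL, the cookie name adminLinkToken and both function names are assumptions.

```php
<?php
// Added example, not Zen Cart core or the poster's code. Assumed names:
// ADMIN_LINK_SECRET (server-side secret, placeholder value), ADMIN_LINK_TTL, cookie adminLinkToken.
define('ADMIN_LINK_SECRET', 'REPLACE-WITH-A-LONG-RANDOM-SECRET');
define('ADMIN_LINK_TTL', 3600); // token lifetime in seconds

// Admin side: call once after the admin login succeeds.
function issueAdminLinkCookie($adminId) {
    $expires = time() + ADMIN_LINK_TTL;
    $payload = (int)$adminId . '|' . $expires;
    $mac     = hash_hmac('sha256', $payload, ADMIN_LINK_SECRET);
    // setcookie() options array needs PHP 7.3+; older PHP uses the positional arguments
    setcookie('adminLinkToken', $payload . '|' . $mac, array(
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // not readable by page scripts
        'samesite' => 'Lax',
    ));
}

// Catalog side: true only when the cookie carries an unexpired, correctly signed token.
function adminLinksAllowed(array $cookies) {
    if (!isset($cookies['adminLinkToken'])) {
        return false;
    }
    $parts = explode('|', $cookies['adminLinkToken']);
    if (count($parts) !== 3) {
        return false;
    }
    list($adminId, $expires, $mac) = $parts;
    if (!ctype_digit($adminId) || !ctype_digit($expires) || (int)$expires < time()) {
        return false; // malformed or expired
    }
    $expected = hash_hmac('sha256', $adminId . '|' . $expires, ADMIN_LINK_SECRET);
    return hash_equals($expected, $mac); // constant-time comparison
}

// In tpl_product_info_display.php, replacing the bare isset($_COOKIE[...]) check:
if (adminLinksAllowed($_COOKIE)) {
    $pID = (int)(isset($_GET['products_id']) ? $_GET['products_id'] : 0);
    echo '<li><a href="https://www.your_website.com/YOUR_ADMIN/product.php?pID=' . $pID
       . '&action=new_product" target="_top">Edit Product</a></li>';
}
```

Unlike the IP list, the token works from any network, but a stolen cookie is as good as the login until it expires, hence the short TTL and the Secure/HttpOnly flags.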