You probably forgot to add Kuroi's code to the third party extra boxes files. Take a look at the 'updating box files (a step-by-step guide).txt' document included in the download.
If you did mess that up...man...don't worry, the best do that...(me) Look up a couple of posts and you will see where I gave a great example of how to do this!
G'Luck
Skin Evolution.
Lynda.com, it's a great place to learn.
Camelot Hosting, it's where my site calls home!
E-Start your Zen-Cart, KH is the Man, Thanks for all the hard work!
Thanks,
I'll take a look
I found the problem! It was missing the if statement
if (menu_header_visible('Tools')=='true')
It is working fine now.
Thanks All
This might be a fairly major issue.
My user can change their settings if they know the path to the admin page!
If the user enters the URL to edit a user they can change their own permissions and gain full control!
http://www.mysite_url_here.com/admin....php?adminID=2
The user is allowed to access this page, and allowed to change settings on this page. They can open up the site and do quite a bit of harm.
They cannot access the page without the variable in the url, but they have full access otherwise. If someone has installed Zen, or used Zen, they will have an understanding of the expected path and will probably monkey around. I did. They can even lock the main admin out by simply appending the URL with adminID=1! Try it.
Is there a setting that can be changed to fix this?
One other thing. Is there any way to restrict what they see on their 'Admin Home' page? I would prefer that they didn't see all stats.
Roblaw, wow... I just verified what you said and it's very true.
Personally I'm not concerned since it's all internal users and since everything is tracked, it shouldn't be an issue...
That said, if you have reason to believe (which you always should assume so) that someone has the intent of being malicious and is knowledgeable, then they could at the same time clear any of the tracking data and not be noticed.
very interesting find...
Ahmad Rahman
TRUST IT | web site design and development
mobile: 416.828.0224 | email: [email protected]
www.trustit.ca
For IT solutions how you want IT, when you want IT, TRUST IT.
If you replace your admin/includes/init_includes/overrides/init_admin_auth.php with this one --> init_admin_auth.zip then it should close that hole. A small health warning - this file is taken from Admin Profiles 2 which is still under development and so not fully tested, but in a quick test after retrofitting it to a 1.0.6 environment it seemed to work OK without side effects.
What appears on the Admin Home page is controlled by the admin/index.php file. There's not a switchable way, though you could use CSS to set display:none for the class .reportBox. This would turn the home page content off for all users. If you wanted more precision you would need to change the PHP by inserting an "if" statement in there to restrict display to specific values of $_SESSION['admin_id'].
Kuroi Web Design and Development | Twitter
(Questions answered in the forum only - so that any forum member can benefit - not by personal message)
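As an added example of the server-side approach Kuroi describes (this is not Kuroi's file, Admin Profiles 2, or Zen Cart's own code), here is a guard that denies the admin edit page to anyone who is not the main admin, regardless of what adminID is put in the URL. It assumes admin id 1 is the main admin (as the thread's adminID=1 example implies) and uses a hypothetical is_main_admin() helper that you would back with your own profile tables.

```php
<?php
// Added example, not Zen Cart's code. Run this before any profile update code,
// e.g. from admin/includes/init_includes/overrides/init_admin_auth.php.

// Hypothetical helper: decide whether an admin id is the main/super admin.
// Assumption: id 1 is the main admin; replace with a lookup in your own tables.
function is_main_admin(int $adminId): bool
{
    return $adminId === 1;
}

// Parse the adminID query parameter strictly: missing or non-numeric -> null.
function requested_admin_id(array $query): ?int
{
    if (!isset($query['adminID'])) {
        return null;
    }
    $id = filter_var($query['adminID'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : (int)$id;
}

// Authorization decision: only the main admin may open the edit page at all,
// so a normal admin can neither raise their own rights nor touch adminID=1.
function may_edit_admin(int $currentAdminId, ?int $targetAdminId): bool
{
    if ($targetAdminId === null) {
        return false;                      // deny on a missing/invalid adminID, never guess
    }
    return is_main_admin($currentAdminId); // everyone else is refused server-side
}

$current = (int)($_SESSION['admin_id'] ?? 0);
$target  = requested_admin_id($_GET);

if (!may_edit_admin($current, $target)) {
    // Record the attempt server-side so it shows up even if the user later
    // tries to clear tracking data from inside the admin.
    error_log(sprintf('admin_auth: admin %d denied edit of adminID %s',
        $current, $target === null ? 'none' : (string)$target));
    http_response_code(403);
    exit('Access denied');
}

// The same session value can gate the Admin Home report boxes in PHP; unlike
// CSS display:none, the markup is then never sent to the browser at all.
if (is_main_admin($current)) {
    // output the .reportBox markup here
}
```

The check must happen in PHP before the update runs, since anything hidden only with CSS or by removing menu links is still reachable by typing the URL.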
Virtualahmad,
As in your case, this won't matter for most users. Anyone who has ever had an employee go bad, will probably want to get a fix in place. Especially if you have employees that like to tinker with things.
I am going to implement the solution by kuroi. Thanks for the quick response.
If others are looking to change the view that other users have on the admin/index.php page, I would recommend kuroi's suggestion of a conditional statement checking for the admin_id prior to display. Hiding it with CSS is viewable in source.
Thanks again.
roblaw
Help please. I'm usually pretty good at this stuff
First, how do I know if I'm using a prefix? Not sure what that means.
"If you are using a database prefix for your Zen Cart tables, you must either: run the install_adminlevels.sql file using Zen Cart's Admin > Tools > Install SQL Patch facility, or edit the file to change the prefix for all create table and insert statements, before running it using your preferred tool."
I don't see an install-adminlevels.sql file to run?
Can someone please point me in the right direction.
Thanks!