  1. #241
    Join Date
    Apr 2006
    Posts
    121
    Plugin Contributions
    0

    Re: Admin Profiles Support Thread

    You probably forgot to add Kuroi's code to the third party extra boxes files. Take a look at the 'updating box files (a step-by-step guide).txt' document included in the download.

  2. #242
    Join Date
    May 2006
    Location
    Japan
    Posts
    326
    Plugin Contributions
    1

    Re: Admin Profiles Support Thread

    If you did mess that up...man...don't worry, the best do that...(me) Look up a couple of posts and you will see where I gave a great example of how to do this!

    G,Luck
    Skin Evolution.
    Lynda.com, it's a great place to learn.
    Camelot Hosting, it's where my site calls home!

    E-Start your Zen-Cart, KH is the Man, Thanks for all the hard work!

  3. #243
    Join Date
    Apr 2007
    Posts
    7
    Plugin Contributions
    0

    Re: Admin Profiles Support Thread

    Thanks,

    I'll take a look

  4. #244
    Join Date
    Apr 2007
    Posts
    7
    Plugin Contributions
    0

    Re: Admin Profiles Support Thread

    I found the problem! It was missing the if statement

    if (menu_header_visible('Tools')=='true')

    It is working fine now.

    Thanks All

  5. #245
    Join Date
    Mar 2007
    Posts
    16
    Plugin Contributions
    0

    Pretty major issue?

    This might be a fairly major issue.

    My user can change their settings if they know the path to the admin page!
    If the user enters the URL to edit a user they can change their own permissions and gain full control!
    http://www.mysite_url_here.com/admin....php?adminID=2

    The user is allowed to access this page, and allowed to change settings on this page. They can open up the site and do quite a bit of harm.

    They cannot access the page without the variable in the url, but they have full access otherwise. If someone has installed Zen, or used Zen, they will have an understanding of the expected path and will probably monkey around. I did. They can even lock the main admin out by simply appending the URL with adminID=1! Try it.

    Is there a setting that can be changed to fix this?

    One other thing. Is there any way to restrict what they see on their 'Admin Home' page? I would prefer that they didn't see all stats.

  6. #246
    Join Date
    Jan 2006
    Location
    Toronto, Ontario, Canada
    Posts
    183
    Plugin Contributions
    3

    Re: Pretty major issue?

    Roblaw, wow... I just verified what you said and it's very true.

    Personally I'm not concerned since it's all internal users and since everything is tracked, it shouldn't be an issue...

    That said, if you have reason to believe (which you always should assume so) that someone has the intent of being malicious and is knowledgeable, then they could at the same time clear any of the tracking data and not be noticed.

    Very interesting find...
    Ahmad Rahman
    TRUST IT | web site design and development
    mobile: 416.828.0224 | email: [email protected]
    www.trustit.ca

    For IT solutions how you want IT, when you want IT, TRUST IT.

  7. #247
    Join Date
    Apr 2006
    Location
    London, UK
    Posts
    10,569
    Plugin Contributions
    25

    Re: Pretty major issue?

    Originally posted by roblaw:
        This might be a fairly major issue. ...

        Is there a setting that can be changed to fix this?

    If you replace your admin/includes/init_includes/overrides/init_admin_auth.php with this one --> init_admin_auth.zip then it should close that hole. A small health warning - this file is taken from Admin Profiles 2 which is still under development and so not fully tested, but in a quick test after retrofitting it to a 1.0.6 environment it seemed to work OK without side effects.

    Originally posted by roblaw:
        One other thing. Is there any way to restrict what they see on their 'Admin Home' page? I would prefer that they didn't see all stats.

    What appears on the Admin Home page is controlled by the admin/index.php file. There's not a switchable way, though you could use CSS to set display:none for the class .reportBox. This would turn the home page content off for all users. If you wanted more precision you would need to change the PHP by inserting an "if" statement in there to restrict display to specific values of $_SESSION['admin_id'].
    Kuroi Web Design and Development | Twitter

    (Questions answered in the forum only - so that any forum member can benefit - not by personal message)
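
    The server-side checks this exchange turns on, as an added PHP example that is not part of the thread and is not Zen Cart or Admin Profiles code. The function names, the permission table and the report-viewer list are hypothetical: page access is decided from the session's admin ID alone, so an adminID in the URL cannot widen it, and the home-page report boxes are omitted from the response for accounts that should not see them.

```php
<?php
// Added illustration with hypothetical names; not Zen Cart or Admin Profiles code.

// Constructed sample data: admin pages each account may open (deny by default).
const ALLOWED_PAGES = [
    1 => ['index', 'admin', 'orders', 'customers'], // main admin
    2 => ['index', 'orders'],                       // restricted profile
];
// Constructed sample data: accounts that may see the home-page report boxes.
const REPORT_VIEWERS = [1];

// Page access is decided from the session's admin ID only, never from the URL.
function may_access(array $session, string $page): bool
{
    $id = $session['admin_id'] ?? null;
    if (!is_int($id)) {
        return false; // not logged in (IDs are integers in this sample)
    }
    return in_array($page, ALLOWED_PAGES[$id] ?? [], true);
}

// Editing any admin record, the caller's own included, needs the 'admin' page right.
function may_edit_admin(array $session, array $query): bool
{
    $target = filter_var($query['adminID'] ?? null, FILTER_VALIDATE_INT);
    return $target !== false && $target > 0 && may_access($session, 'admin');
}

// Report boxes are left out of the response instead of being hidden with CSS.
function render_home(array $session): string
{
    $html = '<h1>Admin Home</h1>';
    if (in_array($session['admin_id'] ?? null, REPORT_VIEWERS, true)) {
        $html .= '<div class="reportBox">order and customer statistics</div>';
    }
    return $html;
}

// Constructed requests: a restricted user (ID 2) and the main admin (ID 1).
$restricted = ['admin_id' => 2];
$main       = ['admin_id' => 1];
var_dump(may_edit_admin($restricted, ['adminID' => '2'])); // restricted user, own record
var_dump(may_edit_admin($restricted, ['adminID' => '1'])); // restricted user, main admin's record
var_dump(may_edit_admin($main, ['adminID' => '2']));       // main admin, another record
echo render_home($restricted), PHP_EOL;
```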

  8. #248
    Join Date
    Sep 2004
    Posts
    2,420
    Plugin Contributions
    2

    Re: Pretty major issue?

    Originally posted by kuroi:
        If you replace your admin/includes/init_includes/overrides/init_admin_auth.php with this one --> init_admin_auth.zip then it should close that hole. A small health warning - this file is taken from Admin Profiles 2 which is still under development and so not fully tested, but in a quick test after retrofitting it to a 1.0.6 environment it seemed to work OK without side effects.

    Thanks for the fix. Appears to work well for me with Admin Profiles 1.06 on ZC 1.37.

    Woody

  9. #249
    Join Date
    Mar 2007
    Posts
    16
    Plugin Contributions
    0

    Re: Admin Profiles Support Thread

    Virtualahmad,

    As in your case, this won't matter for most users. Anyone who has ever had an employee go bad will probably want to get a fix in place. Especially if you have employees that like to tinker with things.

    I am going to implement the solution by kuroi. Thanks for the quick response.

    If others are looking to change the view that other users have on the admin/index.php page, I would recommend kuroi's suggestion of a conditional statement checking for the admin_id prior to display. Hiding it with CSS is viewable in source.

    Thanks again.

    roblaw

  10. #250
    Join Date
    Jun 2006
    Posts
    45
    Plugin Contributions
    0

    Re: Admin Profiles Support Thread

    Help please. I'm usually pretty good at this stuff

    If you are using a database prefix for your Zen Cart tables, you must either: run the install_adminlevels.sql file using Zen Cart's Admin > Tools > Install SQL Patch facility, or edit the file to change the prefix for all create table and insert statements, before running it using your preferred tool.
    First, how do I know if I'm using a prefix? Not sure what that means.

    I don't see an install-adminlevels.sql file to run?

    Can someone please point me in the right direction.

    Thanks!
