Login and Logoff for osCommerce Administrators.

Original Version by Blake Schwendiman
blake@intechra.net

Updated Version 1.1.0 (03/01/2002) by Christopher Conkie
chris@conkiec.freeserve.co.uk

Updated Versions 1.2.0-1.2.2 (last on 05/04/2002)
by Ross Lapkoff (rlapkoff@austin.rr.com)

----------------------------------------------

This admin module is for osCommerce pr2.2 and allows for login/logoff from 
the admin section of OSC.  With this mod, only valid administrators can access 
the admin section of your shop, and in varying degrees.

This module is built around osCommerce CVS pr2.2 snapshot 28/03/2002.  It should
work just fine for slightly older versions, but you may need to change some things
around.  You can also try version 1.1.0 (Jan. 3, 2002) or 1.0.0 (Nov. 13, 2001) 
if your versions are that old.   

----------------------------------------------

RSL 05/04/2002 Updates:

 Removed the include for sessions_mysql.php since all sessions are now called from
  the sessions.php file.  If you were not using 'mysql' to store sessions on the 
  admin side, you probably never noticed it...I sure didn't :)
 Fixed up the index page a little bit.  Instead of just "hiding" disallowed boxes
  with empty arrays, I changed them to not show at all.  I also changed the layout 
  to take into account how many boxes will be shown so the layout won't be so goofy.
  It still spaces out in the entire table, but they are not stuck in the same 
  locations they would be if all boxes were shown.

RSL 31/03/2002 Updates:

 Replaced a <td> tag that was accidentally deleted during cleanup.

RSL 30/03/2002 Updates:

 Updated to the latest OSC standards where needed (classes/stylesheet/functions).
  Added the latest pages in the admin to the array list (newsletter.php, etc.) and 
  it now functions with the cool new "control panel" style index page.  The layout
  might look a little funky when only a few sections are selected, I am working
  on that...
 Condensed some code and fixed some minor "issues".
 Admin passwords are now encrypted for storage in the DB!!
 Not really a biggie, but I use it on my catalog for customers...index and header
  only show "logout" if you're logged in...er, but you can't see anything unless
  you're logged in on this mod :)
 "Administration of admins" got a makeover. New features here include:
	- Updated administrator account navigation (rows) with quick viewing of
	  what each account has access to. 
	- Able to edit all accounts without having to delete/create new ones.  You
	  can change access privileges without over-writing existing login info,
	  you can update login info without changing current access privileges,
	  or of course, you can change both at the same time.
	- New style error reporting to go with it ;) 

I'd personally like to thank Blake and Christopher for getting such a good mod
going...I've been using it since it was released back in Nov.  I just thought I'd 
finally make my contribution to the project by updating it a little.  


----------------------------------------------
		    Installation
----------------------------------------------
1. You'll need to add the following table to your osCommerce database.  You'll 
   need at least one account to access the admin, so a default is included (that's 
   why there's an insert statement after the create table).  This Administrator 
   has full access permissions. The UserName is 'default' and the password is 'admin'.  

CREATE TABLE administrators (
  admin_id int(2) NOT NULL auto_increment,
  admin_name varchar(20) NOT NULL default '',
  admin_pass varchar(40) NOT NULL default '',
  admin_date_added datetime NOT NULL default '0000-00-00 00:00:00',
  admin_last_modified datetime NOT NULL default '0000-00-00 00:00:00',
  allowed_pages varchar(255) NOT NULL default '',
  PRIMARY KEY (admin_id)
) TYPE=MyISAM;

INSERT INTO administrators VALUES (1, 'default', 'admin', '0000-00-00 00:00:00', '0000-00-00 00:00:00', '*');


----------------------------------------------

2. This module requires a couple of lines to be added to the admin version of 
   application_top.php.

a) First add the following lines to the section which starts // define filenames.

     define('HEADER_TITLE_LOGOFF', 'Logoff');
     define('FILENAME_ADMINISTRATORS', 'administrators.php');
     define('FILENAME_LOGOFF', 'logoff.php');
     define('FILENAME_UPDATE_ADMIN', 'update_admin.php');

b) Next add the following line to the section which starts // define database tables.

     define('TABLE_ADMINISTRATORS', 'administrators');

c) Then the following lines must be added AFTER the language translation lines:

  // Require administrative authentication.  Note that this is a file_exists()
  // guard: if includes/functions/administrators.php was not copied into place
  // (step 3), no check runs at all and every admin page stays open, so confirm
  // the file is there after installing.
  if (file_exists(DIR_WS_FUNCTIONS . 'administrators.php')) {
    include_once(DIR_WS_FUNCTIONS . 'administrators.php');
    RequireLoginValidForPage($REQUEST_URI);
  }

So that it looks like this...

// include the language translations
  require(DIR_WS_LANGUAGES . $language . '.php');
  $current_page = split('\?', basename($PHP_SELF)); $current_page = $current_page[0]; // for BadBlue(Win32) webserver compatibility
  if (file_exists(DIR_WS_LANGUAGES . $language . '/' . $current_page)) {
    include(DIR_WS_LANGUAGES . $language . '/' . $current_page);
  }

  // Require administrative authentication
  if (file_exists(DIR_WS_FUNCTIONS . 'administrators.php')) {
    include_once(DIR_WS_FUNCTIONS . 'administrators.php');
    RequireLoginValidForPage($REQUEST_URI);
  }

d) Yeah, I hate to do it, but I added one more style to the stylesheet, under the
   /* data table */ listings:

   .dataTableAdmin { font-family: Verdana, Arial, sans-serif; font-size: 12px; color: #000000; font-weight: bold; }

e) Finally, add this function to /admin/includes/functions/general.php:

  function tep_get_admin_name($admin_id) {
    // admin_id is an int column, so the value is cast to int before it is
    // placed in the query; nothing but a number can reach the SQL string.
    $admin_query = tep_db_query("select admin_name from " . TABLE_ADMINISTRATORS . " where admin_id = '" . (int)$admin_id . "'");
    $admin = tep_db_fetch_array($admin_query);

    // tep_db_fetch_array() returns false when no such administrator exists.
    return ($admin !== false) ? $admin['admin_name'] : '';
  }


----------------------------------------------

3. Copy the various pages to their respective locations in the admin folder or 
   amend/append to your respective files (where you have an existing file of 
   that name). 

----------------------------------------------

4. Instructions for use.

a) Open admin/index.php (or any page in admin/) and you will be redirected to login.
b) Login with UserName: default
		  password: admin
c) Go to the Administrators->Setup page and create a new full-access admin account
   for yourself.  This new account will have the encrypted password.  Logoff and
   re-login under your new account.  Delete the default admin account.  This is
   important and you will be nagged with a status message until it's gone.  It's
   a pretty big security hole if you leave a full access admin on there and everyone
   who uses this knows the login for it :)
d) Create a test account (or a real one) with limited access (say, only to Customers).
   Log in on that account and see how it works.  Try navigating to a page that your
   account doesn't have access to by typing in the URL (since you won't be able to
   "navigate" there!) http://yourdomain/admin/whos_online.php and see what happens.
e) Play around with the editing feature to see how it all works.  Everything is
   pretty well noted on the pages.
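As an added illustration (not the mod's own administrators.php, whose contents this README does not include), here is the page-authorization decision that a RequireLoginValidForPage()-style check has to make on every request in step 2c, run over the kind of URLs step 4d tells you to try. It assumes that allowed_pages holds either '*' or a comma-separated list of admin filenames; the mod's actual storage format is not stated here.

```php
<?php
// Added example, not the mod's code.  Assumption: allowed_pages is '*' (full
// access, as in the INSERT in step 1) or a comma-separated list of admin
// filenames such as 'customers.php,orders.php'.

// Reduce a request URI to the admin script it targets: drop the query string,
// keep only the last path component, and normalise case (BadBlue/Win32 serves
// 'Customers.PHP' and 'customers.php' as the same file; on Linux the former
// simply 404s, so lowering case never grants anything extra).
function admin_page_from_uri($request_uri) {
    $path = parse_url($request_uri, PHP_URL_PATH);
    if ($path === false || $path === null) {
        return '';
    }
    return strtolower(basename($path));
}

// Hiding boxes on index.php is cosmetic; this decision is the real control,
// which is why application_top.php runs it on every page.
function admin_may_access($allowed_pages, $request_uri) {
    $page = admin_page_from_uri($request_uri);
    if ($page === '' || substr($page, -4) !== '.php') {
        return false;      // deny anything that is not a named admin script
    }
    if (trim($allowed_pages) === '*') {
        return true;       // full-access administrator
    }
    $allowed = array_map('strtolower', array_map('trim', explode(',', $allowed_pages)));
    return in_array($page, $allowed, true);   // exact match, default deny
}

// Constructed cases mirroring step 4d: a Customers-only account typing URLs.
$cases = array(
    array('*',                        '/admin/whos_online.php',      true),
    array('customers.php,orders.php', '/admin/customers.php?cID=12', true),
    array('customers.php,orders.php', '/admin/whos_online.php',      false),
    array('customers.php,orders.php', '/admin/Customers.PHP',        true),
    array('',                         '/admin/index.php',            false),
);
foreach ($cases as $c) {
    list($allowed, $uri, $expected) = $c;
    $got = admin_may_access($allowed, $uri);
    printf("%-26s %-30s %s\n", $allowed, $uri, ($got === $expected) ? 'ok' : 'MISMATCH');
}
```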

----------------------------------------------

This module is implemented in English, but is easily customised for any other 
language in your site.

This module is by no means perfected.
It's a simple fix that allows for a quick solution.
There is no editing of administrators.  
I'm just deleting and adding.  // FIXED!!  --RSL
Also, if there's nothing in the administrators table, you may not be able to access 
the admin site at all.  
READ THAT LAST LINE AGAIN.

----------------------------------------------

If you like the updates/hate them/come across any problems, email me.

Ross Lapkoff
rlapkoff@austin.rr.com

30/03/2002