way to assign administrator?



blackhawk
10-07-2009, 02:33 PM
I have several admin users accessing my oscmax site. Is there a way to assign an admin name to a completed order? This way we know who worked on each order last. I'm looking through the contributions - no luck yet...

blackhawk

jpf
10-09-2009, 07:51 AM
Currently - no. The "admin" users are strictly for ACCESS to parts of your site. If you have several people - you should limit it or create NON-ADMIN levels with more restricted access. Like order processors should have access to update order status. Inventory clerks should only have access to modify and update items and stock levels.....

Other than your CORE programming/support team/personnel - NO one else should have Administrator access.

I even give myself 2 accounts - one is for my everyday stuff - the other is full Admin.


What you're looking for is known as security tracking and user ownership, which is more complicated and has no equivalent function (yet) in osCommerce and thus osCMax.

This would require a major amount of programming - depending on how much you want to track/place user ownership.

Manual work arounds may be put in place - but they rely on user entry. Updating notes on who did what. Using order status (one "set" for each person - for what needs to be tracked).
.....
BUT it is a manual process - thus subject to error and possibly abuse.

blackhawk
10-09-2009, 09:16 AM
jpf,
One more question: is it possible to set up a user with read-only access? For example, they can look at an admin product page but not click the preview or update button?

thanks!
bh

jpf
10-09-2009, 09:27 AM
Maybe a Report...or be "shopper"

pgmarshall
10-09-2009, 10:40 AM
Thinking out loud here - so don't flame me too badly ... but,

If you can find a way to identify the admin user then a simple read-only column could be added to the admin table. You could set this by individual user or user group. (Put it in admin if you want user and put it in admin_groups if you want to bulk restrict.)

Eg.


// Casting both ids to int keeps the session values from being spliced into the SQL as raw strings.
$read_only_query = tep_db_query("select a.admin_read_only, g.admin_groups_read_only from " . TABLE_ADMIN . " a, " . TABLE_ADMIN_GROUPS . " g where a.admin_id = " . (int)$login_id . " and g.admin_groups_id = " . (int)$login_groups_id);
Run this query in categories.php or any other pages you want to control access and then put a simple if statement round all the buttons.

Or if you wanted to get a bit more involved you could put the query in the header.php file and the if statement within the tep_image_submit function?

I know this is not very elegant ... and it is not bullet-proof (by any means) but it might work for you!

Regards,

jpf
10-09-2009, 10:52 AM
Thinking of that--- change my own DEMO store security might work..... - it uses a custom extra case statement in the process tree if users "level" is less than XX - then does not have access then endcase. (instead of save/new/modify/delete....)

Allow most user access to do most things....but will not allow them to process a "save/delete/modify"

3 to five lines in every admin file you want them to have access to ---but will skip or disable save/delete/modify case statement if not greater than XX admin level....

blackhawk
10-09-2009, 05:58 PM
Thanks guys. Yeah, it just seems like a simpler process to control the update/preview/edit/delete buttons when it comes to assigning permissions on the admin product pages, allowing multiple users the freedom to read but not write.

bh

pgmarshall
10-15-2009, 10:03 AM
Did you get this to work? If so, can you post back what you did for me to have a look at?

Also, I have just seen this which may be of use?

Auto scripting in admin (http://addons.oscommerce.com/info/7068)

Which creates generic text when editing orders - looks quite useful - but perhaps you could extend it so that each user has a set of buttons which put their name in the text box?

Regards,

blackhawk
10-15-2009, 11:19 AM
Not yet boss - been backed up on getting estimated shipping working for oscmax. When trying to input a zip code for a UPS shipping estimate, as a guess, I get no results back. Plus I read somewhere on the oscommerce site that this is a known issue, but how hard can it be to fix??? ;) Hopefully I can get it fixed; this way I can jump back on this next project we brought up.


bh

pgmarshall
10-15-2009, 11:40 AM
Are you on ups live server ... I seem to remember reading a thread that mentioned a problem like this and they had to ask UPS to move them onto the correct server?

Regards,

blackhawk
10-15-2009, 11:50 AM
Yup, I'm on a live server but it's not UPS. Using Mosso. Very strange because the UPS rates work well right before you check out. But if I try to get a shipping estimate on products within my cart, I either get a blank result in the popup window or an error like this....


110206: Missing/Illegal ShipTo/Address/StateProvinceCode


So I don't know :(

blackhawk
10-15-2009, 12:10 PM
I wonder now if ship in cart works better than estimated shipping... gonna find out...

ridexbuilder
10-15-2009, 01:32 PM
[UPS: "Consider it nicked!" Sorry, once had a multi-standards 500 bucks VCR go 'missing' on its way from 'out east someplace' to AZ. A paraphrase of an old advert circa 1998/9.]
:buzzsaw:

blackhawk
12-05-2009, 04:36 PM
Thinking of that--- change my own DEMO store security might work..... - it uses a custom extra case statement in the process tree if users "level" is less than XX - then does not have access then endcase. (instead of save/new/modify/delete....)

Allow most user access to do most things....but will not allow them to process a "save/delete/modify"

3 to five lines in every admin file you want them to have access to ---but will skip or disable save/delete/modify case statement if not greater than XX admin level....

jpf - awesome start bro! thanks for the inspiration - I'll play around with it.

This is what I came up with so far, let me know what you guys think...




// Every admin account except the built-in admin (admin_id 1), joined to its group.
$allowed_updates_query = tep_db_query("select a.admin_id, g.admin_groups_id from " . TABLE_ADMIN . " a join " . TABLE_ADMIN_GROUPS . " g on a.admin_groups_id = g.admin_groups_id where a.admin_id != 1");

// Collect the admin_ids that are NOT allowed to edit (the list holds admin ids, not group ids).
$restricted_admin_ids = array();
while ($_allowed_updates = tep_db_fetch_array($allowed_updates_query)) {
  $restricted_admin_ids[] = (int)$_allowed_updates['admin_id'];
}

// Restricted admins get a notice instead of the preview button; admin_id 1 gets the buttons.
if (in_array((int)$login_id, $restricted_admin_ids)) {
  print "sorry you don't have permission to edit this document";
} else {
  echo tep_draw_hidden_field('products_date_added', (tep_not_null($pInfo->products_date_added) ? $pInfo->products_date_added : date('Y-m-d'))) . tep_image_submit('button_preview.gif', IMAGE_PREVIEW) . '&nbsp;&nbsp;<a href="' . tep_href_link(FILENAME_CATEGORIES, 'cPath=' . $cPath . (isset($HTTP_GET_VARS['pID']) ? '&pID=' . $HTTP_GET_VARS['pID'] : '')) . '">' . tep_image_button('button_cancel.gif', IMAGE_CANCEL) . '</a>';
}


bh

met00
12-05-2009, 10:04 PM
Elegant jQuery solution...

1) Assign all submit buttons that you want to disable to a class (class=notdisabled)
2) When the admin logs in store their edit/noedit as a flag in a cookie
3) On page load have jquery check the cookie and if noedit either
a) change the class to disable (makes the button go away)
b) assign a bind event to all the class that disables onclick with a javascript popup or other notification

The nice thing about this is that you can then create multiple classes later on where you wish to allow some access, but not others (the ability for some admins to edit, but not delete) or if you want to also use this for field level data entry (like a user can change a product description, but not pricing) and then just use different classes that can be chained in jquery.

This method would move all admin management to just establish the "rules" and then establish classes for which those rules apply. Then apply those classes to the appropriate fields and manipulate the classes and events through the inclusion of a single .js file in the header.

This may seem like a bit more work up front, but it would add much finer granularity and would be, in the longer term, a much cleaner way to manage admin permissions.

This would also necessitate a change to the admin management that would allow you to (1) set permission levels according to your ruleset and (2) assign those levels to the admin users (this change would be necessary no matter what methods you choose to use).

So, rather than thinking in straight PHP, by moving to using jQuery and more complex stylesheets in the admin we can accomplish the same functionality and actually have a cleaner and simpler interface.

pgmarshall
12-06-2009, 04:21 AM
blackhawk,

Nice start - I think this would be excellent core osCMax code ...

Or a third way ... build something similar to the infobox controller. I.e. store in a table which buttons you want different user levels to be able to access (in the same way as you control the menu items).

Then simply create a new tep function to check against the dbase table for the image in the same way the infobox check is done - if found return image button otherwise return blank. Very simple to do (I think). Then you just need a page to store the buttons and the flag on/off - which could be a copy of the infobox page ...

Just thinking of trying to make the admin user levels more functional rather than hard coding all of the links individually and using a function and dbase table instead.

Only my thoughts - feel free to ignore/flame me!

Regards,
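The thread ends up with three pieces that belong together: a table that says which admin levels may do which write actions (pgmarshall's infobox-style idea), a check in the admin file's case statement before save/delete/modify runs (jpf's gate), and the button hiding in categories.php (blackhawk's snippet). The example below is added here and is not osCMax/osCommerce code or code from anyone in the thread. It puts all three on one lookup function and adds an audit row per write action, which is what the opening question (who last worked on an order) needs. It assumes a hypothetical admin_permissions table (admin_groups_id, action), a hypothetical admin_audit table, and the hypothetical function names tep_admin_can(), tep_permitted_submit(), handle_action() and last_editor(); an in-memory SQLite database with constructed sample rows stands in for the MySQL tables so the script runs on its own with PHP 7.1 or later.

```php
<?php
// Added example, not project code. Assumed/hypothetical: admin_permissions and
// admin_audit tables, and every function name below. SQLite in memory replaces
// the MySQL tables so this runs stand-alone.

function build_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE admin (admin_id INTEGER PRIMARY KEY, admin_groups_id INTEGER NOT NULL)');
    $db->exec('CREATE TABLE admin_permissions (admin_groups_id INTEGER NOT NULL, action TEXT NOT NULL)');
    $db->exec('CREATE TABLE admin_audit (audit_id INTEGER PRIMARY KEY AUTOINCREMENT, admin_id INTEGER, action TEXT, record_id INTEGER, logged_at TEXT)');
    // Constructed sample data: group 1 = full admin, group 2 = read-only, group 3 = order processors.
    $db->exec('INSERT INTO admin (admin_id, admin_groups_id) VALUES (1, 1), (2, 2), (3, 3)');
    $db->exec("INSERT INTO admin_permissions VALUES (1, 'update_product'), (1, 'delete_product'), (1, 'update_order'), (3, 'update_order')");
    return $db;
}

// Single source of truth: may this admin perform this write action?
function tep_admin_can(PDO $db, int $login_id, string $action): bool {
    $stmt = $db->prepare('SELECT 1 FROM admin a JOIN admin_permissions p ON p.admin_groups_id = a.admin_groups_id WHERE a.admin_id = :id AND p.action = :action LIMIT 1');
    $stmt->execute([':id' => $login_id, ':action' => $action]);
    return $stmt->fetchColumn() !== false;
}

// Rendering side ("return image button otherwise return blank"): convenience
// for the user, not the enforcement point.
function tep_permitted_submit(PDO $db, int $login_id, string $action, string $image, string $alt): string {
    if (!tep_admin_can($db, $login_id, $action)) {
        return '';
    }
    return '<input type="image" src="images/' . htmlspecialchars($image) . '" alt="' . htmlspecialchars($alt) . '">';
}

// Processing side (the gate in the case statement): the same check runs again
// before the save/delete branch, so a request posted without the button, or
// with a client-side disable undone, is still refused, and every attempt is logged.
function handle_action(PDO $db, int $login_id, string $action, int $record_id): string {
    $known = ['update_product', 'delete_product', 'update_order'];
    if (!in_array($action, $known, true)) {
        return 'denied: unknown action';
    }
    $permitted = tep_admin_can($db, $login_id, $action);
    $log = $db->prepare('INSERT INTO admin_audit (admin_id, action, record_id, logged_at) VALUES (:id, :action, :rec, :ts)');
    $log->execute([':id' => $login_id, ':action' => ($permitted ? '' : 'DENIED ') . $action, ':rec' => $record_id, ':ts' => gmdate('c')]);
    if (!$permitted) {
        return 'denied: ' . $action;
    }
    switch ($action) {   // the real handlers would update the product/order tables here
        case 'update_product': return 'ok: product ' . $record_id . ' saved';
        case 'delete_product': return 'ok: product ' . $record_id . ' deleted';
        default:               return 'ok: order ' . $record_id . ' status updated';
    }
}

// The opening question: which admin last performed this action on this record?
function last_editor(PDO $db, string $action, int $record_id): ?int {
    $stmt = $db->prepare('SELECT admin_id FROM admin_audit WHERE action = :action AND record_id = :rec ORDER BY audit_id DESC LIMIT 1');
    $stmt->execute([':action' => $action, ':rec' => $record_id]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : (int)$row;
}

// Demo run over the constructed data.
$db = build_demo_db();
echo tep_permitted_submit($db, 2, 'update_product', 'button_update.gif', 'Update') === ''
    ? "read-only admin 2 sees no update button\n" : "admin 2 sees the update button\n";
foreach ([[1, 'delete_product', 42], [2, 'update_product', 42], [3, 'update_order', 1001], [3, 'delete_product', 42]] as [$id, $act, $rec]) {
    printf("admin %d %-15s -> %s\n", $id, $act, handle_action($db, $id, $act, $rec));
}
printf("order 1001 last updated by admin %s\n", var_export(last_editor($db, 'update_order', 1001), true));
```

The point of routing both the button and the case statement through tep_admin_can() is that the jQuery cookie-and-class approach only changes what the browser shows; the server still has to decide, and it has to decide on the posted action, not on whether a button was visible. Keeping the denied attempts in the same audit table is cheap and is the first thing to look at when an order changes and nobody admits to it.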