Post by Qphoria » Tue Aug 11, 2009 3:59 am

UPDATED. Below code should work with ALL v1.4.x versions
What does it do:
================
This contrib changes the customer login function to allow the store admin to login to any customer account without knowing the customer's password by instead using the admin password.


Main features:
==============
* Uses the main admin password to log in. (main admin is user_id 1 in the user table)
* Log into anyone's account to troubleshoot downloads, module errors, locale issues
* Place orders for a customer as the admin. The same as an Admin Order Entry option.
How to Install:
================
1) Edit system/library/customer.php
2) Under the "Login" function

FIND (v1.4.8 or lower):

Code:

$customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE email = '" . $this->db->escape($email) . "' AND password = '" . $this->db->escape(md5($password)) . "' AND status = '1'");

FIND (v1.4.9 or higher):

Code:

$customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE LOWER(email) = '" . $this->db->escape(strtolower($email)) . "' AND password = '" . $this->db->escape(md5($password)) . "' AND status = '1'"); 

REPLACE WITH:

Code:

//Q: Master Password
$query = $this->db->query("SELECT `password` FROM " . DB_PREFIX . "user WHERE user_id = '1'");        
$masterpass = $query->row['password'];
        
$customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE LOWER(email) = '" . $this->db->escape(strtolower($email)) . "' AND password = '" . $this->db->escape(md5($password)) . "' AND status = '1'");
if (!$customer_query->num_rows) {
    if (md5($password) == $masterpass) {
        $customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE email = '" . $this->db->escape($email) . "'");
    }    
}//                  

Now you can use your customer's email address with YOUR admin password to login to their account as if you were them. This can be used to place orders as the admin on behalf of the customer. An alternative to Admin Order Entry.
Use at own leisure!


Post by Rich » Tue Aug 11, 2009 5:04 am

Thanks Qphoria

I think this is very useful for store owners. Great job.

Rich
Bird is the word


Post by Qphoria » Thu Jun 17, 2010 1:13 pm

I've updated it. There was no mod, it was just a text file with a quick code change, so I just pasted the steps in the first post. Should work with 1.4.8 still.


Post by k6wong » Thu Jun 17, 2010 1:42 pm

Thanks for the quick reply. I've updated it and it works great.


Post by SteveSherry » Fri Jun 18, 2010 4:36 am

Nice idea Q,

To extend this a little, I have created a new admin user with an incredibly difficult password to crack (upper&lower&numbers&special)
I updated your code from:

Code:

$query = $this->db->query("SELECT `password` FROM " . DB_PREFIX . "user WHERE user_id = '1'");  
to:

Code:

$query = $this->db->query("SELECT `password` FROM " . DB_PREFIX . "user WHERE user_id = '2'");

I have then disabled the new admin user so at least then if the password was ever cracked the admin facility wouldn't be compromised.
And for any serious damage to be done the cracker would need to know each of my customers' email addresses.


Post by cmebd » Tue Sep 14, 2010 5:17 am

Thanks for that.

Cheers

A stupid question is the one you -don't- ask.........(Anon)

OC V1.5.0.1 (IN devel)
OC V1.4.9.5
OC V1.4.9.2
OC V1.4.7
OC V1.3.4


Post by maderstrains » Mon Sep 27, 2010 2:07 am

I did the code change, and when I try to log into the customers account from my website using their email address and my password it does not work. I get this error message saying "Error: No match for E-Mail Address and/or Password." as well as this error notice at the top of the page:

Notice: Undefined variable: customer_query in /home/maderst1/public_html/system/library/customer.php on line 47
Notice: Trying to get property of non-object in /home/maderst1/public_html/system/library/customer.php on line 47

Can someone please explain what this means? Does this mean the code was not changed right?

Thanks again,

Josh Mader
Maders Trains
http://maderstrains.com/


Post by maderstrains » Thu Sep 30, 2010 12:54 am

Anyone know what the error is or what might have happened? Login has been down on my website for a few days now because of this and I have customers emailing me telling me they cannot login, really need to get this back up.

Would appreciate someone's input and help, thank you

Josh Mader
Maders Trains
http://maderstrains.com/


Post by maderstrains » Thu Sep 30, 2010 1:07 am

This is what the coding looks like for the entire "Public Function Login" section. Can someone spot an error that needs to be fixed? I'm getting this error when trying to login as a customer on my website:

Notice: Undefined variable: customer_query in /home/maderst1/public_html/system/library/customer.php on line 47
Notice: Trying to get property of non-object in /home/maderst1/public_html/system/library/customer.php on line 47

And this is the coding:

Code:

public function login($email, $password) {
		if (!$this->config->get('config_customer_approval')) {
			    //Q: Master Password
    $query = $this->db->query("SELECT `password` FROM " . DB_PREFIX . "user WHERE user_id = '1'");        
    $masterpass = $query->row['password'];
            
    $customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE LOWER(email) = '" . $this->db->escape(strtolower($email)) . "' AND password = '" . $this->db->escape(md5($password)) . "' AND status = '1'");
    if (!$customer_query->num_rows) {
        if (md5($password) == $masterpass) {
            $customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE email = '" . $this->db->escape($email) . "'");
        }    
    }//               
		}
		
		if ($customer_query->num_rows) {
			$this->session->data['customer_id'] = $customer_query->row['customer_id'];	
		    
			if (($customer_query->row['cart']) && (is_string($customer_query->row['cart']))) {
				$cart = unserialize($customer_query->row['cart']);
				
				foreach ($cart as $key => $value) {
					if (!array_key_exists($key, $this->session->data['cart'])) {
						$this->session->data['cart'][$key] = $value;
					} else {
						$this->session->data['cart'][$key] += $value;
					}
				}			
			}

Josh Mader
Maders Trains
http://maderstrains.com/


Post by maderstrains » Tue Oct 05, 2010 7:48 am

Well I just upgraded to version 1.4.9.1 about a day ago, and now I'm not getting the error message as I was before when trying to login as one of my customers. However, it is still not letting me login as a customer when using their email address and my ADMIN password.

Anyone know why or what might be wrong? Can someone suggest something to do? The coding is still the same as what I posted above.

Josh Mader
Maders Trains
http://maderstrains.com/


Post by scanreg » Tue Oct 26, 2010 8:56 pm

would it be possible to set up a separate master password that is different from the admin pass?

save admin pass for the most secure things

thanks


Post by keifer » Mon Nov 08, 2010 7:03 am

Just wanted to say Thanks for This Q!

Just what I needed to manually create an order.


Post by wifi-online » Mon Feb 07, 2011 3:05 am

Hello, MasterPassword works in 1.4.9.3?

This code doesn't work in 1.4.9.3!!!! :'(

Code:

//Q: Master Password
		$query = $this->db->query("SELECT `password` FROM " . DB_PREFIX . "user WHERE user_id = '1'");		
		$masterpass = $query->row['password'];
		
		$customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE email = '" . $this->db->escape($email) . "' AND password = '" . $this->db->escape(md5($password)) . "' AND status = '1'");
		if (!$customer_query->num_rows) {
			if (md5($password) == $masterpass) {
				$customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE email = '" . $this->db->escape($email) . "'");
			}	
		}//

Help me!


Post by Johnathan » Sat Feb 12, 2011 3:49 am

Yeah, I tried it in 1.4.9.3 and it didn't work either. The code all looks right, but I gave up after a few attempts to debug it. Any help, Q?


Post by Qphoria » Sat Feb 12, 2011 5:27 am

Code works fine for me in 1.4.9.3
The original "FIND" code needed to be updated with the LOWER() tags so I added that above

But the replace code still works perfectly. In 1.4.9.3 your login function should look like this:

Code:

public function login($email, $password) {
        if (!$this->config->get('config_customer_approval')) {
            //$customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE LOWER(email) = '" . $this->db->escape(strtolower($email)) . "' AND password = '" . $this->db->escape(md5($password)) . "' AND status = '1'");
            //Q: Master Password
            $query = $this->db->query("SELECT `password` FROM " . DB_PREFIX . "user WHERE user_id = '1'");        
            $masterpass = $query->row['password'];
                    
            $customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE LOWER(email) = '" . $this->db->escape(strtolower($email)) . "' AND password = '" . $this->db->escape(md5($password)) . "' AND status = '1'");
            if (!$customer_query->num_rows) {
                if (md5($password) == $masterpass) {
                    $customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE email = '" . $this->db->escape($email) . "'");
                }    
            }//
        } else {
            //$customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE LOWER(email) = '" . $this->db->escape(strtolower($email)) . "' AND password = '" . $this->db->escape(md5($password)) . "' AND status = '1' AND approved = '1'");
            //Q: Master Password
            $query = $this->db->query("SELECT `password` FROM " . DB_PREFIX . "user WHERE user_id = '1'");        
            $masterpass = $query->row['password'];
                    
            $customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE LOWER(email) = '" . $this->db->escape(strtolower($email)) . "' AND password = '" . $this->db->escape(md5($password)) . "' AND status = '1' AND approved = '1'");
            if (!$customer_query->num_rows) {
                if (md5($password) == $masterpass) {
                    $customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE email = '" . $this->db->escape($email) . "'");
                }    
            }//
        }
        
        if ($customer_query->num_rows) {
            $this->session->data['customer_id'] = $customer_query->row['customer_id'];    
            
            if (($customer_query->row['cart']) && (is_string($customer_query->row['cart']))) {
                $cart = unserialize($customer_query->row['cart']);
                
                foreach ($cart as $key => $value) {
                    if (!array_key_exists($key, $this->session->data['cart'])) {
                        $this->session->data['cart'][$key] = $value;
                    } else {
                        $this->session->data['cart'][$key] += $value;
                    }
                }            
            }
            
            $this->customer_id = $customer_query->row['customer_id'];
            $this->firstname = $customer_query->row['firstname'];
            $this->lastname = $customer_query->row['lastname'];
            $this->email = $customer_query->row['email'];
            $this->telephone = $customer_query->row['telephone'];
            $this->fax = $customer_query->row['fax'];
            $this->newsletter = $customer_query->row['newsletter'];
            $this->customer_group_id = $customer_query->row['customer_group_id'];
            $this->address_id = $customer_query->row['address_id'];
      
              return TRUE;
        } else {
              return FALSE;
        }
} 


Post by Johnathan » Sat Feb 12, 2011 11:59 am

I had that exact code, but it wasn't working. I have no idea what happened, because I just uncommented the exact thing I was using earlier, and now it's working. The only thing that changed between before and now was that I went into maintenance mode. (Not that that should have any effect.) Who knows.

Thanks for this contribution, by the way, it's quite handy. Also (for consistency sake), you might want to add the LOWER and strtolower functions within the

Code:

if (md5($password) == $masterpass) { 
block to the code snippet, like this:

Code:

$customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE LOWER(email) = '" . $this->db->escape(strtolower($email)) . "'"); 

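The fallback that the first post splices into login(), together with the approved branch from the full function Qphoria posted above and Johnathan's LOWER()/strtolower() normalisation, rewritten here as one standalone PHP function. This is an added example, not the mod's code and not OpenCart's API: $customers and $adminUsers are plain arrays standing in for the customer and user tables, the stored hashes are password_hash() values instead of 1.4's unsalted MD5 so that password_verify() does a constant-time check in place of the `==` comparison of MD5 strings, the override is tied to one designated user id (SteveSherry's dedicated-account idea, which also answers scanreg's question about keeping the main admin password out of it), and every override login is appended to an audit log so the store owner can see when a customer session was opened with admin credentials.

```php
<?php
// Added example, not the mod's or OpenCart's code. $customers and $adminUsers
// are in-memory stand-ins for the customer and user tables (constructed below).
declare(strict_types=1);

/**
 * Find a customer by e-mail, case-insensitively, the way the LOWER() /
 * strtolower() pair in the FIND line does. Returns the row or null.
 */
function findCustomer(array $customers, string $email): ?array
{
    $needle = strtolower(trim($email));
    foreach ($customers as $row) {
        if (strtolower($row['email']) === $needle) {
            return $row;
        }
    }
    return null;
}

/**
 * Log in with the customer's own password, or fall back to the password of
 * one designated admin account ($overrideUserId). Returns
 * ['customer_id' => ..., 'mode' => 'customer'|'override'] or null on failure.
 * $auditLog receives one line per override login.
 */
function loginWithOverride(
    array $customers,
    array $adminUsers,
    int $overrideUserId,
    bool $requireApproval,
    string $email,
    string $password,
    array &$auditLog
): ?array {
    $customer = findCustomer($customers, $email);
    if ($customer === null || (int) $customer['status'] !== 1) {
        return null;                          // unknown or disabled account
    }
    // The approval check applies to both paths, which is the case robster hit.
    if ($requireApproval && (int) $customer['approved'] !== 1) {
        return null;
    }

    // Normal path: the customer's own password, verified in constant time.
    if (password_verify($password, $customer['password'])) {
        return ['customer_id' => $customer['customer_id'], 'mode' => 'customer'];
    }

    // Override path: only the designated account's hash is consulted, never
    // the whole user table, and the use is recorded.
    $admin = $adminUsers[$overrideUserId] ?? null;
    if ($admin !== null && password_verify($password, $admin['password'])) {
        $auditLog[] = sprintf(
            'override login: user_id %d opened session for customer %d (%s)',
            $overrideUserId, $customer['customer_id'], $customer['email']
        );
        return ['customer_id' => $customer['customer_id'], 'mode' => 'override'];
    }
    return null;
}

// Constructed sample data: one customer, the main admin (user_id 1) and a
// dedicated override account (user_id 2) whose password is used for nothing else.
$customers = [
    ['customer_id' => 7, 'email' => 'Jane@Example.com', 'status' => 1, 'approved' => 1,
     'password' => password_hash('janes-password', PASSWORD_DEFAULT)],
];
$adminUsers = [
    1 => ['password' => password_hash('main-admin-secret', PASSWORD_DEFAULT)],
    2 => ['password' => password_hash('override-only-secret', PASSWORD_DEFAULT)],
];
$audit = [];

// Customer's own password, e-mail typed in a different case.
var_dump(loginWithOverride($customers, $adminUsers, 2, true, 'jane@example.com', 'janes-password', $audit));
// Override account's password: succeeds and is written to the audit log.
var_dump(loginWithOverride($customers, $adminUsers, 2, true, 'jane@example.com', 'override-only-secret', $audit));
// The main admin's password is deliberately not accepted for customer logins.
var_dump(loginWithOverride($customers, $adminUsers, 2, true, 'jane@example.com', 'main-admin-secret', $audit));
print_r($audit);
```

Dropping this into a real OpenCart 1.4 install would still mean replacing the password_hash()/password_verify() calls with whatever hashing the store actually uses for its customer and user tables; the point of the example is the shape of the check (one designated override account, approval enforced on both paths, constant-time comparison, an audit trail), not the hash function.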


Post by robster » Tue Feb 22, 2011 7:02 pm

Hmmm

I have cut and pasted the exact code and replaced the code in my file but it just does not work for me.

I do run my site purely on a 'must be approved to access' basis. Would that make any difference?

Rob

I know my place...!


Post by Qphoria » Tue Feb 22, 2011 8:55 pm

Yeah, I only added the code for the non-approved case because that approval option is new. I'll fix it to support approvals too.


Post by robster » Wed Feb 23, 2011 2:21 am

Ahhh, that'll be why then.

That would be great if you could update to include that then Q.

Thanks

Rob

I know my place...!


Post by Qphoria » Wed Feb 23, 2011 3:27 am
