[Contrib] Master Password Override
Posted: Tue Aug 11, 2009 3:59 am
by Qphoria
UPDATED. Below code should work with ALL v1.4.x versions
What does it do:
================
This contrib changes the customer login function to allow the store admin to login to any customer account without knowing the customer's password by instead using the admin password.
Main features:
==============
* Uses the main admin password to log in. (main admin is user_id 1 in the user table)
* Log into anyone's account to troubleshoot downloads, module errors, locale issues
* Place orders for a customer as the admin. The same as an Admin Order Entry option.
How to Install:
================
1) Edit system/library/customer.php
2) Under the "Login" function
FIND (v1.4.8 or lower):
Code:
$customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE email = '" . $this->db->escape($email) . "' AND password = '" . $this->db->escape(md5($password)) . "' AND status = '1'");
FIND (v1.4.9 or higher):
Code:
$customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE LOWER(email) = '" . $this->db->escape(strtolower($email)) . "' AND password = '" . $this->db->escape(md5($password)) . "' AND status = '1'");
REPLACE WITH:
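Code:
//Q: Master Password
// Fetch the stored password hash of the main admin (user_id 1).
$query = $this->db->query("SELECT `password` FROM " . DB_PREFIX . "user WHERE user_id = '1'");
$masterpass = $query->row['password'];
// Normal customer login: e-mail, MD5 of the password, and an enabled account.
$customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE LOWER(email) = '" . $this->db->escape(strtolower($email)) . "' AND password = '" . $this->db->escape(md5($password)) . "' AND status = '1'");
// No match: if the supplied password hashes to the admin's hash, load the customer by e-mail alone.
// This fallback query checks neither the customer's password nor the status column.
if (!$customer_query->num_rows) {
    if (md5($password) == $masterpass) {
        $customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE email = '" . $this->db->escape($email) . "'");
    }
}//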
Now you can use your customer's email address with YOUR admin password to login to their account as if you were them. This can be used to place orders as the admin on behalf of the customer. An alternative to Admin Order Entry.
Use at own leisure!
Re: [Contrib] Master Password Override
Posted: Tue Aug 11, 2009 5:04 am
by Rich
Thanks Qphoria
I think this is very useful for store owners. Great job.
Re: [Contrib] Master Password Override
Posted: Thu Jun 17, 2010 1:13 pm
by Qphoria
I've updated it. There was no mod, it was just a text file with a quick code change, so I just pasted the steps in the first post. Should work with 1.4.8 still
Re: [Contrib] Master Password Override
Posted: Thu Jun 17, 2010 1:42 pm
by k6wong
Thanks for the quick reply. I've updated it and it works great.
Re: [Contrib] Master Password Override
Posted: Fri Jun 18, 2010 4:36 am
by SteveSherry
Nice idea Q,
To extend this a little, I have created a new admin user with an incredibly difficult password to crack (upper&lower&numbers&special)
I updated your code from:
Code:
$query = $this->db->query("SELECT `password` FROM " . DB_PREFIX . "user WHERE user_id = '1'");
to:
Code:
$query = $this->db->query("SELECT `password` FROM " . DB_PREFIX . "user WHERE user_id = '2'");
I have then disabled the new admin user so at least then if the password was ever cracked the admin facility wouldn't be compromised.
And for any serious damage to be done the cracker would need to know each of my customers' email addresses.
Re: [Contrib] Master Password Override
Posted: Tue Sep 14, 2010 5:17 am
by cmebd
Thanks for that.
Cheers
Manually Entering an Order in OpenCart Admin?
Posted: Mon Sep 27, 2010 2:07 am
by maderstrains
I did the code change, and when I try to log into the customer's account from my website using their email address and my password it does not work. I get this error message saying "Error: No match for E-Mail Address and/or Password." as well as this error notice at the top of the page:
Notice: Undefined variable: customer_query in /home/maderst1/public_html/system/library/customer.php on line 47
Notice: Trying to get property of non-object in /home/maderst1/public_html/system/library/customer.php on line 47
Can someone please explain what this means? Does this mean the code was not changed right?
Thanks again,
Re: Manually Entering an Order in OpenCart Admin?
Posted: Thu Sep 30, 2010 12:54 am
by maderstrains
Anyone know what the error is or what might have happened? Login has been down on my website for a few days now because of this and I have customers emailing me telling me they cannot log in, really need to get this back up.
Would appreciate someone's input and help, thank you
Re: Manually Entering an Order in OpenCart Admin?
Posted: Thu Sep 30, 2010 1:07 am
by maderstrains
This is what the coding looks like for the entire "Public Function Login" section. Can someone spot an error that needs to be fixed? I'm getting this error when trying to login as a customer on my website:
Notice: Undefined variable: customer_query in /home/maderst1/public_html/system/library/customer.php on line 47
Notice: Trying to get property of non-object in /home/maderst1/public_html/system/library/customer.php on line 47
And this is the coding:
Code:
public function login($email, $password) {
    if (!$this->config->get('config_customer_approval')) {
        //Q: Master Password
        $query = $this->db->query("SELECT `password` FROM " . DB_PREFIX . "user WHERE user_id = '1'");
        $masterpass = $query->row['password'];
        $customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE LOWER(email) = '" . $this->db->escape(strtolower($email)) . "' AND password = '" . $this->db->escape(md5($password)) . "' AND status = '1'");
        if (!$customer_query->num_rows) {
            if (md5($password) == $masterpass) {
                $customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE email = '" . $this->db->escape($email) . "'");
            }
        }//
    }
    if ($customer_query->num_rows) {
        $this->session->data['customer_id'] = $customer_query->row['customer_id'];
        if (($customer_query->row['cart']) && (is_string($customer_query->row['cart']))) {
            $cart = unserialize($customer_query->row['cart']);
            foreach ($cart as $key => $value) {
                if (!array_key_exists($key, $this->session->data['cart'])) {
                    $this->session->data['cart'][$key] = $value;
                } else {
                    $this->session->data['cart'][$key] += $value;
                }
            }
        }
Re: [Contrib] Master Password Override
Posted: Tue Oct 05, 2010 7:48 am
by maderstrains
Well I just upgraded to version 1.4.9.1 about a day ago, and now I'm not getting the error message as I was before when trying to login as one of my customers. However, it is still not letting me login as a customer when using their email address and my ADMIN password.
Anyone know why or what might be wrong? Can someone suggest something to do? The coding is still the same as what I posted above.
Re: [Contrib] Master Password Override
Posted: Tue Oct 26, 2010 8:56 pm
by scanreg
would it be possible to set up a separate master password that is different from the admin pass?
save admin pass for the most secure things
thanks
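As an added illustration of the separate override secret that scanreg and SteveSherry describe (this is not code from the thread or from OpenCart): a stand-alone PHP sketch in which the override secret is independent of every admin account, is stored with password_hash(), respects the customer's status flag, and leaves an audit entry. The function name login_with_override, the in-memory $customers array, the sample secrets and PHP 5.5+ (for password_hash/password_verify) are assumptions.

```php
<?php
// Added example; login_with_override() and all data below are hypothetical.
// Constructed stand-in for the customer table (status 0 = disabled account).
$customers = array(
    'alice@example.test' => array('customer_id' => 7, 'status' => 1,
        'password' => password_hash('alice-own-pass', PASSWORD_DEFAULT)),
    'bob@example.test' => array('customer_id' => 9, 'status' => 0,
        'password' => password_hash('bob-own-pass', PASSWORD_DEFAULT)),
);
// Dedicated override secret: stored only as a salted hash and not tied to
// any admin account, so it never doubles as an admin-panel credential.
$overrideHash = password_hash('constructed-support-secret', PASSWORD_DEFAULT);
$auditLog = array();

function login_with_override(array $customers, $overrideHash, $email, $password, array &$auditLog) {
    $email = strtolower($email);            // same normalisation on every path
    if (!isset($customers[$email])) {
        return false;
    }
    $row = $customers[$email];
    if ((int) $row['status'] !== 1) {       // disabled stays disabled, override included
        return false;
    }
    if (password_verify($password, $row['password'])) {
        return $row['customer_id'];         // ordinary customer login
    }
    // password_verify() is safe against timing attacks and involves no loose
    // == comparison of hash strings, unlike md5($password) == $masterpass.
    if (password_verify($password, $overrideHash)) {
        $auditLog[] = sprintf('%s override login customer_id=%d email=%s',
            gmdate('c'), $row['customer_id'], $email);
        return $row['customer_id'];
    }
    return false;
}

// Constructed calls: override on an enabled account, override on a disabled
// account, and a wrong password.
var_dump(login_with_override($customers, $overrideHash, 'Alice@example.test', 'constructed-support-secret', $auditLog));
var_dump(login_with_override($customers, $overrideHash, 'bob@example.test', 'constructed-support-secret', $auditLog));
var_dump(login_with_override($customers, $overrideHash, 'alice@example.test', 'wrong', $auditLog));
print_r($auditLog);
```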
Re: [Contrib] Master Password Override
Posted: Mon Nov 08, 2010 7:03 am
by keifer
Just wanted to say Thanks for This Q!
Just what I needed to manually create an order.
Re: [Contrib] Master Password Override
Posted: Mon Feb 07, 2011 3:05 am
by wifi-online
Hello, does MasterPassword work in 1.4.9.3?
This code doesn't work in 1.4.9.3!!!!
Code:
//Q: Master Password
$query = $this->db->query("SELECT `password` FROM " . DB_PREFIX . "user WHERE user_id = '1'");
$masterpass = $query->row['password'];
$customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE email = '" . $this->db->escape($email) . "' AND password = '" . $this->db->escape(md5($password)) . "' AND status = '1'");
if (!$customer_query->num_rows) {
    if (md5($password) == $masterpass) {
        $customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE email = '" . $this->db->escape($email) . "'");
    }
}//
Help me!
Re: [Contrib] Master Password Override
Posted: Sat Feb 12, 2011 3:49 am
by Johnathan
Yeah, I tried it in 1.4.9.3 and it didn't work either. The code all looks right, but I gave up after a few attempts to debug it. Any help, Q?
Re: [Contrib] Master Password Override
Posted: Sat Feb 12, 2011 5:27 am
by Qphoria
Code works fine for me in 1.4.9.3
The original "FIND" code needed to be updated with the LOWER() tags so I added that above
But the replace code still works perfectly. In 1.4.9.3 your login function should look like this:
Code:
public function login($email, $password) {
    if (!$this->config->get('config_customer_approval')) {
        //$customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE LOWER(email) = '" . $this->db->escape(strtolower($email)) . "' AND password = '" . $this->db->escape(md5($password)) . "' AND status = '1'");
        //Q: Master Password
        $query = $this->db->query("SELECT `password` FROM " . DB_PREFIX . "user WHERE user_id = '1'");
        $masterpass = $query->row['password'];
        $customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE LOWER(email) = '" . $this->db->escape(strtolower($email)) . "' AND password = '" . $this->db->escape(md5($password)) . "' AND status = '1'");
        if (!$customer_query->num_rows) {
            if (md5($password) == $masterpass) {
                $customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE email = '" . $this->db->escape($email) . "'");
            }
        }//
    } else {
        //$customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE LOWER(email) = '" . $this->db->escape(strtolower($email)) . "' AND password = '" . $this->db->escape(md5($password)) . "' AND status = '1' AND approved = '1'");
        //Q: Master Password
        $query = $this->db->query("SELECT `password` FROM " . DB_PREFIX . "user WHERE user_id = '1'");
        $masterpass = $query->row['password'];
        $customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE LOWER(email) = '" . $this->db->escape(strtolower($email)) . "' AND password = '" . $this->db->escape(md5($password)) . "' AND status = '1' AND approved = '1'");
        if (!$customer_query->num_rows) {
            if (md5($password) == $masterpass) {
                $customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE email = '" . $this->db->escape($email) . "'");
            }
        }//
    }
    if ($customer_query->num_rows) {
        $this->session->data['customer_id'] = $customer_query->row['customer_id'];
        if (($customer_query->row['cart']) && (is_string($customer_query->row['cart']))) {
            $cart = unserialize($customer_query->row['cart']);
            foreach ($cart as $key => $value) {
                if (!array_key_exists($key, $this->session->data['cart'])) {
                    $this->session->data['cart'][$key] = $value;
                } else {
                    $this->session->data['cart'][$key] += $value;
                }
            }
        }
        $this->customer_id = $customer_query->row['customer_id'];
        $this->firstname = $customer_query->row['firstname'];
        $this->lastname = $customer_query->row['lastname'];
        $this->email = $customer_query->row['email'];
        $this->telephone = $customer_query->row['telephone'];
        $this->fax = $customer_query->row['fax'];
        $this->newsletter = $customer_query->row['newsletter'];
        $this->customer_group_id = $customer_query->row['customer_group_id'];
        $this->address_id = $customer_query->row['address_id'];
        return TRUE;
    } else {
        return FALSE;
    }
}
Re: [Contrib] Master Password Override
Posted: Sat Feb 12, 2011 11:59 am
by Johnathan
I had that exact code, but it wasn't working. I have no idea what happened, because I just uncommented the exact thing I was using earlier, and now it's working. The only thing that changed between before and now was that I went into maintenance mode. (Not that that should have any effect.) Who knows.
Thanks for this contribution, by the way, it's quite handy. Also (for consistency's sake), you might want to add the LOWER and strtolower functions within the
Code:
if (md5($password) == $masterpass) {
block to the code snippet, like this:
Code:
$customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE LOWER(email) = '" . $this->db->escape(strtolower($email)) . "'");
Re: [Contrib] Master Password Override
Posted: Tue Feb 22, 2011 7:02 pm
by robster
Hmmm
I have cut and pasted the exact code and replaced the code in my file but it just does not work for me.
I do run my site purely on a 'must be approved to access' basis. Would that make any difference?
Rob
Re: [Contrib] Master Password Override
Posted: Tue Feb 22, 2011 8:55 pm
by Qphoria
yea.. I only added the code for the non-approved because that approval option is new.. I'll fix it to support approvals too
Re: [Contrib] Master Password Override
Posted: Wed Feb 23, 2011 2:21 am
by robster
Ahhh, that'll be why then.
That would be great if you could update to include that then Q.
Thanks
Rob
Re: [Contrib] Master Password Override
Posted: Wed Feb 23, 2011 3:27 am
by Qphoria