Permissions to Backend of Shopsite?

General ShopSite user discussion

Permissions to Backend of Shopsite?

Postby tahoemountain » Mon Aug 25, 2008 4:28 pm

Does anybody know if there is a way to have different passwords for the different backend screens in shopsite? For example, is there a way to have a different password for the pages and products area vs the orders and reports area?

We are hiring somebody to help with our product additions and page arrangements and don't want that person to see the orders, reports, or be able to download any of that information.

Is this possible?
tahoemountain
 
Posts: 11
Joined: Tue Apr 01, 2008 12:40 pm

Postby Jim » Mon Aug 25, 2008 6:18 pm

There is only one username and password for each store.

Since you can upload page and product information in a tab delimited or xml format you could have them work off line entering product and pages into an Excel spread sheet and then upload the pages and products from a tab delimited file.
Jim
Site Admin
 
Posts: 4953
Joined: Fri Aug 04, 2006 1:42 pm
Location: Utah

Postby accss » Wed Aug 27, 2008 3:54 pm

I am a new user to shopsite, and came across this same problem. Jim's answer was very discouraging. I then found a solution that works for us:

1) Create a new .htpasswd file with the same username you use to log into your backend, but with a different password. Use a utility like http://www.htaccesstools.com/htpasswd-generator and place the file anywhere on your server (let's call this location X).

2) Add the following text to the end of the .htaccess file found in cgi-bin/ss:

<FilesMatch "^(orderhandler|database_ssl)\.cgi$">
AuthName "View Orders"
AuthType Basic
AuthUserFile [location X]/.htpasswd
require valid-user
</FilesMatch>

Using this method, the original backend password will be used for all sections not explicitly defined (in this case, everything but the orders and download sections). The added section says that orderhandler.cgi and database.cgi are handled by the new password in location X. You can duplicate this section if you wish, so if you want a third password for the products section, you could create a new .htpasswd file in location Y and add the following to your .htaccess file:

<FilesMatch "^products\.cgi$">
AuthName "Products"
AuthType Basic
AuthUserFile [location Y]/.htpasswd
require valid-user
</FilesMatch>

Also, be sure to give anyone who has access to only a portion of the site a direct link to that section, such as
http://domain.com/cgi-bin/ss/orderhandler.cgi since their limited rights may not give them access to the backend start page.
accss
 
Posts: 3
Joined: Wed Aug 27, 2008 3:23 pm

Postby loren_d_c » Wed Aug 27, 2008 4:09 pm

Why database_ssl.cgi? That may prevent the regular user from accessing the menu where the database status is checked and where page and product info is downloaded and uploaded. Note that the tab-delimited order downloads ultimately come from orderhandler.cgi (the menu is on database.cgi, however the form submits to orderhandler.cgi to begin the download of data), so i don't think there is a need to include database.cgi unless you are doing so for some other reason.

Note, however, that XML order downloads can go through db_xml.cgi, so you should include this in your new list.

Also note that this will only work for folks who have access to their ss directories, and who are hosted on apache (UNIX/Linux) webservers.

-Loren
loren_d_c
 
Posts: 2571
Joined: Fri Aug 04, 2006 12:02 pm
Location: Anywhere

Postby accss » Thu Aug 28, 2008 9:51 am

The "download orders" button will not work without database_ssl.cgi. It all depends on which functions you want to protect. Usually, an administrator will have access to the entire backend (and have both passwords), whereas another person will be a limited user. By using this method, you can hand-pick just the areas for the limited user to access. It isn't perfect, but it's a good workaround when the manufacturer provides no other option.

This method is for apache only, but i would imagine that other OS users could use file-level permissions as a workaround as well.
accss
 
Posts: 3
Joined: Wed Aug 27, 2008 3:23 pm


Return to User Forum

Who is online

Users browsing this forum: No registered users and 11 guests