Permissions to Backend of Shopsite?


Post by tahoemountain » Mon Aug 25, 2008 4:28 pm

Does anybody know if there is a way to have different passwords for the different backend screens in ShopSite? For example, is there a way to have a different password for the pages and products area vs. the orders and reports area?

We are hiring somebody to help with our product additions and page arrangements and don't want that person to see the orders, reports, or be able to download any of that information.

Is this possible?
tahoemountain
 
Posts: 11
Joined: Tue Apr 01, 2008 12:40 pm

Post by Jim » Mon Aug 25, 2008 6:18 pm

There is only one username and password for each store.

Since you can upload page and product information in a tab-delimited or XML format, you could have them work offline, entering products and pages into an Excel spreadsheet, and then upload the pages and products from a tab-delimited file.
Jim
Site Admin
 
Posts: 4953
Joined: Fri Aug 04, 2006 1:42 pm
Location: Utah

Post by accss » Wed Aug 27, 2008 3:54 pm

I am a new user to ShopSite, and came across this same problem. Jim's answer was very discouraging. I then found a solution that works for us:

1) Create a new .htpasswd file with the same username you use to log into your backend, but with a different password. Use a utility like http://www.htaccesstools.com/htpasswd-generator and place the file anywhere on your server (let's call this location X).

2) Add the following text to the end of the .htaccess file found in cgi-bin/ss:

<FilesMatch "^(orderhandler|database_ssl)\.cgi$">
AuthName "View Orders"
AuthType Basic
AuthUserFile [location X]/.htpasswd
require valid-user
</FilesMatch>

Using this method, the original backend password will be used for all sections not explicitly defined (in this case, everything but the orders and download sections). The added section says that orderhandler.cgi and database.cgi are handled by the new password in location X. You can duplicate this section if you wish, so if you want a third password for the products section, you could create a new .htpasswd file in location Y and add the following to your .htaccess file:

<FilesMatch "^products\.cgi$">
AuthName "Products"
AuthType Basic
AuthUserFile [location Y]/.htpasswd
require valid-user
</FilesMatch>

Also, be sure to give anyone who has access to only a portion of the site a direct link to that section, such as http://domain.com/cgi-bin/ss/orderhandler.cgi, since their limited rights may not give them access to the backend start page.
accss
 
Posts: 3
Joined: Wed Aug 27, 2008 3:23 pm

Post by loren_d_c » Wed Aug 27, 2008 4:09 pm

Why database_ssl.cgi? That may prevent the regular user from accessing the menu where the database status is checked and where page and product info is downloaded and uploaded. Note that the tab-delimited order downloads ultimately come from orderhandler.cgi (the menu is on database.cgi; however, the form submits to orderhandler.cgi to begin the download of data), so I don't think there is a need to include database.cgi unless you are doing so for some other reason.

Note, however, that XML order downloads can go through db_xml.cgi, so you should include this in your new list.

Also note that this will only work for folks who have access to their ss directories, and who are hosted on Apache (UNIX/Linux) web servers.

-Loren
loren_d_c
 
Posts: 2569
Joined: Fri Aug 04, 2006 12:02 pm
Location: Anywhere

Post by accss » Thu Aug 28, 2008 9:51 am

The "download orders" button will not work without database_ssl.cgi. It all depends on which functions you want to protect. Usually, an administrator will have access to the entire backend (and have both passwords), whereas another person will be a limited user. By using this method, you can hand-pick just the areas for the limited user to access. It isn't perfect, but it's a good workaround when the manufacturer provides no other option.

This method is for Apache only, but I would imagine that other OS users could use file-level permissions as a workaround as well.
accss
 
Posts: 3
Joined: Wed Aug 27, 2008 3:23 pm
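
An added example, not part of any post in this thread: a small audit that reads the FilesMatch sections accss posted and reports, for each script name mentioned in the discussion, which extra password realm (if any) covers it. It assumes Apache tests each FilesMatch pattern against the file's base name and that these simple patterns behave the same in Python's `re`; the sample .htaccess text and the script list are constructed from the snippets and names in the thread.

```python
import re

# Constructed sample: the two blocks posted in the thread, placeholders kept.
HTACCESS = r'''
<FilesMatch "^(orderhandler|database_ssl)\.cgi$">
AuthName "View Orders"
AuthType Basic
AuthUserFile [location X]/.htpasswd
require valid-user
</FilesMatch>
<FilesMatch "^products\.cgi$">
AuthName "Products"
AuthType Basic
AuthUserFile [location Y]/.htpasswd
require valid-user
</FilesMatch>
'''

# Script names mentioned in the thread.
SCRIPTS = ["orderhandler.cgi", "database_ssl.cgi", "database.cgi",
           "db_xml.cgi", "products.cgi"]

BLOCK = re.compile(r'<FilesMatch\s+"([^"]+)"\s*>(.*?)</FilesMatch>', re.S | re.I)
DIRECTIVE = re.compile(r'^\s*(\w+)\s+(.+?)\s*$', re.M)

def parse_blocks(text):
    """Extract each FilesMatch section with its pattern and auth directives."""
    blocks = []
    for pattern, body in BLOCK.findall(text):
        d = {k.lower(): v.strip('"') for k, v in DIRECTIVE.findall(body)}
        blocks.append({"regex": re.compile(pattern),
                       "realm": d.get("authname"),
                       "userfile": d.get("authuserfile"),
                       "enforced": "require" in d})
    return blocks

def audit(scripts, blocks):
    """Map each script to the realm of the last enforcing section that matches
    its name, or None when only the store-wide login applies."""
    result = {}
    for name in scripts:
        result[name] = None
        for b in blocks:  # later sections override earlier ones
            if b["enforced"] and b["regex"].search(name):
                result[name] = b["realm"]
    return result

if __name__ == "__main__":
    for name, realm in audit(SCRIPTS, parse_blocks(HTACCESS)).items():
        print(f"{name:20} {realm or 'store-wide login only'}")
```

On the sample, database.cgi and db_xml.cgi come back with no extra realm, which is the gap loren_d_c's reply raises for XML order downloads.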

