Important Notice from AspDotNetStorefront
It is with dismay that we report that we have been forced, through the action of hackers, to shut off write-access to this forum. We are keen to leave the wealth of material available to you for research. We have opened a new forum from which our community of users can seek help, support and advice from us and from each other. To post a new question to our community, please visit: http://forums.vortx.com

Thread: Admin Security Question

  1. #1
    jwallwork (Member; joined Sep 2008; 38 posts)

    Admin Security Question

    We have a client that wants to use the ability to create different admin menus for admin logins to limit admin access. However, they found a "backdoor" method to access the customer area. The logged-in username displayed in the upper left of the admin screen has a hyperlink to edit the user profile. From there you can access the customer area. Is there a way to not have the hyperlink to the user's profile, but still display the username? This is version 8 of ASPDNSF.

    Thanks,

    John
    Last edited by jwallwork; 03-29-2010 at 01:11 PM.

  2. #2
    AspDotNetStorefront Staff - Scott (Administrator; joined Mar 2007; Ashland, OR; 2,390 posts)

    If you can do without displaying the name, this is very easy. Just open up /admin/skins/skin_1/main.ascx and remove these lines:

    Code:
                    <tr>
                        <td style="width : 210px"><br /></td>
                        <td class="adminUserIcon"><a href="(!ADMIN_ICON_LINK!)" target="content" title="Edit Account"><img id="imgUserIcon" src="skins/skin_(!SKINID!)/images/usericon.gif" border="0"/></a></td>    
                        <td class="adminUserName">
                            (!ADMIN_USER_NAME!)
                        </td>                 
                    </tr>
    If you absolutely have to have the name in there, this becomes a source mod. First, make this change to the same file as above to remove the link on the little image next to the name:

    Code:
                    <tr>
                        <td style="width : 210px"><br /></td>
                        <td class="adminUserIcon"><img id="img1" src="skins/skin_(!SKINID!)/images/usericon.gif" border="0"/></td>    
                        <td class="adminUserName">
                            (!ADMIN_USER_NAME!)
                        </td>                 
                    </tr>
    Then in Parser.cs, find:

    Code:
                        if (AppLogic.IsAdminSite)
                        {
                            tmpS = " <a href=\"cst_account.aspx?customerid=" + ThisCustomer.CustomerID + "\">" + ThisCustomer.FullName() + "</a>";
                            m_DynamicTokens.Add("(!ADMIN_USER_NAME!)", tmpS);
    ...and change it to this, then recompile:

    Code:
                        if (AppLogic.IsAdminSite)
                        {
                            tmpS = ThisCustomer.FullName();
                            m_DynamicTokens.Add("(!ADMIN_USER_NAME!)", tmpS);
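
The change above only alters what the admin skin renders, so a restricted login is still limited by nothing more than the menu it is shown. The following is an added example, not part of the original thread and not AspDotNetStorefront code: a generic ASP.NET `IHttpModule` that refuses admin pages outside a per-login allow list. It assumes the login name is available as `HttpContext.User.Identity.Name`; the class name, the `orders-clerk` login and the page names in the policy are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Added example (hypothetical class, not AspDotNetStorefront code).
// Backs a trimmed admin menu with a server-side check on every /admin request.
public class AdminPageGuard : IHttpModule
{
    // Constructed sample policy: restricted login -> admin pages it may request.
    // Logins not listed are left to the application's normal admin checks.
    private static readonly Dictionary<string, HashSet<string>> Allowed =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "orders-clerk", new HashSet<string>(StringComparer.OrdinalIgnoreCase)
                { "default.aspx", "orders.aspx" } }
        };

    public static bool IsAllowed(string login, string appRelativePath)
    {
        if (!appRelativePath.StartsWith("~/admin/", StringComparison.OrdinalIgnoreCase))
            return true;                       // not an admin page
        HashSet<string> pages;
        if (!Allowed.TryGetValue(login ?? "", out pages))
            return true;                       // login has no restriction entry
        string page = VirtualPathUtility.GetFileName(appRelativePath);
        return pages.Contains(page);           // e.g. cst_account.aspx is not listed
    }

    public void Init(HttpApplication app)
    {
        // Runs after authentication, before the page handler executes.
        app.AuthorizeRequest += (sender, e) =>
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            string login = ctx.User != null ? ctx.User.Identity.Name : null;
            if (!IsAllowed(login, ctx.Request.AppRelativeCurrentExecutionFilePath))
                throw new HttpException(403, "Not permitted for this admin login.");
        };
    }

    public void Dispose() { }
}
```

The module has to be registered in the site's web.config module list before it takes effect, and the allow list should match the pages exposed in each custom admin menu.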

  3. #3
    jwallwork (Member; joined Sep 2008; 38 posts)

    Thanks,

    The client did purchase the source code so I can modify it.

    John