Restricting login for unused ECShop admin accounts

2016-09-07 22:02 Source: www.chinab4c.com Author: ecshop专家

When a company's operations staff change, deleting an administrator's account leaves the operator field of that account's operation-log entries empty. To keep the admin account intact while still denying it access, one could simply change the backend admin URL, but for better security the company asked for an account status setting so that an administrator's login status can be switched on and off at will. Below is the problem that deleting an admin account causes in the operation log:

Below is a screenshot of the feature after it was added:

1. Run the following database statement to add the status field (ecs_ is the table prefix):

ALTER TABLE `ecs_admin_user` ADD `status` SMALLINT( 3 ) UNSIGNED NOT NULL DEFAULT '1' COMMENT '账号状态';

2. Edit the login-validation section of /admin/privilege.php to add the account status check, and add an AJAX handler for changing the account status after it (search for "验证登陆信息", at roughly line 179, and add the following code above that handler):

/*------------------------------------------------------ */
//-- Validate login credentials
/*------------------------------------------------------ */
elseif ($_REQUEST['act'] == 'signin')
{
  if (!empty($_SESSION['captcha_word']) && (intval($_CFG['captcha']) & CAPTCHA_ADMIN))
  {
    include_once(ROOT_PATH . 'includes/cls_captcha.php');

    /* Check that the captcha is correct */
    $validator = new captcha();
    if (!empty($_POST['captcha']) && !$validator->check_word($_POST['captcha']))
    {
      sys_msg($_LANG['captcha_error'], 1);
    }
  }

  $_POST['username'] = isset($_POST['username']) ? trim($_POST['username']) : '';
  $_POST['password'] = isset($_POST['password']) ? trim($_POST['password']) : '';

  /* Look up the per-account salt first; accounts created before salting have none */
  $sql = "SELECT `ec_salt` FROM " . $ecs->table('admin_user') . " WHERE user_name = '" . $_POST['username'] . "'";
  $ec_salt = $db->getOne($sql);
  if (!empty($ec_salt))
  {
    /* Salted account: password column holds md5(md5(password) . salt) */
    $sql = "SELECT user_id, user_name, password, last_login, action_list, suppliers_id, ec_salt, status" .
      " FROM " . $ecs->table('admin_user') .
      " WHERE user_name = '" . $_POST['username'] . "' AND password = '" . md5(md5($_POST['password']) . $ec_salt) . "'";
  }
  else
  {
    /* Legacy unsalted account: password column holds plain md5(password) */
    $sql = "SELECT user_id, user_name, password, last_login, action_list, suppliers_id, ec_salt, status" .
      " FROM " . $ecs->table('admin_user') .
      " WHERE user_name = '" . $_POST['username'] . "' AND password = '" . md5($_POST['password']) . "'";
  }
  $row = $db->getRow($sql);
  if ($row)
  {
    // Supplier administrators: the supplier they belong to must be approved
    if (!empty($row['suppliers_id']))
    {
      $supplier_is_check = suppliers_list_info(' is_check = 1 AND suppliers_id = ' . $row['suppliers_id']);
      if (empty($supplier_is_check))
      {
        sys_msg($_LANG['login_disable'], 1);
      }
    }

    // Account status check (new): a disabled account (status = 0) is rejected
    // here, before any admin session is created. The explicit exit() makes sure
    // the code below can never run even if sys_msg() were to return.
    if ($row['status'] == 0)
    {
      sys_msg($_LANG['login_disable'], 1);
      exit();
    }

    // Login succeeded
    set_admin_session($row['user_id'], $row['user_name'], $row['action_list'], $row['last_login']);
    $_SESSION['suppliers_id'] = $row['suppliers_id'];
    if (empty($row['ec_salt']))
    {
      /* Upgrade a legacy account to the salted scheme on first successful login */
      $ec_salt      = rand(1, 9999);
      $new_password = md5(md5($_POST['password']) . $ec_salt);
      $db->query("UPDATE " . $ecs->table('admin_user') .
        " SET ec_salt='" . $ec_salt . "', password='" . $new_password . "'" .
        " WHERE user_id='$_SESSION[admin_id]'");
    }

    if ($row['action_list'] == 'all' && empty($row['last_login']))
    {
      $_SESSION['shop_guide'] = true;
    }

    // Update last login time and IP
    $db->query("UPDATE " . $ecs->table('admin_user') .
      " SET last_login='" . gmtime() . "', last_ip='" . real_ip() . "'" .
      " WHERE user_id='$_SESSION[admin_id]'");

    if (isset($_POST['remember']))
    {
      $time = gmtime() + 3600 * 24 * 365;
      setcookie('ECSCP[admin_id]',   $row['user_id'],                                  $time);
      setcookie('ECSCP[admin_pass]', md5($row['password'] . $_CFG['hash_code']), $time);
    }

    // Clear expired cart data
    clear_cart();

    ecs_header("Location: ./index.php\n");

    exit;
  }
  else
  {
    sys_msg($_LANG['login_faild'], 1);
  }
}

/*------------------------------------------------------ */
//-- AJAX: change account status
/*------------------------------------------------------ */
elseif ($_REQUEST['act'] == 'toggle_status')
{
  // Only administrators with the admin_manage privilege may change account
  // status; the JSON variant of the check is used because this act answers AJAX.
  check_authz_json('admin_manage');

  $user_id = intval($_POST['id']);
  $status  = intval($_POST['val']) ? 1 : 0;   // normalize to the two valid values

  if ($exc->edit("status = '$status'", $user_id))
  {
    clear_cache_files();
    make_json_result($status);
  }
  else
  {
    make_json_error($db->error());
  }
}

3. Edit /admin/templates/privilege_list.htm to add the account status column (replace the existing table; back it up first):

<table cellspacing='1' cellpadding='3' id='list-table'>
  <tr>
    <th>{$lang.user_name}</th>
    <th>{$lang.email}</th>
    <th>{$lang.join_time}</th>
    <th>{$lang.last_time}</th>
    <th>{$lang.status}</th>
    <th>{$lang.handler}</th>
  </tr>
  {foreach from=$admin_list item=list}
  <tr>
    <td class="first-cell" >{$list.user_name}</td>
    <td align="left">{$list.email}</td>
    <td align="center">{$list.add_time}</td>
    <td align="center">{$list.last_login|default:N/A}</td>
    <td align="center"><img src="images/{if $list.status}yes{else}no{/if}.gif" onclick="listTable.toggle(this, 'toggle_status', {$list.user_id})" /></td>
    <td align="center">
      <a href="privilege.php?act=allot&id={$list.user_id}&user={$list.user_name}" title="{$lang.allot_priv}"><img src="images/icon_priv.gif" border="0" height="16" width="16"></a>  
      <a href="admin_logs.php?act=list&id={$list.user_id}" title="{$lang.view_log}"><img src="images/icon_view.gif" border="0" height="16" width="16"></a>  
      <a href="privilege.php?act=edit&id={$list.user_id}" title="{$lang.edit}"><img src="images/icon_edit.gif" border="0" height="16" width="16"></a>  
      <a href="javascript:;" onclick="listTable.remove({$list.user_id}, '{$lang.drop_confirm}')" title="{$lang.remove}"><img src="images/icon_drop.gif" border="0" height="16" width="16"></a></td>
  </tr>
  {/foreach}
</table>

4. Append the following to the end of /languages/zh_cn/admin/privilege.php:

$_LANG['status'] = '状态';
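To see the rules the four steps above add behaving together, here is an added stand-alone example (not code from the page or from ECShop): it models the `status` gate against an in-memory SQLite copy of `ecs_admin_user` (requires the pdo_sqlite extension). The md5 hashing, the hypothetical `can_manage_admins()` stand-in for ECShop's privilege check, and the sample rows are simplifying assumptions for the demo.

```php
<?php
// Added example, not ECShop code. Schema mirrors the page's ecs_admin_user table
// (with the new status column); rows and log entry below are constructed data.
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE ecs_admin_user (user_id INTEGER PRIMARY KEY, user_name TEXT UNIQUE,
    password TEXT, action_list TEXT, status INTEGER NOT NULL DEFAULT 1)");
$db->exec("CREATE TABLE ecs_admin_log (log_id INTEGER PRIMARY KEY, user_id INTEGER, log_info TEXT)");
$ins = $db->prepare("INSERT INTO ecs_admin_user (user_name, password, action_list) VALUES (?, ?, ?)");
$ins->execute(['root', md5('r00t-pw'), 'all']);               // constructed sample rows
$ins->execute(['ex_staff', md5('staff-pw'), 'order_manage']);
$db->exec("INSERT INTO ecs_admin_log (user_id, log_info) VALUES (2, 'edited order 1001')");

// Login: as on the page, the status check runs before any admin session exists.
function admin_signin(PDO $db, string $user, string $pass): string {
    $st = $db->prepare("SELECT user_id, status FROM ecs_admin_user WHERE user_name = ? AND password = ?");
    $st->execute([$user, md5($pass)]);   // md5 only mirrors the page's scheme (assumption)
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row)                     return 'login_faild';
    if ((int)$row['status'] === 0) return 'login_disable';   // account kept, login refused
    return 'ok:' . $row['user_id'];
}

// Hypothetical stand-in for ECShop's admin_priv('admin_manage') check.
function can_manage_admins(PDO $db, int $actor_id): bool {
    $st = $db->prepare("SELECT action_list FROM ecs_admin_user WHERE user_id = ? AND status = 1");
    $st->execute([$actor_id]);
    $list = (string)$st->fetchColumn();
    return $list === 'all' || in_array('admin_manage', explode(',', $list), true);
}

// Toggle handler with the guards the page's AJAX act should enforce: the caller
// must be allowed to manage admins, may not disable itself, and val must be 0/1.
function toggle_status(PDO $db, int $actor_id, int $target_id, int $status): string {
    if ($status !== 0 && $status !== 1)            return 'bad_value';
    if (!can_manage_admins($db, $actor_id))        return 'no_priv';
    if ($actor_id === $target_id && $status === 0) return 'self_lockout';
    $st = $db->prepare("UPDATE ecs_admin_user SET status = ? WHERE user_id = ?");
    $st->execute([$status, $target_id]);
    return $st->rowCount() === 1 ? 'ok' : 'no_such_user';
}

echo toggle_status($db, 1, 2, 0), "\n";               // root disables ex_staff (row is kept)
echo admin_signin($db, 'ex_staff', 'staff-pw'), "\n"; // correct password, but account is disabled
echo toggle_status($db, 2, 1, 0), "\n";               // ex_staff lacks the privilege
echo toggle_status($db, 1, 1, 0), "\n";               // root may not lock itself out
// The log entry still resolves to an operator name, which deleting the account broke:
echo $db->query("SELECT u.user_name FROM ecs_admin_log l JOIN ecs_admin_user u USING (user_id)")
        ->fetchColumn(), "\n";
```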

With that the feature is essentially complete. When a disabled account tries to log in, the prompt shown in the image below appears:

(Editor: chinab4c)