Difference between revisions of "X-Cart:User Access Control"

From X-Cart 4 Classic
(Managing IP address registration requests)
m
Line 1: Line 1:
X-Cart allows you to use a mode of enhanced protection for your store's back end in which you can control, from which IP addresses users can access the store's back end.
+
X-Cart allows the store administrator to enable a mode of enhanced protection for the store's back end in which the store administrator will be able to control, from which IP addresses the store's back end can be accessed. In X-Cart GOLD, the back end corresponds to the store's Admin area; in X-Cart PRO - the Admin area and the Provider area.
  
{{Note1|Note: In X-Cart GOLD, the back end is the store's Admin area; in X-Cart PRO - the Admin area and the Provider area.}}
+
By default, the mode of enhanced protection is disabled. It can be enabled by setting the value of the constant SECURITY_BLOCK_UNKNOWN_ADMIN_IP in X-Cart's main configuration file [[X-Cart:Config.php|config.php]] to "true".  
  
By default, the mode of enhanced protection for your store's back end is disabled. You can enable it by setting the value of the constant SECURITY_BLOCK_UNKNOWN_ADMIN_IP in X-Cart's main configuration file [[X-Cart:Config.php|config.php]] to "true".
+
After the mode of enhanced protection has been enabled, no user will be able to log in to the store's back end until his or her IP address is registered with the system. Log-in attempts of existing back end users will be denied with the following message:
  
{{Note1|Warning: If you are not sure how to edit this file, please request assistance from someone with knowledge of PHP or contact X-Cart's technical support.}}
+
[[Image:warn.gif|663px|center]]
 +
 
 +
Registration of user IP addresses is performed by the store administrator. After enabling the mode of enhanced protection, the store administrator registers his or her own IP address with the system and manages the IP address registration requests of other users who need access to the back end area, if any. The IP addresses from which access to the store's back end is allowed are entered into the list of allowed IP addresses. This list is stored in the database and can be managed by the store administrator on the 'User access control' page of the Admin area.
 +
 
 +
== Managing IP address registration requests ==
 +
 
 +
If you are the store administrator, the first thing you should do after enabling the mode of enhanced protection for the store's back end is register your own IP address with the system so you can log in to the Admin area. To do so, go to the Admin area (make sure this happens from the IP address you wish to register) and log in using your admin user credentials. You will not be logged in; however, you will see a warning message (as seen in the screenshot above) saying that you are not allowed to access the requested resource because your IP address is not registered, and that a request to register your IP address has been sent to the store administrator. This means that an IP address registration request has been sent on your behalf to the email address specified under 'Site administrator email address' in 'General settings/Company options'. Go to the said email account, locate the IP address registration request message and open it. You will see that this message provides information about your own attempt to log in to the Admin area (the time of the log-in attempt, your login name and the IP address that was used) as well as links allowing you to allow or deny access to the store's back end for the respective IP address. Use the link provided in the email message to allow access to the store's back end from your own IP address. As a result, your IP address will be  entered into the store's list of allowed IP addresses. As soon as it happens, you will be able to log in to the Admin area from the registered IP address as usual. If you intend to use more than one IP address to access the store's back end, you can register all of these addresses by adding them to the list of allowed IP addresses using the controls of the 'Allowed IP addresses' section on the 'User access control' page in the store's Admin area.
 +
 
 +
If you are not the only user of the store's back end, you may also receive IP address registration requests from other users. The procedure for registering the IP addresses of other users of the store's back end is exactly the same: when a user attempts to log in to the store's back end using a valid login/password combination, you will receive an IP address registration request by email and will be able to accept or decline it using specially crafted links provided in the email message.
 +
 
 +
You can also manage IP address registration requests through the store's Admin area. In addition to being sent to the site administrator's email address, IP address registration requests appear in the 'IP address registration requests' section of the 'User access control' page. Note that this section is displayed only if there are active requests.
 +
 
 +
[[Image:ip_registration_requests.gif|523px|center]]
  
After you enable this mode, you should log in to the Admin area so that your own IP address is registered with the system. After that, no user will be able to log in to the store's back end until you register his or her IP address: all log-in attempts will be denied and the users will get the following message:
+
You can use this section to accept or delete IP address registration requests.
  
[[Image:warn.gif|663px|center]]
+
To delete an IP address registration request:
  
Provided that the login/password entered by the user attempting to log in correspond to the login/password of an existing user belonging to a user type with permissions to access the respective X-Cart area, a request to register the user's IP address will be sent to the email address specified under 'Site administrator email address' in 'General settings/Company options'. This request will provide you with information about the time of the log-in attempt, the login name of the user who attempted to log in and the IP address that was used. You will be able to consider this information and, if necessary, grant access to the user by clicking on a specially crafted link contained in the email message. As a result, the IP address will be registered with the system (entered into your store's list of allowed IP addresses).
+
# Select the check box next to the IP address whose registration is requested (Select multiple check boxes to delete more than one registration request).
 +
# Click the '''Delete selected''' button. The selected request(s) will be deleted (The selected IP address(es) will be removed from the list). You should see an Information box with a confirmation message.
  
Naturally, it is possible to manage allowed IP addresses and requests for IP address registration through your store's Admin area.
+
To register an IP address:
  
== Managing your store's list of allowed IP addresses ==
+
# Select the check box next to the IP address that needs to be registered (Select multiple check boxes to register more than one IP address).
 +
# Click the '''Register selected''' button. The selected IP address(es) will be moved to the list of allowed IP addresses. You should see an Information box with a confirmation message.
 +
 
 +
== Managing the list of allowed IP addresses ==
  
Your store's list of allowed IP addresses is stored in the database and can be managed through the 'User access control' section of the store's Admin area.
+
The store's list of allowed IP addresses is stored in the database and can be managed on the 'User access control' page in the store's Admin area.
  
 
To view your store's list of IP addresses:
 
To view your store's list of IP addresses:
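Review bot: In the rewritten introduction, the sentence beginning "After the mode of enhanced protection has been enabled, no user will be able to log in" makes the administrator's own first login depend on the registration e-mail reaching the 'Site administrator email address', yet nothing tells the reader to confirm that address before setting SECURITY_BLOCK_UNKNOWN_ADMIN_IP to "true". Suggest adding that check as an explicit step ahead of enabling the mode. The revision also drops the earlier warning about asking for assistance before editing config.php; consider keeping it next to the sentence that names the constant.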
Line 28: Line 44:
 
[[Image:allowed_ip_addrs.gif|517px|center]]
 
[[Image:allowed_ip_addrs.gif|517px|center]]
  
You can add IP addresses to the list using the 'Add IP address' field:
+
You can add IP addresses to the list:
  
 
# Enter the desired IP address into the 'Add IP address' field.
 
# Enter the desired IP address into the 'Add IP address' field.
Line 37: Line 53:
 
{{Note1|Note: When creating a pattern, be aware that you can use asterisks in non-final IP address octets only if you are going to replace all the octets that follow it by asterisks, too. Patterns formatted differently will be deemed incorrect. For example, patterns like 195.*.*.* or 195.24.*.* are correct; patterns like 195.*.53.* are incorrect.}}
 
{{Note1|Note: When creating a pattern, be aware that you can use asterisks in non-final IP address octets only if you are going to replace all the octets that follow it by asterisks, too. Patterns formatted differently will be deemed incorrect. For example, patterns like 195.*.*.* or 195.24.*.* are correct; patterns like 195.*.53.* are incorrect.}}
  
If the list of allowed IP addresses contains an IP address that needs no longer be allowed for access to the store's back end, you can remove this IP address from the list of allowed IP addresses. To remove an IP address from the list of allowed IP addresses:
+
If the list of allowed IP addresses contains an IP address that needs no longer be allowed access to the store's back end, you can remove this IP address from the list of allowed IP addresses. To remove an IP address from the list of allowed IP addresses:
  
 
# Select the check box next to the IP address that needs to be removed (Select multiple check boxes to remove more than one IP address).
 
# Select the check box next to the IP address that needs to be removed (Select multiple check boxes to remove more than one IP address).
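Review bot: The reworded sentence "an IP address that needs no longer be allowed access" is still awkward after this change; "an IP address that should no longer be allowed access to the store's back end" reads more naturally. The phrase "from the list of allowed IP addresses" also appears in two consecutive sentences and could be shortened to "from the list" in the second.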
Line 43: Line 59:
  
 
Please note that it is not possible to remove your own IP address from the list. (The check box displayed next to your own IP address is grayed out).
 
Please note that it is not possible to remove your own IP address from the list. (The check box displayed next to your own IP address is grayed out).
 
== Managing IP address registration requests ==
 
 
In addition to being sent to the site administrator's email address, IP address registration requests appear in the dialog box 'IP address registration requests' of the 'User access control' section.
 
 
{{Note1|Note: The dialog box 'IP address registration requests' is displayed only if there are active requests.}}
 
 
The list of requests is a list of IP addresses awaiting registration.
 
 
[[Image:ip_registration_requests.gif|523px|center]]
 
 
If you go to the 'User access control' section and see one or more IP address registration requests in the 'IP address registration requests' list, you need to decide whether you wish to delete them or to register the respective IP addresses with your store system.
 
 
To delete an IP address registration request:
 
 
# Select the check box next to the IP address whose registration is requested (Select multiple check boxes to delete more than one registration request).
 
# Click the '''Delete selected''' button. The selected request(s) will be deleted (The selected IP address(es) will be removed from the list). You should see an Information box with a confirmation message.
 
 
To register an IP address:
 
 
# Select the check box next to the IP address that needs to be registered (Select multiple check boxes to register more than one IP address).
 
# Click the '''Register selected''' button. The selected IP address(es) will be moved to the list of allowed IP addresses. You should see an Information box with a confirmation message.
 
  
 
[[Category:X-Cart user manual]]
 
[[Category:X-Cart user manual]]

Revision as of 19:22, 24 July 2012

X-Cart allows the store administrator to enable a mode of enhanced protection for the store's back end, in which the store administrator controls the IP addresses from which the back end can be accessed. In X-Cart GOLD, the back end corresponds to the store's Admin area; in X-Cart PRO, it corresponds to the Admin area and the Provider area.

By default, the mode of enhanced protection is disabled. It can be enabled by setting the value of the constant SECURITY_BLOCK_UNKNOWN_ADMIN_IP in X-Cart's main configuration file config.php to "true".

After the mode of enhanced protection has been enabled, no user will be able to log in to the store's back end until his or her IP address is registered with the system. Log-in attempts of existing back end users will be denied with the following message:

[Image: Warn.gif]

Registration of user IP addresses is performed by the store administrator. After enabling the mode of enhanced protection, the store administrator registers his or her own IP address with the system and manages the IP address registration requests of other users who need access to the back end area, if any. The IP addresses from which access to the store's back end is allowed are entered into the list of allowed IP addresses. This list is stored in the database and can be managed by the store administrator on the 'User access control' page of the Admin area.

Managing IP address registration requests

If you are the store administrator, the first thing you should do after enabling the mode of enhanced protection for the store's back end is register your own IP address with the system so you can log in to the Admin area. To do so:

  1. Go to the Admin area (make sure you do this from the IP address you wish to register) and log in using your admin user credentials. You will not be logged in; instead, you will see a warning message (as seen in the screenshot above) saying that you are not allowed to access the requested resource because your IP address is not registered, and that a request to register your IP address has been sent to the store administrator. This means that an IP address registration request has been sent on your behalf to the email address specified under 'Site administrator email address' in 'General settings/Company options'.
  2. Go to that email account, locate the IP address registration request message and open it. The message provides information about your own attempt to log in to the Admin area (the time of the log-in attempt, your login name and the IP address that was used) as well as links that allow or deny access to the store's back end for the respective IP address.
  3. Use the link provided in the email message to allow access to the store's back end from your own IP address. As a result, your IP address will be entered into the store's list of allowed IP addresses. As soon as this happens, you will be able to log in to the Admin area from the registered IP address as usual.

If you intend to use more than one IP address to access the store's back end, you can register all of these addresses by adding them to the list of allowed IP addresses using the controls of the 'Allowed IP addresses' section on the 'User access control' page in the store's Admin area.

If you are not the only user of the store's back end, you may also receive IP address registration requests from other users. The procedure for registering the IP addresses of other users of the store's back end is exactly the same: when a user attempts to log in to the store's back end using a valid login/password combination, you will receive an IP address registration request by email and will be able to accept or decline it using specially crafted links provided in the email message.

You can also manage IP address registration requests through the store's Admin area. In addition to being sent to the site administrator's email address, IP address registration requests appear in the 'IP address registration requests' section of the 'User access control' page. Note that this section is displayed only if there are active requests.

[Image: Ip registration requests.gif]

You can use this section to accept or delete IP address registration requests.

To delete an IP address registration request:

  1. Select the check box next to the IP address whose registration is requested (Select multiple check boxes to delete more than one registration request).
  2. Click the Delete selected button. The selected request(s) will be deleted (The selected IP address(es) will be removed from the list). You should see an Information box with a confirmation message.

To register an IP address:

  1. Select the check box next to the IP address that needs to be registered (Select multiple check boxes to register more than one IP address).
  2. Click the Register selected button. The selected IP address(es) will be moved to the list of allowed IP addresses. You should see an Information box with a confirmation message.

Managing the list of allowed IP addresses

The store's list of allowed IP addresses is stored in the database and can be managed on the 'User access control' page in the store's Admin area.

To view your store's list of IP addresses:

  1. Go to the 'Summary' section (Administration menu->Summary).
  2. In the section menu, click the 'User access control' link. The 'User access control' section opens. You should be able to see the list of IP addresses for which access to the back end of your store is permitted in the 'Allowed IP addresses' dialog box.

Before you add the IP addresses of any other users to the list, it will contain only one IP address, your own:

[Image: Allowed ip addrs.gif]

You can add IP addresses to the list:

  1. Enter the desired IP address into the 'Add IP address' field.
  2. Click the Add button. The IP address will be added to the list. You should see an Information box with a confirmation message.

Instead of adding individual IP addresses one by one, it is possible to define patterns that would match multiple IP addresses. Patterns can use numbers (0-255) and the asterisk character. An asterisk matches any number in the range 0-255 and can be used to replace an IP octet. For example, to allow access from any host on the 195.24.53 network, set the pattern as 195.24.53.*.

Note: When creating a pattern, be aware that you can use an asterisk in a non-final IP address octet only if you also replace all the octets that follow it with asterisks. Patterns formatted differently will be deemed incorrect. For example, patterns like 195.*.*.* or 195.24.*.* are correct; patterns like 195.*.53.* are incorrect.
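
The pattern rule above, as an added example that is not X-Cart's own code: a validator and matcher that accept trailing-asterisk patterns only, plus an audit helper that reports how many addresses each list entry admits. The function names, the 256-host review threshold and the sample list are assumptions made for this illustration.

```python
# Added illustration, not X-Cart code: the allowed-IP pattern rule described above.

def parse_pattern(pattern):
    """Return four octets (ints or '*'); raise ValueError if the pattern is incorrect."""
    parts = pattern.strip().split(".")
    if len(parts) != 4:
        raise ValueError("expected four octets: %r" % pattern)
    octets, seen_star = [], False
    for part in parts:
        if part == "*":
            seen_star = True
            octets.append("*")
        elif seen_star:
            # A number after an asterisk (195.*.53.*) is an incorrect pattern.
            raise ValueError("number follows an asterisk: %r" % pattern)
        elif part.isascii() and part.isdigit() and len(part) <= 3 and int(part) <= 255:
            octets.append(int(part))
        else:
            raise ValueError("octet must be 0-255 or '*': %r" % pattern)
    return octets


def covered_addresses(pattern):
    """Number of IPv4 addresses a valid pattern lets in (256 per asterisk)."""
    return 256 ** parse_pattern(pattern).count("*")


def is_allowed(ip, patterns):
    """True if the concrete address matches at least one valid pattern."""
    addr = parse_pattern(ip)
    if "*" in addr:
        raise ValueError("client address must be concrete: %r" % ip)
    for pattern in patterns:
        try:
            wanted = parse_pattern(pattern)
        except ValueError:
            continue  # an incorrect entry never grants access
        if all(w == "*" or w == got for w, got in zip(wanted, addr)):
            return True
    return False


def audit(patterns, max_hosts=256):
    """Sort entries into incorrect, broader than max_hosts (assumed threshold), and ok."""
    report = {"incorrect": [], "broad": [], "ok": []}
    for pattern in patterns:
        try:
            size = covered_addresses(pattern)
        except ValueError:
            report["incorrect"].append(pattern)
            continue
        report["broad" if size > max_hosts else "ok"].append(pattern)
    return report


# Constructed sample list; 192.0.2.10 is a documentation address, the rest come from the text.
SAMPLE = ["192.0.2.10", "195.24.53.*", "195.24.*.*", "195.*.*.*", "195.*.53.*"]

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(is_allowed("195.24.53.17", ["195.24.53.*"]))
```

Running the audit over an exported copy of the allowed list before and after changes shows which entries open the back end to a whole network rather than a single host.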

If the list of allowed IP addresses contains an IP address that no longer needs to be allowed access to the store's back end, you can remove this IP address from the list of allowed IP addresses. To remove an IP address from the list of allowed IP addresses:

  1. Select the check box next to the IP address that needs to be removed (Select multiple check boxes to remove more than one IP address).
  2. Click the Delete selected button. The selected IP address(es) will be removed from the list. You should see an Information box with a confirmation message.

Please note that it is not possible to remove your own IP address from the list. (The check box displayed next to your own IP address is grayed out).