Difference between revisions of "X-Cart:User Access Control"

From X-Cart 4 Classic

Latest revision as of 11:31, 26 March 2013

User access control functionality is available in X-Cart versions 4.1.9 and later. It allows the store administrator to restrict users' access to the store's back end by IP address. In X-Cart GOLD and GOLD PLUS, the "back end" is the store's Admin area; in X-Cart PLATINUM and PRO, the "back end" is the Admin area and the Provider area.

Note: User access control functionality fully blocks access to the store's back end by IP address. If you would like to restrict access not to the entire back end, but just to some of the pages in the back end, see the section Protected Mode.

By default, user access control functionality is disabled. It can be enabled by setting the value of the constant BLOCK_UNKNOWN_ADMIN_IP (in X-Cart versions prior to 4.5.5 - the constant SECURITY_BLOCK_UNKNOWN_ADMIN_IP) in X-Cart's main configuration file config.php to TRUE.

With user access control functionality enabled, no user can log in to the store's back end unless their IP address is on the list of allowed IP addresses. The only exception to the general rule is the very first user who logs in to the store's back end after user access control functionality has been enabled: it is presumed that the IP address used to log in to the store's back end for the very first time is a trusted IP address, so it is added to the list of allowed IP addresses automatically. Any subsequent log-in attempts from IP addresses other than that IP address are blocked. Instead of being logged in, the user is stopped and shown a warning message like the following:

[Screenshot: warn.gif, the warning message shown to a user whose IP address is not on the list]

At the same time an IP address registration request is sent:

  • in X-Cart 4.5.5 and later - to the email address of the user trying to log in (provided that they are a registered user with an account type allowed access to the store's back end, with a valid email address and password);
  • in earlier X-Cart versions - to the email address specified under 'Site administrator email address' in 'General settings/Company options'.

The email message with the IP address registration request contains information about the login attempt that was blocked and specially crafted links that can be used to either allow or deny access to the back end from the respective IP address. As soon as the link to allow access is clicked, the IP address is added to the list of allowed IP addresses, and the user can freely log in to the back end.

In addition to being sent via email, IP address registration requests also appear on the 'User access control' page in the Admin area where they can be approved or deleted by any user with access to the page. For details, see Managing IP address registration requests.

It is also possible to add allowed IP addresses manually via the 'User access control' page in the Admin area. For details, see Managing the list of allowed IP addresses.

Managing IP address registration requests

IP address registration requests are managed on the 'User access control' page of the store's Admin area. In X-Cart 4.4.0 and later, this page is found at Tools menu -> Maintenance -> "See also" tab (right-side menu) -> User access control; in X-Cart versions before 4.4.x, at Administration menu -> Summary -> "In this section" menu -> User access control. Registration requests appear in the 'IP address registration requests' section, which is displayed only if there are active requests:

[Screenshot: ip_registration_requests.gif, the 'IP address registration requests' section]

To delete an IP address registration request:

  1. Select the check box next to the IP address that needs to be deleted.
  2. Click the Delete selected button. The selected request will be deleted. You should see an Information box with a confirmation message.

To accept an IP address registration request:

  1. Select the check box next to the IP address that needs to be registered.
  2. Click the Register selected button. The selected IP address will be added to the list of allowed IP addresses. You should see an Information box with a confirmation message.

Managing the list of allowed IP addresses

The store's list of allowed IP addresses is stored in the database and can be viewed and managed in the 'Allowed IP addresses' section of the 'User access control' page in the store's Admin area. In X-Cart 4.4.0 and later, this page is found at Tools menu -> Maintenance -> "See also" tab (right-side menu) -> User access control; in X-Cart versions before 4.4.x, at Administration menu -> Summary -> "In this section" menu -> User access control.

[Screenshot: allowed_ip_addrs.gif, the 'Allowed IP addresses' section]

To add an IP address to the list:

  1. Enter the desired IP address into the 'Add IP address' field.
  2. Click the Add button. The IP address will be added to the list. You should see an Information box with a confirmation message.

Instead of adding individual IP addresses one by one, it is possible to define patterns. Patterns can use numbers (0-255) and the asterisk character. An asterisk matches any number in the range 0-255 and can be used to replace an IP octet. For example, to allow access from any host on the 195.24.53 network, set the pattern as 195.24.53.*.

When creating a pattern, be aware that you can use asterisks in non-final IP address octets only if you are going to replace all the octets that follow it by asterisks, too. Patterns formatted differently will be deemed incorrect. For example, patterns like 195.*.*.* or 195.24.*.* are correct; patterns like 195.*.53.* are incorrect.
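The pattern rules above (octets 0-255 or an asterisk, and an asterisk only in an octet whose following octets are also asterisks), re-implemented as an added example. This is not X-Cart's own code (X-Cart performs the check in PHP against its database); the function names and the sample allowed list are constructed for illustration.

```python
"""Allowed-IP pattern validation and matching, as described for X-Cart's
User access control. Added example, not X-Cart's PHP implementation."""
import ipaddress


def is_valid_pattern(pattern: str) -> bool:
    """Four dot-separated octets, each 0-255 or '*'. Once an octet is '*',
    every later octet must be '*' too: 195.24.*.* is valid, 195.*.53.* is not."""
    parts = pattern.split(".")
    if len(parts) != 4:
        return False
    seen_star = False
    for part in parts:
        if part == "*":
            seen_star = True
        elif seen_star:
            return False  # a number after an asterisk is deemed incorrect
        elif not (part.isascii() and part.isdigit() and 0 <= int(part) <= 255):
            return False
    return True


def ip_matches(ip: str, pattern: str) -> bool:
    """True when every octet of ip equals the pattern's octet or the pattern has '*'.
    Malformed patterns and unparsable client addresses never grant access."""
    if not is_valid_pattern(pattern):
        return False
    try:
        octets = str(ipaddress.IPv4Address(ip)).split(".")
    except ValueError:
        return False
    return all(p == "*" or p == o for p, o in zip(pattern.split("."), octets))


def is_back_end_login_allowed(client_ip: str, allowed: list[str]) -> bool:
    """Deny-by-default semantics of BLOCK_UNKNOWN_ADMIN_IP: the login proceeds
    only if some entry in the allowed list matches the client address."""
    return any(ip_matches(client_ip, entry) for entry in allowed)


# Constructed sample list: one exact address and the page's 195.24.53.* example.
ALLOWED_IPS = ["203.0.113.7", "195.24.53.*"]

if __name__ == "__main__":
    for ip in ("203.0.113.7", "195.24.53.200", "195.24.54.1"):
        verdict = "allowed" if is_back_end_login_allowed(ip, ALLOWED_IPS) else "blocked"
        print(f"{ip}: {verdict}")
```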

If the list of allowed IP addresses contains an IP address that no longer needs access to the store's back end, you can remove it from the list. To remove an IP address from the list of allowed IP addresses:

  1. Select the check box next to the IP address that needs to be removed.
  2. Click the Delete selected button. The selected IP address will be removed from the list. You should see an Information box with a confirmation message.

Please note that it is not possible to remove your own IP address from the list (the check box displayed next to your own IP address is grayed out).

See also

  • Protected Mode
  • Config.php