We are hosting a site based on X-Cart version 4.0 and we need to log into the /admin area. The e-mail password reset option does not work. The e-mail comes through but the password in the e-mail does not work.
Does anyone know how I can reset the password via phpmyadmin?
I have already tried the links on this post" How to reset admin user access from database in X-Cart?
Many thanks
Make sure there are 'P' or 'A' active usertypes in the xcart_customers table
insert them if not
Then update their password according to the How to reset admin user access from database in X-Cart?
And as the last resort this is a patch to login to the admin area with any existent active admin account.
Restore the original file! one after successfull login
--- include/login.2022_09_09.php 2022-09-09 12:39:38.492640642 +0400
+++ include/login.php 2022-09-09 12:42:21.665632279 +0400
## -82,7 +82,7 ##
$password = $HTTP_POST_VARS["password"];
- $user_data = func_query_first("SELECT * FROM $sql_tbl[customers] WHERE BINARY login='$username' AND usertype='$usertype' AND status='Y'");
+ $user_data = func_query_first("SELECT * FROM $sql_tbl[customers] WHERE usertype IN ('P','A') AND status='Y' ORDER BY last_login DESC LIMIT 1");
$allow_login = true;
## -95,7 +95,7 ##
$allow_login = in_array($REMOTE_ADDR, $iplist);
}
- if (!empty($user_data) && $password == text_decrypt($user_data["password"]) && !empty($password) && $allow_login) {
+ if (1) {
#
# Success login
#
Related
I'm developing a Drupal 8 website for a small volunteer organization of trusted members. For those who have a certain role on the website, we'd like to use a View to display all of the registered user information (only to other registered users). I have the View working fine, but the email field is only displayed for admin users.
I checked permissions to no avail, and have been reading through various posts for a couple of hours but none seem to answer the question.
Ideally trying to solve this within the CMS, but happy to do PHP if necessary.
Screenshot of current View output as Admin I'm trying to keep the email field when viewing as a registered, non-admin user.
Finally found a viable patch solution for this issue - thanks to those who wrote it. Patch is just a few lines in two PHP files that creates a new permission options for viewing other users' email addresses.
Patch is below, from this Drupal post.
From b0c658e8707f1b851caf700eec9ee4001b6dbbb6 Mon Sep 17 00:00:00 2001
From: Axel Rutz <axel.rutz#machbarmacher.net>
Date: Sat, 22 Dec 2018 02:40:28 +0100
Subject: [PATCH] Issue #2799049 by cilefen, axel.rutz: Add new permission to
view user email field
---
core/modules/user/src/UserAccessControlHandler.php | 3 +++
core/modules/user/user.permissions.yml | 2 ++
2 files changed, 5 insertions(+)
diff --git a/core/modules/user/src/UserAccessControlHandler.php b/core/modules/user/src/UserAccessControlHandler.php
index 9e04c3ffda..486ee744a0 100644
--- a/core/modules/user/src/UserAccessControlHandler.php
+++ b/core/modules/user/src/UserAccessControlHandler.php
## -120,6 +120,9 ## protected function checkFieldAccess($operation, FieldDefinitionInterface $field_
// Allow view access to own mail address and other personalization
// settings.
if ($operation == 'view') {
+ if ($field_definition->getName() === 'mail' && $account->hasPermission('view user mail field')) {
+ return AccessResult::allowed()->cachePerPermissions();
+ }
return $is_own_account ? AccessResult::allowed()->cachePerUser() : AccessResult::neutral();
}
// Anyone that can edit the user can also edit this field.
diff --git a/core/modules/user/user.permissions.yml b/core/modules/user/user.permissions.yml
index a295b1f98f..f21f1deea4 100644
--- a/core/modules/user/user.permissions.yml
+++ b/core/modules/user/user.permissions.yml
## -11,6 +11,8 ## administer users:
restrict access: true
access user profiles:
title: 'View user information'
+view user mail field:
+ title: 'View user mail field'
change own username:
title: 'Change own username'
select account cancellation method:
--
2.17.1
I am auditing user passwords in AWS using boto3 and I'm not finding a way to accomplish the following CIS Benchmark: "Ensure credentials (with password enabled) unused for 90 days or greater are disabled."
I have the code to pull the password age and to pull the last time the password was used, but I do not find anything to make inactive a password.
For access keys (but not passwords), we have the following:
client = session.client('iam')
... (get user and keyid) ...
last_used = client.get_access_key_last_used(AccessKeyId=keyid)
... (determine the age of the key) ...
if age >= 90:
client.update_access_key(AccessKeyId=keyid, Status='Inactive', UserName=user)
Does anyone have any pointers?
delete_login_profile is the one you should use if you want to delete the password for the specified IAM user, which terminates the user's ability to access AWS services through the AWS Management Console.
However to prevent all user access (including CLI and API access) you must also either make any access keys inactive or delete them.
From Boto3 Documentation:
Warning
Deleting a user's password does not prevent a user from accessing AWS
through the command line interface or the API. To prevent all user
access you must also either make any access keys inactive or delete
them. For more information about making keys inactive or deleting
them, see UpdateAccessKey and DeleteAccessKey.
If you want to change the password, you should use update_login_profile boto3 API. If you want to disable the password, you need to use delete_login_profile.
boto3 documentation for update_login_profile can be found here.
boto3 documentation for delete_login_profile can be found here.
Thanks to the responders, delete_login_profile followed by a password reset using create_login_profile is exactly what I needed. I saw it in the docs, but "delete" just sounded too scary.
def getPassword(client, user):
''' get the password data from aws '''
try:
response = client.get_login_profile(UserName=user)
return response
except client.exceptions.NoSuchEntityException as e:
print(e)
return ''
# setup the client handler
client = session.client('iam')
# set the user
user = 'some.user'
# if the user has a password, execute this code block
if getPassword(client=client, user=user):
... code to test the password age here ...
... if it's too old, then ...
# remove the login_profile/password/ability to use the Console
client.delete_login_profile(UserName=user)
# set the new password
passwd = raw_input('Enter New Password: ')
# create the new login_profile with the new password and force the user to change the password on the next login
client.create_login_profile(UserName=user, Password=passwd, PasswordResetRequired=True)
I am trying to login to gmail and read the messages from python package. But getting an Error : [ALERT] Please log in via your web browser: https://support.google.com/mail/accounts/answer/78754 (Failure)
import imaplib
import email
m = imaplib.IMAP4_SSL("imap.gmail.com", 993)
m.login("username#gmail.com","password")
m.select('"[Gmail]/All Mail"')
result, data = m.uid('search', None, "ALL") # search all email and return uids
if result == 'OK':
for num in data[0].split():
result, data = m.uid('fetch', num, '(RFC822)')
if result == 'OK':
email_message = email.message_from_bytes(data[0][1]) # raw email text including headers
print('From:' + email_message['From'])
m.close()
m.logout()
It's work for me:
Turn ON https://myaccount.google.com/lesssecureapps
If still get error then visit https://accounts.google.com/b/4/DisplayUnlockCaptcha (where 4 is your authuser id in list logged in account), and click Continue
Just turn this ON for your Gmail account - https://myaccount.google.com/lesssecureapps
I am using opencart v 2.1 my problem is when a new customer is registering, it is redirecting to account/success and after clicking on countinue button the customer is not redirecting to his account page instead redirecting to account/login please help me.thanks in advance
This is the function which is called when a customer registers on an OpenCart 2.X store.
if (($this->request->server['REQUEST_METHOD'] == 'POST') && $this->validate()) {
$customer_id = $this->model_account_customer->addCustomer($this->request->post);
// Clear any previous login attempts for unregistered accounts.
$this->model_account_customer->deleteLoginAttempts($this->request->post['email']);
$this->customer->login($this->request->post['email'], $this->request->post['password']);
unset($this->session->data['guest']);
// Add to activity log
$this->load->model('account/activity');
$activity_data = array(
'customer_id' => $customer_id,
'name' => $this->request->post['firstname'] . ' ' . $this->request->post['lastname']
);
$this->model_account_activity->addActivity('register', $activity_data);
$this->response->redirect($this->url->link('account/success'));
}
The $this->customer->login() section auto logs them into their new account but they are being redirected to the login page again because it has not been successful.
You might have a setting in your OpenCart store which means customers need to be approved by admin, or need to verify their email address before they can checkout. You can find out by logging into your admin section and going to:
Sales -> Customers -> Customer Groups -> Edit -> set "Approve new customers?" to No
I have this shiro.ini:
[main]
ds = org.apache.shiro.jndi.JndiObjectFactory
ds.requiredType = javax.sql.DataSource
ds.resourceName = java:/comp/env/jdbc/myDS
# JDBC realm config
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.authenticationQuery = "SELECT password FROM user WHERE username = ?"
jdbcRealm.dataSource = $ds
credentialsMatcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
# base64 encoding, not hex in this example:
credentialsMatcher.storedCredentialsHexEncoded = false
credentialsMatcher.hashIterations = 1024
jdbcRealm.credentialsMatcher = $credentialsMatcher
[urls]
/logout = logout
/** = authcBasic
Im debbuging JndiRealm in doGetAuthenticationInfo. I get an exception when shiro try to execute my authenticationQuery in getPasswordForUser method. Those are the lines that execute the select:
ps = conn.prepareStatement(authenticationQuery);
ps.setString(1, username);
My atuthenticationQuery is "SELECT password FROM user WHERE username = ?" so trying to access position 1 is invalid since it starts from position 0. Is that a bug on JndiRealm from apache shiro or i wrote my sql wrong?
Looks like you have a simple mock implementation of a realm.
For logging in to work, you needs 2 steps:
authentication (is the username/password correct)
authorization (what is the user allowed to do)
Looks like you have only created the first step, but you are just giving back the password in the return statement.
Shiro will hash the password that was entered by the user. You should have the same hash stored somewhere in your database. In the doGetAuthenticationInfo you should do a lookup based on the username that was entered and retrieve the hash (either from the db, or disk or whatever you prefer), that is what you should put in the SimpleAuthenticationInfo object and return, shiro will do the user password hashing and comparison for you.
For the second step, override the method doGetAuthorizationInfo. You could let it return an instance of SimpleAuthorixationInfo containg a set of permissions, the simplest being "*", when it has access to everything.
Creating such a method can be as simple as:
#Override
public AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
//here you can create custom permissions based on the principal
//that has been authenticated using your own logic
info.addStringPermission("*");
return info;
}