
Multiple Admin Users

Note: this hack is written for jobberBase 1.8.

This lets you create any number of admin users who can manage the site for you. The superuser remains “admin” (the account with id 1) and is the only one who can create and delete other accounts; every other user can do everything else the “admin” user can do.

It should be useful for sites where more than one person manages the job board and nobody wants to share their password (or use one shared password for everyone). This is only a basic multi-admin hack: there is a lot more that could be built on it, such as auditing the actions of each account or restricting accounts to certain parts of the admin site. Note also that, as written, it inherits jobberBase's stock password storage (unsalted md5), builds its SQL by string concatenation, and deletes users through a plain GET link with no CSRF token — harden those before relying on it for accounts you do not fully trust.

1) open /admin/index.php

after this block

case 'password':
	if(!isset($_SESSION['AdminId']))
	{
		redirect_to(BASE_URL);
		exit;
	}
	require_once 'page_password.php';
	$html_title = 'Change password / ' . SITE_NAME;
	$template = 'password.tpl';
	$flag = 1;
	break;

add this block:

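case 'users':
	// User management is reserved for the superuser (AdminId 1).
	// Allow-list the exact id instead of denying ids > 1: a missing, zero,
	// negative or non-numeric session value must be refused as well
	// (fail closed), which the original "> 1" test did not guarantee.
	if (!isset($_SESSION['AdminId']) || (int)$_SESSION['AdminId'] !== 1)
	{
		redirect_to(BASE_URL);
		exit;
	}
	require_once 'page_users.php';
	$html_title = 'Add new users / ' . SITE_NAME;
	$template = 'users.tpl';
	$flag = 1;
	break;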

2) create a file called “page_users.php” in the /admin folder and add the code below:

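<?php
/*
 * jobberBase job board platform
 *
 * @author		RedJumpsuit <myredjumpsuit@gmail.com>
 * @web		http://www.redjumpsuit.net
 * 
 * Manage multiple admin users
 *
 * Expects the router (admin/index.php) to have set $extra and $id from the
 * URL (users/<username>/delete/) and to have already restricted this page to
 * the superuser. CAdmin::create()/delete() re-check the AdminId themselves,
 * so a caller that bypasses the router gate still cannot change accounts.
 */
 
$smarty->assign('current_category', 'users');
 
require_once '_includes/class.Admin.php';
$ad = new CAdmin();
 
$smarty->assign('error', '');
 
// NOTE(review): deletion is triggered by a plain GET link and carries no
// CSRF token, so a logged-in superuser can be made to delete an account just
// by visiting an attacker's page. Moving this to a POST form with a
// per-session token is the next hardening step.
if ($extra == 'delete' && isset($id) && $id !== '')
{
	if ($ad->delete($id, $_SESSION['AdminId']))
	{
		$smarty->assign('success', 'User was deleted.');
	}
	else
	{
		$smarty->assign('error', 'User could not be deleted.');
	}
}
 
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
	// Read every field through isset() so a request missing one cannot raise
	// notices or slip past the checks below. The username is trimmed here so
	// the "is it empty" test and the stored value agree; empty() is avoided
	// because it would reject the legitimate value "0".
	$username       = isset($_POST['username']) ? trim($_POST['username']) : '';
	$newPassword    = isset($_POST['new_password']) ? $_POST['new_password'] : '';
	$verifyPassword = isset($_POST['verify_password']) ? $_POST['verify_password'] : '';

	if ($username === '') {
		$smarty->assign('error', 'The username is empty. Please type in a new username.');
	} elseif ($newPassword === '') {
		$smarty->assign('error', 'The password is empty. Please type in a new password.');
	} elseif ($newPassword !== $verifyPassword) {
		$smarty->assign('error', 'The password and verification password do not match.');
	} else {
		// NOTE(review): the password is escaped before it is hashed, mirroring
		// the original hack. Whether that matches the stock login path must be
		// confirmed against admin/index.php: if login hashes the raw value,
		// drop the escaping here (an md5 hex digest needs none), otherwise
		// passwords containing quotes or backslashes will not work.
		// Escaping the username is left to CAdmin::create(), where the SQL is
		// built, to avoid double-escaping.
		if ($ad->create($username, $db->real_escape_string($newPassword), $_SESSION['AdminId']))
		{
			$smarty->assign('success', 'New user has been created!');
		}
		else
		{
			$smarty->assign('error', 'User already exists.');
		}
	}
}
 
$smarty->assign('users', $ad->listusers());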

3) create a file called “users.tpl” under /admin/_templates/ and add the code below:

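{include file="header.tpl"}
{* Admin user management page (page_users.php). Every value that came from a
   request or the database is passed through |escape before it reaches HTML
   or a URL, so a crafted request URI or username cannot inject markup. *}
<div id="content">
		<h3>Add new Admin user</h3>
 
		{* Posts back to the current URL; REQUEST_URI is attacker-influenced,
		   so it is escaped before being placed in the attribute. *}
		<form id="publish_form" action="{$smarty.server.REQUEST_URI|escape}" method="post">
			<fieldset>
				<table cellspacing="2" cellpadding="2" border="0">
					{if $error}
					<tr>
						<td colspan="2">
							<img src="{$BASE_URL_ADMIN}img/exclamation.png" alt="" /> {$error}
						</td>
					</tr>
					{elseif $success}
					<tr>
						<td colspan="2">
							<img src="{$BASE_URL_ADMIN}img/icon_accept.gif" alt="" /> {$success}
						</td>
					</tr>
					{/if}
					<tr>
						<td>Username:</td>
						{* "username" is not a valid input type; browsers fall back to text *}
						<td><input type="text" name="username" size="30" /></td>
					</tr>
					<tr>
						<td>New password:</td>
						<td><input type="password" name="new_password" size="30" /></td>
					</tr>
					<tr>
						<td>Verify password:</td>
						<td><input type="password" name="verify_password" size="30" /></td>
					</tr>
				</table>
			</fieldset>
			<p>
				<button type="submit" class="submit_button">Add new user</button>
			</p>
		</form>
 
<h2>List of Admin Users</h2>
{* $users comes from CAdmin::listusers() and excludes the superuser (id 1) *}
<table id="job-posts" class="job-posts" cellspacing="0">
<tr class="alt">
	<td>ID</td>
	<td>Username</td>				
	<td>Action</td>
</tr>
{foreach from=$users item=list}
<tr>
	<td class="center">{$list.id}</td>
	<td>{$list.username|escape}</td>
	{* NOTE(review): delete is a GET link with no CSRF token; a POST form with a
	   session token would be the safer shape. *}
	<td class="center"><a href="{$BASE_URL_ADMIN}users/{$list.username|escape:'url'}/delete/">Delete</a></td>
</tr>
{/foreach}
</table>
 
</div><!-- #content -->
 
{include file="footer.tpl"}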

4) create a file called “sidebar.tpl” under /admin/_templates/ and add the code below:

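{* Add-on links for the admin sidebar. header.tpl already wraps this include
   in <div id="sidebar">, so no wrapper div is emitted here (two nested
   elements sharing id="sidebar" would be invalid HTML). The heading sits
   outside the <ul>, where block content is allowed. *}
{if $smarty.session.AdminId == 1}
<h3>Add-Ons</h3>
<ul>
<li {if $current_category == 'users'}class="selected"{/if}><a href="{$BASE_URL_ADMIN}users/">Manage Users</a></li>
</ul>
{/if}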

5) open /admin/_templates/header.tpl and add this at the very end of the page:

{* Sidebar add-on block: rendered only when the session holds a truthy
   AdminId, i.e. for a logged-in admin. sidebar.tpl decides which links the
   current AdminId may see. *}
{if $smarty.session.AdminId}
<div id="sidebar">
	{include file="sidebar.tpl"}
</div><!-- #sidebar -->
{/if}

6) lastly, open /admin/_includes/class.Admin.php and after this block:

public function getId()
 	{
 		return $this->userId;
 	}

add this:

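public function create($username,$password,$id)
	{
		// Only the superuser (id 1) may create accounts. Compare the exact id
		// so 0, negative or non-numeric session values are refused as well.
		if ((int)$id !== 1)
		{
			return false;
		}

		global $db;

		// Trim before the existence check so " admin" cannot slip past the
		// lookup and then be inserted as a second "admin" row.
		$username = trim($username);
		if ($username === '')
		{
			return false;
		}
		// The name arrives straight from the request: escape it once, here,
		// where the SQL is built.
		$safeUsername = $db->real_escape_string($username);

		// NOTE(review): unsalted md5 is kept only because the existing
		// jobberBase login is presumed to compare md5 hashes; migrating to
		// password_hash()/password_verify() has to start in the login path.
		$md5password = md5($password);

		$sql = 'SELECT id FROM '.DB_PREFIX.'admin WHERE username="'.$safeUsername.'"';
		$result = $db->query($sql);
		if ($result === false)
		{
			return false;
		}
		$row = $result->fetch_assoc();
		if (!empty($row))
		{
			// A user with this name already exists.
			return false;
		}

		$sql = 'INSERT INTO '.DB_PREFIX.'admin (
					username, password)
				VALUES (
					"'. $safeUsername .'",
					"'. $md5password .'")';
		// Report the INSERT's real outcome instead of assuming it succeeded.
		return (bool) $db->query($sql);
	}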
 
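	public function listusers()
	{
		global $db;
		// Select only the columns the page needs so password hashes are never
		// handed to the template layer. The superuser (id 1) is left out
		// because this page must not be able to delete it.
		$sql = 'SELECT id, username FROM '.DB_PREFIX.'admin WHERE id > 1 ORDER BY id';
		$result = $db->query($sql);

		$users = array();
		if ($result !== false)
		{
			while ($row = $result->fetch_assoc())
			{
				$users[] = $row;
			}
			$result->free();
		}

		// Always an array (possibly empty) so the caller can iterate safely.
		return $users;
	}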
 
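	public function delete($username,$id)
	{
		// Only the superuser may delete accounts (exact-id check, fail closed).
		if ((int)$id !== 1)
		{
			return false;
		}

		global $db;
		$username = trim($username);
		if ($username === '')
		{
			return false;
		}

		// The name comes straight from the URL, so escape it, and never touch
		// row 1: otherwise users/admin/delete/ would remove the superuser and
		// lock everyone out.
		$sql = 'DELETE FROM '.DB_PREFIX.'admin WHERE username = "'
			. $db->real_escape_string($username) . '" AND id > 1';
		if ($db->query($sql) === false)
		{
			return false;
		}
		// A DELETE that matched no row is not a successful deletion.
		return $db->affected_rows > 0;
	}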

As I said, there is more that can be done to extend this hack, but at least it gives you a good place to start.


3 Comments


  1. Thanks for this hack. I applied it for 1.91 and it works fine.

    BR.
    The JobNAVY.com Team.

  2. I applied it too for 1.9.1 and then noticed that your admin is not fully protected:
    if you want to limit a user’s access to certain areas you need “permissions”, and besides “delete”
    you also need an “edit” action for (new) users.

    “Permissions levels” like i.e. Administrator(s) • Employers • Employees

    Thanks anyway…

    BR
    Mario

Trackbacks

  1. Bundled Add-Ons for jobberBase 1.8 | RedJumpsuit
