Encrypted Master Password for Zen Cart v1.5.3 to v1.5.5
Current Support Thread at Zen Cart Forums: www.zen-cart.com/showthread.php?179888-Encrypted-Master-Password-support
Usage Notes
- Starting with v2.2.0, this plugin drops support for Zen Cart versions prior to v1.5.3. If your store is using an older Zen Cart version, please use an earlier version of EMP.
What it does
Encrypted Master Password (EMP) allows one or more of your store's administrators to login to any customer account using their administrator password in conjunction with a customer's email address.
Configuration->My Store
Once you have installed the plugin, two configuration values are available in your admin's Configuration->My Store to provide customization as described below.
Encrypted Master Password: Single Admin ID. If you want a single admin user to have EMP privileges, set this value to the admin_id of that admin user. The default (1) selects the first admin user in your store. To find the admin_id value that you want to use, log into your store's admin and click Admin Access Management->Admin Users. The left-hand column is titled ID; look for the number that identifies the admin account you've selected.
Encrypted Master Password: Admin Profile ID. If you want multiple admin users to have EMP privileges, they must be associated with one of the admin User Profiles that you select. Set this value to a packed, comma-separated list of profile ids (e.g. 1,2,3) and all admins in the specified profiles will have EMP authority. The default value (1) selects all Superuser admins for your store. To find the profile_id values that you want to use, log into your store's admin and click Admin Access Management->Admin Profiles. The left-hand column is titled ID; look for the numbers that are associated with the admin user profiles you want to configure.
The two configuration values can be used in combination, so that you can specify:
- One single admin that has EMP privileges: Single Admin ID set to a non-zero admin_id, Admin Profile ID set to 0.
- Only admins in the given profiles have EMP privileges: Single Admin ID set to 0, Admin Profile ID set to a non-zero profile_id.
- All admins in the given profiles and one admin outside those profiles have EMP privileges: Single Admin ID set to a non-zero admin_id, Admin Profile ID set to a non-zero profile_id.
- No admins have EMP privileges: Single Admin ID set to 0, Admin Profile ID set to 0.
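The combination rules above, modelled as an added example (not the plugin's own code) that lists which admins end up with EMP privileges for a given pair of settings. The admin records and function names are constructed for illustration; that each admin belongs to exactly one profile, and that 0, empty or non-numeric list entries grant nothing, are assumptions.

```python
# Added example: models the EMP privilege rules described in this readme.
# The admin records are constructed sample data, not from a real store.

def parse_profile_ids(setting):
    """Parse the packed, comma-separated 'Admin Profile ID' value.

    Assumption: 0, empty and non-numeric entries grant nothing.
    """
    ids = set()
    for part in str(setting).split(","):
        part = part.strip()
        if part.isdecimal() and int(part) != 0:
            ids.add(int(part))
    return ids


def emp_admins(admins, single_admin_id, profile_setting):
    """Return the sorted admin_ids that hold EMP privileges."""
    profiles = parse_profile_ids(profile_setting)
    single = int(single_admin_id)
    allowed = set()
    for admin in admins:
        by_id = single != 0 and admin["admin_id"] == single
        by_profile = admin["profile_id"] in profiles
        if by_id or by_profile:
            allowed.add(admin["admin_id"])
    return sorted(allowed)


# Constructed admin list: profile 1 = Superuser, 2 and 3 are hypothetical.
SAMPLE_ADMINS = [
    {"admin_id": 1, "name": "owner", "profile_id": 1},
    {"admin_id": 2, "name": "backup-owner", "profile_id": 1},
    {"admin_id": 3, "name": "orders-desk", "profile_id": 2},
    {"admin_id": 4, "name": "catalog", "profile_id": 3},
]

if __name__ == "__main__":
    cases = [
        ("defaults (1 / 1)", 1, "1"),
        ("single admin only", 3, "0"),
        ("profiles only", 0, "1,2"),
        ("profiles plus one outsider", 4, "1"),
        ("EMP disabled", 0, "0"),
    ]
    for label, single, profiles in cases:
        print(f"{label:28} -> {emp_admins(SAMPLE_ADMINS, single, profiles)}")
```

With the default settings the result includes every Superuser admin, not only admin 1, which is worth checking when reviewing who can sign in to customer accounts.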
Customers->Customers
When an admin with EMP permissions views the Customers->Customers screen, there is an additional button available for the currently-selected customer: Place Order. Clicking that button will open a new window, taking the admin to your store's login page. From that page, the admin enters his/her Zen Cart admin password to log into the customer's account!
Note: Versions 1.6.0 through 1.8.0 of this plugin provided an "automatic" login to the customer's account; version 2.0.0 changed this behavior, now requiring the admin-level password to log into the customer's account. This change was made to enable the use of the additional password validation methods introduced in Zen Cart v1.5.3 and in light of potential PCI concerns. With the previous behavior, if someone broke into your Zen Cart admin they would have "the keys to the kingdom" — access to all your customers' accounts.
In Your Store
When an EMP admin logs into a customer account, two session variables are set to identify this condition for future, additional plugins:
- $_SESSION['emp_admin_login'] is set to true.
- $_SESSION['emp_admin_id'] is set to the admin_id of the currently signed-in admin.
In addition, an entry is written to the admin_activity_log to record the event. If an order is placed by the EMP admin on the customer's behalf, the updated_by field in the order's status history is set to identify the admin that placed the order (if that field has been added).
Starting with v2.1.0 of this plugin, a signed-in EMP admin can also change the customer's password on their behalf.
- For v2.1.0, the admin navigates to the account_password page, enters their admin password as the current password and the customer's new password in the other two fields. Upon successful change, an admin_activity_log record is written to record that event.
- For v2.2.0, the Zen Cart v1.5.5 base provides this functionality. Navigate to your admin's Customers->Customers and you'll see a reset pwd button for the currently-selected customer, which you can use to change that customer's password directly from your admin-console.
Installing and Upgrading
There are core-file overwrites in this plugin; you should always backup your cart’s database and files prior to making any changes. The files identified using this color are part of the "Common Orders-Status Update" interface and are subject to separate change!
- If you are upgrading from Encrypted Master Password v2.1.0:
- The ability to change a customer's password from the customer's account, introduced in EMP v2.1.0, has been replaced by a similar feature introduced in Zen Cart v1.5.5 admin's Customers->Customers handling. That functionality, included in EMP v2.2.0 and later, enables a Zen Cart admin to change a customer's password using that admin-level page.
- As such, this plugin's change to /includes/modules/pages/account_password/header_php.php is no longer required (or wanted). When you upgrade from EMP v2.1.0, you'll need to back-out the changes introduced to that file — most likely a simple replacement of your current Zen Cart's version of that core-file.
- Compare the plugin's /YOUR_ADMIN/customers.php with the one currently being used at your store. EMP currently provides the as-shipped Zen Cart 1.5.5 version of this file within its distribution. When integrating with changes to your pre-ZC1.5.5 store's files, the important line to merge is found at line #1266:
$zco_notifier->notify('NOTIFY_ADMIN_CUSTOMERS_MENU_BUTTONS', $cInfo, $contents);
Simply ensure that this line of code is present in your customized version of customers.php at the same point in the processing as in the distribution copy.
- Rename /YOUR_ADMIN to match the name of your Zen Cart admin directory.
- Upload the plugin's files to your store's file system:
- /includes/auto_loaders/config.emp_login_link.php
- /includes/classes/observers/class.emp_order_observer.php
- /YOUR_ADMIN/customers.php (This is the Zen Cart v1.5.5 version of the file)
- /YOUR_ADMIN/includes/auto_loaders/config.emp_customers_button.php
- /YOUR_ADMIN/includes/auto_loaders/config.zc154_compatibility.php
- /YOUR_ADMIN/includes/classes/observers/class.emp_admin_customers_observer.php
- /YOUR_ADMIN/includes/functions/extra_functions/init_emp_configuration.php
- /YOUR_ADMIN/includes/init_includes/init_zc154_compatibility.php
- /YOUR_ADMIN/includes/languages/dutch/customers.php (This is the Zen Cart v1.5.5 English version of the file)
- /YOUR_ADMIN/includes/languages/dutch/extra_definitions/emp_button_definitions.php
- /YOUR_ADMIN/includes/languages/dutch/images/buttons/button_placeorder.gif
- /YOUR_ADMIN/includes/languages/english/customers.php (This is the Zen Cart v1.5.5 version of the file)
- /YOUR_ADMIN/includes/languages/english/extra_definitions/emp_button_definitions.php
- /YOUR_ADMIN/includes/languages/english/images/buttons/button_placeorder.gif
- Sign into your admin-console or, if you are already signed in, click the Admin Home link at the top of the page. Navigate to Configuration->My Store and you'll see the two new configuration values for the EMP plugin.
Un-install
Replace the core files that were previously overwritten with the backup version that you created. You did make a backup, didn't you? Delete the other files copied during the installation. Finally, run the /docs/encrypted_master_password/uninstall/emp_uninstall.sql to remove the configuration keys from your database.
Version History:
- v2.2.1, 2016-05-05 (lat9):
- BUGFIX: Debug-log generated on login.
- The following files were changed:
- /includes/classes/observers/class.emp_order_observer.php
- v2.2.0, 2016-04-14 (lat9):
- CHANGE: Use Zen Cart v1.5.5 as the core-file overwrite change-basis.
- CHANGE: Use Zen Cart 1.5.5 notifier to add the "Place Order" button on the Customers->Customers page.
- CHANGE: Remove support for Zen Cart versions prior to v1.5.3.
- CHANGE: Remove full integration with Orders Status History -- Updated By plugin.
- CHANGE: Updated to include the Dutch translations, provided by @Xray2000.
- The following files were changed/added/removed:
- /before_zc153/*.*
- /includes/classes/observers/class.emp_order_observer.php
- /includes/functions/extra_functions/osh_updated_by_functions.php
- /includes/modules/pages/account_password/header_php.php (Removed from this distribution, only!)
- /YOUR_ADMIN/customers.php
- /YOUR_ADMIN/orders.php (Removed from this distribution, only!)
- /YOUR_ADMIN/includes/auto_loaders/config.emp_customers_button.php
- /YOUR_ADMIN/includes/classes/observers/class.emp_admin_customers_observer.php
- /YOUR_ADMIN/includes/functions/extra_functions/osh_updated_by_admin_functions.php
- /YOUR_ADMIN/includes/languages/dutch/customers.php (Added)
- /YOUR_ADMIN/includes/languages/dutch/extra_definitions/emp_button_definitions.php
- /YOUR_ADMIN/includes/languages/dutch/images/buttons/button_placeorder.gif
- /YOUR_ADMIN/includes/languages/english/customers.php (Added)
- /YOUR_ADMIN/includes/languages/english/extra_definitions/osh_updated_by.php
- v2.1.0, 2015-09-28 (lat9):
- Update the plugin's processing, enabling a signed-in EMP admin to change the associated customer's password.
- Change all class constructor function names to __construct (PHP 7 compliance). Changed/added:
- /includes/classes/observers/class.emp_order_observer.php
- /includes/modules/pages/account_password/header_php.php (Added)
- v2.0.2, 2015-05-28 (lat9):
- Update orders-status-history processing to properly convert CRLF characters in the status-update message. Changed:
- /includes/functions/extra_functions/osh_updated_by_functions.php
- v2.0.1, 2014-12-20 (lat9):
- Use Zen Cart v1.5.4 as the core-file overwrite code basis. Changed/added:
- /YOUR_ADMIN/customers.php
- /YOUR_ADMIN/orders.php
- /YOUR_ADMIN/includes/auto_loaders/config.zc154_compatibility.php
- /YOUR_ADMIN/includes/init_includes/init_zc154_compatibility.php
- v2.0.0, 2014-07-05 (lat9):
- Conditionally incorporate changes introduced in Zen Cart v1.5.3 to support the improved password handling and to address PCI concerns. Changed:
- /YOUR_ADMIN/customers.php
- /includes/auto-loaders/config.emp_login_link.php
- /includes/classes.class.base.php. This file is required only for pre-Zen Cart v1.5.3 installations, present in the plugin's /before_zc153 folder.
- /includes/classes/observers/class.emp_order_observer.php
- /includes/init_includes/init_emp_login_link.php. File now contains only comments and can be safely removed from your installation.
- /includes/modules/pages/login/header_php.php. This file is required only for pre-Zen Cart v1.5.3 installations, present in the plugin's /before_zc153 folder.
- v1.9.0, 2014-04-12 (lat9):
- Updates to support multiple EMP admin profiles.
- The initialization .sql script is now embedded in a PHP script (/YOUR_ADMIN/includes/functions/extra_functions/init_emp_configuration.php).
- A minor update to the core-file change to /includes/modules/pages/login/header_php.php.
- v1.8.0, 2013-11-29 (lat9):
- Incorporate downwardly-compatible changes introduced in Zen Cart v1.5.2.
- Update the "Common Orders-Status Update Interface" to v1.1.0.
- v1.7.0, 2013-09-08 (lat9):
- Added an updated_by column to the orders_status_history table.
- When an order is placed by an EMP admin, that admin's ID and name will appear in the updated_by field of the initial orders_status_history record for the order.
- When an EMP admin logs into a customer account, a record is created in the admin_activity_log database table.
- v1.6.0, 2013-07-08 (lat9):
- Added SQL statements to move the two configuration values for the plugin into the database.
- Added "Place Order" button in your admin's Customers->Customers to allow an enabled EMP admin to automatically log into a customer's account.
- v1.5.2, 2013-05-16 (lat9):
- BUGFIX: White-screen-of-death due to unclosed parentheses.
- v1.5.1, 2013-04-30 (lat9):
- Updated EMP code to use a define (in preparation for moving it to a configuration setting) for a single admin ID.
- Added code to allow all admins in a specified admin_profile group to perform the EMP function.
- When an EMP admin signs into a customer account, set session variables indicating the type of login and the admin_id of the EMP admin.
- Modified this readme to reflect the current implementation.
- v1.5.0, 2012-01-19 (dbltoe):
- Added EMP code to the header_php.php as modified in the new Zen Cart 1.5.0.
- Modified this file to reflect the current information.
- v1.2.0, 2007-12-01 (Dennis Sayer):
- Added new code that appeared with Zen Cart 1.3.8.
- v1.1.0, 2007-01-16 (Dennis Sayer):
- Added new code that appeared with Zen Cart 1.3.7.
- A few wording changes in this document.
- v1.0.0, 2006-07-04 (Dennis Sayer, aka stagebrace):