Encrypted Master Password for Zen Cart v1.5.5 (and later)
Current Support Thread at Zen Cart Forums: www.zen-cart.com/showthread.php?179888-Encrypted-Master-Password-support
Usage Notes
- Starting with v2.2.0, this plugin drops support for Zen Cart versions prior to v1.5.3. If your store is using an older Zen Cart version, please use an earlier version of EMP.
- Starting with v2.3.0, this plugin drops support for Zen Cart versions prior to v1.5.5. If your store is using an older Zen Cart version, please use an earlier version of EMP.
What it does
Encrypted Master Password (EMP) allows one or more of your store's administrators to login to any customer account using their administrator password in conjunction with a customer's email address.
Configuration->My Store
Once you have installed the plugin, two configuration values are available in your admin's Configuration->My Store to provide customization as described below.
Encrypted Master Password: Single Admin ID. If you want a single admin user to have EMP privileges, set this value to the admin_id of that admin user. The default (1) selects the first admin user in your store. To find the admin_id value that you want to use, log into your store's admin and click Admin Access Management->Admin Users. The left-hand column is titled ID; look for the number that identifies the admin account you've selected.
Encrypted Master Password: Admin Profile ID. If you want multiple admin users to have EMP privileges, they must be associated with one of the admin User Profiles that you select. Set this value to a packed, comma-separated list of profile ids (e.g. 1,2,3) and all admins in the specified profiles will have EMP authority. The default value (1) selects all Superuser admins for your store. To find the profile_id values that you want to use, log into your store's admin and click Admin Access Management->Admin Profiles. The left-hand column is titled ID; look for the numbers that are associated with the admin user profiles you want to configure.
The two configuration values can be used in combination, so that you can specify:
- One single admin that has EMP privileges: Single Admin ID set to a non-zero admin_id, Admin Profile ID set to 0.
- Only admins in the given profiles have EMP privileges: Single Admin ID set to 0, Admin Profile ID set to a non-zero profile_id.
- All admins in the given profiles and one admin outside those profiles have EMP privileges: Single Admin ID set to a non-zero admin_id, Admin Profile ID set to a non-zero profile_id.
- No admins have EMP privileges: Single Admin ID set to 0, Admin Profile ID set to 0.
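The four combinations above reduce to a single decision, sketched here as an added example; it is not the plugin's own code, and the function and parameter names are hypothetical. It assumes the two settings arrive as strings and that any value that is not a positive integer counts as disabled.

```php
<?php
// Added illustration, not the plugin's code; all names here are hypothetical.

/** Parse the packed, comma-separated Admin Profile ID setting; 0 and junk are dropped. */
function emp_parse_profile_ids(string $setting): array
{
    $ids = [];
    foreach (explode(',', $setting) as $piece) {
        $piece = trim($piece);
        if (ctype_digit($piece) && (int)$piece > 0) {
            $ids[(int)$piece] = true;   // keyed by id, so duplicates collapse
        }
    }
    return array_keys($ids);
}

/** Decide whether an admin has EMP privileges under the two settings. */
function emp_admin_is_authorized(int $adminId, int $profileId, string $singleSetting, string $profileSetting): bool
{
    $singleSetting = trim($singleSetting);
    $singleAdminId = ctype_digit($singleSetting) ? (int)$singleSetting : 0;

    // The settings are evaluated independently: a 0 in one never disables the other.
    $bySingleId = $singleAdminId > 0 && $adminId === $singleAdminId;
    $byProfile  = in_array($profileId, emp_parse_profile_ids($profileSetting), true);

    return $bySingleId || $byProfile;
}

// Constructed sample rows: [Single Admin ID, Admin Profile ID, admin_id, profile_id]
$rows = [
    ['7', '0',   7, 3],  // one single admin, profiles disabled
    ['0', '1,2', 2, 1],  // profiles only
    ['7', '1,2', 7, 3],  // admin outside the profiles, named by single id
    ['0', '0',   7, 3],  // both settings disabled
    ['7', '1,2', 5, 3],  // admin matches neither setting
];
foreach ($rows as [$single, $profiles, $adminId, $profileId]) {
    printf("single=%s profiles=%s admin=%d profile=%d => %s\n", $single, $profiles, $adminId, $profileId,
        emp_admin_is_authorized($adminId, $profileId, $single, $profiles) ? 'EMP' : 'no EMP');
}
```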
Customers->Customers
When an admin with EMP permissions views the Customers->Customers screen, there is an additional button available for the currently-selected customer: Place Order. Clicking that button will open a new window, taking the admin to your store's login page. From that page, the admin enters his/her Zen Cart admin password to log into the customer's account!
Note: Versions 1.6.0 through 1.8.0 of this plugin provided an "automatic" login to the customer's account; version 2.0.0 changed this behavior, now requiring the admin-level password to log into the customer's account. This change was made to enable the use of the additional password validation methods introduced in Zen Cart v1.5.3 and in light of potential PCI concerns. With the previous behavior, if someone broke into your Zen Cart admin they would have "the keys to the kingdom" — access to all your customers' accounts.
In Your Store
When an EMP admin logs into a customer account, three session variables are set to identify this condition for future, additional plugins:
- $_SESSION['emp_admin_login'] is set to true.
- $_SESSION['emp_admin_id'] is set to the admin_id of the currently signed-in admin.
- $_SESSION['emp_customer_email_address'] is set to the email address of the customer for whom the admin is shopping; added in v2.4.0.
In addition, an entry is written to the admin_activity_log to record the event. If an order is placed by the EMP admin on the customer's behalf, the updated_by field in the order's status history is set to identify the admin that placed the order (if that field has been added).
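One way a follow-on plugin could consume these session variables to tag its own audit records, shown as an added example that is not part of the plugin; the function names and the log-line layout are hypothetical. It assumes the flag is stored as a boolean, as described above, and that the email key can be absent on versions before v2.4.0.

```php
<?php
// Added illustration, not the plugin's code; function names are hypothetical.

/** Return the EMP context of a storefront session, or null for an ordinary customer login. */
function emp_session_context(array $session): ?array
{
    // Strict check: the flag is documented as true, so truthy strings are not accepted.
    if (($session['emp_admin_login'] ?? null) !== true) {
        return null;
    }
    $adminId = filter_var($session['emp_admin_id'] ?? null, FILTER_VALIDATE_INT);
    $email   = $session['emp_customer_email_address'] ?? null;  // absent before v2.4.0

    return [
        // 0 marks a flag that arrived without a usable admin id, so it stands out in review.
        'admin_id'       => ($adminId !== false && $adminId > 0) ? $adminId : 0,
        'customer_email' => is_string($email) ? $email : null,
    ];
}

/** Build one audit line for an action, tagging it when it ran under an EMP login. */
function emp_audit_line(array $session, string $action): string
{
    $ctx = emp_session_context($session);
    if ($ctx === null) {
        return sprintf('action=%s actor=customer', $action);
    }
    // Strip control characters so a stored address cannot inject extra log lines.
    $email = preg_replace('/[\x00-\x1F\x7F]/', '', $ctx['customer_email'] ?? 'unknown');
    return sprintf('action=%s actor=emp_admin admin_id=%d on_behalf_of=%s', $action, $ctx['admin_id'], $email);
}

// Constructed sample sessions: ordinary login, EMP login with a hostile address, non-boolean flag.
$samples = [
    [],
    ['emp_admin_login' => true, 'emp_admin_id' => 1,
     'emp_customer_email_address' => "shopper@example.com\r\naction=forged"],
    ['emp_admin_login' => '1'],
];
foreach ($samples as $session) {
    echo emp_audit_line($session, 'checkout_success'), "\n";
}
```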
Starting with v2.1.0 of this plugin, a signed-in EMP admin can also change the customer's password on their behalf.
- For v2.1.0, the admin navigates to the account_password page, enters their admin password as the current password and the customer's new password in the other two fields. Upon successful change, an admin_activity_log record is written to record that event.
- For v2.2.0, the Zen Cart v1.5.5 base provides this functionality. Navigate to your admin's Customers->Customers and you'll see a "reset pwd" button for the currently-selected customer, which you can use to change that customer's password directly from your admin-console.
Installing and Upgrading
Starting with v2.3.0 of EMP, there are no core-file overwrites in this plugin; you should always back up your cart's database and files prior to making any changes.
- Rename /YOUR_ADMIN to match the name of your Zen Cart admin directory.
- Upload the plugin's files to your store's file system:
- /includes/auto_loaders/config.emp_login_link.php
- /includes/classes/observers/class.emp_order_observer.php
- /includes/languages/dutch/extra_definitions/encrypted_master_password_messages.php (Added for v2.4.0)
- /includes/languages/english/extra_definitions/encrypted_master_password_messages.php (Added for v2.4.0)
- /YOUR_ADMIN/includes/auto_loaders/config.emp_customers_button.php
- /YOUR_ADMIN/includes/classes/observers/class.emp_admin_customers_observer.php
- /YOUR_ADMIN/includes/functions/extra_functions/init_emp_configuration.php
- /YOUR_ADMIN/includes/languages/dutch/extra_definitions/emp_button_definitions.php
- /YOUR_ADMIN/includes/languages/dutch/images/buttons/button_placeorder.gif
- /YOUR_ADMIN/includes/languages/english/extra_definitions/emp_button_definitions.php
- /YOUR_ADMIN/includes/languages/english/images/buttons/button_placeorder.gif
- Sign into your admin-console or, if you are already signed in, click the Admin Home link at the top of the page. Navigate to Configuration->My Store and you'll see the two new configuration values for the EMP plugin.
Un-install
Delete the files that were copied during the installation (see the list above). Finally, run the /docs/encrypted_master_password/uninstall/emp_uninstall.sql script to remove the configuration keys from your database.
Version History:
- v2.4.2, 2019-07-24 (lat9):
- BUGFIX: Debug-log issued when invalid EMP password supplied.
- CHANGE: Enable stores to customize the severity for the storefront message.
- The following files were changed:
- /includes/classes/observers/class.emp_order_observer.php
- /includes/languages/dutch/extra_definitions/encrypted_master_password_messages.php
- /includes/languages/english/extra_definitions/encrypted_master_password_messages.php
- v2.4.1, 2019-06-01 (lat9):
- BUGFIX: Correct non-HTML5 align attribute for zc156+.
- The following files were changed:
- /YOUR_ADMIN/includes/classes/observers/class.emp_admin_customers_observer.php
- v2.4.0, 2019-03-12 (lat9):
- CHANGE: Zen Cart 1.5.6 interoperability, use a Bootstrap-styled button in admin Customers->Customers.
- CHANGE: When an EMP admin is logged into a customer's account, display a storefront header message identifying who the admin is shopping for.
- The following files were changed/added:
- /includes/classes/observers/class.emp_order_observer.php
- /includes/languages/dutch/extra_definitions/encrypted_master_password_messages.php (Added)
- /includes/languages/english/extra_definitions/encrypted_master_password_messages.php (Added)
- /YOUR_ADMIN/includes/classes/observers/class.emp_admin_customers_observer.php
- /YOUR_ADMIN/includes/languages/dutch/extra_definitions/emp_button_definitions.php
- /YOUR_ADMIN/includes/languages/english/extra_definitions/emp_button_definitions.php
- v2.3.1, 2018-04-20 (lat9):
- BUGFIX: Admin passwords with "special" characters are rejected during EMP customer login.
- The following files were changed:
- /includes/classes/observers/class.emp_order_observer.php
- v2.3.0, 2017-08-08 (lat9):
- BUGFIX: Activity log doesn't show customer's account.
- BUGFIX: Disabled "admin-profile" setting caused single admin-id setting to be inoperative.
- CHANGE: Drop support for Zen Cart versions prior to 1.5.5
- The following files were changed or removed:
- /includes/classes/observers/class.emp_order_observer.php
- /includes/init_includes/init_emp_login_link.php (It was a stubbed-out file, anyway!)
- /YOUR_ADMIN/customers.php (Removed from this distribution, only!)
- /YOUR_ADMIN/includes/auto_loaders/config.zc154_compatibility.php
- /YOUR_ADMIN/includes/classes/observers/class.emp_admin_customers_observer.php
- /YOUR_ADMIN/includes/init_includes/init_zc154_compability.php
- /YOUR_ADMIN/includes/languages/dutch/customers.php (Removed from this distribution, only!)
- /YOUR_ADMIN/includes/languages/english/customers.php (Removed from this distribution, only!)
- v2.2.1, 2016-05-05 (lat9):
- BUGFIX: Debug-log generated on login.
- The following files were changed:
- /includes/classes/observers/class.emp_order_observer.php
- v2.2.0, 2016-04-14 (lat9):
- CHANGE: Use Zen Cart v1.5.5 as the core-file overwrite change-basis.
- CHANGE: Use Zen Cart 1.5.5 notifier to add the "Place Order" button on the Customers->Customers page.
- CHANGE: Remove support for Zen Cart versions prior to v1.5.3.
- CHANGE: Remove full integration with Orders Status History -- Updated By plugin.
- CHANGE: Updated to include the Dutch translations, provided by @Xray2000.
- The following files were changed/added/removed:
- /before_zc153/*.*
- /includes/classes/observers/class.emp_order_observer.php
- /includes/functions/extra_functions/osh_updated_by_functions.php
- /includes/modules/pages/account_password/header_php.php (Removed from this distribution, only!)
- /YOUR_ADMIN/customers.php
- /YOUR_ADMIN/orders.php (Removed from this distribution, only!)
- /YOUR_ADMIN/includes/auto_loaders/config.emp_customers_button.php
- /YOUR_ADMIN/includes/classes/observers/class.emp_admin_customers_observer.php
- /YOUR_ADMIN/includes/functions/extra_functions/osh_updated_by_admin_functions.php
- /YOUR_ADMIN/includes/languages/dutch/customers.php (Added)
- /YOUR_ADMIN/includes/languages/dutch/extra_definitions/emp_button_definitions.php
- /YOUR_ADMIN/includes/languages/dutch/images/buttons/button_placeorder.gif
- /YOUR_ADMIN/includes/languages/english/customers.php (Added)
- /YOUR_ADMIN/includes/languages/english/extra_definitions/osh_updated_by.php
- v2.1.0, 2015-09-28 (lat9):
- Update the plugin's processing, enabling a signed-in EMP admin to change the associated customer's password.
- Change all class constructor function names to __construct (PHP 7 compliance). Changed/added:
- /includes/classes/observers/class.emp_order_observer.php
- /includes/modules/pages/account_password/header_php.php (Added)
- v2.0.2, 2015-05-28 (lat9):
- Update orders-status-history processing to properly convert CRLF characters in the status-update message. Changed:
- /includes/functions/extra_functions/osh_updated_by_functions.php
- v2.0.1, 2014-12-20 (lat9):
- Use Zen Cart v1.5.4 as the core-file overwrite code basis. Changed/added:
- /YOUR_ADMIN/customers.php
- /YOUR_ADMIN/orders.php
- /YOUR_ADMIN/includes/auto_loaders/config.zc154_compatibility.php
- /YOUR_ADMIN/includes/init_includes/init_zc154_compatibility.php
- v2.0.0, 2014-07-05 (lat9):
- Conditionally incorporate changes introduced in Zen Cart v1.5.3 to support the improved password handling and to address PCI concerns. Changed:
- /YOUR_ADMIN/customers.php
- /includes/auto-loaders/config.emp_login_link.php
- /includes/classes.class.base.php. This file is required only for pre-Zen Cart v1.5.3 installations, present in the plugin's /before_zc153 folder.
- /includes/classes/observers/class.emp_order_observer.php
- /includes/init_includes/init_emp_login_link.php. File now contains only comments and can be safely removed from your installation.
- /includes/modules/pages/login/header_php.php. This file is required only for pre-Zen Cart v1.5.3 installations, present in the plugin's /before_zc153 folder.
- v1.9.0, 2014-04-12 (lat9):
- Updates to support multiple EMP admin profiles.
- The initialization .sql script is now imbedded in a PHP script (/YOUR_ADMIN/includes/functions/extra_functions/init_emp_configuration.php).
- A minor update to the core-file change to /includes/modules/pages/login/header_php.php.
- v1.8.0, 2013-11-29 (lat9):
- Incorporate downwardly-compatible changes introduced in Zen Cart v1.5.2.
- Update the "Common Orders-Status Update Interface" to v1.1.0.
- v1.7.0, 2013-09-08 (lat9):
- Added an updated_by column to the orders_status_history table.
- When an order is placed by an EMP admin, that admin's ID and name will appear in the updated_by field of the initial orders_status_history record for the order.
- When an EMP admin logs into a customer account, a record is created in the admin_activity_log database table.
- v1.6.0, 2013-07-08 (lat9):
- Added SQL statements to move the two configuration values for the plugin into the database.
- Added "Place Order" button in your admin's Customers->Customers to allow an enabled EMP admin to automatically log into a customer's account.
- v1.5.2, 2013-05-16 (lat9):
- BUGFIX: White-screen-of-death due to unclosed parentheses.
- v1.5.1, 2013-04-30 (lat9):
- Updated EMP code to use a define (in preparation for moving it to a configuration setting) for a single admin ID.
- Added code to allow all admins in a specified admin_profile group to perform the EMP function.
- When an EMP admin signs into a customer account, set session variables indicating the type of login and the admin_id of the EMP admin.
- Modified this readme to reflect the current implementation.
- v1.5.0, 2012-01-19 (dbltoe):
- Added EMP code to the header_php.php as modified in the new Zen Cart 1.5.0.
- Modified this file to reflect the current information.
- v1.2.0, 2007-12-01 (Dennis Sayer):
- Added new code that appeared with Zen Cart 1.3.8.
- v1.1.0, 2007-01-16 (Dennis Sayer):
- Added new code that appeared with Zen Cart 1.3.7.
- A few wording changes in this document.
- v1.0.0, 2006-07-04 (Dennis Sayer, aka stagebrace):