How does Prestashop Authenticate its users? Session / Cookie?

[uddhava]

Is there some php code that where i can test if a admin user is logged in?
I am trying to restrict CKfinder so that Admins only can use it.
I need some code where i can check if they are logged in.

How does Prestashop work with authentication ?
Anybody tried to get CKfinder / CKeditor to work in that way ?

[Burhan BVK]

Try checking the files in your admin directory. The init.php should automatically handle this, though that will be difficult to use with CKfinder. There is also pdf.php file, The first few lines show you how to check for employee login, copying that should help.

[uddhava]

Yes,

I tried to include the config file and init.php file and then check for a cookie.. But that didnt work.
Good idea about the admin files.. Will check that.

[Burhan BVK]

Don't forget that the file needs to be in the admin folder.

[rocky]

You can check whether an employee is logged in by checking $cookie->id_employee.

[uddhava]

If i want to check the cookie, then do i need to include some config file(s) from prestashop?
Can you 'just' read a cookie ?
Or is this cookie-> a 'global' from prestashop?

ys

[rocky]

The $cookie is a global variable defined on line 22 of init.php (in PrestaShop v1.3):

$cookie = new Cookie('ps');

As long as you've included init.php, you can read the cookie.

[uddhava]

I will try to use the cookie global.
I hope i can include the init.php file inside the ckfinder code... Lets see

[Burhan BVK]

The $cookie is a global variable defined on line 22 of init.php (in PrestaShop v1.3):

$cookie = new Cookie('ps');

As long as you've included init.php, you can read the cookie.

$cookie = new Cookie('ps');

This will give the customer cookie, and won't work on an admin page. The admin cookie is accessed with this:

$cookie = new Cookie('psAdmin');

[uddhava]

So if i understand correctly:
> Prestashop uses cookies to authenticate its sessions / users ?
> There are 2 cookies used. One for the customer and one for the admin users?

I would basically try to include the init.php file and then access the correct cookies?
I have to find a good example on how to do that.

[Burhan BVK]

There are two init files, one in the root directory, one in the admin directory. Each one creates one cookie respectively. To access the admin cookie from a file you created, you should put it under the admin directory and include the init file or do it manually, like in the pdf.php file.

I would suggest putting the CKFinder file in the admin folder, and copying over the beginning of pdf.php up until and including the line that reads Tools::redirect('login.php');.

[uddhava]

I looked into the pdf.php file.
First the cookie gets defined and then the ID is checked..

define('PS_ADMIN_DIR', getcwd());

include(PS_ADMIN_DIR.'/../config/config.inc.php');

/* Header can't be included, so cookie must be created here */
$cookie = new Cookie('psAdmin');
if (!$cookie->id_employee)
   Tools::redirect('login.php');

So the code to include and check authentication would be something like this :

include('/admin/init.php');

define('PS_ADMIN_DIR', getcwd());

include(PS_ADMIN_DIR.'/../config/config.inc.php');

/* Header can't be included, so cookie must be created here */
$cookie = new Cookie('psAdmin');
if (!$cookie->id_employee)
   return false;
else
   return true;

CKfinder just needs a true to be enabled.

[uddhava]

I would suggest putting the CKFinder file in the admin folder, and copying over the beginning of pdf.php up until and including the line that reads Tools::redirect('login.php');.

I was planning to add the CKeditor/CKfinder into a module to make it more upgrade-proof.
Any thought how the authentication is checked when files are not inside the admin folder?

[Burhan BVK]

You don't have to include the init and the config together. You can drop the init if you don't plan to use the additional functionality it provides.

If you want to display some information without all the tabs and other default text and layout of the BO, you will have to add a new file to the admin folder. Otherwise it will only display with all the other layout. But as long you name it specific enough that the future updates don't override the file, updates should be ok.

[uddhava]

I tried to include this simple (ugly) code to test it.

echo '';echo getcwd();echo '';
   include('/../../../../../config/config.inc.php');

But i get errors like this : include() [function.include]: open_basedir restriction in effect.
When you try to include a php file within CKfinder it will not be allowed.....
Lets search more...

[Burhan BVK]

I think you are trying to go too much down the directory tree. Try to use less "../".

[uddhava]

:-)

The current path when CKfinder executes is that long. Cannot use less ../.. But the open_basedir restriction is actually defined in the php.ini settings.
Cannot change that. It is generally not allowed to execute php scripts from a different path.
You can override this in the php.ini file if i am correct, but that is not an option.

I have to find another way.

[Burhan BVK]

The open_basedir restriction means that you are trying to include a file that is not under your own directory. That means you have gone deeper than the root. You are definitely not using the right path.

Besides, if your file is not directly under the admin directory, you won't have access to the admin cookie because your path will be different. From what I gather you don't know enough about the cookies to fix that problem on your own.

To be able to access to the admin cookie, you will need to have the script run under the admin directory. That is the easiest way you can achieve it. If you can't have CKfinder under admin, you will have to have another file that includes CKFinder, than you can do the authentication in CKfinder.

[uddhava]

Thanks for the reply. I guess you are right about the basedir... And you are also right about my knowlegde concerning cookies.
I dont know enough and i am trying things out by trial/error. Usually i find good pieces of example code to learn from.
But i cant find them for this particular problem.

It is of course no problem to copy the whole code under the admin folder. I will at least try it out :-)
All this including ontop of including and then more including by all these scripts does not make it easier...
Although my test install of ckeditor & ckfinder do work, there are some strange by-effects... ;-)

[prestashop_forum_account]

The $cookie is a global variable defined on line 22 of init.php (in PrestaShop v1.3):

 

$cookie = new Cookie('ps');

 

As long as you've included init.php, you can read the cookie.

 

Where is the $cookie global variable defined in PrestaShop™ 1.5.2.0?