Hey, thanks Isaac,

> Wow, looks great Nick! =) Nice to see someone putting FreeTrade to good
> use. The idea of separating the store and admin pages is great
> (especially with your live store, where you CAN'T access admin pages at
> all through index.php, unlike your demo store where you can).
I guess you're referring to edit_user there? No problem... I've just not yet
changed that store link to a new store page called edit_profile (same as
edit_user without the admin stuff). Also you must be accessing admin files
I've not yet deleted from the store modules... that will be done.

> I'd suggest you disallow ANY access to admin screens without
> authorization. I can still browse around and see what admin pages exist,
> even if I can't access the contents. Maybe put the admin access check
> into admin.php itself.

Ah yes, thanks. I had kept a login screen in the administration module screen
directory, pondering whether to use it or not. You've just highlighted where
it's needed, i.e. if someone tries to access admin.php directly they should
be sent to a plain login screen.

> And this doesn't seem like a good thing (make sure you're not logged in
> as admin):
>
> http://www.nextwavehosting.com/demostore/index.php?SCREEN=create_index
>
> ...even if it doesn't really directly compromise security, it gives you a
> listing of all screens to start poking for vulnerabilities.

Yeah, as above, that's just a left-over admin screen in the store modules
section... will delete soon. Funnily enough, you're probably highlighting
security problems in the current default FreeTrade set-up. I just visited a
previous site built on FreeTrade and can do exactly what you just did, all
the more reason to separate admin and store modules!

> And this:
>
> http://www.canvasdesigns.com.au/admin.php?SCREEN=create_index
>
> makes it look like create_index doesn't know where the *store* screens are
> (which are the only ones it should be searching anyway -- not the admin
> ones).

Actually, it doesn't; again I've not yet switched that over... it's a
similar situation for the logging system, i.e. I need these functions to
"watch" the store files, NOT the admin files.
> You also might want to use something other than the invoice number to
> check order status, as I can easily check the status of other people's
> orders (not a HUGE deal). Maybe you should require people to log in when
> they click on the order status button, and then show the status of ALL
> their orders (with the ability to see the details of them).

In fact what happens is that the order status link changes according to
whether the user is logged in or not... logged-in users are sent to the
order_history page. As for security, I did think about that but really
couldn't see much harm in being able to view the status details provided
for someone else's order...?

> And the "Hot Item" should probably do a check to make sure an image exists
> (no "Item Coming Soon" graphics showing up there).

Yeah, that's really just there for internal use; the site is not really
released yet and those are there to remind us to get the graphics done!!

> On a usability note, you might want to put an "Add to Cart" button
> next to "More info". Less clicking for those who already know what they
> want.

Yeah, we did think about that but here's the problem: take the Boot Bag in
Canvas Designs... it comes in two different sizes and different colours, so
to list all that on the department page becomes somewhat more complicated
and to some degree hinders the usability. It's kind of a trade-off of
usability in terms of number of clicks vs. usability in information flow.
I think!?

> I understand how you might want to keep some things proprietary, but I
> hope you'll consider submitting the admin interface improvements (and
> perhaps even the demo store data/graphics!) back to the main FT project.
> I think a very polished looking demo would get more developers interested
> in FT, and improve the tech for all of us.
I had thought a lot about that... another thing that had occurred to me was
that there have been a lot of good contributions to this project that have
no home except in this mailing list. Understandably Leon and crew have
enough on their plate with the core system, which leaves a gap for "add-ons"
as in the PHP-Nuke and Nuke-addons situation. Mmmm... something to think
about.

> Anyway, great work!

Thanks again for taking the time to go through all that Isaac, it's MUCH
appreciated.

Nick

>> A couple of FreeTrade 1.4 based sites for public scrutiny:
>>
>> http://www.nextwavehosting.com/demostore
>> http://www.canvasdesigns.com.au
>>
>> The former is a development/demo implementation so will undoubtedly be error
>> ridden when visited! We will allow general access to the admin section after
>> a few security filters have been implemented.
>>
>> I actually wanted to mention a method we employed here to speed up
>> implementation/maintenance. We've separated the modules into administration
>> and store and the web root files to index.php and admin.php. This allows the
>> admin section to remain standardised across installations while the store
>> section can be customised.
>>
>> It is particularly relevant when a team member messes up the config or
>> language files when designing the site. With the above method it's not as
>> much of a bother since the sections are independent.
>>
>> Please lay the boot in where necessary, we need feedback of all kinds.
>>
>> Thanks,
>>
>> Nick
>>
>> ----------------------
>> Lab2 Design-Unit
>> URL: http://www.lab2.com.au
>> ----------------------
>>
>> _______________________________________________
>> FreeTrade-dev mailing list
>> http://share.whichever.com/mailman/listinfo/freetrade-dev
>
> Isaac Reuben
> "Maybe she's just pieces of me you've never seen" - Tori Amos
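An entry-point gate of the kind Isaac suggests above (the authorization check in admin.php itself, with the SCREEN parameter restricted to known screens so the dispatcher cannot be used to enumerate or reach arbitrary files). This is an added example, not FreeTrade's code and not the code from Nick's sites; it assumes PHP sessions hold the login state, an admin_screens/ directory with one file per screen, and a screen called login.

```php
<?php
// Added example (not FreeTrade code): minimal gate at the top of admin.php.
// Assumptions: a logged-in admin has $_SESSION['admin_user_id'] set, each
// screen lives at admin_screens/<name>.php, and 'login' is the plain login
// screen an unauthenticated visitor should be sent to.
session_start();

// Allow-list of admin screen names. Anything not listed is refused outright,
// so the SCREEN parameter cannot be used to probe for files, walk directories
// or pull in a screen that was never meant to be dispatched.
$ADMIN_SCREENS = ['login', 'main', 'edit_user', 'create_index'];

$screen = isset($_GET['SCREEN']) ? (string) $_GET['SCREEN'] : 'main';
if (!in_array($screen, $ADMIN_SCREENS, true)) {
    header('HTTP/1.1 404 Not Found');
    exit('Unknown screen');
}

// The access check happens here, before any screen file is included: every
// admin screen except the login screen requires an authenticated admin.
$isAdmin = isset($_SESSION['admin_user_id']);
if (!$isAdmin && $screen !== 'login') {
    header('Location: admin.php?SCREEN=login');
    exit;
}

// Only a name from the allow-list can reach this include.
require __DIR__ . '/admin_screens/' . $screen . '.php';
```

The same pattern (allow-list the screen names, then check authorization before the include) applies to index.php for the store screens, which also keeps create_index from finding admin screens it should not be searching.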
