#113
06-25-2013, 04:51 AM
Ksenia
X-Cart team

Re: X-Cart 4.6 released

Quote:
Originally Posted by cflsystems
Doing an upgrade from 4.1.9 to 4.6.0. The new security features are really a pain in the ass. QT - PLEASE revise them and also make sure the config.php in the installation and the one in the upgrade packs have these features OFF by default - ALL of them.

We will not roll back all the security improvements or disable them by default at the request of a single user from the forum (even if this user is you, Steve, though we do respect your opinion). We consider that enhanced security IS an improvement and IS required. It should protect most merchants from being hacked.

At the same time, there's a way for developers like you to finish the upgrade; please let me try to help.


Quote:
Originally Posted by cflsystems
I had to do the upgrade on a separate server and once db upgraded move it back to the production server - apparently the new security features are tied to IP (otherwise I don't see why login will fail) and generate the signatures in customers tables based on that... Please correct me if I am wrong

This causes failed logins once db is moved to a different server. While the 4.6.0 installation can be done with most of these features being OFF an upgrade cannot - the config.php in the upgrade packs has them all set to IP or ON and modifying them in the file causes MD5 checksum to fail so the upgrade cannot be performed...

If you upgrade the database on a dev server, when you move the upgraded DB back to production server you need to edit config.php of production copy as follows:

1) Copy $blowfish_key and the security keys ($xc_security_key_session, $xc_security_key_config, $xc_security_key_general) from the dev copy

or

2) Set these constants to 'false' so that the secret keys will not be checked:

const CHECK_CUSTOMERS_INTEGRITY
const CHECK_XAUTH_USER_IDS_INTEGRITY
const CHECK_RESET_PASSWORDS_INTEGRITY
const CHECK_CONFIG_INTEGRITY

We consider that #1 is a better choice, but it's up to you to decide.

And since you're editing config.php, you may also want to disable the 'block unknown admin IP' feature (const BLOCK_UNKNOWN_ADMIN_IP is responsible for it) or expand the list of allowed admin IPs (const ADMIN_ALLOWED_IP).


Quote:
Originally Posted by cflsystems
The only way to login was to go through "reset password" which by the way caused the following sql error

Code:
[24-Jun-2013 19:46:32] SQL error:
Site : URL
Remote IP : IP
Logged as : LOGIN
SQL query : REPLACE INTO xcart_login_history (`userid`, `date_time`, `usertype`, `action`, `status`, `ip`) VALUES ('27124', '1372128392', 'P', 'check_critical_config_values_authenticity: * Notify the site administrator about SQL errors in the store by email *Possible fake allowed IP addresses and/or the list of IP addresses awaiting registration *Check if payment gateway response is coming from the IP's specified here (enter a comma separated list) *Login error notification to site administrator *Possible fake allowed IP addresses and/or the list of IP addresses awaiting registration *Site administrator email address *SMTP server *Notify the site administrator by email if unallowed request to site occurs *Use SMTP server instead of internal PHP mailer *IP addresses for X-Payments callbacks (optional)', 'restricted', '1136079444')
Error code : 1064
Description : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's specified here (enter a comma separated list) *Login error notification t' at line 1
Request URI: /store/xcart/admin/home.php
Backtrace:
/store/xcart/include/func/func.db.php:320
/store/xcart/include/func/func.db.php:217
/store/xcart/include/func/func.db.php:711
/store/xcart/include/func/func.user.php:1580
/store/xcart/include/func/func.security.php:141
/store/xcart/admin/auth.php:103
/store/xcart/admin/home.php:44
-------------------------------------------------

Ildar has prepared a patch for this issue, please download it here

Quote:
Originally Posted by cflsystems
I continue to see this error as well

Code:
[24-Jun-2013 18:03:13] Error: Smarty error: [in main/orders_list.tpl line 54]: [plugin] modifier 'order_status_color' is not implemented (core.load_plugins.php, line 11 in /include/lib/smarty/Smarty.class.php on line 1093

This error was fixed in version 4.5.5.


Quote:
Originally Posted by cflsystems
Also doing an upgrade from 4.5.x to 4.6.0 results in no sql or php errors on the 4.6.0 cart but installing new unmodified 4.6.6 gold+ shows this php error

Code:
[24-Jun-2013 19:52:16] PHP Fatal error: Cannot call method self::arg1PlusArg2() or method does not exist in /include/func/func.product.php on line 663


and this sql

Code:
SQL query : SELECT DISTINCT xcart_products.productid FROM xcart_products INNER JOIN xcart_products_lng_en ON xcart_products_lng_en.productid = xcart_products.productid INNER JOIN xcart_products_categories ON xcart_products_categories.productid = xcart_products.productid AND xcart_products_categories.avail = 'Y' LEFT JOIN xcart_category_memberships ON xcart_category_memberships.categoryid = xcart_products_categories.categoryid LEFT JOIN xcart_product_memberships ON xcart_product_memberships.productid = xcart_products.productid WHERE (xcart_category_memberships.membershipid = '0' OR xcart_category_memberships.membershipid IS NULL) AND (xcart_product_memberships.membershipid = '0' OR xcart_product_memberships.membershipid IS NULL) AND xcart_products.forsale='Y' AND xcart_products_categories.main='Y' AND xcart_products_categories.categoryid='9871' AND price >= '399.00' AND product >= 'Bronze Lite Class: H.264 8 Channel DVR - Apple IPHONE MAC OSX Windows PC Compatible' ORDER BY price ASC, xcart_products_lng_en.product ASC LIMIT 2
Error code : 1054
Description : Unknown column 'price' in 'where clause'
Request URI: /store/xcart/product.php?productid=53748&cat=0&featured=Y
Backtrace:
/store/xcart/include/func/func.db.php:320
/store/xcart/include/func/func.db.php:217
/store/xcart/include/func/func.db.php:516
/store/xcart/include/func/func.product.php:1527
/store/xcart/include/func/func.product.php:555
/store/xcart/include/func/func.product.php:459
/store/xcart/include/func/func.product.php:425
/store/xcart/product.php:327

This error is specific to PHP v.5.2. Ildar provided the patches for both problems earlier in this discussion; see post #43 of this very thread.



Quote:
Originally Posted by cflsystems
@Ksenia - I was not complaining although it will be a reasonable complaint - RE product configurator. There are many XC owners with old carts which either bought this module before or had it included free with the cart and using it. The new XC line took this module out (fine) but not one upgrade pack checks if this module is in modules table and if it is ON and in the upgraded db and if not some sort of notification at least to turn it OFF. Every single upgrade I have done since this new line was introduced has the module (or the comparison module) ON and this causes the cart to not work after an upgrade - until this module is turned off or files are uploaded. The least the upgrade pack can do is turn off these modules - not to delete their reference but so they don't load, and a note for admin on first login.... just an idea

Thank you for this observation. The adding of these 2 modules has just been removed from 'db_upgrade_packs' of versions:
4.1.12
4.2.3
4.3.2

In the DB upgrader from 4.4.5 (where the modules were available out of the box) they will be disabled by default.

Thus this issue should no longer bother you.


Quote:
Originally Posted by cflsystems
Another one - not sure how you want to handle this - but since 4.6.0 has some module's new info like tags, url, author... with an upgrade the modules already in the db do not have this info - maybe it is not a bad idea to allow admin to re-categorize modules so the existing ones do not receive just generic "ALL" tag.... just something to think about, not a bug or anything....

The idea is nice; I've forwarded it to the X-Cart architects. However, bug fixes are of higher priority in our next version.

Steve, thank you for digging into it. We appreciate your help.

Have a nice day.
__________________
X-Cart team
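
A check for option 1 in the post above, as an added example that is not part of the original post and not X-Cart code: it compares the four key variables between the dev and production copies of config.php and reports which ones still differ, without printing any key. The `$name = 'value';` assignment form and the sample values are assumptions.

```python
import hmac
import re

# Variables the post says must be copied from the dev copy of config.php.
KEY_VARS = ("blowfish_key", "xc_security_key_session",
            "xc_security_key_config", "xc_security_key_general")

# Assumed assignment form: $name = 'value';  Commented-out lines do not match.
ASSIGN_RE = re.compile(r"""^[ \t]*\$(\w+)[ \t]*=[ \t]*(['"])(.*?)\2[ \t]*;""", re.M)


def extract_keys(config_text):
    """Return {variable: value} for the key variables assigned in config_text."""
    return {name: value
            for name, _quote, value in ASSIGN_RE.findall(config_text)
            if name in KEY_VARS}


def compare_configs(dev_text, prod_text):
    """Map each key variable to 'match', 'differs' or 'missing'."""
    dev, prod = extract_keys(dev_text), extract_keys(prod_text)
    report = {}
    for name in KEY_VARS:
        if name not in dev or name not in prod:
            report[name] = "missing"
        elif hmac.compare_digest(dev[name].encode(), prod[name].encode()):
            report[name] = "match"
        else:
            report[name] = "differs"
    return report


# Constructed sample configs (made-up values, not real keys).
DEV_CONFIG = """<?php
$blowfish_key = 'aaaa1111aaaa1111aaaa1111aaaa1111';
$xc_security_key_session = 'bbbb2222bbbb2222bbbb2222bbbb2222';
$xc_security_key_config = 'cccc3333cccc3333cccc3333cccc3333';
$xc_security_key_general = 'dddd4444dddd4444dddd4444dddd4444';
"""
# Production copy: one key was regenerated, one assignment is commented out.
PROD_CONFIG = DEV_CONFIG.replace("cccc3333", "eeee5555").replace(
    "$xc_security_key_general", "// $xc_security_key_general")

if __name__ == "__main__":
    for var, status in compare_configs(DEV_CONFIG, PROD_CONFIG).items():
        print(f"${var}: {status}")
```

Any variable reported as "differs" or "missing" means rows signed on the dev server will not verify on production until the keys are aligned.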
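
The MySQL error quoted in the post stops at the apostrophe in "IP's", which ends the string literal early. The following added example (not from the post and not X-Cart code; sqlite3 stands in for MySQL and the column types are assumed) reproduces that failure with hand-quoted values and shows the same text stored intact through bound parameters.

```python
import sqlite3

# Constructed excerpt of the logged 'action' text; the apostrophe in "IP's"
# is the character the MySQL error message points at.
ACTION = ("check_critical_config_values_authenticity: *Check if payment gateway "
          "response is coming from the IP's specified here "
          "(enter a comma separated list)")
ROW = ("27124", "1372128392", "P", ACTION, "restricted", "1136079444")
COLUMNS = "userid, date_time, usertype, action, status, ip"


def open_db():
    """In-memory table using the column names from the logged query."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE xcart_login_history ({COLUMNS})")
    return db


def insert_by_concatenation(db, row):
    """Quote each value by hand with no escaping and splice it into the SQL text."""
    values = ", ".join(f"'{v}'" for v in row)
    db.execute(f"REPLACE INTO xcart_login_history ({COLUMNS}) VALUES ({values})")


def insert_with_parameters(db, row):
    """Pass values separately so quotes in the data never reach the SQL parser."""
    db.execute(
        f"REPLACE INTO xcart_login_history ({COLUMNS}) VALUES (?, ?, ?, ?, ?, ?)",
        row)


def demo():
    """Return (error text from the concatenated insert, action stored by the bound one)."""
    db = open_db()
    try:
        insert_by_concatenation(db, ROW)
        error = None
    except sqlite3.OperationalError as exc:
        error = str(exc)
    insert_with_parameters(db, ROW)
    stored = db.execute("SELECT action FROM xcart_login_history").fetchone()[0]
    return error, stored


if __name__ == "__main__":
    err, stored_action = demo()
    print("concatenated insert:", err)
    print("bound insert stored the text unchanged:", stored_action == ACTION)
```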