Administration no longer available to my Admin account

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
12 years ago
Hi and thank you to anyone that posts a reply.

We have been working with nopCommerce ver 2-2.20 for about three months now, and have been making good progress.  Our current environment is in 2.20 at the moment.

Today, a strange thing began happening on our production environment.  The "Administration" link in the navigation menu (to be specific, where it normally shows your account name, register, login, shopping cart, wish list, etc.) disappeared.  This is only happening on our production environment, not on the local/development machine.  Even when logged in as the Admin, any attempt to go to an administrative URL (yourdomain.com/admin etc.) meets with a re-direct back at the administrative login page.  (I.e., yourdomain.com/login?ReturnUrl=%2fadmin which is what you get when you try to access any administration pages but you are not an administrator.)

Having looked over forums, we do not think that this is an issue with improper entry of administrator account login/pw etc.  (There is no error that the credentials are incorrect.)  There are some other, seemingly less likely, possibilities in the forums but basically we've exhausted the easy stuff.

There is another twist to this mystery.  Here is where it gets weird.  When this was first noticed, we changed passwords for FTP access, went into the database to set the store as closed, reset the application pool to force a shutdown, etc.  I.e., just in case the administrator account was somehow hacked, we wanted to cut off access.  While in the database, one of us pulled up the Customer table; the Admin account had been either deleted or overwritten.  (And not 'soft' deleted, but actually removed from the table.)  How that was done, we have no idea.  Also, see below about all the other records in Customer which hadn't been there before.

Following the suggestion about resetting an Admin account that is found on 2-3 of the forum threads, we registered a new account and then went into the database and changed that account to IsSystemAdministrator = true, etc.  In fact, we compared it field-by-field with the (good) Admin account on our local database, and made sure it matched in all respects.  This error with not being able to see the Administration pages/nav link continues, even though we are as certain as we can be that our new Admin account is itself good.

Incidentally, there seem to be an ever-increasing number of what are probably guest accounts (no name, no email) that are added to the site/database at a rate of about one every 15 minutes.  (Even when the store is closed, which seems worrisome.)  Having seen other forum discussions about guest accounts being registered for polls, reviews, contact us, etc.... we hope that this is not part of the problem.  (Although, currently nearly all functionality where a guest registration could be created -- polls, reviews, etc. -- is disabled.  Only Contact Us is enabled, and there have been no emails.)  Furthermore, to make sure that someone wasn't botting their way into having huge numbers of empty accounts in our system, we switched things over to an email confirmation for registration setting (via the database.)  Nevertheless, new (guest?) accounts keep getting added.

We've reset the system several times, (temporarily) deleted Web.Config to make sure that no one could access any pages, etc., looked through the code to make sure that nothing is missing and so on & so forth.  We've also restored the database (unfortunately to a point that is not earlier than these problems -- there have been no backups because our site is not yet online for business, only early Alpha testing.)


Right now, the most likely problem source & solution is that our current Admin account is, somehow, not correct.  (The most troubling problem will always remain how the original admin account got deleted without any interaction.)  Does anyone have any insight or suggestions to make certain that the account that we've created will be treated as the legitimate Admin account?

Final note: I suppose we could upload a fresh, empty DB and start over.  But there is some work in the current production database (enough that, in hindsight, it should have been backed up earlier.)  Also, since we don't know how/why this happened, it could be that we'll start a new DB and then have this issue again.  We'd rather solve the problem directly, at least as much as it can be solved.

Thanks for reading this long & overly-complicated thread,
and all assistance will be greatly (greatly) appreciated,

Ed Hunkin
IARM
12 years ago
Ed,

An "empty" guest account is created for each guest session. But no worries about it. All guest accounts older than one day are automatically deleted from the system. You can also do it manually. Just go to admin area > system > maintenance and you'll see 'Deleting guest customers' option.

As for your admin account. Actually, I don't know. It needs some debugging. There could be a lot of reasons. For example, a hacker deleted it, you disabled 'admin access' on 'Access control list' page, you removed a user from 'administrators' role, you disabled 'administrators' role, etc.
12 years ago
a.m. wrote:
Ed,

As for your admin account. Actually, I don't know. It needs some debugging. There could be a lot of reasons. For example, a hacker deleted it, you disabled 'admin access' on 'Access control list' page, you removed a user from 'administrators' role, you disabled 'administrators' role, etc.


Hi Andrei, and thanks for getting back to me.  And for the insight on guest accounts; I'm not going to worry about them anymore.  (A lot of them had my local IP address, and even my local/development machine version has some.)

Can you help me figure out what steps will need doing here in order to debug some of your suggestions?

One thing that I've found (with a little bit of help) to check on is in the Settings table, where "securitysettings.hideadminmenuitemsbasedonp" should be set to false?  It is.

Where, in the database, could I check on disabled Admin access?  Disabled user from Admin role?  Disabling of entire administrators role?
12 years ago
Success!

It turns out that if you have this problem, simply re-creating the Customer record of Admin lacks a step.

That step is in the Customer_CustomerRole_Mapping table.  Normally, that table has a value for CustomerId 1 having a role with an Id of 1 (Admin account gains Admin rights.)  However, if your CustomerId of 1 is deleted, and you enter an entirely new registration, your newly created Id will only have normal role/permissions.

Simply flipping the value of IsSystemAdministrator in the Customer table (as I had done) is insufficient.


Thanks again, Andrei, for your quick response.

If I ever figure out how my Admin account got deleted, I will post on it.  Otherwise, we are all now hoping for smooth sailing with nopCommerce!

Ed
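
Added example, not part of the original thread and not nopCommerce code: a check for the state described in the last post, where a re-registered account has no admin row in Customer_CustomerRole_Mapping, plus the disabled-role case raised earlier and mapping rows left pointing at a deleted customer. The table names and the admin role Id of 1 come from the thread; the column names (Customer_Id, CustomerRole_Id, Active, Email), the sample rows and the use of in-memory SQLite in place of the store's real database are assumptions.

```python
import sqlite3

ADMIN_ROLE_ID = 1  # per the thread: the admin role has an Id of 1

# Table names are from the thread; column names and all rows are constructed.
SCHEMA = """
CREATE TABLE Customer (Id INTEGER PRIMARY KEY, Email TEXT);
CREATE TABLE CustomerRole (Id INTEGER PRIMARY KEY, Name TEXT, Active INTEGER);
CREATE TABLE Customer_CustomerRole_Mapping (Customer_Id INTEGER, CustomerRole_Id INTEGER);
-- Original admin (Id 1) is gone; Id 57 is the re-registered account; Id 58 is a guest.
INSERT INTO Customer VALUES (57, 'admin@example.test'), (58, NULL), (60, 'shopper@example.test');
INSERT INTO CustomerRole VALUES (1, 'Administrators', 1), (3, 'Registered', 1);
INSERT INTO Customer_CustomerRole_Mapping VALUES (1, 1), (57, 3), (60, 3);
"""

# One row per non-guest customer with its effective admin status.
AUDIT = """
SELECT c.Id,
       CASE WHEN m.Customer_Id IS NULL THEN 'no admin mapping'
            WHEN r.Active = 1 THEN 'admin'
            ELSE 'admin role disabled or missing' END
FROM Customer c
LEFT JOIN Customer_CustomerRole_Mapping m
       ON m.Customer_Id = c.Id AND m.CustomerRole_Id = ?
LEFT JOIN CustomerRole r ON r.Id = m.CustomerRole_Id
WHERE c.Email IS NOT NULL
ORDER BY c.Id
"""

# Mapping rows whose customer no longer exists: a sign rows were removed out of band.
ORPHANS = """
SELECT m.Customer_Id, m.CustomerRole_Id
FROM Customer_CustomerRole_Mapping m
LEFT JOIN Customer c ON c.Id = m.Customer_Id
WHERE c.Id IS NULL
"""

def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def audit(conn):
    return conn.execute(AUDIT, (ADMIN_ROLE_ID,)).fetchall()

def orphans(conn):
    return conn.execute(ORPHANS).fetchall()

def grant_admin(conn, customer_id):
    # The missing step from the thread: map the new customer to the admin role.
    conn.execute("INSERT INTO Customer_CustomerRole_Mapping VALUES (?, ?)",
                 (customer_id, ADMIN_ROLE_ID))
```
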