thirty bees forum


Posted (edited)

We had an employee set up our site, and he is no longer with us. He had the password?! How do we get access back?

Thanks!

Edited by Framemonkey
Posted (edited)

Just this. We don't know the password he used. Ugh. When we hit forgot password, it tells us that this is not the email.

Capture.JPG

Edited by Framemonkey
Posted
3 hours ago, datakick said:

What kind of access do you have? FTP/SSH/MySQL?

Just this. We don't know the password he used. Ugh. When we hit forgot password, it tells us that this is not the email.

Capture.JPG

Posted (edited)

Do you know what company is hosting the website? Do you have login details for the management of your account with that company? 

Edited by 30knees
Posted
9 hours ago, Framemonkey said:

Just this. We don't know the password he used. Ugh. When we hit forgot password, it tells us that this is not the email.

If you don't have access to the back office, and you don't even know what email address was used for the administration account, then you need to use FTP and upload an unlock PHP script to your store.

You should have some access to your hosting provider's control panel. If you don't know the access credentials, contact them and ask them to provide them.

Using the control panel, you should be able to set up FTP access. It might even be possible to upload files directly using the web interface.

A script to reset passwords for all employees is here:

File to download: reset-admin.php

Content:

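<?php
// Bootstrap thirty bees so the Employee and Tools classes are available
include_once __DIR__ . '/config/config.inc.php';

// Output is plain text: one "email = new password" line per employee
header("Content-Type: text/plain");
$employees = new PrestaShopCollection('Employee');
/** @var Employee $employee */
foreach ($employees as $employee) {
    // Generate a random 8-character password and store only its hash
    $newPassword = Tools::passwdGen(8);
    $employee->passwd = Tools::hash($newPassword);
    echo $employee->email . " = " . $newPassword . "\n";
    $employee->save();
}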

Upload this script into the root directory of your thirty bees installation under the file name reset-admin.php.

And then visit your shop at www.domain.com/reset-admin.php

The script will change passwords for all employees, and display the new passwords on the screen. Very dirty and unsafe 🙂

After you do that, delete the script from your store!!!!

Posted
25 minutes ago, nickz said:

With access to the database it shouldn't be an issue to get in.

That's true, and it's terrifying. We will "fix" this issue 

  • 2 weeks later...
Posted
6 hours ago, Framemonkey said:

OK, I just received access to our account @ 123cheapdomains.com. Phew. Now what? Sorry for all the questions.

 

Thanks!

So you probably have access to some control panel. It should contain some SQL tool (phpMyAdmin or similar). Use this to connect to your database, and run this query:

SELECT * FROM tb_employee;

That will list all employees in your database. If this does not work, you have a different database table prefix -- the table can be named like tb123_employee, ps_employee, or whatever.

Look into the list of employees, and find the employee email address for which you want to change the password. Let's say it's [email protected]

Then run this SQL query (replace the email address with the one you chose in the previous step):

UPDATE tb_employee SET passwd = '$2y$10$tGwJd/0V1mZJM0ZlHYdUkebHMr/5dJzl3N0UAt2e3IfWwQP.JJPmC' WHERE email = '[email protected]';

That will change the password for this employee to changeme1234.

Now you can go to your admin login page, enter the employee email address and this new password, and you will be able to log in. Then go to your preferences in the dropdown menu in the upper right corner, and change your password to something more secure.

  • 1 month later...
Posted

Note: the previous suggestion no longer works for bleeding edge / thirty bees 1.5.

The employee record in the database now contains a 'signature' column that ensures the employee password/email/role is not modified externally. This is to prevent attackers from accessing your back office in case of an SQL injection vulnerability.

If you are locked out, you can use the auto login script from this thread:
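
A conceptual sketch of the kind of row signature described in the note above, showing why a database-only password UPDATE stops working once login also verifies a keyed signature. This is an added example, not thirty bees code and not the auto login script mentioned above; the HMAC construction, the field names and the secret are assumptions for illustration.

```php
<?php
// Conceptual sketch only: NOT thirty bees' actual signature scheme.
// The HMAC construction, field names and key handling are assumptions.

// Constructed secret; the point is that it lives outside the database.
const SERVER_SECRET = 'constructed-demo-secret-not-a-real-key';

/** HMAC over the security-relevant fields of an employee row. */
function signEmployee(array $row, string $secret): string
{
    // Encoding the fields as a JSON list keeps field boundaries unambiguous.
    $payload = json_encode([$row['id_employee'], $row['email'], $row['passwd'], $row['id_profile']]);
    return hash_hmac('sha256', $payload, $secret);
}

/** Login check: the row must carry a valid signature AND the password must match. */
function canLogIn(array $row, string $password, string $secret): bool
{
    // hash_equals compares in constant time.
    $signatureOk = hash_equals(signEmployee($row, $secret), $row['signature']);
    return $signatureOk && password_verify($password, $row['passwd']);
}

// Constructed employee row, signed the way application code would sign it.
$row = [
    'id_employee' => 1,
    'email'       => 'owner@shop.example',
    'passwd'      => password_hash('original-password', PASSWORD_BCRYPT),
    'id_profile'  => 1,
];
$row['signature'] = signEmployee($row, SERVER_SECRET);
var_dump(canLogIn($row, 'original-password', SERVER_SECRET));

// Database-only change, like the UPDATE earlier in the thread:
// passwd is replaced, but the stored signature still covers the old hash.
$changed = $row;
$changed['passwd'] = password_hash('changeme1234', PASSWORD_BCRYPT);
var_dump(canLogIn($changed, 'changeme1234', SERVER_SECRET));

// Writing a new signature without the server-side secret does not help either.
$changed['signature'] = signEmployee($changed, 'guessed-secret');
var_dump(canLogIn($changed, 'changeme1234', SERVER_SECRET));

// A change made through application code re-signs the row with the real secret.
$changed['signature'] = signEmployee($changed, SERVER_SECRET);
var_dump(canLogIn($changed, 'changeme1234', SERVER_SECRET));
```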

 

 
