http://www.tomatocart.com

customer url : http://<ip>

admin url : https://<ip>:8080

admin username : admin

admin passwd : admin


base : Turnkey LAMP Lucid or Turnkey LAMP Hardy


Working on Lucid too

Liraz Siri:

I was initially skeptical of Tomato Cart but it seems the main reason so few people have heard of it is that it's so new (about a year old). It's actually an extremely impressive piece of software. It has to be one of the most beautiful and modern ecommerce web applications I have come across. It may not be popular yet, but I think it's going to be and we can help make that happen.

Only a couple of things caught my attention with regards to the TKLPatch:

  • We need to figure out how to make sure the admin interface is accessible only via SSL. This is an e-commerce application where such things matter.
  • The patch embeds an example e-mail for the admin account: admin@tomato-turnkeylinux.org. It's better to use example.com for example e-mails for security reasons. Otherwise it would be possible for an attacker to register the unregistered domain, and use that to compromise any appliance that hadn't yet been fully configured. We should assume attackers are routinely scanning the Internet for vulnerable machines.
  • We'll need to document how to change the admin e-mail or write a di-live hook that does it on installation. Example di-live hooks can be found in the domain-controller, ejabberd, projectpier and torrentserver appliances.

Both https and http are working on admin-login URL

admin's email changed :-D

sed -i "s/admin@tomato-turnkeylinux.org/admin@example.com/" Tomato/overlay/root/config.ini.php
sed -i "s/admin@tomato-turnkeylinux.org/admin@example.com/" Tomato/overlay/root/dbtomato.sql

Tested, working!

Liraz Siri:

The problem is that it's easy to access the admin interface from a non-encrypted HTTP connection by mistake. Sometimes you have to try and help protect users from themselves. If we can figure out how to automatically redirect attempts to access the admin interface via http to https.

>>It would be better if HTTP didn't work for the Admin interface

You really meant it?? :-o Why?

Liraz Siri:

I can't tell you how many times I've typed http instead of https. Especially when I'm tired. Woops! Just transmitted my admin password in the clear over the Internet.

Sorry, yesterday I wrote it in my night shift, I was sleepy, I read that wrongly.... :D

Only HTTPS is allowed for Admin URL
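One way to enforce the HTTPS-only admin interface discussed above on the Turnkey LAMP base, as an added example (not the TKLPatch's actual configuration). It assumes the admin directory is /admin under /var/www/tomatocart, that mod_rewrite and mod_ssl are enabled, and uses placeholder certificate paths:

```apache
# Added example, not from the original thread. Assumes the TomatoCart admin
# interface lives in /admin under the web root (adjust if different) and
# that mod_rewrite and mod_ssl are enabled (a2enmod rewrite ssl).

# Plain-HTTP storefront on port 80: customers may use it, but any request
# for the admin directory is answered with a redirect to the SSL port.
# The redirect fires on the first GET of the login page, so the login form
# itself is then served (and submitted) over HTTPS only.
<VirtualHost *:80>
    DocumentRoot /var/www/tomatocart
    RewriteEngine On
    # Preserve the host and path, switch scheme and port
    RewriteRule ^/admin(/.*)?$ https://%{HTTP_HOST}:8080/admin$1 [R=301,L]
</VirtualHost>

# SSL-only admin on port 8080.
Listen 8080
<VirtualHost *:8080>
    DocumentRoot /var/www/tomatocart
    SSLEngine On
    # Placeholder certificate paths; substitute the appliance's real cert/key
    SSLCertificateFile    /etc/ssl/certs/cert.pem
    SSLCertificateKeyFile /etc/ssl/private/cert.key
    <Directory /var/www/tomatocart/admin>
        # Belt and braces: refuse to serve the admin directory on any
        # non-SSL connection even if a later config mistake exposes it
        SSLRequireSSL
    </Directory>
</VirtualHost>
```

The port-80 redirect covers the "typed http instead of https" case; SSLRequireSSL is the fallback that makes the admin directory unreachable over plain HTTP regardless of how the vhosts are later rearranged.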

Jeremy Davis:

Unless you have manually altered your template files you can skip step 3 (which is 3 quarters of the instructions). Even then, even though it looks involved, if you use an advanced text editor such as Notepad++ or BlueFish it's a simple (although perhaps time consuming) job of find-replace on the code.

Before I go any further, I'd like to suggest that it may be best to start a new thread, as this line of query is not quite relevant to the thread here (other than we are talking about TomatoCart) and the thread is very old.

The first thing I would do is do a full backup of your site. Actually probably what I would do would be take a TKLBAM backup and restore to a clean instance (I'd be inclined to use a fresh local VM to test the upgrade). That way you are not working on your 'real' site so if something goes wrong you haven't lost anything. This has the bonus of ensuring that your backup works ok OOTB.

If the backup restores flawlessly all well and good, otherwise you could do a manual backup by copying all the files from /var/www/tomatocart (or something similar) and a DB dump. To ensure that none of your files accidentally get overwritten I would also simply copy this whole folder on your server.

service apache2 stop
cp -a /var/www/tomatocart /var/www/backup # -a copies the directory recursively with permissions; adjust the path to whatever the tomatocart folder is called
service apache2 start

Step 1 can be achieved using phpMyAdmin (which can be found on port 12322) or from the MySQL commandline (I would suggest an SSH client so you can copy paste - rather than type it all manually). Or you could put it all in a .sql file and upload it to your server (again either via phpMyAdmin or upload and execute via commandline).

Step 2 can be achieved using SFTP to update (and overwrite the files). Then just copy your includes/configure.php, ext/piwik/config/config.ini.php and the templates/glass_gray apparently (according to step 2 on the post you linked to).

I don't use TomatoCart so I probably won't be a lot of really practical TC specific help but may be some assistance if you get stuck. As suggested above, ideally it would be best to start a new forum thread for this work (you can put in a link back here if you want). Ideally it would be good to script the solution, then others could follow your lead. Even better would be a TKLPatch that others could apply. But even if you can just report back on how successful it went.

Your suggestion/perspective on the updating of the appliance image etc. is somewhat covered by a recent blog post by the core devs (a response to another community member's forum post). And even though you may be using a "paid TurnkeyCloud instance" keep in mind that most of that money doesn't go to TKL, and the bit that does (only applies if you are using TKL on AWS), pays for the costs associated with running this site and creating the images and custom code etc. used by TKL. There are only 2 core devs running TKL and they certainly aren't making a killing out of TKL... This is a small free (as in freedom, as well as in beer if you run it locally on your own hardware or virtual infrastructure) open source project.

[update] I had a quick look on the TomatoCart forums and found what may perhaps be some useful info. This looks like an updater script, although it is almost 2 years old so I'm not sure whether it still applies? Also there is a thread concerning an upgrade from v1.1.5 to v1.1.8.x that may be relevant to you (I haven't read through these threads, just found them). If you get stuck you may be able to get some help by posting (a new thread) over there.
