I can't find the option to enable this configuration on Magento 2:
allow magento frontend to run in frame
on magento 1 was in system > configuration > admin > security
This old post shows how to do on magento 1: old post
I went into one of our Enterprise installs to check this.
In app/code/core/Enterprise/Pci/Model/Observer.php there is a function called adminAuthenticate in the Observer.

    public function adminAuthenticate($observer)
    {
First, it updates the locking information:
    // update locking information regardless whether user locked or not
    if ((!$authResult) && ($user->getId())) {
        $now = time();
        $lockThreshold = $this->getAdminLockThreshold();
        $maxFailures = (int)Mage::getStoreConfig('admin/security/lockout_failures');
        if (!($lockThreshold && $maxFailures)) {
            return;
        }
        $failuresNum = (int)$user->getFailuresNum() + 1;
        if ($firstFailureDate = $user->getFirstFailure()) {
            $firstFailureDate = new Zend_Date($firstFailureDate, Varien_Date::DATETIME_INTERNAL_FORMAT);
            $firstFailureDate = $firstFailureDate->toValue();
        }
Then it determines if the admin account is locked out by checking the lockExpires field from admin_user against the current time.

    // check whether user is locked
    if ($lockExpires = $user->getLockExpires()) {
        $lockExpires = new Zend_Date($lockExpires, Varien_Date::DATETIME_INTERNAL_FORMAT);
        $lockExpires = $lockExpires->toValue();
        if ($lockExpires > time()) {
            throw new Mage_Core_Exception(
                Mage::helper('enterprise_pci')->__('This account is locked.'),
                self::ADMIN_USER_LOCKED
            );
        }
    }
Then it pulls the latest password and checks to see if the admin has to complete a forced password change.
    $latestPassword = Mage::getResourceSingleton('enterprise_pci/admin_user')->getLatestPassword($user->getId());
    if ($latestPassword) {
        if ($this->_isLatestPasswordExpired($latestPassword)) {
            if ($this->isPasswordChangeForced()) {
                $message = Mage::helper('enterprise_pci')->__('Your password has expired, you must change it now.');
            } else {
                $myAccountUrl = Mage::getSingleton('adminhtml/url')->getUrl('adminhtml/system_account/');
                $message = Mage::helper('enterprise_pci')->__('Your password has expired, please <a href="%s">change it</a>.', $myAccountUrl);
            }
            Mage::getSingleton('adminhtml/session')->addNotice($message);
            if ($message = Mage::getSingleton('adminhtml/session')->getMessages()->getLastAddedMessage()) {
                $message->setIdentifier('enterprise_pci_password_expired')->setIsSticky(true);
                Mage::getSingleton('admin/session')->setPciAdminUserIsPasswordExpired(true);
            }
        }
    }
If the getPciAdminUserIsPasswordExpired session variable is set, then it is caught in the forceAdminPasswordChange function in controller_action_predispatch.

    public function forceAdminPasswordChange($observer)
    {
        if (!$this->isPasswordChangeForced()) {
            return;
        }
        $session = Mage::getSingleton('admin/session');
        if (!$session->isLoggedIn()) {
            return;
        }
        $actionList = array('adminhtml_system_account_index', 'adminhtml_system_account_save',
            'adminhtml_index_logout');
        $controller = $observer->getEvent()->getControllerAction();
        if (Mage::getSingleton('admin/session')->getPciAdminUserIsPasswordExpired()) {
            if (!in_array($controller->getFullActionName(), $actionList)) {
                if (Mage::getSingleton('admin/session')->isAllowed('admin/system/myaccount')) {
                    $controller->getResponse()->setRedirect(Mage::getSingleton('adminhtml/url')
                        ->getUrl('adminhtml/system_account/'));
                    $controller->setFlag('', Mage_Core_Controller_Varien_Action::FLAG_NO_DISPATCH, true);
                    $controller->setFlag('', Mage_Core_Controller_Varien_Action::FLAG_NO_POST_DISPATCH, true);
                } else {
                    /*
                     * if admin password is expired and access to 'My Account' page is denied
                     * than we need to do force logout with error message
                     */
                    Mage::getSingleton('admin/session')->unsetAll();
                    Mage::getSingleton('adminhtml/session')->unsetAll();
                    Mage::getSingleton('adminhtml/session')->addError(
                        Mage::helper('enterprise_pci')->__('Your password has expired, please contact administrator.')
                    );
                    $controller->getRequest()->setDispatched(false);
                }
            }
        }
    }
If the Admin user has a forced password flag set and is allowed to access My Account then they'll be able to update their password themselves. If not, then they'll be logged out with the message Your password has expired, please contact administrator.
Magento uses the file called view.xml which is maintained at the theme level of the application.
So for example, if you are using the default theme luma you should find the view.xml under vendor/magento/theme-frontend-luma/etc/view.xml
In this file, you would see <images/> node inside the <media> node.

    <view xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Config/etc/view.xsd">
        <media>
            <images module="Magento_Catalog">
                <image id="bundled_product_customization_page" type="thumbnail">
                    <width>140</width>
                    <height>140</height>
                </image>
                <image id="cart_cross_sell_products" type="thumbnail">
                    <width>200</width>
                    <height>248</height>
                </image>
                <image id="cart_page_product_thumbnail" type="small_image">
                    <width>165</width>
                    <height>165</height>
                </image>
                ........
            </images>
        </media>
        ......
    </view>
The dimension of the images is maintained here under the <image/> node.
The id attribute value of the <image/> node is referenced in the codebase.
For example:

    <image id="related_products_list" type="small_image">
        <width>152</width>
        <height>190</height>
    </image>
The id value is used in the view file vendor/magento/module-catalog/view/frontend/templates/product/list/items.phtml
    case 'related':
        /** @var \Magento\Catalog\Block\Product\ProductList\Related $block */
        if ($exist = $block->getItems()->getSize()) {
            $type = 'related';
            $class = $type;
            $image = 'related_products_list';
            $title = __('Related Products');
            $items = $block->getItems();
            $limit = 0;
            $shuffle = 0;
            $canItemsAddToCart = $block->canItemsAddToCart();
            $showWishlist = true;
            $showCompare = true;
            $showCart = false;
            $templateType = null;
            $description = false;
        }
    break;

Here the $image refers to the value of the image size here:

    <?php echo $block->getImage($_item, $image)->toHtml(); ?>
In case the theme does not have a view.xml, then it might be using a fallback theme (parent theme) which has the view.xml file.

    <theme xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Config/etc/theme.xsd">
        <title>Magento Luma</title>
        <parent>Magento/blank</parent>
        .....
    </theme>

Here Magento/blank is the parent theme.
In case of changing/overwriting the values of the view.xml file you need to completely copy the entire view.xml file to your custom theme and change the values.
view.xml does not have a node value fallback system, which means that if a value of a node is not present in your custom theme's view.xml it will not fall back to its parent theme's view.xml value; that's why the entire file needs to be copied.
Once the values changes have been done, you will have to run
php bin/magento catalog:images:resize
Update: As of Magento 2.4 this command supports synchronous (default) and asynchronous modes. Asynchronous means that images will not be processed immediately on command execution. Using the Magento queue functionality, these images will be scheduled for resizing and then processed in the background. To enable asynchronous mode, use the -a or --async option.
php bin/magento catalog:images:resize -a
To speed up the job while in asynchronous mode, you may manually run several instances of a consumer with the command in each instance:
php bin/magento queue:consumer:start media.storage.catalog.image.resize
Best Answer
Open the env.php file and put

Magento wants this in env.php because they claim that it’s more secure than setting a value in the Magento Admin.

Possible values for x-frame-options are three:

DENY: It prevents your site page from being included in an iFrame.
SAMEORIGIN: If a parent page is from the same domain as your site page, the site page can be included in the iFrame.
ALLOW-FROM: You can specify a single URI that is allowed to frame your site page e.g. ALLOW-FROM http://www.somedomain.com/

Add asterisk: If you add an asterisk 'x-frame-options' => '*' it will allow all domains to access your Magento URL in the iframe. NOT RECOMMENDED BUT WORKING
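
As an added example (not part of the answer above and not Magento code), this Python check classifies the framing policy a browser would enforce from a response's headers, covering the x-frame-options values listed above. It goes beyond the answer by also reading the Content-Security-Policy frame-ancestors directive, which takes precedence when present, and by treating ALLOW-FROM as ignored because current browsers do not implement it; the header sets are constructed samples and the function names are hypothetical.

```python
# Added example: which sites may frame a response, judged from its headers.
# SAMPLES are constructed header sets, not captured from a real store.
SAMPLES = {
    "sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "deny": {"x-frame-options": "deny"},
    "asterisk": {"X-Frame-Options": "*"},
    "allow_from": {"X-Frame-Options": "ALLOW-FROM http://www.somedomain.com/"},
    "csp_wins": {"X-Frame-Options": "*", "Content-Security-Policy":
                 "default-src 'self'; frame-ancestors 'self' https://partner.example"},
    "no_header": {"Content-Type": "text/html"},
}

def frame_ancestors(csp):
    """Return the frame-ancestors source list of a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def framing_policy(headers):
    """Return (verdict, reason); verdict is deny, sameorigin, allowlist or open."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # When frame-ancestors is enforced, browsers disregard X-Frame-Options.
        if not sources or sources == ["'none'"]:
            return ("deny", "csp frame-ancestors")
        if "*" in sources:
            return ("open", "csp frame-ancestors wildcard")
        if sources == ["'self'"]:
            return ("sameorigin", "csp frame-ancestors")
        return ("allowlist", "csp frame-ancestors")
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return (xfo.lower(), "x-frame-options")
    if xfo.startswith("ALLOW-FROM"):
        # Current browsers do not implement ALLOW-FROM, so the header is ignored.
        return ("open", "allow-from ignored by current browsers")
    # Any other value ('*' included) is not a valid directive: no protection.
    return ("open", "missing or invalid x-frame-options")

def audit(samples=SAMPLES):
    """Map each sample name to its verdict."""
    return {name: framing_policy(hdrs)[0] for name, hdrs in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:12} {verdict}")
```

To restrict framing to specific partner origins, the allowlist verdict is only reachable through frame-ancestors, so that is the header to verify after changing env.php.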