
How to use front-end visitor permissions


63 replies to this topic

#31 Cris D.

    Loves Etomite Forums!

  • Developers
  • 1,104 posts
  • Gender:Male

Posted 13 July 2007 - 08:51 PM

I've been using this method in some of my snippets. Are there any security issues in doing it this way for showing data on the same page (not a URL re-direction)?
$doc=$etomite->documentIdentifier;
$show=$etomite->checkPermissions($doc);
if($show==1){
  // run code for logged in, validated user with permissions to edit this page
}else{
  // run code for non-logged in visitors or logged in users without permissions for editing this page
}

EDITED:
1st of all, I just noticed in the checkPermissions() code, that the documentIdentifier is set to $this->documentIdentifier by default, which makes the $doc call obsolete.

2nd: If I have read the API code correctly user roles MUST be enabled for this to work, otherwise if document permissions aren't in use, everyone will have access to the logged in code because the function returns true by default in this case. Therefore, it looks like I have answered my own question again. No, this is NOT OK (unless the site has document permissions enabled).

Therefore, to write snippets for users who may or may not have document permissions enabled I should be using something like...
$show=0;
$permission=0;
$permission=$etomite->checkPermissions();
// both conditions must hold: a validated session AND a positive permission check
if($_SESSION['validated'] && $permission==1){$show=1;}
if($show==1){
  // run secure code
}else{
  // run unsecure code
}

Please correct me if I am wrong.

Edited by Cris D., 14 July 2007 - 10:03 AM.


#32 Ralph

    Loves Etomite Forums!

  • Admin
  • 6,507 posts
  • Gender:Male

Posted 15 July 2007 - 07:42 PM

@Cris D.

Your method should work with simple authentications as well... When visitor permissions are not enabled checkPermissions() should check against the document's authenticate flag... Hence, simple authentication... The method I use is displayed below... If you are only checking the current document you can omit $id but I generally keep it in place because most of the time I am using this for conditional menu item generation and I use whatever variable suits my needs in place of $id... Because checkPermissions() always returns TRUE or FALSE, any additional code is just wasting server clock cycles...

if($etomite->checkPermissions($id))
{
  // ...do something...
}
else
{
  // ...do whatever needs to be done on failure, or omit this part...
}
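The two posts above disagree on what checkPermissions() answers when document permissions are not in use. The following is an added example, not Cris D.'s or Ralph's snippet and not Etomite's API: FakeEtomite is a stand-in that models the reading in post #31 (TRUE for everyone when document permissions are off, otherwise a document-group lookup), and visitorMaySee() is the belt-and-braces gate from #31 that requires a validated session as well. The gate fails closed for anonymous visitors under either reading, because the session test stands on its own.

```php
<?php
// Added example (not Cris D.'s or Ralph's snippet, not Etomite's API):
// a gate that requires BOTH a validated session and a positive
// checkPermissions() answer before the protected branch runs.

// Stand-in for the Etomite API object. Assumed behaviour, modelled on the
// reading in post #31: when document permissions are not in use the
// check answers TRUE for everyone, otherwise it answers according to the
// visitor's document-group access.
class FakeEtomite
{
    public $documentIdentifier;
    private $permissionsInUse;
    private $allowedDocs;

    public function __construct($docId, $permissionsInUse, array $allowedDocs)
    {
        $this->documentIdentifier = $docId;
        $this->permissionsInUse   = $permissionsInUse;
        $this->allowedDocs        = $allowedDocs;
    }

    public function checkPermissions($docId = null)
    {
        if ($docId === null) $docId = $this->documentIdentifier;
        if (!$this->permissionsInUse) return true;
        return in_array($docId, $this->allowedDocs, true);
    }
}

// The belt-and-braces test: fail closed unless the visitor is logged in
// AND the permission check passes for this document.
function visitorMaySee($etomite, array $session, $docId = null)
{
    $loggedIn = !empty($session['validated']);
    return $loggedIn && $etomite->checkPermissions($docId);
}

// A snippet body in the shape of the thread's examples: returns the
// protected or the public output instead of printing it.
function renderDocument($etomite, array $session)
{
    if (visitorMaySee($etomite, $session)) {
        return 'protected content for ' . $session['shortname'];
    }
    return 'public content';
}

// --- constructed scenarios (sample sessions, not real Etomite data) ------
$anonymous = array();
$member    = array('validated' => 1, 'shortname' => 'alice');

// 1. document permissions NOT in use: checkPermissions() alone says yes to
//    everyone, the combined gate still refuses the anonymous visitor
$site = new FakeEtomite(5, false, array());
echo renderDocument($site, $anonymous), "\n";
echo renderDocument($site, $member), "\n";

// 2. document permissions in use, member lacks access to document 5
$site = new FakeEtomite(5, true, array(7));
echo renderDocument($site, $member), "\n";

// 3. document permissions in use, member has access to document 5
$site = new FakeEtomite(5, true, array(5, 7));
echo renderDocument($site, $member), "\n";
```

Inside a real snippet you would replace FakeEtomite with the $etomite object the parser provides and $session with $_SESSION; the visitorMaySee() function is the only part that carries over unchanged.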


#33 darren

    Likes Etomite Forums!

  • Member
  • 251 posts

Posted 05 September 2007 - 09:35 PM

Ok here's a nub question. I've read this and the authenticate_visitor thread over and over and can't log in successfully
using 0.6.1 Final (PL:4) (Prelude) both IE/FF, PHP Version 5.1.3, IIS
have user groups, doc groups and user/doc links set up
I have a role created, and a user with that role and permissions for the doc group checked.
I have a document, with Authenticate checked and document group checked under 'permissions'
When I log in with authenticate_visitor nothing happens. it is checking the user/password and captcha correctly, just doesn't give me permission to view the document.

I know this is something easy but I'm missing it, and I'm open for suggestions. willing to pm my login, even. It's just a testing/development site but do want to include this on a site next month. thx

#34 Ralph

    Loves Etomite Forums!

  • Admin
  • 6,507 posts
  • Gender:Male

Posted 05 September 2007 - 09:44 PM

darren, on Sep 5 2007, 05:35 PM, said:

Ok here's a nub question. I've read this and the authenticate_visitor thread over and over and can't log in successfully
using 0.6.1 Final (PL:4) (Prelude) both IE/FF, PHP Version 5.1.3, IIS
have user groups, doc groups and user/doc links set up
I have a role created, and a user with that role and permissions for the doc group checked.
I have a document, with Authenticate checked and document group checked under 'permissions'
When I log in with authenticate_visitor nothing happens. it is checking the user/password and captcha correctly, just doesn't give me permission to view the document.

I know this is something easy but I'm missing it, and I'm open for suggestions. willing to pm my login, even. It's just a testing/development site but do want to include this on a site next month. thx
How about taking baby steps... See if simple authentication works first - then move on to full-blown visitor permissions... Although I haven't written a tutorial on how to work your way through this, it probably wouldn't be a bad idea... But that doesn't mean I have necessarily time to write one this evening either...

First, simple authentication... Do you know if the login is working...??? If so, move on to checking for simple authentication which is based on whether or not a visitor is logged in (authenticated)... Do you get any errors to this point...???

Post back with your results and we can go from there... Worst case scenario, PM me login specs and I'll take a hands-on look at your install...

#35 darren

    Likes Etomite Forums!

  • Member
  • 251 posts

Posted 05 September 2007 - 11:49 PM

I just threw the welcomeGuest snippet on the page since it performs the simple authentication and it will not recognize me as logged in. also tried with loginout just for fun, without success

#36 Cris D.

    Loves Etomite Forums!

  • Developers
  • 1,104 posts
  • Gender:Male

Posted 06 September 2007 - 12:24 AM

If you are talking about my welcomeGuest snippet, it does not perform any kind of login, it simply is a page redirection snippet that first checks if a user is logged in or not to display the required text (login or logout).

What Ralph means from above (I believe) is to simplify your login procedure by doing this:
create a page which is NOT a member of a permissions group, in the "publishing" tab (when editing the page), check the "authenticate" box. Now create a user that has NO permissions assigned to it [EDIT, better still make it an admin level account]. If you log in with this account, can this user view the authenticated page?

This is simple authentication. It does not check a user's permissions or check what permissions a document has, it simply checks if a user has a valid username and password, if so, they can view a simple authenticated page. Get this working first before going on to user and document permissions.

Edited by Cris D., 06 September 2007 - 12:35 AM.


#37 darren

    Likes Etomite Forums!

  • Member
  • 251 posts

Posted 06 September 2007 - 01:19 AM

(Cris D.) If you are talking about my welcomeGuest snippet, it does not perform any kind of login, it simply is a page redirection snippet that first checks if a user is logged in or not to display the required text (login or logout).

Yes, so I was using your snippet to check if I was logged in or not (taking document permissions out of the equation)

(Cris D.) What Ralph means from above (I believe) is to simplify your login procedure by doing this:
create a page which is NOT a member of a permissions group, in the "publishing" tab (when editing the page), check the "authenticate" box. Now create a user that has NO permissions assigned to it [EDIT, better still make it an admin level account]. If you log in with this account, can this user view the authenticated page?

tried this and could not view the authenticated page - with both no permissions and admin level




one thing maybe worth mentioning is that while trying all this, and after trying to log in using authenticate_visitor, I went back to the manager window and tried to edit a page. I got the "you don't have permissions to edit this document" error. so I logged out and back into the manager, and went on to editing. (meaning.....?)

thanks for your time and help with this, I do really appreciate it. I know there's a 'aha!' moment around here somewhere.

D

#38 Cris D.

    Loves Etomite Forums!

  • Developers
  • 1,104 posts
  • Gender:Male

Posted 06 September 2007 - 01:50 AM

Quote

I was using your snippet to check if I was logged in or not
OK, makes sense :)

Quote

I got the "you don't have permissions to edit this document" error

This is not really an error, it is an indication that the page you are trying to view has permissions attached to it and the authentication is working.

I have had problems with testing using different accounts at the same time. Before testing anything, I recommend logging OUT of the manager first and checking your ability to log in with authenticate_visitor, you can't have two windows open in the same browser with different accounts logged in. If you log out of one, it will log out of all (possibly your "error", if you tried logging out using authenticate_visitor in a different window it would log you out of manager also).

You say the captcha is being checked correctly, when you log in are you getting a "logout" button? If not, how do you know it is logging you in if you can't access an authenticated page and welcomeGuest does not show you are logged in?

Try logging in with authenticate_visitor with this as the only page open and ?useCaptcha=0, failing that, I'd let Ralph have a poke around.

Edited by Cris D., 06 September 2007 - 01:59 AM.


#39 darren

    Likes Etomite Forums!

  • Member
  • 251 posts

Posted 06 September 2007 - 02:27 AM

yeah, saying that's an error isn't accurate... my bad.

tried logging out of the manager, dumping temp files/cookies, logging in with authenticate_visitor ( no captcha), still with no success.

captcha is being checked correctly, meaning if I intentionally spell it wrong it catches it, as well as logging in with a bogus user/password.

"when you log in are you getting a "logout" button? If not, how do you know it is logging you in if you can't access an authenticated page and welcomGuest does not show you are logged in?"

- well, I guess I assume I'm being logged in because I get redirected to the success page. However, I don't get a logout button, can't access an authenticated page and welcomeGuest states "welcome: guest" so I'm not technically getting logged in. :( ...sigh

#40 Ralph

    Loves Etomite Forums!

  • Admin
  • 6,507 posts
  • Gender:Male

Posted 06 September 2007 - 01:53 PM

@darren

Exactly which login snippet are you using...??? There are several different ones floating around, all of which have several revisions... I use authenticate_visitor and Login|Logout for my own site and for customer sites without any problems... Most sites use simple authentication but mine uses full permissions authentication... Without checking, I'm pretty sure both snippets have snippet call parameters which control the logout prompt as well as login and logout redirects...

#41 darren

    Likes Etomite Forums!

  • Member
  • 251 posts

Posted 06 September 2007 - 02:04 PM

authenticate_visitor... Last Modified: 2006-04-24 found here: http://www.etomite.com/index.php?showtopic=4867


i've set parameters for use_logout, captcha, and url

#42 Ralph

    Loves Etomite Forums!

  • Admin
  • 6,507 posts
  • Gender:Male

Posted 06 September 2007 - 03:23 PM

darren, on Sep 6 2007, 10:04 AM, said:

authenticate_visitor... Last Modified: 2006-04-24 found here: http://www.etomite.com/index.php?showtopic=4867
i've set parameters for use_logout, captcha, and url
That link should point to: http://www.etomite.com/index.php?ac...ost&id=1660

// Snippet Name: authenticate_visitor
//
// Version: 1.1
//
// Created By: Ralph Dahlgren
//
// Last Modified: 2007-07-02

If you aren't using this newer version, upgrade to it and see if it works better...

#43 Swarm

    Etomite Forum Fan

  • Member
  • 81 posts

Posted 06 September 2007 - 04:12 PM

Ralph, on Sep 6 2007, 04:23 PM, said:

That link should point to: http://www.etomite.com/index.php?ac...ost&id=1660

// Snippet Name: authenticate_visitor
//
// Version: 1.1
//
// Created By: Ralph Dahlgren
//
// Last Modified: 2007-07-02

If you aren't using this newer version, upgrade to it and see if it works better...

How much is different between V1 and 1.1? Having had a quick glance at it - all I notice is the lack of tables in the output. Is there anything else major that we, who use v1, should be aware of?

Cheers,

#44 darren

    Likes Etomite Forums!

  • Member
  • 251 posts

Posted 06 September 2007 - 04:50 PM

no, that didn't do it.
to minimize the 'hand-holding' through this Cris D. will be poking around my install.



Going to do a clean install on another server, linux - and we'll see if I have the same issue.

Edited by darren, 15 September 2007 - 12:44 AM.


#45 darren

    Likes Etomite Forums!

  • Member
  • 251 posts

Posted 24 September 2007 - 03:02 PM

Works perfectly on new/different server... no code changes.

#46 Cris D.

    Loves Etomite Forums!

  • Developers
  • 1,104 posts
  • Gender:Male

Posted 12 October 2007 - 11:26 AM

Quote

That link should point to: http://www.etomite.c...c...ost&id=1660

// Snippet Name: authenticate_visitor
//
// Version: 1.1
//
// Created By: Ralph Dahlgren
//
// Last Modified: 2007-07-02

If you aren't using this newer version, upgrade to it and see if it works better...

This is a dead link...
I've had a search, but don't know which is the latest version or authenticate_visitor...anyone?

#47 pixelstyle

    Etomite Forum Newbie

  • Member
  • 6 posts

Posted 12 October 2007 - 11:36 AM

Cris D., on Oct 12 2007, 02:26 PM, said:

This is a dead link...
I've had a search, but don't know which is the latest version or authenticate_visitor...anyone?

I think this one's the latest. The startpost is updated with the latest version. Just installed it and it works fine in 0.6.1 final PL4.
http://www.etomite.c...?showtopic=4867

#48 deadline

    Etomite Forum Fan

  • Member
  • Pip
  • 68 posts

Posted 23 November 2007 - 10:52 PM

Hi all,

Still having the same problem downloading "loginout.php" attachment file on here...

Is this link broken ?

Ps : can't find this snippet in the New Snippet Gallery, nor via the search engine ;-)
Deadline.

#49 Ralph

    Loves Etomite Forums!

  • Admin
  • 6,507 posts
  • Gender:Male

Posted 24 November 2007 - 02:16 AM

deadline, on Nov 23 2007, 05:52 PM, said:

Hi all,

Still having the same problem downloading "loginout.php" attachment file on here...

Is this link broken ?

Ps : can't find this snippet in the New Snippet Gallery, nor via the search engine ;-)
Deadline.
Here is my most recent copy...
// Login|Logout
//
// For use with Etomite Prelude Final or newer ONLY
//
// Last Modified: 2007-09-17 by Ralph Dahlgren
//
// Purpose: Provides a visitor authentication login interface
//
// Parameters: ( All Are Optional )
//   use_logout: [0=false|1=true]
//   login_url: url to be redirected to on success
//   login_id: id of document to be redirected to on success
//   login_alias: alias of document to be redirected to on success
//   logout_url: url to be redirected to on logout
//   logout_id: id of document to be redirected to on logout
//   logout_alias: alias of document to be redirected to on logout
// Examples of Use:
//   [!Login|Logout!]
//   [!Login|Logout?login_alias=success&use_logout=1&logout_url=http://www.mysite.com!]
//
// Passing no parameters in the snippet call will cause the parser to return
// to the same page on either success or failure
//

// should a logout prompt replace the login prompt [0=false|1=true(default)]
$use_logout = isset($use_logout) ? $use_logout : 1;

// the parser only injects the snippet call parameters that were actually
// passed; default the optional redirect targets to empty strings so the
// tests below never read an undefined variable
$login_url    = isset($login_url)    ? $login_url    : '';
$login_id     = isset($login_id)     ? $login_id     : '';
$login_alias  = isset($login_alias)  ? $login_alias  : '';
$logout_url   = isset($logout_url)   ? $logout_url   : '';
$logout_id    = isset($logout_id)    ? $logout_id    : '';
$logout_alias = isset($logout_alias) ? $logout_alias : '';

// PROCESSING STARTS HERE

// if the user is authenticated and no destination was provided, provide a logout button.
// this conditional code block is optional and can be remarked or bypassed
if($_SESSION['validated'] && $use_logout)
{
  if(isset($_POST['login_logout'])) $etomite->userLogout($logout_url,$logout_id,$logout_alias);

  $output =
<<<LOGOUTFORM
\n
<form action="" method="post">
  <div style="margin:auto auto;">
    <p style="text-align:center;"><input type="submit" name="login_logout" value="Logout" class="button" /> [ {$_SESSION['shortname']} ]</p>
    <p style="text-align:center;"><b>{$_SESSION['fullname']}</b></p>
  </div>
</form>
\n
LOGOUTFORM;

  return $output;
}

// if the form has been submitted, attempt to validate the user
if(isset($_POST['login_logout_submit']))
{

  // get only the forms $_POST variables we want based on the prefix "login_logout_"
  $fields = $etomite->getFormVars($method="POST",$prefix="login_logout_",$trim=1,$REQUEST_METHOD);

  // extract the variable array into plain variables
  extract($fields);

  // prepare a url for redirect upon successful login if no snippet call param was sent
  if(($login_url=="") && ($login_id=="") && ($login_alias=="")) $login_url = $etomite->makeUrl($etomite->documentIdentifier, $alias=0, $args='');

  // perform the user login attempt
  $etomite->userLogin($username,$password,$rememberme,$login_url,$login_id,$login_alias,$use_captcha,$captcha_code=$captcha);

}
else
{
  // if all else fails, generate the user authentication form
  $output =
<<<LOGINFORM
\n
<form id="LoginLogout" action="" method="post">
  <div>
    <table style="width:100%; margin:auto auto;">
      <tr>
        <td><label id="login_logout_username_lbl" for="login_logout_username">Username:</label></td>
        <td><input type="text" id="login_logout_username" name="login_logout_username" value="" /></td>
      </tr>
      <tr>
        <td><label id="login_logout_password_lbl" for="login_logout_password">Password:</label></td>
        <td><input type="password" id="login_logout_password" name="login_logout_password" value="" /></td>
      </tr>
      <tr>
        <td colspan="2" style="text-align:center;"><input type="submit" id="login_logout_submit" name="login_logout_submit" value="Submit" class="button" /></td>
      </tr>
      <tr>
        <td colspan="2" style="text-align:center;"><input type="reset" id="login_logout_reset" name="login_logout_reset" value="Reset" class="button" /></td>
      </tr>
      <tr>
        <td colspan="2" style="text-align:center;"><a href="requestNewPassword.html" title="Request New Password">Forget your password?</a></td>
      </tr>
    </table>
  </div>
</form>
\n
LOGINFORM;

  // return to caller for display
  return stripslashes($output);
}
// THE END
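The snippet above collects the "login_logout_" form fields into an array and then extract()s them into local variables, in the same scope where the snippet call parameters ($login_url, $login_id, $login_alias, $use_logout) already live; extract() turns every posted field name into a local variable, so the two sources of input share one namespace. The following added example (not Ralph's snippet and not Etomite's API) shows the same form handling with the fields read by name instead: collectPrefixedFields() is a stand-in for what getFormVars() is assumed to do (keep the prefixed POST keys, strip the prefix, trim the values), resolveLoginTarget() picks the redirect target from the snippet call parameters alone, and loginRequest() assembles only the credential fields the form actually renders. The $post and $snippetParams arrays are constructed sample input.

```php
<?php
// Added example (not Ralph's Login|Logout snippet, not Etomite's API):
// read the "login_logout_" form fields by name instead of extract()ing them.

// Stand-in for $etomite->getFormVars(). Assumed behaviour: return the
// $post keys that start with $prefix, with the prefix removed and the
// values trimmed. Non-string values (nested arrays) are skipped.
function collectPrefixedFields(array $post, $prefix, $trim = true)
{
    $fields = array();
    $len = strlen($prefix);
    foreach ($post as $key => $value) {
        if (strncmp($key, $prefix, $len) !== 0 || !is_string($value)) {
            continue;
        }
        $fields[substr($key, $len)] = $trim ? trim($value) : $value;
    }
    return $fields;
}

// Pick the post-login destination from the snippet call parameters only,
// in the order the snippet's own comment lists them. The form fields are
// deliberately not consulted, so a posted field cannot stand in for a
// configured parameter. Returns array(parameter name, value); with no
// parameter set, the current document is the target, as in the snippet.
function resolveLoginTarget(array $params, $currentDocUrl)
{
    foreach (array('login_url', 'login_id', 'login_alias') as $name) {
        if (isset($params[$name]) && $params[$name] !== '') {
            return array($name, $params[$name]);
        }
    }
    return array('login_url', $currentDocUrl);
}

// Gather the credential fields the login form renders, defaulting the
// optional ones explicitly instead of relying on extract().
function loginRequest(array $fields)
{
    return array(
        'username'   => isset($fields['username']) ? $fields['username'] : '',
        'password'   => isset($fields['password']) ? $fields['password'] : '',
        'rememberme' => !empty($fields['rememberme']) ? 1 : 0,
    );
}

// --- constructed sample input (not a real request) ------------------------
$snippetParams = array('login_alias' => 'success', 'use_logout' => 1);
$post = array(
    'login_logout_username'  => ' alice ',
    'login_logout_password'  => 'hunter2',
    'login_logout_submit'    => 'Submit',
    'login_logout_login_url' => 'http://example.invalid/',  // not a parameter; ignored
    'unrelated_field'        => 'x',                        // wrong prefix; dropped
);

$fields  = collectPrefixedFields($post, 'login_logout_');
$request = loginRequest($fields);
list($kind, $target) = resolveLoginTarget($snippetParams, '/index.php?id=1');

// In the real snippet these values would go to $etomite->userLogin();
// here they are only reported.
printf("username=%s rememberme=%d\n", $request['username'], $request['rememberme']);
printf("redirect via %s => %s\n", $kind, $target);
printf("fields kept: %s\n", implode(', ', array_keys($fields)));
```

The split between $snippetParams and $fields is the whole point: the redirect target and the logout switch come from the page author's snippet call, the username and password come from the visitor, and nothing the visitor posts can be mistaken for the former.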


#50 darren

    Likes Etomite Forums!

  • Member
  • PipPip
  • 251 posts

Posted 11 December 2008 - 09:19 PM

can we set a visitor to be logged out after a set amount of time? I thought i had seen a setting for this in one of the snippets here but cant find it in authenticate_visitor.... not to say it isn't there.




