Thread: Change to community logins

Change to community logins

From
Magnus Hagander
Date:
I've done some minor hacking on some changes to the community login
system, based on nagging (eh, sorry, feedback) from mainly JD ;-)

Specifically, not using http auth, but instead using forms auth and a
session cookie. This is so we can eventually have a separate login link
for those who don't understand systems that ask you to login only when a
login is necessary.

It will also make it possible to have pages change depending on if
you're logged in or not - but that requires code to run on wwwmaster,
which we're trying to avoid, so I'm not sure much of that will happen...

Anyway. Attached is a patch that does this, you can test the system out
on http://magnus-master.pgadmin.org. Thoughts and comments?

//Magnus
Index: handler.php
===================================================================
RCS file: /usr/local/cvsroot/pgweb/portal/system/handler.php,v
retrieving revision 1.20
diff -c -r1.20 handler.php
*** handler.php    12 Mar 2007 14:51:43 -0000    1.20
--- handler.php    12 Aug 2007 12:45:05 -0000
***************
*** 25,30 ****
--- 25,35 ----

  require_once './global/settings.php';

+ // Override config that really must be set
+ ini_set('session.use_cookies','1');
+ ini_set('session.use_only_cookies','1');
+
+
  try {
      if (isset($_GET['page']) && $_GET['page'] == 'submitthanks') {
          // Special case. Ugly, but backwards compatible ;-)
Index: form/login.php
===================================================================
RCS file: form/login.php
diff -N form/login.php
*** /dev/null    1 Jan 1970 00:00:00 -0000
--- form/login.php    12 Aug 2007 12:45:05 -0000
***************
*** 0 ****
--- 1,54 ----
+ <?php
+ class Form_Login extends PgForm {
+    function __construct() {
+       $this->title = 'Community login';
+    }
+
+    function SetupForm() {
+       $this->form->addElement('static',     null, null, gettext("Accessing this resource requires a community login.
Moretext to go here in a bit")); 
+       if (isset($_GET['badpwd']) && $_GET['badpwd'] == '1') {
+           $this->form->addElement('static', null, null, '<font color="red">' . gettext("Userid or password was
incorrect.Please try again.") . '</font>'); 
+       }
+
+       $this->form->addElement('text',       'userid', gettext("Userid:"), array('size' => 40, 'maxlength' => 100));
+       $this->form->addElement('password',   'password', gettext("Password:"), array('size' => 40, 'maxlength' =>
100));
+       $this->form->addElement('hidden', 'p', isset($_GET['p'])?$_GET['p']:'');
+
+       // Make the fields required
+       $this->form->addRule('userid', gettext("The userid is required."), 'required', null, 'client');
+       $this->form->addRule('password', gettext("The password is required."), 'required', null, 'client');
+    }
+
+    function ProcessForm($f) {
+         global $_SETTINGS;
+
+         $rs = $this->pg_query_params("SELECT userid,fullname,email,authorblurb,communitydoc_superuser FROM users
WHEREuserid=$1 AND password=$2", array($f['userid'], $f['password'])); 
+         if (pg_num_rows($rs) != 1) {
+             if (isset($f['p'])) {
+                 header('Location: /login?badpwd=1&p=' . urlencode($f['p']));
+             }
+             else {
+                 header('Location: /login?badpwd=1');
+             }
+             exit(0);
+         }
+
+         session_start();
+         $this->userinfo = pg_fetch_assoc($rs);
+         foreach ($this->userinfo as $key=>$val) {
+             $_SESSION[$key] = $val;
+         }
+         $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
+         if ($f['p']) {
+             header('Location: ' . $f['p']);
+         }
+         else {
+             header('Location: /');
+         }
+         exit(0);
+    }
+
+    function RenderThanks() {
+    }
+ }
+ ?>
Index: global/dispatcher.php
===================================================================
RCS file: /usr/local/cvsroot/pgweb/portal/system/global/dispatcher.php,v
retrieving revision 1.2
diff -c -r1.2 dispatcher.php
*** global/dispatcher.php    26 Apr 2007 13:23:08 -0000    1.2
--- global/dispatcher.php    12 Aug 2007 12:45:05 -0000
***************
*** 51,56 ****
--- 51,57 ----
          case 'docs/techdocs': return new Page_CommunityDocs('docs',$pargs[0],0,count($pargs)>1?$pargs[1]:null);
          case 'download/mirrors-ftp': return new Page_Mirrors();
          case 'developer/ext': return new Page_FAQ($pargs[1],'developer');
+         case 'login': return new Form_Login();
          case 'search': return new Page_Search();
          case 'support/newprof': return new Form_NewProfService();
          case 'support/submitbug': return new Form_SubmitBug();
Index: global/pgpage.php
===================================================================
RCS file: /usr/local/cvsroot/pgweb/portal/system/global/pgpage.php,v
retrieving revision 1.4
diff -c -r1.4 pgpage.php
*** global/pgpage.php    12 Mar 2007 16:00:46 -0000    1.4
--- global/pgpage.php    12 Aug 2007 12:45:06 -0000
***************
*** 190,224 ****
     }

     function ValidateLogin() {
!        if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']))
!        {
!            $u = $_SERVER['PHP_AUTH_USER'];
!            $p = $_SERVER['PHP_AUTH_PW'];
!
!            if ($u != pg_escape_string($u))
!                throw new Exception('Invalid character in username');

!            $res = $this->pg_query_params("SELECT userid,fullname,email,authorblurb,communitydoc_superuser FROM users
WHEREuserid=$1 AND password=$2", array($u, $p)); 
!            if (pg_num_rows($res) == 1)
!            {
!                // Both user and password matched, so return.
!                $this->userinfo = pg_fetch_assoc($res);
!                return true;
             }
-            // Otherwise, fall-through to requiring authentication again
-        }

!        // Indicate we need a login
!        header('HTTP/1.0 401 Unauthorized');
!        header('WWW-Authenticate: Basic realm="PostgreSQL Community Login"');

!        // Build a login page using our templates, if we can
!        $pgpnew = new Page_Static('community/requirelogin');
!        $pgpnew->SetLanguage($this->language, $this->language_direction);
!        $pgpnew->PreRender();
!        $pgpnew->DoRender();
!        $pgpnew->Show();
!        exit(0);
     }
  }

--- 190,218 ----
     }

     function ValidateLogin() {
!        session_start();
!        if ($this->check_login()) {
!            return;
!        }
!        // User not authenticated, redirect to login form
!        header('Location: /login?p=' . $this->url);
!        exit(0);
!    }

!    function check_login() {
!        if (isset($_SESSION['userid'])) {
!            if ($_SESSION['ip'] != $_SERVER['REMOTE_ADDR']) {
!                // Different IP, so require a login again
!                return false;
             }

!            // Copy the whole session - easier that way
!            $this->userinfo = $_SESSION;
!            return true; // Authentication succeeded
!        }

!        // No session = not logged in
!        return false;
     }
  }


Re: Change to community logins

From
"Joshua D. Drake"
Date:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Magnus Hagander wrote:
> I've done some minor hacking on some changes to the community login
> system, based on nagging (eh, sorry, feedback) from mainly JD ;-)

I love you man :)

> 
> Specifically, not using http auth, but instead using forms auth and a
> session cookie. This is so we can eventually have a separate login link
> for those who don't understand systems that ask you to login only when a
> login is necessary.
> 
> It will also make it possible to have pages change depending on if
> you're logged in or not - but that requires code to run on wwwmaster,
> which we're trying to avoid, so I'm not sure much of that will happen...

We should talk about this. I have some ideas that would make this very
possible.


> 
> Anyway. Attached is a patch that does this, you can test the system out
> on http://magnus-master.pgadmin.org. Thoughts and comments?

Well since you brought me into it ;)


$this->form->addElement('static', null, null, '<font color="red">' .
gettext("Userid or password was incorrect. Please try again.") . '</font>');


This should be calling to the stylesheet ;)

Have we fixed the "other" problem with session management?

Joshua D. Drake

> 
> //Magnus

- --
     === The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564   24x7/Emergency: +1.800.492.2240
PostgreSQL solutions since 1997  http://www.commandprompt.com/        UNIQUE NOT NULL
Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
PostgreSQL Replication: http://www.commandprompt.com/products/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGvxqwATb/zqfZUUQRAtsNAJ0WceT3JWcDyVAAUOCLR1doNi5GMQCfcnZT
b2H3CRIGiV9SP6efYn9az/0=
=Lrwk
-----END PGP SIGNATURE-----


Re: Change to community logins

From
Magnus Hagander
Date:
Joshua D. Drake wrote:
> Magnus Hagander wrote:
>> I've done some minor hacking on some changes to the community login
>> system, based on nagging (eh, sorry, feedback) from mainly JD ;-)
> 
> I love you man :)

:-)


>> Specifically, not using http auth, but instead using forms auth and a
>> session cookie. This is so we can eventually have a separate login link
>> for those who don't understand systems that ask you to login only when a
>> login is necessary.
> 
>> It will also make it possible to have pages change depending on if
>> you're logged in or not - but that requires code to run on wwwmaster,
>> which we're trying to avoid, so I'm not sure much of that will happen...
> 
> We should talk about this. I have some ideas that would make this very
> possible.

Yeah, but it's a separate issue. But this changes makes it possible to
look into that in the future, yes.


>> Anyway. Attached is a patch that does this, you can test the system out
>> on http://magnus-master.pgadmin.org. Thoughts and comments?
> 
> Well since you brought me into it ;)

;-)


> $this->form->addElement('static', null, null, '<font color="red">' .
> gettext("Userid or password was incorrect. Please try again.") . '</font>');
> 
> 
> This should be calling to the stylesheet ;)

Yeah, if I knew how :) The HTML Quickforms stuff is very inflexible.

> Have we fixed the "other" problem with session management?

No. That's next step.

//Magnus


Re: Change to community logins

From
Jeff MacDonald
Date:
greetings!

On Sunday 12 August 2007 10:34 am, Magnus Hagander wrote:
[...snipped...]
> > $this->form->addElement('static', null, null, '<font color="red">' .
> > gettext("Userid or password was incorrect. Please try again.") .
> > '</font>');
> >
> >
> > This should be calling to the stylesheet ;)
>
> Yeah, if I knew how :) The HTML Quickforms stuff is very inflexible.
>

I am not convinced that QF is all that inflexible. try putting something into 
the "attributes" argument for the "static" element constructor:

void constructor HTML_QuickForm_element::HTML_QuickForm_element ([string 
$elementName = NULL [, mixed $elementLabel = NULL [, mixed $attributes = 
NULL]]])

that last parameter just might do what you want.

regards,
-- 
Jeff MacDonald, 
Zoid Technologies <http://zoidtechnologies.com/>
"Web Applications That Suck Less"


Re: Change to community logins

From
Magnus Hagander
Date:
Jeff MacDonald wrote:
> greetings!
> 
> On Sunday 12 August 2007 10:34 am, Magnus Hagander wrote:
> [...snipped...]
>>> $this->form->addElement('static', null, null, '<font color="red">' .
>>> gettext("Userid or password was incorrect. Please try again.") .
>>> '</font>');
>>>
>>>
>>> This should be calling to the stylesheet ;)
>> Yeah, if I knew how :) The HTML Quickforms stuff is very inflexible.
>>
> 
> I am not convinced that QF is all that inflexible. try putting something into 
> the "attributes" argument for the "static" element constructor:
> 
> void constructor HTML_QuickForm_element::HTML_QuickForm_element ([string 
> $elementName = NULL [, mixed $elementLabel = NULL [, mixed $attributes = 
> NULL]]])
> 
> that last parameter just might do what you want.

I tried just about every combination I could think of for that, and
didn't manage :-( But if someone knows a way to get it done, I'd
certainly prefer that.

//Magnus


Re: Change to community logins

From
Magnus Hagander
Date:
Alexey Borzov wrote:
> Hi,
> 
> Magnus Hagander wrote:
>>> $this->form->addElement('static', null, null, '<font color="red">' .
>>> gettext("Userid or password was incorrect. Please try again.") .
>>> '</font>');
>>>
>>>
>>> This should be calling to the stylesheet ;)
>>
>> Yeah, if I knew how :) The HTML Quickforms stuff is very inflexible.
> 
> Well, it may be inflexible but why aren't you displayiing that as an
> error message in the first place?

I probably would, if I had any idea how to do that. Haven't been able to
find any docs at all about that. Got any good pointers?

> Also you can map element -> template
> block so that your message will be displayed in whatever style you want.

That I think I know how to do, really. Will look at that.

//Magnus



Re: Change to community logins

From
Alexey Borzov
Date:
Hi,

Magnus Hagander wrote:
>> $this->form->addElement('static', null, null, '<font color="red">' .
>> gettext("Userid or password was incorrect. Please try again.") . '</font>');
>>
>>
>> This should be calling to the stylesheet ;)
> 
> Yeah, if I knew how :) The HTML Quickforms stuff is very inflexible.

Well, it may be inflexible but why aren't you displayiing that as an error 
message in the first place? Also you can map element -> template block so that 
your message will be displayed in whatever style you want.


Re: Change to community logins

From
Alexey Borzov
Date:
Hi,

Magnus Hagander wrote:
>>>> $this->form->addElement('static', null, null, '<font color="red">' .
>>>> gettext("Userid or password was incorrect. Please try again.") .
>>>> '</font>');
>>>>
>>>>
>>>> This should be calling to the stylesheet ;)
>>> Yeah, if I knew how :) The HTML Quickforms stuff is very inflexible.
>> Well, it may be inflexible but why aren't you displayiing that as an
>> error message in the first place?
> 
> I probably would, if I had any idea how to do that. Haven't been able to
> find any docs at all about that. Got any good pointers?

That's probably what you are looking for:
http://pear.php.net/manual/en/package.html.html-quickform.html-quickform.setelementerror.php

>> Also you can map element -> template
>> block so that your message will be displayed in whatever style you want.
> 
> That I think I know how to do, really. Will look at that.

Whatever approach you choose, the markup may be kept in the template.


Re: Change to community logins

From
Magnus Hagander
Date:
On Tue, Aug 14, 2007 at 01:26:38AM +0400, Alexey Borzov wrote:
> Hi,
> 
> Magnus Hagander wrote:
> >>>>$this->form->addElement('static', null, null, '<font color="red">' .
> >>>>gettext("Userid or password was incorrect. Please try again.") .
> >>>>'</font>');
> >>>>
> >>>>
> >>>>This should be calling to the stylesheet ;)
> >>>Yeah, if I knew how :) The HTML Quickforms stuff is very inflexible.
> >>Well, it may be inflexible but why aren't you displayiing that as an
> >>error message in the first place?
> >
> >I probably would, if I had any idea how to do that. Haven't been able to
> >find any docs at all about that. Got any good pointers?
> 
> That's probably what you are looking for:
> http://pear.php.net/manual/en/package.html.html-quickform.html-quickform.setelementerror.php

That worked. Thanks!

//Magnus