Thread: Change to community logins
I've done some minor hacking on some changes to the community login system, based on nagging (eh, sorry, feedback) from mainly JD ;-) Specifically, not using http auth, but instead using forms auth and a session cookie. This is so we can eventually have a separate login link for those who don't understand systems that ask you to login only when a login is necessary. It will also make it possible to have pages change depending on if you're logged in or not - but that requires code to run on wwwmaster, which we're trying to avoid, so I'm not sure much of that will happen... Anyway. Attached is a patch that does this, you can test the system out on http://magnus-master.pgadmin.org. Thoughts and comments? //Magnus Index: handler.php =================================================================== RCS file: /usr/local/cvsroot/pgweb/portal/system/handler.php,v retrieving revision 1.20 diff -c -r1.20 handler.php *** handler.php 12 Mar 2007 14:51:43 -0000 1.20 --- handler.php 12 Aug 2007 12:45:05 -0000 *************** *** 25,30 **** --- 25,35 ---- require_once './global/settings.php'; + // Override config that really must be set + ini_set('session.use_cookies','1'); + ini_set('session.use_only_cookies','1'); + + try { if (isset($_GET['page']) && $_GET['page'] == 'submitthanks') { // Special case. Ugly, but backwards compatible ;-) Index: form/login.php =================================================================== RCS file: form/login.php diff -N form/login.php *** /dev/null 1 Jan 1970 00:00:00 -0000 --- form/login.php 12 Aug 2007 12:45:05 -0000 *************** *** 0 **** --- 1,54 ---- + <?php + class Form_Login extends PgForm { + function __construct() { + $this->title = 'Community login'; + } + + function SetupForm() { + $this->form->addElement('static', null, null, gettext("Accessing this resource requires a community login. Moretext to go here in a bit")); + if (isset($_GET['badpwd']) && $_GET['badpwd'] == '1') { + $this->form->addElement('static', null, null, '<font color="red">' . gettext("Userid or password was incorrect.Please try again.") . '</font>'); + } + + $this->form->addElement('text', 'userid', gettext("Userid:"), array('size' => 40, 'maxlength' => 100)); + $this->form->addElement('password', 'password', gettext("Password:"), array('size' => 40, 'maxlength' => 100)); + $this->form->addElement('hidden', 'p', isset($_GET['p'])?$_GET['p']:''); + + // Make the fields required + $this->form->addRule('userid', gettext("The userid is required."), 'required', null, 'client'); + $this->form->addRule('password', gettext("The password is required."), 'required', null, 'client'); + } + + function ProcessForm($f) { + global $_SETTINGS; + + $rs = $this->pg_query_params("SELECT userid,fullname,email,authorblurb,communitydoc_superuser FROM users WHEREuserid=$1 AND password=$2", array($f['userid'], $f['password'])); + if (pg_num_rows($rs) != 1) { + if (isset($f['p'])) { + header('Location: /login?badpwd=1&p=' . urlencode($f['p'])); + } + else { + header('Location: /login?badpwd=1'); + } + exit(0); + } + + session_start(); + $this->userinfo = pg_fetch_assoc($rs); + foreach ($this->userinfo as $key=>$val) { + $_SESSION[$key] = $val; + } + $_SESSION['ip'] = $_SERVER['REMOTE_ADDR']; + if ($f['p']) { + header('Location: ' . $f['p']); + } + else { + header('Location: /'); + } + exit(0); + } + + function RenderThanks() { + } + } + ?> Index: global/dispatcher.php =================================================================== RCS file: /usr/local/cvsroot/pgweb/portal/system/global/dispatcher.php,v retrieving revision 1.2 diff -c -r1.2 dispatcher.php *** global/dispatcher.php 26 Apr 2007 13:23:08 -0000 1.2 --- global/dispatcher.php 12 Aug 2007 12:45:05 -0000 *************** *** 51,56 **** --- 51,57 ---- case 'docs/techdocs': return new Page_CommunityDocs('docs',$pargs[0],0,count($pargs)>1?$pargs[1]:null); case 'download/mirrors-ftp': return new Page_Mirrors(); case 'developer/ext': return new Page_FAQ($pargs[1],'developer'); + case 'login': return new Form_Login(); case 'search': return new Page_Search(); case 'support/newprof': return new Form_NewProfService(); case 'support/submitbug': return new Form_SubmitBug(); Index: global/pgpage.php =================================================================== RCS file: /usr/local/cvsroot/pgweb/portal/system/global/pgpage.php,v retrieving revision 1.4 diff -c -r1.4 pgpage.php *** global/pgpage.php 12 Mar 2007 16:00:46 -0000 1.4 --- global/pgpage.php 12 Aug 2007 12:45:06 -0000 *************** *** 190,224 **** } function ValidateLogin() { ! if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) ! { ! $u = $_SERVER['PHP_AUTH_USER']; ! $p = $_SERVER['PHP_AUTH_PW']; ! ! if ($u != pg_escape_string($u)) ! throw new Exception('Invalid character in username'); ! $res = $this->pg_query_params("SELECT userid,fullname,email,authorblurb,communitydoc_superuser FROM users WHEREuserid=$1 AND password=$2", array($u, $p)); ! if (pg_num_rows($res) == 1) ! { ! // Both user and password matched, so return. ! $this->userinfo = pg_fetch_assoc($res); ! return true; } - // Otherwise, fall-through to requiring authentication again - } ! // Indicate we need a login ! header('HTTP/1.0 401 Unauthorized'); ! header('WWW-Authenticate: Basic realm="PostgreSQL Community Login"'); ! // Build a login page using our templates, if we can ! $pgpnew = new Page_Static('community/requirelogin'); ! $pgpnew->SetLanguage($this->language, $this->language_direction); ! $pgpnew->PreRender(); ! $pgpnew->DoRender(); ! $pgpnew->Show(); ! exit(0); } } --- 190,218 ---- } function ValidateLogin() { ! session_start(); ! if ($this->check_login()) { ! return; ! } ! // User not authenticated, redirect to login form ! header('Location: /login?p=' . $this->url); ! exit(0); ! } ! function check_login() { ! if (isset($_SESSION['userid'])) { ! if ($_SESSION['ip'] != $_SERVER['REMOTE_ADDR']) { ! // Different IP, so require a login again ! return false; } ! // Copy the whole session - easier that way ! $this->userinfo = $_SESSION; ! return true; // Authentication succeeded ! } ! // No session = not logged in ! return false; } }
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Magnus Hagander wrote: > I've done some minor hacking on some changes to the community login > system, based on nagging (eh, sorry, feedback) from mainly JD ;-) I love you man :) > > Specifically, not using http auth, but instead using forms auth and a > session cookie. This is so we can eventually have a separate login link > for those who don't understand systems that ask you to login only when a > login is necessary. > > It will also make it possible to have pages change depending on if > you're logged in or not - but that requires code to run on wwwmaster, > which we're trying to avoid, so I'm not sure much of that will happen... We should talk about this. I have some ideas that would make this very possible. > > Anyway. Attached is a patch that does this, you can test the system out > on http://magnus-master.pgadmin.org. Thoughts and comments? Well since you brought me into it ;) $this->form->addElement('static', null, null, '<font color="red">' . gettext("Userid or password was incorrect. Please try again.") . '</font>'); This should be calling to the stylesheet ;) Have we fixed the "other" problem with session management? Joshua D. Drake > > //Magnus - -- === The PostgreSQL Company: Command Prompt, Inc. === Sales/Support: +1.503.667.4564 24x7/Emergency: +1.800.492.2240 PostgreSQL solutions since 1997 http://www.commandprompt.com/ UNIQUE NOT NULL Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate PostgreSQL Replication: http://www.commandprompt.com/products/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGvxqwATb/zqfZUUQRAtsNAJ0WceT3JWcDyVAAUOCLR1doNi5GMQCfcnZT b2H3CRIGiV9SP6efYn9az/0= =Lrwk -----END PGP SIGNATURE-----
Joshua D. Drake wrote: > Magnus Hagander wrote: >> I've done some minor hacking on some changes to the community login >> system, based on nagging (eh, sorry, feedback) from mainly JD ;-) > > I love you man :) :-) >> Specifically, not using http auth, but instead using forms auth and a >> session cookie. This is so we can eventually have a separate login link >> for those who don't understand systems that ask you to login only when a >> login is necessary. > >> It will also make it possible to have pages change depending on if >> you're logged in or not - but that requires code to run on wwwmaster, >> which we're trying to avoid, so I'm not sure much of that will happen... > > We should talk about this. I have some ideas that would make this very > possible. Yeah, but it's a separate issue. But this changes makes it possible to look into that in the future, yes. >> Anyway. Attached is a patch that does this, you can test the system out >> on http://magnus-master.pgadmin.org. Thoughts and comments? > > Well since you brought me into it ;) ;-) > $this->form->addElement('static', null, null, '<font color="red">' . > gettext("Userid or password was incorrect. Please try again.") . '</font>'); > > > This should be calling to the stylesheet ;) Yeah, if I knew how :) The HTML Quickforms stuff is very inflexible. > Have we fixed the "other" problem with session management? No. That's next step. //Magnus
greetings!
On Sunday 12 August 2007 10:34 am, Magnus Hagander wrote:
[...snipped...]
> > $this->form->addElement('static', null, null, '<font color="red">' .
> > gettext("Userid or password was incorrect. Please try again.") .
> > '</font>');
> >
> >
> > This should be calling to the stylesheet ;)
>
> Yeah, if I knew how :) The HTML Quickforms stuff is very inflexible.
>
I am not convinced that QF is all that inflexible. try putting something into
the "attributes" argument for the "static" element constructor:
void constructor HTML_QuickForm_element::HTML_QuickForm_element ([string
$elementName = NULL [, mixed $elementLabel = NULL [, mixed $attributes =
NULL]]])
that last parameter just might do what you want.
regards,
--
Jeff MacDonald,
Zoid Technologies <http://zoidtechnologies.com/>
"Web Applications That Suck Less"
Jeff MacDonald wrote:
> greetings!
>
> On Sunday 12 August 2007 10:34 am, Magnus Hagander wrote:
> [...snipped...]
>>> $this->form->addElement('static', null, null, '<font color="red">' .
>>> gettext("Userid or password was incorrect. Please try again.") .
>>> '</font>');
>>>
>>>
>>> This should be calling to the stylesheet ;)
>> Yeah, if I knew how :) The HTML Quickforms stuff is very inflexible.
>>
>
> I am not convinced that QF is all that inflexible. try putting something into
> the "attributes" argument for the "static" element constructor:
>
> void constructor HTML_QuickForm_element::HTML_QuickForm_element ([string
> $elementName = NULL [, mixed $elementLabel = NULL [, mixed $attributes =
> NULL]]])
>
> that last parameter just might do what you want.
I tried just about every combination I could think of for that, and
didn't manage :-( But if someone knows a way to get it done, I'd
certainly prefer that.
//Magnus
Alexey Borzov wrote:
> Hi,
>
> Magnus Hagander wrote:
>>> $this->form->addElement('static', null, null, '<font color="red">' .
>>> gettext("Userid or password was incorrect. Please try again.") .
>>> '</font>');
>>>
>>>
>>> This should be calling to the stylesheet ;)
>>
>> Yeah, if I knew how :) The HTML Quickforms stuff is very inflexible.
>
> Well, it may be inflexible but why aren't you displayiing that as an
> error message in the first place?
I probably would, if I had any idea how to do that. Haven't been able to
find any docs at all about that. Got any good pointers?
> Also you can map element -> template
> block so that your message will be displayed in whatever style you want.
That I think I know how to do, really. Will look at that.
//Magnus
Hi,
Magnus Hagander wrote:
>> $this->form->addElement('static', null, null, '<font color="red">' .
>> gettext("Userid or password was incorrect. Please try again.") . '</font>');
>>
>>
>> This should be calling to the stylesheet ;)
>
> Yeah, if I knew how :) The HTML Quickforms stuff is very inflexible.
Well, it may be inflexible but why aren't you displayiing that as an error
message in the first place? Also you can map element -> template block so that
your message will be displayed in whatever style you want.
Hi,
Magnus Hagander wrote:
>>>> $this->form->addElement('static', null, null, '<font color="red">' .
>>>> gettext("Userid or password was incorrect. Please try again.") .
>>>> '</font>');
>>>>
>>>>
>>>> This should be calling to the stylesheet ;)
>>> Yeah, if I knew how :) The HTML Quickforms stuff is very inflexible.
>> Well, it may be inflexible but why aren't you displayiing that as an
>> error message in the first place?
>
> I probably would, if I had any idea how to do that. Haven't been able to
> find any docs at all about that. Got any good pointers?
That's probably what you are looking for:
http://pear.php.net/manual/en/package.html.html-quickform.html-quickform.setelementerror.php
>> Also you can map element -> template
>> block so that your message will be displayed in whatever style you want.
>
> That I think I know how to do, really. Will look at that.
Whatever approach you choose, the markup may be kept in the template.
On Tue, Aug 14, 2007 at 01:26:38AM +0400, Alexey Borzov wrote:
> Hi,
>
> Magnus Hagander wrote:
> >>>>$this->form->addElement('static', null, null, '<font color="red">' .
> >>>>gettext("Userid or password was incorrect. Please try again.") .
> >>>>'</font>');
> >>>>
> >>>>
> >>>>This should be calling to the stylesheet ;)
> >>>Yeah, if I knew how :) The HTML Quickforms stuff is very inflexible.
> >>Well, it may be inflexible but why aren't you displayiing that as an
> >>error message in the first place?
> >
> >I probably would, if I had any idea how to do that. Haven't been able to
> >find any docs at all about that. Got any good pointers?
>
> That's probably what you are looking for:
> http://pear.php.net/manual/en/package.html.html-quickform.html-quickform.setelementerror.php
That worked. Thanks!
//Magnus