Is there a setting somewhere to use the authenticated user information instead of forcing user entry, or do I have to go through the process of creating a custom forum layout to accomplish this?
You don't need a custom layout, you can simply modify the out of the box one.
Related
When a user tries to log in but fails with a bad password and then clicks the forgot password link, they are directed to a URL containing their PII email.
The hint is not injected until the link is clicked, so it can probably be fudged with some custom JS, but we would like to use configuration rather than customisation..
e.g.
https://b2ctenant.b2clogin.com/b2ctenant.onmicrosoft.com/B2C_1A_customflow/api/CombinedSigninAndSignup/forgotPassword?csrf_token=xxxx&tx=StateProperties=xxxx&p=B2C_1A_customflow&hint=blablablah#example.com
This PII has potential to be captured/logged/etc, which we would really like to avoid.
So, can we turn that off?
Yes, we understand this is a convenience/quality-of-life feature to help clients, but revealing their PII seems a poor trade-off.
If you initiate Password Reset by clicking on the "Forgot your password?" link at the sign-in page, clicking this link doesn't automatically trigger a password reset user flow. Instead, the error code AADB2C90118 is returned to your application. Your application needs to handle this error code by running a specific user flow that resets the password. You should be able to handle the URL and forgot password from the application.
The Azure AD B2C guidelines for using custom JS (https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-flow-javascript-overview#guidelines-for-using-javascript) direct prohibit binding the click event on anchors/links, but we can use the mousedown event.
With that, we can use a JS snippet as below to clear the signInName field, and so prevent the link from containing the hint parameter:
$("#forgotPassword").mousedown(function () {
$("#signInName").val("");
});
This addresses the issue with customisation, so now we wait to see if we can replace it with an official configuration option.
I have a full website with two contexts for two different languages. The only public page is the landing page of both languages. The rest should be private/protected. This I have achieved with resource groups and limits on the anonymous users.
On the landing page all the menu entries that are protected should be seen by the anonymous user and if clicked a popup with two login-forms should be displayed. These login-form are from other sites and will return if the users has permission or not when they've entered their credentials. And as long as this session exists the user should be able to view all pages if the user was approved of course.
My guess as a non modx- or php- pro is that I should check if a session exists when the landing page is loaded (and all sub-pages). If no user is logged in all links will point to the popup. The user then logs in, sends info to the external server and is redirected to the private/protected landing page if successful. And this is what I can't find any info about, probably because I'm not entirely sure what to look for.
I need one snippet that checks if a valid session exists for the protected pages, if not display the logins.
The other code I would need is something that creates the session for the user if the external login was successful. Should this be a snippet or just a php document on the server. And how can I start a session for the protected pages?
You could do this in two different ways:
Make a user-system that is not connected to Modx. I find this the easies and I've done this several times before. You'll need to make a table for users with usernames and password, and make an object out of it, so you can use xpdo to do the queries. With this system up and running, it would be no problem to include a snippet in every template to make sure the user is indeed logged in. If not, just redirect him to the correct frontpage/landingpage. This will require some coding, but as I said, it works like a charm.
Download the snippet http://modx.com/extras/package/login (by Spittingred, a true legend), and look at the code. I haven't used this Extra before, but I am pretty sure it uses the same user-system as Modx, and therefor you should be able to achieve what you want. I can't give you any more help than "look at the source and figure out how Spittingred did it".
MODX Revolution checks if the user is logged in when trying to access a protected page, but if you would like to check it manually this snippet would do:
if (!$modx->user->hasSessionContext($modx->context->get('key'))) {
$modx->sendUnauthorizedPage(); // redirect to the informative page for non-logged users
}
If you need to check for the user being logged in and display a login popup if not, then using the output modifier with simple user id check may work:
[[+modx.user.id:if=`[[+modx.user.id]]`:eq:=`0`:then=`Not logged in`:else=`logged in`]]
When it goes to the session creation for the users authenticated from outside of MODX site, I would suggest to write a snippet which checks the status from the eternal page and logs user in. This way the session checking will be ommited but still, the functionality goal should be achieved.
On the panel pages for my user profiles, the titles for each user are their usernames (such as jblow for Joe Blow). The uid is passed to the page and, presently the title is set to %user:name. Is there some way I can use tokens, or some other solution, to get the users specific first and last name to the profile page?
I am using the core profile module, as well, if that helps.
Maybe you can check this modules:
http://drupal.org/project/token_custom
http://drupal.org/project/token_profile
In my Play application, I've added Secure module. But I haven't found a way to check user profile in views. For example, one of the possible roles is "admin". When viewing certain pages, a button should be visible to admin's only. How to do that?
My first idea was to check session variable but I found nothing there. Security object is not available in views. Then I thought about putting data in there by overriding onAuthenticated method in my authentification controller, but I'm not sure that is the best way to proceed.
What do you think?
If you have your own security module that extends controller.secure.Security, then within your view you can do this:
#{if controllers.MySecurity.check("isAdmin") }
...template code...
#{/if}
Have you seen the deadbolt module for role checking?
http://www.playframework.org/modules/deadbolt-1.0/home
I have to login a user through drupal code having userID... basically the scenario is that I have registered a user through e-mail verification. when user clicks the link given in email he/she become active. Now I need to implement that along with becoming user active, he/she should be logged in automatically. I think i made my point clear. Any idea??
Thanks
Check out the User module, specifically the user_external_login and user_authenticate_finalize functions. You can either call those functions or use them as the basis for creating your own functions.
On a related note, there's not enough detail in your question to know for sure, but it sounds like you might be duplicating functionality already in the User module. If you're new to Drupal, you may want to make sure you can't accomplish what you need to do with the existing options under User management > User settings.