I'm making a log-in form where it will be compared to the database and the information that will be shown on the main form would be based on the user logged in.
I was thinking of using a variable that would be passed from the log-in form into the main form. Can this solve my problem, or is there another method that might seem to be more appropriate?
Can this solve your problem? Yes.
However, it would be easier to check the database directly from the login form, then call the main form if the user has correct credentials.
I have a simple problem and I'm looking for what kind of control I can write on the server side to avoid this case:
Via a form, the user can submit answers to a survey. When sending answers to the server, it therefore transmits the list of answers as well as the id of the survey. But nothing prevents him from modifying the id of the survey to put the answers on another survey... I don't see how to prevent that?
You can't prevent users from changing the ID. However, there are ways to make sure that they can't do something nefarious by changing the ID:
Use long random IDs that are effectively unguessable. Then changing the ID will not submit to a different survey, but show an error.
Use login authentication and make sure that users have the correct permissions to answer a survey. That way if they change the ID, they could only answer surveys for which they have permission.
Serve a token with each survey. The survey can only be submitted back with a valid token that is tied to the ID (via cryptographic signature or by storing tokens and IDs in a database.)
I'm using passport-facebook for logging into the site using Facebook (the implementation is complete and working well). Now, I want to redirect the user to a page containing a form which they are supposed to fill once they log in from FB, and without doing it (that is, without filling the form and submitting it) they shouldn't be able to access any other links on the site.
Here is the approach I thought of: once the user logs in I would make a database query inside the strategy to see whether they have previously submitted the data. If they have already submitted, I would set session.filledOrNot = true in the object which I'll be returning to the done callback, and use this property to either allow them to proceed or redirect back to the same page.
Is this a good approach?
This can be done in 2 ways.
1. You can either make the user fill the form during sign up/registration (whatever you call it). If the user doesn't fill the form, don't let them sign up at all.
2. The second way is what you are suggesting. Let the user sign up without filling the form and, once the user logs in, check in your database whether your condition "session.filledOrNot = true" is satisfied or not. The disadvantage is you need to make this query in every API request, not just the login request.
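The second approach as an Express-style middleware, added here as an example (not code from the question, the answer or passport-facebook). It keeps the per-request cost down by caching only the positive answer in the session: once the form has been submitted that fact never changes, whereas a cached "not submitted" would go stale the moment the user submits. The user store, the allowed paths and the request/response shapes are constructed for the example.

```javascript
// Stand-in for the users table; a real app queries this per request.
const usersWithProfile = new Set(['fb-user-1']);

// Paths a logged-in user may reach before the profile form is submitted.
const ALLOWED_BEFORE_PROFILE = new Set(['/profile', '/profile/submit', '/logout']);

// Express-style middleware: continue with next() or redirect to the form.
function requireCompletedProfile(req, res, next) {
  if (!req.user) return next();                          // not logged in: the auth middleware's job
  if (ALLOWED_BEFORE_PROFILE.has(req.path)) return next();
  // Cache only the positive answer in the session: once submitted, the form
  // stays submitted, so a true flag never goes stale. A false flag would, so
  // that case hits the database again on every request.
  if (!req.session.filledOrNot) {
    req.session.filledOrNot = usersWithProfile.has(req.user.id); // the database query
  }
  if (!req.session.filledOrNot) return res.redirect('/profile');
  return next();
}

// Handler for the form submission; records completion on success.
function submitProfile(userId, form) {
  if (typeof form.displayName !== 'string' || form.displayName.trim() === '') {
    return { ok: false, error: 'displayName is required' };
  }
  usersWithProfile.add(userId);
  return { ok: true };
}

// Drives the middleware without an HTTP server and reports what it did.
function simulate(session, userId, path) {
  let outcome = null;
  const req = { path, user: userId ? { id: userId } : null, session };
  const res = { redirect(location) { outcome = { redirect: location }; } };
  requireCompletedProfile(req, res, () => { outcome = { next: true }; });
  return outcome;
}

// Demonstration with a constructed session object.
const session = {};
console.log(simulate(session, 'fb-user-2', '/dashboard'));                // { redirect: '/profile' }
console.log(simulate(session, 'fb-user-2', '/profile'));                  // { next: true }
console.log(submitProfile('fb-user-2', { displayName: 'Example User' })); // { ok: true }
console.log(simulate(session, 'fb-user-2', '/dashboard'));                // { next: true }
```

In a real Express app the middleware is registered after passport's session middleware and before the protected routes, so `req.user` and `req.session` are already populated when it runs.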
I have a full website with two contexts for two different languages. The only public page is the landing page of both languages. The rest should be private/protected. This I have achieved with resource groups and limits on the anonymous users.
On the landing page all the menu entries that are protected should be seen by the anonymous user and, if clicked, a popup with two login forms should be displayed. These login forms are from other sites and will return whether the user has permission or not when they've entered their credentials. And as long as this session exists the user should be able to view all pages, if the user was approved of course.
My guess as a non-MODX or PHP pro is that I should check if a session exists when the landing page is loaded (and all sub-pages). If no user is logged in, all links will point to the popup. The user then logs in, sends info to the external server and is redirected to the private/protected landing page if successful. And this is what I can't find any info about, probably because I'm not entirely sure what to look for.
I need one snippet that checks if a valid session exists for the protected pages, if not display the logins.
The other code I would need is something that creates the session for the user if the external login was successful. Should this be a snippet or just a php document on the server. And how can I start a session for the protected pages?
You could do this in two different ways:
Make a user system that is not connected to MODX. I find this the easiest and I've done this several times before. You'll need to make a table for users with usernames and passwords, and make an object out of it, so you can use xPDO to do the queries. With this system up and running, it would be no problem to include a snippet in every template to make sure the user is indeed logged in. If not, just redirect him to the correct front page/landing page. This will require some coding, but as I said, it works like a charm.
Download the snippet http://modx.com/extras/package/login (by Spittingred, a true legend), and look at the code. I haven't used this Extra before, but I am pretty sure it uses the same user system as MODX, and therefore you should be able to achieve what you want. I can't give you any more help than "look at the source and figure out how Spittingred did it".
MODX Revolution checks if the user is logged in when trying to access a protected page, but if you would like to check it manually this snippet would do:
if (!$modx->user->hasSessionContext($modx->context->get('key'))) {
    $modx->sendUnauthorizedPage(); // redirect to the informative page for non-logged users
}
If you need to check for the user being logged in and display a login popup if not, then using the output modifier with simple user id check may work:
[[+modx.user.id:if=`[[+modx.user.id]]`:eq:=`0`:then=`Not logged in`:else=`logged in`]]
When it comes to session creation for users authenticated from outside the MODX site, I would suggest writing a snippet which checks the status from the external page and logs the user in. This way the session checking will be omitted but still, the functionality goal should be achieved.
I have to log in a user through Drupal code having the userID... Basically the scenario is that I have registered a user through e-mail verification. When the user clicks the link given in the email he/she becomes active. Now I need to implement that, along with the user becoming active, he/she should be logged in automatically. I think I made my point clear. Any idea?
Thanks
Check out the User module, specifically the user_external_login and user_authenticate_finalize functions. You can either call those functions or use them as the basis for creating your own functions.
On a related note, there's not enough detail in your question to know for sure, but it sounds like you might be duplicating functionality already in the User module. If you're new to Drupal, you may want to make sure you can't accomplish what you need to do with the existing options under User management > User settings.
So how do you handle the form security problem of posting data to a different page? For instance you have a member and he/she tries to change the personal settings and you redirected the member to
www.domain.com/member/change/member_id
The member changes the values and posts the data to another page by changing the action with Firebug or something else. For instance
www.domain.com/member/change/member_id_2
How do you handle this problem without using sessions?
This problem arises when there are no server side validations!
So, the solution is to have server side validations.
Why not use Session state? It's designed for that.
Alternatively use cookies or URLs with a unique session-style ID embedded in them, which allows you to tie it back to a specific user.
How do you handle members without session?
Before modifying anything, check if the current user has the right to do so. For example, if you're user #1 and your details are at /members/change/1, you post to the same url, and with firebug you change the form to point to /members/change/2. When processing the form, you have to check if the userid in the form is the current user's id, and if not, display an error.
You could crypt the identity information (member_id) and add it as a parameter or URL path. When the request is posted to the member_id form, you can verify that the crypted member_id (which is part of the request) matches the member_id.
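The check described in the "Before modifying anything" answer, written out in Node.js as an added example (not code from any of the answers). The authenticated identity comes from whatever authentication layer is in use (session, signed cookie, or a unique ID carried in the URL, as the other answers suggest) and is passed in as a parameter here; the handler compares both the member_id in the URL and the one in the posted body against it before writing anything. A deliberately unchecked handler sits beside it to show what the edited form action does to it. The member table, request shapes and values are constructed for the example.

```javascript
// Constructed member table.
const members = new Map([
  [1, { id: 1, email: 'alice@example.com' }],
  [2, { id: 2, email: 'bob@example.com' }],
]);

// Unchecked handler: trusts the member_id that arrives with the request, so
// a form whose action was edited to /member/change/2 updates member 2.
function changeSettingsUnchecked(request) {
  const target = members.get(Number(request.params.member_id));
  if (!target) return { status: 404 };
  target.email = request.body.email;
  return { status: 200 };
}

// Hardened handler: the authenticated identity is the only source of truth.
// The ID in the URL and the ID in the posted body must both equal it, and the
// comparison happens before any write. Number('abc') is NaN and fails the check.
function changeSettings(request, authenticatedUserId) {
  const urlId = Number(request.params.member_id);
  const bodyId = Number(request.body.member_id);
  if (urlId !== authenticatedUserId || bodyId !== authenticatedUserId) {
    return { status: 403, error: 'you may only change your own settings' };
  }
  const email = request.body.email;
  if (typeof email !== 'string' || !email.includes('@')) {
    return { status: 400, error: 'invalid email' };
  }
  const target = members.get(urlId);
  if (!target) return { status: 404 };
  target.email = email;
  return { status: 200 };
}

// Demonstration: member 1 is authenticated, but the form action was edited
// to /member/change/2 and the hidden member_id field to 2.
const editedForm = { params: { member_id: '2' }, body: { member_id: '2', email: 'changed@example.com' } };
console.log(changeSettingsUnchecked(editedForm), members.get(2).email); // 200, member 2 overwritten
console.log(changeSettings(editedForm, 1));                             // 403, nothing written

// The same member editing their own record goes through.
const ownForm = { params: { member_id: '1' }, body: { member_id: '1', email: 'alice2@example.com' } };
console.log(changeSettings(ownForm, 1), members.get(1).email);          // 200, member 1 updated
```

The point of comparing the body's member_id as well as the URL's is that a hidden form field is exactly as editable as the form action; neither is an input to trust, and the cheapest correct design is to ignore both and update only the record belonging to the authenticated user.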