On the panel pages for my user profiles, the titles for each user are their usernames (such as jblow for Joe Blow). The uid is passed to the page and, presently the title is set to %user:name. Is there some way I can use tokens, or some other solution, to get the users specific first and last name to the profile page?
I am using the core profile module, as well, if that helps.
Maybe you can check this modules:
http://drupal.org/project/token_custom
http://drupal.org/project/token_profile
Related
Is there a setting somewhere to use the authenticated user information instead of forcing user entry, or do I have to go through the process of creating a custom forum layout to accomplish this?
You don't need a custom layout, you can simply modify the out of the box one.
I am developing a social network and I would like to know if in the profile page of a user I could put the user id stored in database as a parameter in the url or is it a bad idea in terms of security?
I want the url to be bookmarkable. Should I put another thing instead of the user id?
In terms of security there's no problem in putting the user id in a url. For example StackOverflow does it already: https://stackoverflow.com/users/3477044/aliuk
What's important is to verify that the currently authenticated user is allowed to access this url and take actions on its behalf.
most socialnetwork i've been using, use username as url not id, of course it also affects seo, since u have "pretty url".
Security is really depend on how you write your code, say there is a page to edit-profile, if you put on your code something like:
UPDATE .. SET .. WHERE id = $_GET['id']
no question it's dangerous, you should check every user action, like posting/editing profile, etc. who is login, not what's the id on current url
It is secure if you secure your website against sql injection.
But if breach happens all users are vunerable. Only thing that hacker needs to do is find the user profile get his id. Copy output of sql injection. Go to text editor. Press ctrl - f and search for user id.
I have a full website with two contexts for two different languages. The only public page is the landing page of both languages. The rest should be private/protected. This I have achieved with resource groups and limits on the anonymous users.
On the landing page all the menu entries that are protected should be seen by the anonymous user and if clicked a popup with two login-forms should be displayed. These login-form are from other sites and will return if the users has permission or not when they've entered their credentials. And as long as this session exists the user should be able to view all pages if the user was approved of course.
My guess as a non modx- or php- pro is that I should check if a session exists when the landing page is loaded (and all sub-pages). If no user is logged in all links will point to the popup. The user then logs in, sends info to the external server and is redirected to the private/protected landing page if successful. And this is what I can't find any info about, probably because I'm not entirely sure what to look for.
I need one snippet that checks if a valid session exists for the protected pages, if not display the logins.
The other code I would need is something that creates the session for the user if the external login was successful. Should this be a snippet or just a php document on the server. And how can I start a session for the protected pages?
You could do this in two different ways:
Make a user-system that is not connected to Modx. I find this the easies and I've done this several times before. You'll need to make a table for users with usernames and password, and make an object out of it, so you can use xpdo to do the queries. With this system up and running, it would be no problem to include a snippet in every template to make sure the user is indeed logged in. If not, just redirect him to the correct frontpage/landingpage. This will require some coding, but as I said, it works like a charm.
Download the snippet http://modx.com/extras/package/login (by Spittingred, a true legend), and look at the code. I haven't used this Extra before, but I am pretty sure it uses the same user-system as Modx, and therefor you should be able to achieve what you want. I can't give you any more help than "look at the source and figure out how Spittingred did it".
MODX Revolution checks if the user is logged in when trying to access a protected page, but if you would like to check it manually this snippet would do:
if (!$modx->user->hasSessionContext($modx->context->get('key'))) {
$modx->sendUnauthorizedPage(); // redirect to the informative page for non-logged users
}
If you need to check for the user being logged in and display a login popup if not, then using the output modifier with simple user id check may work:
[[+modx.user.id:if=`[[+modx.user.id]]`:eq:=`0`:then=`Not logged in`:else=`logged in`]]
When it goes to the session creation for the users authenticated from outside of MODX site, I would suggest to write a snippet which checks the status from the eternal page and logs user in. This way the session checking will be ommited but still, the functionality goal should be achieved.
I have a Play framework application that has a model like this:
A Company has one and only one User associated with it.
I have URLs like http://www.example.com/companies/1234, http://www.example.com/companies/1234/departments, http://www.example.com/companies/1234/departments/employees and so on. The numbers are the company id's, not the user id's.
I want that normal users (not admins) should only be able to access their own profile pages, not other people's profile pages. So a user associated with the company with id 1234 should not be able to access the URL http://www.example.com/companies/6789
I tried to accomplish this by overriding Secure.check() and comparing the request parameter "id" to the ID of the company associated with the logged in user. However, this obviously fails if the parameter is called anything else than "id".
Does anyone know how this could be accomplished?
You could have a simple #Before function, or if it is only on the view page that you want to apply the security, then you could have a simple bit of code at the beginning that checks the user's id (I assume from the session), and checks that they are allowed to access the page, by getting the User form the id in the session, and the Company from the id passed in, and checking against each other.
If security fails, then either return a badrequest instead of render, or call an action that shows a notAuthorised custom page.
You could make a SecureProfileController class that extends Controller, has a method that does the checkCompanyId-that-is-to-be-viewed against users companyId, and let the controllers that need that logic extend the SecureController.
If the method is an #Before function, like Codemwnci says, then it can intercept all the action methods in the inherited classes.
Alternatively you could have a look at Deadbolt, where you can setup roles for users and restrict access based on those roles: http://www.playframework.org/modules/deadbolt-1.0/home
Hope that helps :)
Using: PHP, Symfony 1.4, Doctrine, sfGuard
I have a site where the majority of pages could be cached as full HTML pages. But there is the traditional 'user account toolbar' that appears at the top right of most sites (shows the logged in username, logout link etc.)
This obviously prevents the page from being fully cached as HTML so I plan on outputting the page as standard HTML and adding in the username etc. after page load, via Javascript.
When the user logs in, I will create an extra cookie storing just the username. Javascript can then check if the cookie exists and create the account toolbar. The username will only be used for display purposes. In order to actually log in the users will have to go through the normal login page, using their password etc.
I've searched for blog posts etc on this but not found much. Can anyone identify any security or other concerns with this?
As long as the user name is only used for display purposes you should be golden. Alternatly you could use an XHR to grab the username from PHP's $_SESSION.
My concerns are that you'd be using the user name to authenticate that user. Or using the user name as a key to access your cache, where by changing the user name would give an attacker access to another's cache.
You should never, ever store anything sensitive in a cookie. To me, that includes usernames.