I setup the following code in my app_controllers.php file to control access to the site when the site is set to OFFLINE (site_status = 0).
function beforeFilter(){
// Site Offline = 0 , Site Online = 1
if($this->Configuration->get_site_status() == 1){
// Allow access to the site to all users and perform all required
// beforeFilter code
}else{
...
// If site is OFFLINE but User is logged in allow access.
// Later I will need to change it to only allow admin access if logged in as I am still developing
// Everyone else will be denied access even if they are able to authenticate
if(!$this->Auth->user() == null){
$this->layout = 'default';
$this->Auth->allow('*');
}else{
$this->layout = 'offline';
$this->Auth->deny('*');
}
...
}
}
Everything works great when the requested address looks like the following:
http://www.mydomain.com/articles
However, when I have the following it does not work properly
http://www.mydomain.com/admin/articles
It prevents access to the site correctly, but it fails to use the $this->layout = 'offline'. It defaults back to the default layout.
What do I need to do to fix this.
Thank you!
Your if conditions look weird. They are:
If site is offline and user logged in
use default layout
otherwise
use offline layout and require authentication on all pages
I.e. you're using offline layout when site is online OR user is not logged in. Are you sure that is what you want?
Well, the first thing that looks out of place to me is:
(!$this->Auth->user() == null)
This looks very wrong and might be causing your problems. I would suggest changing this to something like:
(!is_null($this->Auth->user())
or
($this->Auth->user() !== NULL)
Edits
First, check out the PHP logical operators. You were appending a NOT statement to the return value of $this->Auth->user(). So, with a user logged in you're essentially asking if false is equal to null, which of course it isn't and never will be.
Second, check out the PHP comparison operators. You aren't wanting to check if the value of $this->Auth->user() is equal to the value null, you're wanting to check if the data type of $this->Auth->user() is equal to the type null. In short, null is a data type, not a value. If you did just have to use "=" in your if statement then you would want to use the identical === check or the identical not check !==.
Related
I want to use onsen ui and angularjs to develop a hybird application, but now I meet a problem, this application cannot store user's login information, so user must login everytime after they close the application.
I use $cookies, service, and $rootScope to store user's login information, but all of them can not work at android platform.
Anyone can help me to solve this problem?
On HTML5 mobile framework like Onsenui, I suggest to use localStorage.
You can take a look at these two AngularJs modules:
angular-local-storage
ngStorage
They have very well written instructions and demo codes as references.
use this plugin https://github.com/litehelpers/Cordova-sqlite-storage or something similar to create a sqlite database. Create a table with the information you want to keep (username and password). You can create a hash of the password and store it for better security (md5 or sha1).
You can also keep the timestamp of the login and keep the user logged in for a specific interval of time, so when he opens the app, check if you are inside this interval (e.g. day, week, etc.) from the last login and if yes, log him in automatically else show the login screen again.
if (window.localStorage.getItem("rememberMe") == "true") {
$scope.userEmail = window.localStorage.getItem("userName");
$scope.userPassword = window.localStorage.getItem("password");
document.getElementById("rememberMe").checked = true;
}
else {
document.getElementById("rememberMe").checked = false;
}
if (document.getElementById("rememberMe").checked == true) {
window.localStorage.setItem("rememberMe", "true");
window.localStorage.setItem("userName", $scope.userEmail);
window.localStorage.setItem("password", $scope.userPassword);
}
else if (document.getElementById("rememberMe").checked == false) {
window.localStorage.setItem("rememberMe", "false");
window.localStorage.setItem("userName", "");
window.localStorage.setItem("password", "");
}
Hi! have a look at the above code. It stores in local storage
I did a lot of research, followed many different examples, but still cannot get it to run properly.
So here is a part of the controller action from the registration:
if(!empty($this->request->data)){
$this->request->data['Company']['start_date']= date("Y-m-d");
unset($this->Company->User->validate['company_id']);
if($this->Company->saveAssociated($this->request->data)){
$user = $this->request->data['User'];
$data['User']['password'] = $user[0]['password'];
$data['User']['email'] = $user[0]['email'];
if($this->Auth->login($data)){
$this->redirect($this->Auth->redirect(array('controller'=>'customers', 'action'=>'index')));
}...
So the user is saved and a new array of user's email and password is created. It is then passed to $this->Auth->login. The login seems to pass, but the following error is on redirection to customers controller:
Notice (8): Undefined index: role [APP\Controller\CustomersController.php, line 32]
Notice (8): Undefined index: role [APP\Controller\CustomersController.php, line 36]
Even though the role field is autoset as manager on user creation.
Here is how the CustomerController looks like:
public function isAuthorized($user){
if($user['role'] == 'manager'){
return true;}
if (in_array($this->action, array('add', 'edit', 'index', 'view', 'delete', 'users'))){
if($user['role'] != 'manager'){
return false;
}}return true;}
Any help is very much appreciated.
Check the docs and the source for AuthComponent::login()
http://api.cakephp.org/2.4/class-AuthComponent.html#_login
http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#manually-logging-users-in
http://api.cakephp.org/2.4/source-class-AuthComponent.html#583-606
When passing user data to AuthComponent::login(), you are logging a user in, but no authentication is going to happen! "Logging in" in this case means, the data provided is being stored in the session, and on following requests the user is being treated as logged in in case data is present in the session (in the specific key used by the component), ie you could even just pass 123456, the user would be treated as being logged in.
Authenticating on the other hand would cause a DB lookup, where all the user data would be fetched and consequently being stored in the session.
So the role field is not available because you haven't passed it to AuthComponent::login(), you've only passed email and password, consequently these are the only fields being available later on. Btw, DO NOT supply the password when doing such a manual login! You don't want to carry such sensitive information in the session!
To fix this problem, either pass the role field too, or call AuthComponent::login() without passing any data at all (make sure you are using Form authentication so that the data passed in the request is being used), so that it's going to authenticate the user and fetch its data from the DB.
See also http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html
I have problem with ACL. I read tutorial from here and here, and now I know how to add permission to some user/group to edit his profile, but then all users can edit each other profile. How I can set permission so user can edit just his own profile, not others, or can I somehow put this code in edit function:
function edit($id = null) {
if ($logedUserId != $id) {
// deny access
return;
}
// edit user
}
Assuming that you are using action-based access control (which it appears as though you are), then unless you have an action named after each profile (which would be completely wrong) you will have to do an additional check within the edit() method to ensure that the profile being edited belongs to the currently logged in user.
So you sort of answered your own question--correctly.
I am working on a web app project that has been in development for long time. The app has two sides, the majority of the site is publicly accessible. However, there are sections that require the user to be logged in before they can access certain content.
When the user logs in they get a sessionid (GUID) which is stored in a table in the database which tracks all sort for data about the user and their activity.
Every page of the app was written to look if this session id variable exists or not in the querystring. If a user tries to access one of these protected areas, the app checks to see if this sessiond variable is in the querystring. If i is not, they are redirected to the login screen.
The flow of the site moves has the user moving seamlessly from secured areas to non-secured areas, back and forth, etc.
So we did a test run with the Google Custom Search and it does an awesome job picking up all our dynamic content in these public areas. However, we have not been able to figure out how to pass the sessionid along with the search results IF the user is logged in already.
Is it possible to pas querystring variables that already exist in the url along with the search results?
As far as I know, this is not possible. Google doesn't give you the possibilty to modify the URL's of the Search Results in their Custom Search.
A possible solution would be to store your Session-Key to a Cookie, rather than passing it with every URL.
Use the parseQueryFromUrl function
function parseQueryFromUrl () {
var queryParamName = "q";
var search = window.location.search.substr(1);
var parts = search.split('&');
for (var i = 0; i < parts.length; i++) {
var keyvaluepair = parts[i].split('=');
if (decodeURIComponent(keyvaluepair[0]) == queryParamName) {
return decodeURIComponent(keyvaluepair[1].replace(/\+/g, ' '));
}
}
return '';
}
Select RESULTS ONLY option in the Look & Feel and it will provide you with the code.
www.google.com/cse/
I'm trying to authenticate against the user db of my website (CMS based) and it uses a slightly different approach at storing hashed passwords. It uses a randomly generated salt for each user. The salt is stored in the user db along with the hashed passwords. Hence, direct field-mapped authentication (as the External DB plugin does) won't work for me.
To start off, I just mirrored the DB plugin and modified the user_login() procedure to read the hashed password and the salt from the database and then hash the entered password again with the salt and match it up with the password in the database. Here's the code for my user_login() function
function user_login($username, $password) {
global $CFG;
$textlib = textlib_get_instance();
$extusername = $textlib->convert(stripslashes($username), 'utf-8', $this->config->extencoding);
$extpassword = $textlib->convert(stripslashes($password), 'utf-8', $this->config->extencoding);
$authdb = $this->db_init();
// normal case: use external db for passwords
// Get user data
$sql = "SELECT
*
FROM {$this->config->table}
WHERE {$this->config->fielduser} = '".$this->ext_addslashes($extusername)."' ";
$authdb->SetFetchMode(ADODB_FETCH_ASSOC);
// No DB Connection
if ( !$rs = $authdb->Execute( $sql ) ) {
$authdb->Close();
print_error('auth_dbcantconnect','auth');
return false;
}
// No records returned
if( $rs->EOF ) {
$rs->Close();
$authdb->Close();
return false;
}
// Get password
$db_password = $rs->fields['user_password'];
$salt = $rs->fields['user_salt'];
// Close DB Conn
$rs->Close();
$authdb->Close();
// Return match
return sha1( $extpassword . $salt ) == $db_password;
}
But when I try to login, username / passwords corresponding to the website (CMS) database are failing. However, the password (for the same user) that was stored in Moodle earlier on (before I tried using this custom plugin) is getting me through.
That means, either my authentication routine is failing or moodle's internal db based auth mechanism is taking precedence over it.
I've enabled ADODB debug mode - but that isn't helping either. When I enable the debug output from Server settings, the error messages are being sent prior to the page headers. Thus the login page won't display at all.
I have all other forms of authentication turned off (except for Manual which can't be turned off) and my own.
Any ideas on how to solve this issue?
Can you confirm the order that the authentication pluggins are displayed? This will determine the order in which they are used. See..
http://docs.moodle.org/en/Manage_authentication
Either way, the behaviour you're seeing suggests that your code is returning false and the fall through logic described here...
http://moodle.org/mod/forum/discuss.php?d=102070
... and here...
http://docs.moodle.org/en/Development:Authentication_plugins
... is kicking in.
Have you tried returning "true" always from your plugin to ensure that it's being called. Then, you can start returning "true" based upon other things (hard coded usernames etc). This approach will allow you to get to the point where you are either continuing to fail or seeing more targetted failures. Are you sure, for example, that it's the user_login function and not the subsequent call to update_user_record that is failing?
Finally, are you sure you're generating the salted password in the exact same way that it was created in the first place? This would be, for me, the most likely cause of the problem. Can you take control of the creation of the salted password so that you own both creation of new users and authentication of users - this would ensure that you were in sync with how the salted password and hash were generated.