Bypass login by IP address - concrete5

I have a client that wants to use Concrete5.7 for an employee portal. If they are in the building, he does not want them to have to log in to view the site. However, if they are not in the building, he wants them to be able to access the site via a login. The building has a static IP address. Is there a way to override the login or automatically use a specific credential if the user is accessing the site from a specific IP address?

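You can use the concrete5 Application Events.
For example:

    // Runs before every page render.
    Events::addListener('on_before_render', function($event) {
        // IP address of the client making this request.
        $clientIp = Request::getInstance()->getClientIp();
        // YOUR_STATIC_IP is a placeholder for the building's address (a string).
        if ($clientIp === YOUR_STATIC_IP) {
            $service = Core::make(\Concrete\Core\User\Login\LoginService::class);
            // THE_ID_YOU_WANT_TO_USE is a placeholder for the ID of the account to log in as.
            $service->loginByUserID(THE_ID_YOU_WANT_TO_USE);
        }
    });

This is just an example. Please follow the recommended convention in the concrete5 documentation.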

Related

Meteor User Account Settings email validation

I am using Meteor user accounts api to create user accounts.
https://github.com/meteor-useraccounts/core/blob/master/Guide.md
How to add email restriction to particular domain such as only @mydomain.org so that only those users with the domain will be allowed to log into the system while other users with other domains such as @gmail.com would not be able to log into the system?
There is this (unfortunately) undocumented Accounts.config which is part of accounts-base. It allows you to set an email domain restriction for account creation. This way your app won't allow any accounts to be created that are not part of this domain:
Put the following in server and client startup code to configure the accounts package:

    Accounts.config({
      restrictCreationByEmailDomain: 'mydomain.com'
    })

The source documentation says on this particular option:
@param {String | Function} options.restrictCreationByEmailDomain If set to a string, only allows new users if the domain part of their email address matches the string. If set to a function, only allows new users if the function returns true. The function is passed the full email address of the proposed new user. Works with password-based sign-in and external services that expose email addresses (Google, Facebook, GitHub). All existing users still can log in after enabling this option. Example: Accounts.config({ restrictCreationByEmailDomain: 'school.edu' }).
Source code of the Accounts.config method: https://github.com/meteor/meteor/blob/devel/packages/accounts-base/accounts_common.js#L170
I would recommend using accounts-password package to manage user creation and authentication.
With the Accounts.createUser method you can easily create a user where you can apply any kind of check. In your case add a regex check to make sure the email address comes from your domain before calling the Accounts.createUser method.

Get user's IP address from firebase auth trigger?

How can we get the user's IP address when using functions.auth.user().onCreate(...)? Basically, I want to track the IP address from when a user visits our website and the IP address from when they sign up on the app for analytics purposes, unless someone knows a better way! Thanks.
This is not possible in any Cloud Functions background trigger. If you want to attempt to record an IP address (which may not be very accurate or helpful, given that network traffic can go through proxies and VPNs), you will have to use an HTTP type trigger that was invoked from your app or web site running on the user's computer or device. The request might include a header called x-forwarded-for or fastly-client-ip that contains an IP address. But this isn't documented, so there is no guarantee this will exist.
See also: How to get client IP address in a Firebase cloud function?
The IP information is available from Firebase auth using the EventContext object from auth.user().beforeSignIn() as well as auth.user().beforeCreate()
To use it, you'll first need to upgrade to Firebase Authentication with Identity Platform. It's available in both Spark & Blaze plans and can be enabled by going to 'Firebase Authentication -> Settings' in your project.
The docs give the following use-case for getting, checking, and blocking based on IP from auth.user().beforeSignIn() for example:
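
    // Assumes `functions` is the firebase-functions module;
    // isSuspiciousIpAddress() is an application-defined check.
    exports.beforeSignIn = functions.auth.user().beforeSignIn((user, context) => {
      // context.ipAddress is the address the sign-in request came from.
      if (isSuspiciousIpAddress(context.ipAddress)) {
        throw new functions.auth.HttpsError(
          'permission-denied', 'Unauthorized access!');
      }
    });
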
For more details and examples of what else is available in the EventContext, see Getting user and context information.
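
For the HTTP-trigger route mentioned above, where the address has to be read from x-forwarded-for, the following added example (not code from any of the answers) shows how to pick the client address from that header without trusting client-supplied entries, and how to test it against a network range; the same range test fits the office-IP check in the concrete5 question. Assumptions: IPv4 only, and the proxy and office ranges are constructed sample values.

```javascript
// Added example. TRUSTED_PROXIES and OFFICE_RANGES are constructed sample values.
const TRUSTED_PROXIES = ['10.0.0.0/8'];    // load balancers we operate ourselves
const OFFICE_RANGES = ['203.0.113.0/24'];  // documentation range standing in for the office

// Dotted-quad IPv4 -> unsigned integer, or null when malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).trim().split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip lies inside a CIDR block such as "203.0.113.0/24".
function inCidr(ip, cidr) {
  const [base, bitsText = '32'] = cidr.split('/');
  if (!/^\d{1,2}$/.test(bitsText) || Number(bitsText) > 32) return false;
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(base);
  if (a === null || b === null) return false;
  const size = 2 ** (32 - Number(bitsText));
  return Math.floor(a / size) === Math.floor(b / size);
}

const inAny = (ip, ranges) => ranges.some((c) => inCidr(ip, c));

// Walk X-Forwarded-For right to left, skipping hops that are our own proxies.
// Entries further left were supplied by the client and prove nothing.
function clientIp(remoteAddr, forwardedFor, trusted = TRUSTED_PROXIES) {
  if (!inAny(remoteAddr, trusted)) return remoteAddr; // direct peer: ignore the header
  const hops = String(forwardedFor || '').split(',').map((h) => h.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (ipv4ToInt(hops[i]) === null) return null;     // malformed hop: refuse to guess
    if (!inAny(hops[i], trusted)) return hops[i];
  }
  return remoteAddr;
}

// Decision helper: does this request come from the office network?
function isOfficeRequest(remoteAddr, forwardedFor) {
  const ip = clientIp(remoteAddr, forwardedFor);
  return ip !== null && inAny(ip, OFFICE_RANGES);
}
```
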

GitKit - Disable change of email address on the Manage Account page

My application uses user's email address as the user id. Currently it does not allow users to change their email address. They can create a new account if they need to use a different email address. I'm implementing Google Identity Toolkit (GIT) on my site. For users who use Email/Password for login, the Manage Account page of GIT allows users to change their email address and password. I would like to block changing of email address while keeping the change password option.
Is it possible, and if yes, how?
We do not support this option but if you want to do this at your own risk, you can add the following callback in the widget callbacks config field:

    callbacks: {
      'uiChanged': function(from, to) {
        // When the widget switches to the password account management screen,
        // hide the container that holds the email information.
        if (to == 'passwordAccountManage' && document.getElementsByClassName('gitkit-id-email-info-container').length) {
          document.getElementsByClassName('gitkit-id-email-info-container')[0].style.display = 'none';
        }
      }
    }


Limit Meteor.js built-in Google authentication to a domain

I'd like to use the Meteor.loginWithGoogle() tool to authenticate users, but is there any way to limit it to a specific (Google Apps) domain?
I could check after the user is authenticated using the returned email, but is there a way to do this at the login stage with some parameter for Google login?
I don't think it's possible right now.
There is a pull request to partly add that functionality: https://github.com/meteor/meteor/pull/1332
The issue with that pull request seems to be that it only fixes the client side of things (i.e. it only shows accounts from the selected domain when the user logs in).
But it does not add any server side checks.
I'm using the following workaround:
In a .js file in the server folder I have the following code:

    Accounts.validateNewUser(function (user) {
      // Email reported by Google for the account being created (absent for other login types).
      var google = user.services && user.services.google;
      // Anchor on "@" so that look-alike domains such as evilexample.org do not match.
      if (google && typeof google.email === 'string' && /@example\.org$/i.test(google.email)) {
        return true;
      }
      throw new Meteor.Error(403, "You must sign in using a example.org account");
    });

This prevents accounts from being made for domains different from example.org.
If you want to only allow certain users from your domain, you could also add a whitelist collection that defines user ids from your Google Apps account. This way you can restrict access to only certain users, get single sign-on functionality, and can pre-set user roles and properties for your app before users even create their accounts.
Use the Accounts.onCreateUser(function(options, user){}) callback for that since it allows you to define additional user properties.
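
Both Meteor threads on this page come down to deciding whether an email address belongs to an allowed domain, either in a function passed to restrictCreationByEmailDomain or inside Accounts.validateNewUser. The following is an added example, not code from either answer, of an exact domain comparison; an unanchored suffix match such as `/example\.org$/` also accepts `evilexample.org`. `ALLOWED_DOMAINS`, `emailInAllowedDomain`, `emailsOf` and `isAllowedNewUser` are hypothetical names, and the Meteor wiring at the end is skipped when the file runs outside Meteor.

```javascript
// Added example; the names below are hypothetical, example.org is a sample domain.
const ALLOWED_DOMAINS = ['example.org'];

// True only when the address has exactly one "@" and its domain part equals an
// allowed domain exactly (case-insensitive, one trailing dot ignored).
// Quoted local parts containing "@" are rejected on purpose.
function emailInAllowedDomain(email, allowed = ALLOWED_DOMAINS) {
  if (typeof email !== 'string') return false;
  const at = email.lastIndexOf('@');
  if (at <= 0 || at !== email.indexOf('@')) return false;
  const domain = email.slice(at + 1).trim().toLowerCase().replace(/\.$/, '');
  if (!domain) return false;
  return allowed.some((d) => d.toLowerCase() === domain);
}

// Collect every address on the proposed user document: password accounts keep
// them in user.emails, OAuth logins under user.services.<name>.email.
function emailsOf(user) {
  const out = (user.emails || []).map((e) => e.address);
  for (const svc of Object.values(user.services || {})) {
    if (svc && typeof svc.email === 'string') out.push(svc.email);
  }
  return out;
}

// A new user is accepted only if it has at least one address and all of them pass.
function isAllowedNewUser(user) {
  const emails = emailsOf(user);
  return emails.length > 0 && emails.every((e) => emailInAllowedDomain(e));
}

// Server-side wiring inside a Meteor app; does nothing when Accounts is absent.
if (typeof Accounts !== 'undefined') {
  Accounts.validateNewUser((user) => {
    if (isAllowedNewUser(user)) return true;
    throw new Meteor.Error(403, 'You must sign in using an example.org account');
  });
}
```
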

How can we make a website authenticated user autologin to wordpress?

I have a Web application where the users will be authenticated before they use it. The help documentation for this application is maintained using WordPress installed on a different server (if needed, the WordPress instance can be installed on the same server also). In order to access the documentation also, the user must be authenticated and now this is done using a WordPress plugin.
Now I want to make the authentication process common for all, i.e. the user comes to the web application, logs in to use the application, and can then click the 'documentation' link within the application and be logged in to WordPress automatically as well. How can I implement this?
I have had to do something similar before where a user had to click a link in an email and it automatically logged them in.
I added the following to my theme's header.php:

    // Only attempt the token login for visitors who are not already signed in.
    if (!is_user_logged_in())
    {
        if (isset($_GET['u']) && !empty($_GET['u']))
        {
            $u = wp_unslash($_GET['u']);
            // Find the user whose md5(login + secret + email) equals the token.
            // $wpdb->users is the users table name with the site's table prefix.
            $result = $wpdb->get_row($wpdb->prepare("SELECT * FROM {$wpdb->users} WHERE md5(concat(user_login,'SOMESECRETPHRASE',user_email)) = %s AND user_login != 'admin'", $u));
            if (isset($result->ID) && isset($result->user_login))
            {
                wp_set_current_user($result->ID, $result->user_login);
                wp_set_auth_cookie($result->ID);
            }
        }
    }

The user's login link is created by adding /?u=".md5($user_login."SOMESECRETPHRASE".$user_email) to the end of the link.
They will then automatically be logged into WordPress as the correct WordPress user.
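
The token in the answer above depends only on the login name, the secret phrase and the email address, so it is the same on every visit and never expires. The following added example (not part of the original answer, and written in JavaScript for illustration) shows an expiring login token authenticated with HMAC-SHA256 and compared in constant time; in PHP the same construction maps to hash_hmac and hash_equals. `DEMO_KEY`, `mintLoginToken` and `verifyLoginToken` are hypothetical names and the key is a constructed sample value.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// Constructed demo key; both servers would share a long random secret instead.
const DEMO_KEY = 'constructed-demo-key-not-for-production';

const b64url = (data) => Buffer.from(data).toString('base64url');

// HMAC-SHA256 over the encoded payload, returned as raw bytes.
function sign(payload, key) {
  return createHmac('sha256', key).update(payload).digest();
}

// Issued by the web application once it has authenticated the user.
// nowSec is the current time in seconds; ttlSec is how long the link stays valid.
function mintLoginToken(userLogin, key, nowSec, ttlSec = 60) {
  const payload = b64url(JSON.stringify({ u: userLogin, exp: nowSec + ttlSec }));
  return `${payload}.${b64url(sign(payload, key))}`;
}

// Run by the documentation site; returns the login name, or null on any failure.
function verifyLoginToken(token, key, nowSec) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return null;
  const [payload, mac] = parts;
  const expected = sign(payload, key);
  const given = Buffer.from(mac, 'base64url');
  // Check the MAC before parsing anything the caller sent.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch (err) {
    return null;
  }
  if (!claims || typeof claims.u !== 'string' || typeof claims.exp !== 'number') return null;
  if (nowSec >= claims.exp) return null; // link has expired
  return claims.u;
}
```

A token stays valid until it expires, so keep the lifetime short; rejecting a token that has already been used once needs a server-side record, which is not shown here.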
