I'm planning to design a website which allows users to register and log into the system.
My idea is that when the user logs into the system, he will be redirected to selfoss (a single-user RSS reader) and he can customise it based on his needs.
Although I have successfully implemented the user registration and login system, I have no idea how to implement the latter, which is to turn selfoss (single-based) into a multiple-user platform where each user can only access his own customised RSS reader when logging in. So, when the user logs into the system next time, all his previous settings for that customised RSS reader will also be reloaded.
Can I have some references and guidance on the implementation of such system? Thanks in advance!
Since you already have login implemented, I am assuming you have a way to identify individual users.
You can then extend your data model by adding an rss table with a relation back to your user table, so that, based on the user id, you can associate a customised feed with the logged-in user.
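As an added example (not from the answer above, and not selfoss's own code or schema), here is a minimal version of that data model in Python with sqlite3: a user table, an rss_feed table and an rss_setting table keyed by user_id, with every read and delete scoped by the logged-in user's id so one user's reader never returns or touches another user's rows. Table and column names are assumptions for illustration.

```python
import sqlite3

# Constructed schema (assumption): the reader's tables carry a user_id that
# refers back to the user table created by the login system.
SCHEMA = """
CREATE TABLE user (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE
);
CREATE TABLE rss_feed (
    id      INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES user(id) ON DELETE CASCADE,
    url     TEXT NOT NULL,
    title   TEXT NOT NULL,
    UNIQUE (user_id, url)            -- one subscription per user, not per site
);
CREATE TABLE rss_setting (
    user_id INTEGER NOT NULL REFERENCES user(id) ON DELETE CASCADE,
    name    TEXT NOT NULL,
    value   TEXT NOT NULL,
    PRIMARY KEY (user_id, name)
);
"""


def open_db() -> sqlite3.Connection:
    """In-memory database for the example; a real deployment would use a file."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def create_user(conn: sqlite3.Connection, username: str) -> int:
    cur = conn.execute("INSERT INTO user (username) VALUES (?)", (username,))
    return cur.lastrowid


def add_feed(conn: sqlite3.Connection, user_id: int, url: str, title: str) -> int:
    """Subscribe the logged-in user to a feed; the row is owned by user_id."""
    cur = conn.execute(
        "INSERT INTO rss_feed (user_id, url, title) VALUES (?, ?, ?)",
        (user_id, url, title),
    )
    return cur.lastrowid


def set_setting(conn: sqlite3.Connection, user_id: int, name: str, value: str) -> None:
    """Store one reader preference for this user only (upsert on (user_id, name))."""
    conn.execute(
        "INSERT OR REPLACE INTO rss_setting (user_id, name, value) VALUES (?, ?, ?)",
        (user_id, name, value),
    )


def load_reader(conn: sqlite3.Connection, user_id: int) -> dict:
    """What the reader reloads on the next login: this user's feeds and settings,
    selected by user_id so another user's customisation is never returned."""
    feeds = conn.execute(
        "SELECT url, title FROM rss_feed WHERE user_id = ? ORDER BY id", (user_id,)
    ).fetchall()
    settings = conn.execute(
        "SELECT name, value FROM rss_setting WHERE user_id = ?", (user_id,)
    ).fetchall()
    return {
        "feeds": [{"url": url, "title": title} for url, title in feeds],
        "settings": dict(settings),
    }


def remove_feed(conn: sqlite3.Connection, user_id: int, feed_id: int) -> bool:
    """Unsubscribe. Deleting by feed id alone would let a user delete someone
    else's subscription by guessing ids, so ownership is part of the statement."""
    cur = conn.execute(
        "DELETE FROM rss_feed WHERE id = ? AND user_id = ?", (feed_id, user_id)
    )
    return cur.rowcount == 1


if __name__ == "__main__":
    db = open_db()
    alice, bob = create_user(db, "alice"), create_user(db, "bob")
    feed = add_feed(db, alice, "https://example.com/feed.xml", "Example feed")
    set_setting(db, alice, "items_per_page", "20")
    print(load_reader(db, alice))        # alice's feed and setting
    print(load_reader(db, bob))          # empty: bob sees nothing of alice's
    print(remove_feed(db, bob, feed))    # False: not bob's row
```

The ownership check in remove_feed is part of the DELETE statement rather than a separate lookup followed by a delete; the same pattern applies to every update on user-owned rows.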
I'd like to start a website that provides users with a photo editing/storing experience. The initial idea is that the user has his own account where we store the edited photos and some settings. I am a WordPress web developer, and when I try to consider how to build such a website in WordPress I don't really understand how to provide such services without having access to user photos. My idea was to create a custom post type and save it with the user as an author. But as an admin of the website, I will have access to all the created/saved photos, and I would like to build it in a way that I don't have it. Is it possible?
I've used previously the app to write a diary that saved the data to my Google Drive and if I understand correctly, it never had access to my files.
So my question is: what are the best practices to build such a resource? Is it normal to have access to all of your user photos if you provide such a platform?
In your case, as you will use WordPress and you are the developer, you will always have access to the data of everything.
You will always have a way of knowing which data is from one user or which data belongs to another user.
You have two options to do this, but this will take some development work:
1 - You must recreate the way WordPress works so that the user is not tied to an email or to any private data that can be related to the user.
Example: You ask the user to register with a form that only asks for a "hash" (which can be any word, number, or any other information) and a second field, which would be the password.
With this, in the backend you take these two pieces of information and do some kind of hash (I'll give the example using md5, but do not use it).
After that, join these two values and this will be the user.
To log in, the user needs to repeat this information and will be inside the platform. With this you will be able to maintain the anonymity of the user and will not know who the user is.
In this option you will have a different user for each hash and password :)
But I recommend not using WordPress if you choose this option. You can use a framework like CodeIgniter, for example, which is super simple.
2 - The second way would be to use the normal WP user, not worrying about who the user is or their information. But one way to keep photo information "anonymous" is to generate a unique hash for each user and have some way of relating the user to it.
Example: When uploading a file to edit, it will generate a passkey; you must warn the user that when they want to edit or view this photo they will need to type it into an input. With this you will not know which information is from which user, but it requires extra work for the user.
This way you will always have anonymity of user information. I hope I helped you somehow.
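As an added illustration of both options in the answer above (this is not the answer's code, and the md5 it mentions for option 1 is replaced by PBKDF2-HMAC-SHA256): the first part derives one account identifier from the (hash, password) pair, so a different pair is a different user and nothing identifying is stored; the second part issues a random passkey per photo and stores only a keyed fingerprint of it, so the store never records which user a photo belongs to. The server pepper, iteration count and class names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret (assumption): load it from configuration in a
# real deployment and keep it out of the database.
SERVER_PEPPER = b"constructed-example-pepper-replace-me"
KDF_ITERATIONS = 200_000


def anonymous_user_id(handle: str, password: str) -> str:
    """Option 1: one account identifier derived from the (hash, password) pair.
    PBKDF2-HMAC-SHA256 keyed by the server pepper stands in for the md5 the
    answer warns against; nothing that identifies a person is ever stored."""
    material = handle.encode("utf-8") + b"\x00" + password.encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", material, SERVER_PEPPER, KDF_ITERATIONS)
    return digest.hex()


class AnonymousAccounts:
    """Registry of derived identifiers; a different pair is a different user."""

    def __init__(self) -> None:
        self._user_ids = set()

    def register(self, handle: str, password: str) -> str:
        user_id = anonymous_user_id(handle, password)
        if user_id in self._user_ids:
            raise ValueError("this hash/password pair is already an account")
        self._user_ids.add(user_id)
        return user_id

    def login(self, handle: str, password: str):
        """Recompute the identifier; login succeeds only if it was registered."""
        user_id = anonymous_user_id(handle, password)
        return user_id if user_id in self._user_ids else None


def issue_passkey() -> str:
    """Option 2: a random passkey shown to the user once when a photo is saved."""
    return secrets.token_urlsafe(16)


def passkey_fingerprint(passkey: str) -> str:
    """Only this keyed digest is stored, so the passkey cannot be read back."""
    return hmac.new(SERVER_PEPPER, passkey.encode("utf-8"), hashlib.sha256).hexdigest()


class PhotoStore:
    """Photos indexed by passkey fingerprint; no user id is recorded at all."""

    def __init__(self) -> None:
        self._photos = {}

    def save(self, photo: bytes) -> str:
        passkey = issue_passkey()
        self._photos[passkey_fingerprint(passkey)] = photo
        return passkey

    def open(self, passkey: str):
        """Returns the photo for a valid passkey, None otherwise."""
        return self._photos.get(passkey_fingerprint(passkey))


if __name__ == "__main__":
    accounts = AnonymousAccounts()
    uid = accounts.register("bluebird", "correct horse")
    print(accounts.login("bluebird", "correct horse") == uid)   # True
    print(accounts.login("bluebird", "wrong"))                  # None

    store = PhotoStore()
    key = store.save(b"constructed photo bytes")
    print(store.open(key))          # b'constructed photo bytes'
    print(store.open("not-a-key"))  # None
```

The passkey hides the mapping between a photo and a user, not the photo bytes themselves, which the operator can still read from the store, as the answer says; it is also shown exactly once, and a lost passkey cannot be recovered from the stored fingerprint.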
I'm trying to password protect a page that contains confidential information.
Upon clicking a link, the user will be shown a pop-up dialog to enter a password.
If successful, redirect the user to the page. Otherwise, display "Wrong password".
The thing is, this can be easily overcome if the user just copies the URL and adds "/exec#ConfidentialPage" to the end of the URL.
Any suggestions?
If at all possible I would highly discourage implementing your own authentication system and instead rely on Google login to secure your data. See https://developers.google.com/appmaker/security/secure-your-app. My short recommendation is to:
1 - Create a Google group which contains the users you want to access the data.
2 - Create a role in App Maker which contains that group.
3 - Restrict access to both your data and your view to members of that role.
This is much more secure than a password-based approach because (1) it's implemented by Google (implementing your own auth correctly is hard) and (2) you have a list of everyone who has access to your data in the form of the Google group.
I'm trying to arrange being able to login with a social network (initially LinkedIn, but it could be any other, or self-generated from FosUserBundle), and then adding new connections to the same user, via Twitter, FB, Github, etc.
The difficulty is connecting the multiple account connections within FosUser and the HWIOauthBundles. In order to collect as much data as I can, and be able to easily add additional connections to services, I'd really like to have each new connection as a one-to-many record. I.e.: the initial login with LinkedIn creates a FosUser record, and a new row in a 'socialLogin' table; the next (say login with Twitter) adds a new row to the 'socialLogin' table that refers back to the fosUser.id.
How can I use the currently logged in (Fos)user as part of the new record that HWIOauth would generate? The end result would be, being able to login with any known user to get into the same account.
The solution is actually easy. First check out Symfony2: How to login using OAuth (HWIOAuthBundle) + custom roles (by default and loaded from DB) which is a great how-to for HwiOAuthBundle, and then scroll down and carefully look at public function loadUserByOAuthUserResponse(){ ... } section.
From there, your workflow will be checking the provider name from the response object. Then, based on the provider name, you can update your user (use email for searching). However, with Twitter you may have a problem because Twitter doesn't supply the user's email. So you need to ask your user for that email address, and after you get it you may need to merge the current user account (for a Twitter-based registration, consider it a temporary a/c) with the previous user account with this email.
Otherwise, if your user is already logged in using form/other-social-login (before connecting with Twitter) you can add his Twitter details once he connects with it. But you need to store the user's currently logged-in details in the session (so that you can fetch them after the user comes back with the Twitter token).
Hope it helps
First step would be to create the relation between the user entity and the social_data table and the rest is all about overriding the custom user provider FOSUBUserProvider.php, which I believe you already have started doing as you have FOSUserBundle and HWIOAuthBundle working together.
I will make some edits with actual code later, but I had to answer this to get you on the track until then.
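As an added, language-neutral model of the flow the two answers above describe (Python with sqlite3 rather than the PHP of FOSUBUserProvider; this is not either bundle's code): a social_login table related one-to-many to the user table, a loadUserByOAuthUserResponse-style lookup that links a new provider to the currently logged-in user, falls back to matching by email, and otherwise creates a temporary account when the provider (Twitter) supplies no email, plus the merge step once the user supplies one. Table names, column names and provider ids are assumptions.

```python
import sqlite3
from typing import List, Optional

# Constructed schema (assumption): the FOSUser table plus a one-to-many
# social_login table; (provider, provider_uid) identifies one external account.
SCHEMA = """
CREATE TABLE fos_user (
    id            INTEGER PRIMARY KEY,
    email         TEXT UNIQUE,
    pending_email INTEGER NOT NULL DEFAULT 0   -- 1 for a temporary (Twitter) account
);
CREATE TABLE social_login (
    id           INTEGER PRIMARY KEY,
    user_id      INTEGER NOT NULL REFERENCES fos_user(id),
    provider     TEXT NOT NULL,
    provider_uid TEXT NOT NULL,
    UNIQUE (provider, provider_uid)
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def load_user_by_oauth_response(conn, provider: str, provider_uid: str,
                                email: Optional[str],
                                session_user_id: Optional[int] = None) -> int:
    """Model of loadUserByOAuthUserResponse: returns the user id to log in.
    1. provider account already linked        -> that user
    2. someone is logged in (session)         -> link the new provider to them
    3. provider supplied an email we know     -> link to that user
    4. otherwise create a user; with no email it is a temporary account
    """
    row = conn.execute(
        "SELECT user_id FROM social_login WHERE provider = ? AND provider_uid = ?",
        (provider, provider_uid),
    ).fetchone()
    if row is not None:
        if session_user_id is not None and session_user_id != row[0]:
            # Refuse to re-link: otherwise a logged-in user could capture a
            # provider account that already belongs to someone else.
            raise ValueError(f"{provider} account is already linked to another user")
        return row[0]

    if session_user_id is not None:
        user_id = session_user_id
    else:
        known = None
        if email is not None:
            # Matching on email is only safe when the provider verified it.
            known = conn.execute("SELECT id FROM fos_user WHERE email = ?", (email,)).fetchone()
        if known is not None:
            user_id = known[0]
        else:
            cur = conn.execute(
                "INSERT INTO fos_user (email, pending_email) VALUES (?, ?)",
                (email, 1 if email is None else 0),
            )
            user_id = cur.lastrowid

    conn.execute(
        "INSERT INTO social_login (user_id, provider, provider_uid) VALUES (?, ?, ?)",
        (user_id, provider, provider_uid),
    )
    return user_id


def is_pending_email(conn, user_id: int) -> bool:
    row = conn.execute("SELECT pending_email FROM fos_user WHERE id = ?", (user_id,)).fetchone()
    return bool(row and row[0])


def merge_temporary_account(conn, temp_user_id: int, email: str) -> int:
    """Called once the Twitter user has supplied an email and the application
    has verified they control it. If an account with that email exists, move
    the temporary account's logins onto it and delete the temporary row;
    otherwise the temporary account simply becomes a complete one."""
    target = conn.execute("SELECT id FROM fos_user WHERE email = ?", (email,)).fetchone()
    if target is None or target[0] == temp_user_id:
        conn.execute("UPDATE fos_user SET email = ?, pending_email = 0 WHERE id = ?",
                     (email, temp_user_id))
        return temp_user_id
    conn.execute("UPDATE social_login SET user_id = ? WHERE user_id = ?",
                 (target[0], temp_user_id))
    conn.execute("DELETE FROM fos_user WHERE id = ?", (temp_user_id,))
    return target[0]


def providers_for(conn, user_id: int) -> List[str]:
    rows = conn.execute("SELECT provider FROM social_login WHERE user_id = ?", (user_id,))
    return sorted(r[0] for r in rows)
```

Two checks are worth keeping: a provider account already linked to a different user is refused rather than silently re-linked, and merge_temporary_account is only called after the application has confirmed the user controls the email address (for example through a confirmation link), otherwise anyone could merge their Twitter login into an existing account by typing its email.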
I have a very basic understanding of ASP.NET and I am trying to do the following. I have a home page that is set up to be a login page. If you could just picture a username and password box, that is the extent of that home page. Once the user is logged in they will go to a different page, let's say the account page. However, when the user clicks the logo at the top left-hand corner it takes them to the home page again, but it shows the username and password boxes again ready to be filled.
The user status at the top of my page still shows that the user is logged in. What I am trying to do is add a piece of code that will change the link of the logo to display the account page once they are logged in and not the login page.
I don't know if this can be done through the web.config file since I read a different article that has something similar to this or if this code can be put directly next to the code where my logo link (default.aspx) sits.
Many thanks in advance!
Research the Membership Provider.
It's an industry standard in ASP.NET session management. It will manage all of your pages and allow you to customize pages, menus, etc. based on roles and permissions. Don't reinvent the wheel if you have the opportunity to use it.
Straight from MSDN:
ASP.NET membership supports facilities for:
Creating new users and passwords.
Storing membership information (user names, passwords, and supporting data) in Microsoft SQL Server, Active Directory, or an alternative data store.
Authenticating users who visit your site. You can authenticate users programmatically, or you can use the ASP.NET login controls to create a complete authentication system that requires little or no code.
Managing passwords, which includes creating, changing, and resetting them. Depending on membership options you choose, the membership system can also provide an automated password-reset system that takes a user-supplied question and response.
Exposing a unique identification for authenticated users that you can use in your own applications and that also integrates with the ASP.NET personalization and role-management (authorization) systems.
Specifying a custom membership provider, which allows you to substitute your own code to manage membership and maintain membership data in a custom data store.
I have managed to get all the authentication parts working; however, I am confused about setting up registration.
By registration I mean that if the OpenID is not attached to an existing account, then a new account must be created.
Should I simply have it return to a registration page (with form fields for registration) and redirect to a different page if the user is registered?
Is there a way to set up a clean and simple registration flow without signing the user in first (formsauthentication.redirectfromloginpage) and then checking if they are new on every page?
Sorry if this is worded badly; like most other things I ask, it is difficult to explain!
Thanks
Ideally, no registration is required at all beyond simply an OpenID. Does your site require to know more than a user identifier to provide any functionality at all?
If your site can offer any services to users (even just informational) without asking for more than their identifier, which OpenID supplies, then don't have a registration page at all. This is by far the best for the users and will lower the barrier of entry to new users to your site. Then, when the user accesses a page that offers something that requires the user to give up more information about themselves, stick them with a registration page at that time.
If you must stick up a registration page for all new users, I suggest you do a check every time someone logs in with their OpenID. If you recognize the OpenID Claimed Identifier upon successful login, you just let them through... otherwise you create a database entry for them and redirect them to the registration form.
You can optimize the experience by using OpenID extensions such as Simple Registration or Attribute Exchange so that the user might get a pre-filled out registration form courtesy of the OpenID Provider, further streamlining the registration process.
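As an added example (not from the answer above, and not tied to any particular OpenID library), here are the two flows it describes: on a successful OpenID assertion the Claimed Identifier is looked up, a new user record is created and pre-filled from Simple Registration attributes, and either every new user is sent to the registration form or, in the lazy variant, only a page that needs more than the identifier redirects there. The page-to-required-fields map, the paths and the in-memory store are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import quote


@dataclass
class User:
    claimed_id: str                 # the OpenID Claimed Identifier, the account key
    nickname: Optional[str] = None
    email: Optional[str] = None


class UserStore:
    """In-memory stand-in for the database table keyed by claimed identifier."""

    def __init__(self) -> None:
        self._users: Dict[str, User] = {}

    def get(self, claimed_id: str) -> Optional[User]:
        return self._users.get(claimed_id)

    def create(self, user: User) -> User:
        self._users[user.claimed_id] = user
        return user


def on_openid_success(store: UserStore, claimed_id: str,
                      sreg: Optional[Dict[str, str]] = None,
                      require_registration: bool = False) -> Tuple[User, str]:
    """Runs after the OpenID library has verified the assertion; claimed_id
    must come from that verified response, never from a form field.
    Returns the user and where to send them next."""
    user = store.get(claimed_id)
    if user is not None:
        return user, "/"                       # recognised: straight through
    sreg = sreg or {}
    # New identifier: create the record now, pre-filled from Simple Registration
    # attributes (provider-asserted hints, not verified facts).
    user = store.create(User(claimed_id, sreg.get("nickname"), sreg.get("email")))
    return user, "/register" if require_registration else "/"


# Which profile fields each page needs beyond the identifier (assumption).
REQUIRED_FIELDS = {
    "/": (),
    "/feeds": (),
    "/comments": ("nickname",),
    "/billing": ("email",),
}


def route(store: UserStore, claimed_id: str, path: str) -> str:
    """Lazy registration: a page is served as-is unless it needs profile
    fields the user has not given yet, in which case the registration form is
    shown for exactly those fields and then returns to the requested page."""
    user = store.get(claimed_id)
    if user is None:
        return "/login"
    missing = [f for f in REQUIRED_FIELDS.get(path, ()) if getattr(user, f) is None]
    if not missing:
        return path
    return "/register?next=" + quote(path, safe="") + "&fields=" + ",".join(missing)


if __name__ == "__main__":
    store = UserStore()
    user, dest = on_openid_success(store, "https://alice.example/", {"nickname": "alice"})
    print(dest, user)                                          # "/" and the pre-filled record
    print(route(store, "https://alice.example/", "/feeds"))    # served directly
    print(route(store, "https://alice.example/", "/billing"))  # asks for email first
```

The record is created at first login in both variants, so the Claimed Identifier is the account key from the start and the registration form only fills in fields; the SReg values are used as pre-fill only, since the provider asserts them without the site having verified them.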