how to use addCredential() function while authenticating - symfony-1.4

I have a custom user table for managing users.
User:
  connection: doctrine
  tableName: user
  columns:
    user_login:
      type: string(50)
      notnull: true
      primary: true
    user_pass:
      type: string(100)
      notnull: true
After the user clicks login on the login form, the username and password are checked against the database. If they match, the user is set as authenticated with the line of code below:
$this->getUser()->setAuthenticated(true);
Now how would I set the credentials of the user using the following function, and is it necessary?
$this->getUser()->addCredential($WHAT ARE_THE_VALUES_THIS_ARRAY_SHOULD_CONTAINS);
What values should be in the argument of the above method? Please explain this in more detail.

It's up to you whether to use credentials or not. Credentials are just unique strings cached in the session.
$this->getUser()->addCredentials(array('admin', 'user', 'chief', 'asd'));
// or
$this->getUser()->addCredentials('admin', 'user', 'chief', 'asd');
For more examples look at the tests and/or the sfDoctrineGuardUser plugin.
You can use credentials to secure actions, but that's in the docs.
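As an added illustration of how those credential strings are consumed (this is not part of the question or the answer above): a module's security.yml declares which credentials an action requires, and symfony's security filter compares them with whatever addCredentials() put in the session. A user who has only been setAuthenticated(true) passes an is_secure check but not a credentials requirement, which is the reason to grant credentials at login if different users should see different actions. The module path and action names below are assumptions; the nesting rules for AND/OR are symfony 1.x's own.

```yaml
# apps/frontend/modules/user/config/security.yml  (path is an assumption)
deleteUser:
  is_secure: true
  credentials: admin             # requires the 'admin' credential
editUser:
  is_secure: true
  credentials: [admin, chief]    # requires 'admin' AND 'chief'
index:
  is_secure: true
  credentials: [[admin, user]]   # requires 'admin' OR 'user'
all:
  is_secure: false               # everything else stays public
```

In templates and actions the same strings are tested with $this->getUser()->hasCredential('admin'), so hiding a link in the view is never a substitute for the security.yml entry on the action itself.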

Related

Should firebase auth onCreate trigger have more data?

I'm using functions.auth.user().onCreate() as part of a firestore project, and trying to set up some default data when a new user registers. For the front end, I'm using firebase-ui, with Google and Email/Password providers enabled.
When I sign in with an email and password, the UI widget prompts to enter a name and set a password. I was expecting to see the name as part of the user parameter in the onCreate() function call, but I'm getting practically nothing:
user: { email: 'xxx@yyyy.co.uk',
  emailVerified: false,
  displayName: null,
  photoURL: null,
  phoneNumber: null,
  disabled: false,
  providerData: [],
  customClaims: {},
  passwordSalt: null,
  passwordHash: null,
  tokensValidAfterTime: null,
  metadata:
   UserRecordMetadata {
     creationTime: '2018-11-20T15:06:01Z',
     lastSignInTime: '2018-11-20T15:06:01Z' },
  uid: 'QDJ5OJTwbvNo2QNDVQV9VsxC2pz2',
  toJSON: [Function] }
I'm not even getting the provider info, which would let me tell which 'kind' of user registered. It's almost like this function is triggered before the user record has been populated (except that the email address does get through). Also, registrations via the Google provider come with a fully-populated user record, so I guess this is a problem with Email/Password specifically.
Is this a bug, or am I missing something? I didn't see anything else useful in the context parameter either.
The fact that displayName is not populated in the Cloud Functions onCreate trigger for email+password is expected. The function is triggered from the first API call (createUserWithEmailAndPassword()), while the display name is set with a second API call (updateProfile).
The usual workaround would be to create a Cloud Function to update the user profile, as shown here: Firebase Auth+Functions | create user with displayName
I also highly recommend filing a feature request to be able to have a Cloud Function triggered on profile changes.
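An added example, not from the question, the answer, or Firebase's own code: the handler logic for an auth.user().onCreate trigger written as pure functions over a UserRecord-shaped object (field names follow the record printed above), so the provider detection and the default document can be exercised without the Firebase SDK. It also builds the argument for the answer's workaround, creating the account server-side with the Admin SDK so the trigger already sees the display name. The validation rules, the collection name and the wiring in the trailing comment are this example's assumptions.

```javascript
'use strict';

function detectProvider(record) {
  const ids = (record.providerData || []).map((p) => p.providerId);
  if (ids.length > 0) return ids[0]; // e.g. 'google.com'
  // Email+password sign-ups reach the trigger with an empty providerData
  // array (the profile is filled in by a later updateProfile call), so the
  // presence of an email address is the only signal left.
  return record.email ? 'password' : 'unknown';
}

function buildDefaultProfile(record, now = new Date()) {
  return {
    uid: record.uid,
    email: record.email || null,
    // displayName is null here for password accounts and is later writable
    // by the client, so nothing security-relevant may depend on it.
    displayName: record.displayName || null,
    provider: detectProvider(record),
    // A snapshot only: gate features on the emailVerified token claim at
    // request time, not on this stored boolean.
    emailVerified: Boolean(record.emailVerified),
    role: 'member', // never derived from anything the client supplied
    createdAt: now.toISOString(),
  };
}

// The answer's workaround: create the account server-side so the trigger
// already sees the display name. This builds the argument object for
// admin.auth().createUser(); the validation rules are this example's own.
function buildCreateUserRequest({ email, password, displayName }) {
  if (typeof email !== 'string' || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    throw new Error('invalid email address');
  }
  if (typeof password !== 'string' || password.length < 8) {
    throw new Error('password must be at least 8 characters');
  }
  const request = { email, password, emailVerified: false, disabled: false };
  const name = typeof displayName === 'string' ? displayName.trim().slice(0, 100) : '';
  if (name) request.displayName = name;
  return request;
}

// Wiring (assumed deployment; needs firebase-functions and firebase-admin,
// which the functions above do not require):
//
//   const functions = require('firebase-functions');
//   const admin = require('firebase-admin');
//   admin.initializeApp();
//   exports.onUserCreate = functions.auth.user().onCreate((user) =>
//     admin.firestore().collection('profiles').doc(user.uid)
//       .set(buildDefaultProfile(user)));
//   exports.createAccount = functions.https.onCall((data) =>
//     admin.auth().createUser(buildCreateUserRequest(data))
//       .then((u) => ({ uid: u.uid })));

if (typeof module !== 'undefined') {
  module.exports = { detectProvider, buildDefaultProfile, buildCreateUserRequest };
}
```

Running buildDefaultProfile() over the record from the question yields provider 'password' with displayName null, which is the state the trigger actually sees; anything that needs the name has to read it later from the profile, not from the create event.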

Auto verify email address for autocreated users

I have a Meteor project where users need to confirm their email address before they can login.
When the Meteor.user collection is empty I create a default admin user:
Meteor.startup(function () {
  if (Meteor.users.find().count() === 0) {
    Accounts.createUser({
      username: 'admin',
      email: 'me@domain.com',
      password: 'admin',
      profile: {
        role: 'admin'
      }
    });
  }
});
Even though the user has been created automatically, the user still needs to verify their email address.
How can I automatically set verified to true for this user?
I have fixed it by using:
Meteor.users.update(user._id, {
  $set: {
    "emails.0.verified": true
  }
});
You need to update that user document to set emails[0].verified to true. That account will be verified but the accounts package will still send out an email asking the user to verify their email address.
Dude, you can add something like this, which searches for the username and sets the value according to the db schema you follow for verification:
Meteor.users.update({username: 'admin'}, {$set: {'emails.0.verified': true}});
Something similar is used to assign the admin property to a user in Allaning:Roles. Check that out for a better understanding.
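An added example, not the asker's or either answerer's code: the bootstrap admin is recognised as the very first account, its address is marked verified inside the Accounts.onCreateUser hook (which runs before the document is inserted, so no follow-up update is needed), and the initial password is taken from the environment instead of a literal in the source. The env variable names, the minimum length and the Meteor wiring at the end are this example's assumptions; the decision logic is in plain functions so it runs outside Meteor.

```javascript
'use strict';

const MIN_BOOTSTRAP_PASSWORD = 12; // assumption: local policy

// Called with the number of users that existed before this one.
function prepareNewUser(existingUserCount, options, user) {
  const isBootstrap = existingUserCount === 0;
  // Installing an onCreateUser hook replaces Meteor's default, which copies
  // options.profile into the document, so copy it here.
  user.profile = Object.assign({}, options.profile);
  if (isBootstrap) {
    user.emails = (user.emails || []).map((e) => Object.assign({}, e, { verified: true }));
    // Keep the role outside profile: users may edit their own profile by
    // default, so a role stored there could be self-granted later.
    user.roles = ['admin'];
  } else {
    delete user.roles; // self-registered accounts never start with a role
  }
  return user;
}

function bootstrapAdminOptions(env) {
  const password = env.ADMIN_INITIAL_PASSWORD;
  const email = env.ADMIN_EMAIL;
  if (!password || password.length < MIN_BOOTSTRAP_PASSWORD) {
    throw new Error('ADMIN_INITIAL_PASSWORD missing or shorter than ' + MIN_BOOTSTRAP_PASSWORD);
  }
  if (!email) throw new Error('ADMIN_EMAIL is not set');
  return { username: 'admin', email, password, profile: {} };
}

// Meteor wiring (assumption: server-side startup code); guarded so the
// functions above also run in plain Node.
if (typeof Meteor !== 'undefined' && typeof Accounts !== 'undefined' && Meteor.isServer) {
  Accounts.onCreateUser((options, user) =>
    prepareNewUser(Meteor.users.find().count(), options, user));
  Meteor.startup(() => {
    if (Meteor.users.find().count() === 0) {
      Accounts.createUser(bootstrapAdminOptions(process.env));
    }
  });
}

if (typeof module !== 'undefined') {
  module.exports = { prepareNewUser, bootstrapAdminOptions };
}
```

Because the hook sees the document before insertion, the count inside it is still 0 for the bootstrap account and 1 or more for everyone after it, which is what makes "first account" a safe trigger without any extra flag passed from the client.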

FR3DLdapBundle Login with email

I'm new to the LDAP concept and I have to make an integration with LDAP and FOSUserBundle.
I've installed both bundles, FOSUserBundle and FR3DLdapBundle; FOSUser is working but I'm missing something about LDAP login.
I need to log in with an email.
I have the following config: http://pastebin.com/USkJqtbD
I'm using this website for tests: http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
I'm using the email riemann@ldap.forumsys.com and the password "password".
But I get the following error:
[2015-05-18 16:36:58] ldap_driver.DEBUG: ldap_search(cn=read-only-admin,dc=example,dc=com, (&(objectClass=*)(uid=riemann@ldap.forumsys.com)), uid,mail) [] []
[2015-05-18 16:36:58] security.INFO: User riemann@ldap.forumsys.com not found on ldap [] []
Thank you in advance for your help.
With the FR3D LDAP bundle, the first attribute that you add in the attributes list is the one that it uses to search by.
In your config the first attribute is uid, so I would suspect that if you used the uid as the username then it would work properly. To sort it out you will just need to switch the order so that your mail attribute is first in the list:
fr3d_ldap:
    # ...
    user:
        # ...
        attributes: # Specify ldap attributes mapping [ldap attribute, user object method]
            - { ldap_attr: mail, user_method: setEmail } # Default
            - { ldap_attr: uid, user_method: setUsername }
You have to adapt the search query to find by email.
https://github.com/Maks3w/FR3DLdapBundle/blob/master/Resources/doc/index.md#4-configure-configyml
# app/config/config.yml
fr3d_ldap:
    driver:
        # Optional. sprintf format; %s will be the username.
        # 'mail' is the inetOrgPerson attribute that holds the address (there is no 'email' attribute)
        accountFilterFormat: (&(mail=%s))
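An added example, not FR3DLdapBundle's code: it shows what the accountFilterFormat above amounts to and the two checks a login lookup needs around it. The form value is escaped before it goes into the filter (RFC 4515 section 3), and the bind is refused unless the search returns exactly one entry, since a mail attribute is not guaranteed to be unique the way a uid usually is. Whether the bundle escapes the value itself is not something this page states, so check its source before relying on it. The directory entries and the tiny filter evaluator are constructed for the example.

```javascript
'use strict';

// RFC 4515 escaping: backslash, '*', '(', ')' and NUL become \XX, and
// non-ASCII characters are escaped byte by byte as UTF-8.
function escapeFilterValue(value) {
  let out = '';
  for (const byte of Buffer.from(String(value), 'utf8')) {
    const special = byte === 0x5c || byte === 0x2a || byte === 0x28 || byte === 0x29 || byte === 0x00;
    if (special || byte >= 0x80) {
      out += '\\' + byte.toString(16).padStart(2, '0');
    } else {
      out += String.fromCharCode(byte);
    }
  }
  return out;
}

// sprintf-style substitution of the login into the configured format. A
// function replacement is used so '$' sequences in the login are not
// interpreted by String.prototype.replace.
function buildAccountFilter(format, login) {
  const slots = (format.match(/%s/g) || []).length;
  if (slots !== 1) throw new Error('accountFilterFormat must contain exactly one %s');
  return format.replace('%s', () => escapeFilterValue(login));
}

// Constructed directory entries standing in for ldap_search() results.
const SAMPLE_ENTRIES = [
  { dn: 'uid=riemann,dc=example,dc=com', uid: 'riemann', mail: 'riemann@ldap.forumsys.com' },
  { dn: 'uid=gauss,dc=example,dc=com', uid: 'gauss', mail: 'gauss@ldap.forumsys.com' },
  { dn: 'uid=euler,dc=example,dc=com', uid: 'euler', mail: 'shared@example.com' },
  { dn: 'uid=euclid,dc=example,dc=com', uid: 'euclid', mail: 'shared@example.com' },
];

// Turn a filter value into a matcher over the UTF-8 bytes of an attribute:
// \XX escapes are literal bytes, an unescaped '*' is a wildcard.
function filterValueToRegex(escapedValue) {
  let pattern = '^';
  for (const tok of escapedValue.match(/\\[0-9a-fA-F]{2}|\*|[^\\*]+/g) || []) {
    if (tok === '*') pattern += '.*';
    else if (tok.startsWith('\\')) pattern += '\\x' + tok.slice(1).toLowerCase();
    else pattern += tok.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  }
  return new RegExp(pattern + '$');
}

// Minimal evaluator for the one filter shape used here: (&(attr=value)).
function searchEntries(entries, filter) {
  const m = /^\(&\((\w+)=(.*)\)\)$/.exec(filter);
  if (!m) throw new Error('unsupported filter: ' + filter);
  const rx = filterValueToRegex(m[2]);
  return entries.filter((e) =>
    typeof e[m[1]] === 'string' && rx.test(Buffer.from(e[m[1]], 'utf8').toString('latin1')));
}

// Resolve the login form value to the single DN to bind as.
function resolveBindDn(entries, format, login) {
  const hits = searchEntries(entries, buildAccountFilter(format, login));
  if (hits.length === 0) return null; // "User ... not found on ldap"
  if (hits.length > 1) throw new Error('ambiguous login: ' + hits.length + ' entries match');
  return hits[0].dn;
}

if (typeof module !== 'undefined') {
  module.exports = { escapeFilterValue, buildAccountFilter, searchEntries, resolveBindDn, SAMPLE_ENTRIES };
}
```

With the uid-based format from the question's log, the address riemann@ldap.forumsys.com matches nothing, which reproduces the "not found" line; with (&(mail=%s)) it resolves to one DN. A login of "*" becomes (&(mail=\2a)) and matches nothing, whereas the unescaped (&(mail=*)) would match every entry with an address, which is the filter-injection case the escaping exists for.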

Meteor Accounts-Entry how to prevent an extraSignupField from being stored to the database?

I'm using Meteor's accounts-entry package to handle the sign-in/sign-up action of my web app. To add a Confirm Password field to the sign-up form, this is what I've done (in CoffeeScript):
AccountsEntry.config
  logo: '/logo.png'
  homeRoute: 'main'
  dashboardRoute: 'main'
  profileRoute: '/profile'
  extraSignUpFields: [
      field: "confirmPassword"
      label: "Confirm Password"
      type: "password"
    ,
      field: "name"
      label: "Full Name"
      placeholder: "Full Name"
      type: "text"
      required: true
    ,
      field: "position"
      label: "Position"
      placeholder: "Developer"
      type: "text"
  ]
The problem with this approach is that it also saves the confirmPassword field to the database, so that when someone accesses the database > users collection, they can clearly see every user's password in the confirmPassword field, which is very bad.
I don't know how to fix this problem yet. I think there may be an attribute which decides whether a specific field should be stored in the database or not, but I haven't figured it out yet! (The accounts-entry package documentation seems not detailed enough to me, I have to say :( )
Can you guys help me with this problem? Thanks so much in advance!
The lack of a password confirmation field is a known issue with accounts-entry.
On the other hand, the publish function for the users collection should only publish the strictly necessary fields. By default, only username, emails and profile are published to the client.
Anyway, you should not store the confirmPassword in the database to begin with. To do that, hook into Accounts.onCreateUser and delete that field before returning the user object:
Accounts.onCreateUser(function (options, user) {
  // This hook replaces Meteor's default, which copies options.profile, so copy it here
  user.profile = options.profile || {};
  delete user.profile.confirmPassword;
  delete user.confirmPassword; // in case the field was put at the top level
  return user;
});
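An added example, not accounts-entry's code and not the answer's: instead of deleting one known bad key, the hook copies only allow-listed profile fields of the expected type, so confirmPassword, and any other key a modified client adds to the sign-up payload, never reaches the users collection. It assumes the extra fields arrive in options.profile, as in the answer's second variant; the field rules match the question's config and the length limit is this example's own. Note that Meteor sends the real password as a hash, while confirmPassword is an ordinary text field, so what was being stored was the cleartext password.

```javascript
'use strict';

// Allow-list of profile fields a new account may carry, keyed by name.
const PROFILE_FIELDS = {
  name: { type: 'string', required: true, maxLength: 100 },
  position: { type: 'string', required: false, maxLength: 100 },
};

function sanitizeProfile(rawProfile) {
  const source = rawProfile && typeof rawProfile === 'object' ? rawProfile : {};
  const clean = {};
  for (const [key, rule] of Object.entries(PROFILE_FIELDS)) {
    const value = source[key];
    if (value === undefined || value === '') {
      if (rule.required) throw new Error('missing required field: ' + key);
      continue;
    }
    if (typeof value !== rule.type) throw new Error('wrong type for field: ' + key);
    if (rule.type === 'string' && value.length > rule.maxLength) {
      throw new Error('field too long: ' + key);
    }
    clean[key] = rule.type === 'string' ? value.trim() : value;
  }
  return clean; // anything not listed above (confirmPassword included) is gone
}

// Keys that were submitted but are not in the schema; worth logging so a
// client that keeps sending confirmPassword, or an unexpected key such as
// isAdmin, is noticed.
function rejectedKeys(rawProfile) {
  return Object.keys(rawProfile || {}).filter((k) => !(k in PROFILE_FIELDS));
}

// Meteor wiring (assumption: server-side code); guarded so the functions
// above also run in plain Node.
if (typeof Accounts !== 'undefined') {
  Accounts.onCreateUser((options, user) => {
    user.profile = sanitizeProfile(options.profile);
    return user;
  });
}

if (typeof module !== 'undefined') {
  module.exports = { sanitizeProfile, rejectedKeys, PROFILE_FIELDS };
}
```

The password comparison itself stays a client-side convenience: by the time the request reaches the server the real password has already been hashed, so the server has nothing to compare the second field against and no reason to keep it.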

Meteor collection2 deny rules : grant full permissions to the server

I have a users collection with some deny update rules:
// The roles object
Schema.roles = new SimpleSchema({
  maker: {
    type: Boolean,
    denyUpdate: true
  },
  admin: {
    type: Boolean,
    denyUpdate: true
  }
});
Those data are in the user profile. And obviously, I don't want a random user to be able to modify profile.roles.admin. But the admin user should be able to.
It works partially: the user cannot modify this boolean. But it should be possible to modify it from the following server-side code.
Meteor.users.update({_id: targetID}, {$set: {'profile.roles.admin': true}});
Is there a way to tell collection2 to trust the code from the server ?
EDIT : the answer
Thanks to the answer below, here's the code I use now for my schema :
admin: {
  type: Boolean,
  autoValue: function() {
    // If the code is not from the server (isFromTrustedCode),
    // unset the update
    if (!this.isFromTrustedCode)
      this.unset();
  }
}
The isFromTrustedCode boolean tells whether the code should be trusted. Simple. By the way, the autoValue option receives a complete object describing the update (or insert, set or upsert) action. Here are the parameters:
  isSet: true
  unset: [Function]
  value: true
  operator: '$set'
  field: [Function]
  siblingField: [Function]
  isInsert: false
  isUpdate: true
  isUpsert: false
  userId: null
  isFromTrustedCode: true
So it is possible to have a really fine-grained management of the writing rights rules.
As provided in the official documentation, you can bypass validation using a simple option:
To skip validation, use the validate: false option when calling insert or update. On the client (untrusted code), this will skip only client-side validation. On the server (trusted code), it will skip all validation.
But if you want more fine-grained control, instead of using a denyUpdate, you can use a custom validation type which has a this context with a isFromTrustedCode property which is true when called on the server.
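An added example, not collection2's code and not the code in the question or answer: serverOnlyField() builds the schema entry the question settles on, where the value is dropped unless the write comes from trusted (server) code. The simulated autoValue context and the in-memory users collection are this example's own, shaped like the context listing above, so it runs without Meteor. grantAdmin() shows the check isFromTrustedCode does not make for you: it is true for every server-side write, including one a Meteor method performs on a client's behalf, so the method itself has to decide who may change a role.

```javascript
'use strict';

function serverOnlyField(type) {
  return {
    type,
    optional: true,
    autoValue() {
      // Only act on writes that touch the field; leave other writes alone.
      if (this.isSet && !this.isFromTrustedCode) this.unset();
    },
  };
}

const rolesSchema = {
  'profile.roles.maker': serverOnlyField(Boolean),
  'profile.roles.admin': serverOnlyField(Boolean),
};

// Run the schema's autoValue functions over a $set modifier the way the
// context listing above describes (simplified: operator is always $set).
function applyAutoValues(schema, modifier, ctx) {
  const set = Object.assign({}, modifier.$set);
  for (const [field, def] of Object.entries(schema)) {
    if (!(field in set)) continue;
    let removed = false;
    const thisArg = Object.assign({
      isSet: true, value: set[field], operator: '$set',
      isInsert: false, isUpdate: true, isUpsert: false,
      unset() { removed = true; },
    }, ctx);
    const ret = def.autoValue.call(thisArg);
    if (removed) delete set[field];
    else if (ret !== undefined) set[field] = ret;
  }
  return { $set: set };
}

// Stand-in for Meteor.users; the third update() argument carries the
// trust context that collection2 would derive from the call site itself.
class UsersCollection {
  constructor(docs) { this.docs = new Map(docs.map((d) => [d._id, d])); }
  findOne(id) { return this.docs.get(id); }
  update(id, modifier, ctx) {
    const doc = this.docs.get(id);
    if (!doc) return 0;
    const { $set } = applyAutoValues(rolesSchema, modifier, ctx);
    for (const [path, value] of Object.entries($set)) {
      const keys = path.split('.');
      let cur = doc;
      for (const k of keys.slice(0, -1)) cur = cur[k] = cur[k] || {};
      cur[keys[keys.length - 1]] = value;
    }
    return 1;
  }
}

// The authorization step that trusted code still owes: check the actor
// before granting a role, because the write itself will pass autoValue.
function grantAdmin(users, actorId, targetId) {
  const actor = users.findOne(actorId);
  const actorIsAdmin = Boolean(actor && actor.profile && actor.profile.roles && actor.profile.roles.admin);
  if (!actorIsAdmin) throw new Error('not authorized');
  return users.update(targetId, { $set: { 'profile.roles.admin': true } },
    { userId: actorId, isFromTrustedCode: true });
}

if (typeof module !== 'undefined') {
  module.exports = { serverOnlyField, rolesSchema, applyAutoValues, UsersCollection, grantAdmin };
}
```

A client write to profile.roles.admin is silently stripped while the rest of the modifier goes through, which is gentler than denyUpdate (the whole update is not rejected) but also means a client never learns its field was dropped; log rejected fields server-side if that matters.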
