I'm a new to Drupal but I just want to hack/customize the login function of Drupal 7, like hardcoding. As i have discovered that Drupal 7 login process is handling by user.module and its associated files.
I just wanna know which kinds of values or properties are returning or providing when a user logging/authentication process is done by providing just Username/Password.
The final properties it returns, to provide back to Drupal (along the whole authentication process) that I just noticed so far are:
{uid} of the attempted user
{rid} role id of the user
user email
user is blocked or not
then .. ?
The point is .. what other else?
Can i replace/modify the whole existing authentication process? (as i need)
For example, one of the default auth functions in user.module:
function user_authenticate($name, $password) {
..
return $uid;
}
For example, if i modify (hardcode) that function to connect to my other external database(s) and return {user id}, the Drupal will get one auth requirement {uid}. Then what other else to provide? User Role and .. etc etc ?
Like that .. what other functions and properties else should i touch and provide back to Drupal along the authentication process?
This is not an actual answer but I cannot post this as a comment.
Basically we do not hack core. So looking at the user.module's code will not help you very much than learning the hooks. For an example, It's difficult to get an idea about how to add some magic when a node is created by looking at the code of hook_nodeapi(). But if you check the docs and the return/input arguments, it's much easier to do the job.
I'd start by adding an extra submit handler to login form using hook_form_alter(). I have seen some other threads from you about your use case but unfortunately it's difficult to provide a sample code for you.. You can see how other modules implement extra authentication (e.g: http://bit.ly/LdRcm6). (See how Remember Me module adds a checkbox to login form and twitter module that allows twitter login).
Then, you can have Drupal to authenticate the user as normal, and your new custom functionality in addition the Drupal's authentication.
Drupal can even connect to external databases no matter if it's Drupal or not.
As you can see in many functions, they returns a Boolean value or sometimes, the user ID. user_load() is the function that loads a basic user object.
Remember it's modular. Some modules can include/remove/alter these values using hook_user_load(). user terms module and profile module is a perfect example here. It includes profile field information when other modules require user information.
A single user is not just a set of information. It can be modified during any part of the process. So do that. Use your module to provide information that your external site has.
{uid} of the attempted user
{rid} role id of the user
user email
user is blocked or not
user last login time.
user register date.
...
To see the entire object for your site, enter the following.
<pre>
<?php
$user_account = user_load (1);
print_r($user_account);
?>
</pre>
You can enter this code in a node create page where you have php filter used.
Without hardcoding, you can allow other modules to make use of these values. Even if your source database has no role ID, you can ive them a role ID, a user ID, and such.
Good luck!
Drupal is an extensible system. There is no need to do "hardcoding" in core modules like the "user" module. You should rather explore the hook system that allows extending the core (and also contributed) modules.
And in case you want to fetch user id's from a different database (I am not clear about this usecase), you can still use the roles, and other user data, from Drupal's database.
Related
I'd like to start a website that provides users with photos editing/storing experience. The initial idea is that the user has his own account where we store the edited photos and some settings. I'm am a WordPress web developer and when I try to consider how to build such a website in WordPress I don't really understand how to provide such a services without having access to user photos. My idea was to create a custom post type and save it with the user as an author. But as an admin of the website, I will have access to all the created/saved photos and I would like to build it in a way that I don't have it. Is it possible?
I've used previously the app to write a diary that saved the data to my Google Drive and if I understand correctly, it never had access to my files.
So my question is: what are the best practices to build such a resource? Is it normal to have access to all of your user photos if you provide such a platform?
In your case, as you will use WordPress and you are the developer you will always have access to the data of everything.
You will always have a way of knowing which data is from user or which data belongs to another user.
You have two options to do this, but this will take some development work:
1 - You must recreate the way WordPress works where the user is not related to an email and not private data that can relate to the user.
Example: You ask the user to register only that only asks for a hash that can be any word, number, or any other information and a second field would be the password.
With this in the backend you get this two information and do some kind of hash I'll give the example using md5 but do not use it.
After that join these two data and this will be the user.
and to login the user needs to repeat this information and will be within the platform. With this you will be able to maintain the anonymity of the user and will not know who the user is.
In this option you will have for each hash and password a different user :)
But I recommend not using wordpress if you choose this option. You can use a framework like CodeIgniter for example which is super simple.
2 - The second way would be to use the normal wp User, not worrying about who the user is and their information. But one way to keep photo information "anonymous" is to generate a unique hash with each user and have some way of relating the user to it.
Example: When uploading a file to edit it will generate a passkey, you must warn the user that when they want to edit this photo or view they will need to type it into an input. With this you will not know which information is from which user. but it requires extra work for the user
This way you will always have anonymity of user information. I hope I helped you somehow.
I'm trying to come up with a way to secure a set of Admin CRM pages that control a Meteor application I'm working on. There's just one codebase, with the server, customer facing website and admin facing website in one project.
I need a login page which can verify one username and password pair, and a simple way to check the status of the user on both the client and server side. I also need a way of the admin's authorization timing out if it hasn't been used for x minutes.
I've looked at the meteor accounts package and it's just way too much fluff for what I need. This website will only ever have one admin user, so there will only be one set of admin username and password to store. I don't want it stored in the database, rather loaded with a settings file on the server on application start. It doesn't need roles, emails, password reset functionality.
Any recommendations for a package or approach I could use to implement this?
I know you said that the accounts:password package seemed a little "overkill", but in reality it really isn't. What you are gaining there is pluggable UI (via accounts-ui and other packages that build off it). The approach I have taken is this (which happens to work well even for apps that do support multiple users, since ultimately you still need to bootstrap your start users).
First, I use a combination of accounts:password and alanning:roles. If you absolutely don't need the roles portion, you could probably get away without it, but in all my personal cases I have found it useful to have multiple levels of ACLs for the various users. We could get into a whole philosophical discussion on using roles/groups to lock down individual features, but that's sort of off topic for this discussion.
Next you need to boot-strap the user(s). Somewhere in your /server folder you will do something like:
if (Meteor.users.find({}).count() == 0) {
// No users created...create default users
Accounts.createUser({
username: 'myuser',
email: 'myuser#mydomain.com',
password: 'myp4ssw0rd!',
profile: { profileProp: 'propVal` }
});
// Add new user to whatever roles needed
}
There are some more things I usually do here, like checking to see if my roles exist, and if not, create them before I try to handle the users, but the key here is to do that when the server starts up.
Once you have your user(s) and role(s) created, it's a matter of checking/verifying the user/roles in your app. For menu items you can show/hide stuff based on whether the user is logged in and/or has a certain role, and you should also verify in your application routes that require ACLs, like your admin route. In addition, use the user id in all your publications as well to limit the data your users can see. Don't rely solely on hiding a menu option...security through obscurity just doesn't work.
Why do I suggest doing it this way? First off, it's really not THAT much code. You could literally do this in probably 20 lines, max, and have a full authentication setup. And the benefit of those lines of code greatly outweigh the 30min tops it would take you, as you will now have "real" user authentication in your app and have the ability to do things like OAuth if you ever decide to in the future. Most importantly, you unlock pre-build UI plugins that you don't have to code, built-in and add-on methods to help check ACLs, the ability to lock down data by user, and you don't have to try to implement your own solution.
I am working on a specific case where the user authentication is external from the Drupal site. The external site will authenticate the user and return the basic user related data to the Drupal system.
The catch here is that, we are not supposed to have any user data in the Drupal DB. I have checked the user_external_login_register() but it does not work since it saves the user data in the database. So can someone please direct me as to how this can be done.
Thanks so much in advance,
Vinay
user_external_login (http://api.drupal.org/api/function/user_external_login/6) is probably as close as you can get. It ignores the password stored in the drupal users table, so the passwords could be random data if needed.
You could also mash a bunch of data onto global $user to get some semblance of a normal login.
But, you'll only get so far in a drupal environment without storing user info in the database. Many basic operations call the user_load() function, which depends on useful information being available in the database.
For example, most user-based views ("My Groups", "My Recent Posts", etc) call user_load instead of accessing the global $user object.
My users access Drupal through SSO and everytime the server authorizes them, it returns a set of permissions (groups/roles), according to which I need to dynamically set the User's forum permissions.
So for example if a User logs in and the SSO says that he has enrolled in a course, I need to give him specific permissions for that course's forum.
Obviously I need a custom module for that, but it's a little hard to start.
I'm thinking of using the ACL module's API, but I can find any documentation or tutorial online. Is there any?
Is there a better way to get around this?
I'd appreciate any help :)
(note: I know there are modules with GUI that have similar functionality but I need to do it programmatically)
We just put something exactly like this into place - we used the Rules module (with the User logged in trigger), checking the LDAP groups that the user is enrolled in, and assigned the role accordingly.
Check out Forum Access. It can restrict users based on their roles.
You could have your roles be something like "CSC221 Student". If a user has this role, they will be able to access the CSC221 forum.
Create a hook_user function ( see http://api.drupal.org/api/function/hook_user ) in your module.
Then using http://drupal.org/project/permissions_api set the appropriate permissions on the user.
I'm working on a Drupal 6 module to provide OAuth-based user authentication and registration. I'm already using the OAuth module to authenticate as described on http://oauth.net/core/1.0a/#anchor9. The next step is to create the user account using information provided after authentication using an custom API of the Service Provider.
According to http://drupal.org/node/497612#comment-3047302, I should not use user_external_login_register() but see the OpenID module for how to properly login an external user.
After studying the OpenID module, here is what I plan to do:
Try to load an existing user for a authname build from the custom API result using user_external_load().
If a user exists, use user_external_login() to log the user in.
If not, pretend the registration form has been submitted (like openid_authentication() does) to create a new user account. And redirect to a pre-filled form if any additional information is needed in order for the user to register.
Is this the right way to do it ? Is there another module worth looking at for how to this properly in addition to OpenID ?
You could have a look at the former Drupal module. That module did two entirely different things (hooray for the architecture :)).
* It puplished information to a central "who runs Drupal" directory. (and offered a page to show such a directory yourself!)
* It allowed login with credentials from other Drupal-sites.
The latter is what you are looking for. Note that the module was discontinued, not because the method for logging in was done wrong, but because the DrupalID mechanism itself is flawed. It has been replaced with openID and oauth.
http://drupalcode.org/viewvc/drupal/drupal/modules/drupal/drupal.module?hideattic=0&view=markup
The hooks and methods you would be looking for (in that order) are:
drupal_form_alter -- Adds validate-callback to the login forms.
drupal_form_user_login_alter -- Adds information about alternative login on login form.
drupal_distributed_validate -- Validation callback: calls drupal_auth to see if the user is valid. If so, calls user_external_login_register
drupal_auth -- Helper for validation callback: determines if the credentials are valid.
All other functions are either helper functions for these, or provide that directory-feature, or allow remote sites to authenticate against our database. Neither of which you will be using.