Menu
▾
▴
Re: [phpesp-dev] preliminary patch: respondent landing page
|
From: Bishop B. <ph...@id...> - 2008-01-15 13:17:45
|
Hi Matthew, Quoting Matthew Gregg <mat...@gm...>: > Sounds good except for username,password uniqueness. Currently the way > users are assigned to multiple realms is that they will have 2 entries > with the same userid/password different realms(yes that is ugly, don't > blame me for that :-)). Yeah, the <username,realm>, instead of just <username>, uniqueness =20 issue really gets me. Is the purpose of the realm to host multiple different survey groups =20 with the same code base? That's my intuition, based on the code: the =20 division of css especially alludes to that. If so, can't we just enforce a <username, password, realm> uniqueness? =20 We could implement that transparently (to the user) by salting the =20 password with the realm. In fact, it would be quite easy to implement =20 as there's already that password_upgrade() function that all =20 authentication goes through -- we just hook into that. > Why not require that all the surveys on the landing page be in the same > realm as the user logging in? I can require that, certainly. But, I need to know which realm to use =20 in the first place. Does the user specify the realm from a drop-down =20 (like Windows domains)? Or is the realm part of the system =20 configuration (like Kerberos)? Neither one of those sounded good to me: one forces the user to make a =20 choice (bad), the other relies on an admin to do something right (less =20 bad, but still not optimal). We could just salt the password with the realm, making the <username, =20 password, realm> tuple unique and bingo, problem solved. > Does this patch build on the previous patches you've sent? I hope to > have time tomorrow to work on reviewing them. Unfortunately, yes. I'm doing all my patching to phpESP (that's =20 separate from client-specific coding) on a single branch, so I'm =20 building on the previous patches. In this case, there's some overlap =20 in support files. Let me know about the salt approach. bishop > On Mon, 2008-01-14 at 20:39 -0500, Bishop Bettini wrote: >> All, >> >> Attached is a preliminary patch to support a "landing page" for >> respondents. Here's how it works: If use_landing =3D true in >> configuration, then public/landing.php opens up. That pages shows a >> login box and any public surveys available in the system. >> >> A respondent enters their username and password, and if valid, goes to >> the landing page. The landing page has three sections. The first >> section lists the surveys the respondent can currently complete (based >> on the same availability logic found elsewhere in the app). The >> second section lists the surveys the respondent has had access to, but >> does no longer. For example, surveys that have moved to "done" >> status. The third section are "tools", where the respondent can >> change their password, change their profile, get help, or log out. >> >> I am not quite done with this. I need to test a little more, >> especially the LDAP part. If anyone already has an LDAP environment >> configured, I'd appreciate a test of this against your server. I also >> need to fill out the help pages. Any review you can provide would be >> appreciated. >> >> I hope to have this patch finished in the next 24 hours. >> >> Based on how the system is set up, there is one caveat to using the >> landing page: <username,password> tuples must be unique throughout the >> system. Currently, the database says <username,realm> is unique, so >> when entering a <username,password>, it's possible that the same >> username in two different realms has the same password, in which case, >> it's impossible to tell which user is which. Right now, if the system >> detects that case, the user is not allowed to log in. >> >> >> Thoughts? >> >> bishop >> >> ------------------------------------------------------------------------- >> Check out the new SourceForge.net Marketplace. >> It's the best place to buy or sell services for >> just about anything Open Source. >> http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketpl= ace >> _______________________________________________ phpESP-devel =20 >> mailing list php...@li... =20 >> https://lists.sourceforge.net/lists/listinfo/phpesp-devel > > > ------------------------------------------------------------------------- > Check out the new SourceForge.net Marketplace. > It's the best place to buy or sell services for > just about anything Open Source. > http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketpla= ce > _______________________________________________ > phpESP-devel mailing list > php...@li... > https://lists.sourceforge.net/lists/listinfo/phpesp-devel > --=20 Bishop Bettini ideacode, Inc. (main) +1 919 341 5170 / (fax) +1 919 521 4100 Visit us on the web at: ideacode.com Professional software research and development reviewmysoftware.com Improve sales! Review your software before you release bytejar.com Solutions to those annoying development problems |
