Re: [phpesp-dev] Proposed changes.

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Matthew Gregg wrote:
> I've fielded several problems lately on #phpESP relating to the
> mysql_populate.sql script.  It appears it is failing on mySQL vs 4 and
> above.
> The fix looks to be simply changing all:
> NOT NULL DEFAULT '',
> to:
> NOT NULL,
> 
> See bug #: 890830
> 
> I want to commit these changes to CVS, any commments?

That sounds good.  The only thing I'm worried about is changing the 
behavior.  I think most "NOT NULL DEFAULT ''" clauses are used on 
timestamps, and by doing so causes MySQL3.x to set the field to the time 
the row was inserted.  I think it should be pretty easy to retain this 
behavior ... but I want to be sure it will DTRT on both MySQL 3 & 4.

> Also, I've had a feature request tagged to me for a while to implement
> LDAP respondent accounts.  I have this implemented in a way that works
> for us(MUSC), but it's done in a way that would allow for other
> authentication methods to easily be used.  Instead of extending the
> account/authentication functionality inside ESP, I choose to implement
> the concept of a "valid URI" that a survey can be called from.  Then
> from Apache you can use any authentication method it supports(which is
> huge) to limit access to the Survey.
> 
> For example:
> - The directory .../phpESP/public/access-ldap/ exists
> 
> - The valid URI for a survey is access-ldap
> 
> - Apache is configure as:
> <Location /access-ldap/>
>   AuthName "(LDAP ID and Password)"
>   AuthType Basic
>   AuthLDAP  "some ldap config here"
>   require valid-user
> </Location>
> 
> - The survey is activated.
> 
> - It is accessed by the normal "/public/survey.php?name=blah" url and
> access is denied.
> 
> - It is accessed by the "secured" URL
> "/public/access-ldap/survey.php?name=blah", a "Basic Auth" login is
> prompted by Apache.  If the user has a valid account, they can access
> the survey.
> 
> Do you guys like this approach?  Hope I managed to explain it well
> enough.  If so, I'll clean it up and send out a patch that against CVS
> for testing.  If not, I'll keep it as a local extension.  I'll take no
> response as a "go a head and do it" (-:

Well, the easiest way to do this would be to add a new auth module for 
phpESP, "auth_apache".  That way anyone using the phpesp user db won't 
have to migrate, but anyone who wants to can plug in any apache auth 
module and be ready to go.  I imagine the "auth_apache" plugin would be 
pretty simple (for respondents).

Perhaps the phpESP auth plugin stuff needs to be split into respondent / 
designer though.  So that something like auth_respondent=apache_auth, 
auth_designer=phpesp would be possible.  What do you think?

-James