[Phplib-users] again auth.inc and forms phpnuke like
From: Matteo S. <sg...@sg...> - 2002-06-09 23:10:04
I'm writing again about managing authentication like "phpnuke":
- a login form is displayed only when the user is not authenticated
- the form is hidden if the user is authenticated
The Auth class was originally designed mainly by Massimiliano
Masserelli (aka negro) and its problem to solve was:
- If a page requires that a user is authenticated, phplib authenticates
the user. The automated state changes were implemented in order to
cover all the related problems.
Looking at Giancarlo Pinerolo's patch, I think that you (Giancarlo) have not
understood very well how the Auth class works. It is all so simple. There is
no reason to rewrite everything...
There is a method in the Auth class that was invented to do this.
From now on I'm referring to revision
$Id: auth.inc,v 1.7 2002/04/25 02:19:31 richardarcher Exp $
At line 289 are the declaration and comments of a method:
    ## This method can authenticate a user before the loginform
    ## is being displayed. If it does, it must set a valid uid
    ## (i.e. nobody IS NOT a valid uid) just like auth_validatelogin,
    ## else it shall return false.
    function auth_preauth() { return false; }
This method, well implemented, solves our problem in a clean and tidy way.
My approach is intended to solve this problem in a standard phplib
environment without patching anything, reusing the phplib structure.
Procedure to implement the form without the automatic auth procedure:
(the auth->nobody attribute is intended to be true to use this method)
- First:
We need to modify a line in auth.inc. I propose this change to the stable
cvs tree.
At line 65, substitute with:
    if ($this->is_authenticated() and $this->auth["uid"] != "nobody") {
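- Second:
In local.inc, override the method auth_preauth:
    class Trial_Auth extends Auth {
        ...
        ...
        ## Authenticate from submitted credentials before the login form
        ## is displayed; return a valid uid on success, false otherwise.
        function auth_preauth() {
            global $HTTP_POST_VARS, $HTTP_GET_VARS;
            ## Only act when both fields arrived, by POST or by GET.
            if ((isset($HTTP_POST_VARS["username"]) &&
                 isset($HTTP_POST_VARS["password"])) ||
                (isset($HTTP_GET_VARS["username"]) &&
                 isset($HTTP_GET_VARS["password"]))) {
                if ($uid = $this->auth_validatelogin()) {
                    $this->loginfail = false;
                    return $uid;
                } else {
                    $this->loginfail = true;
                    return false;
                }
            }
            ## No credentials submitted: not a login attempt.
            return false;
        }
        ...
        ...
    }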
- Third:
Use it. Make a page like the one I attached.
Summarizing how to use the auth features:
    if ($auth->loginfail) {
        ## check whether the login went successfully or not
    }
    if ($auth->is_authenticated() &&
        $auth->auth["uid"] != "nobody") {
        ## show the logoff link
    } else {
        ## show the form that posts/gets username and password
    }
EOF:)
This is my implementation.
Have Fun:)
Feedback is likely appreciated:)
Bye
Matteo
--
Matteo Sgalaberni | Web : http://www.sgala.com
-- | E-Mail : ma...@sg...
System and Application Engineer |
-------------------------------------------------------------------------------
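
The three page states the message describes (anonymous "nobody", failed login, authenticated), as an added example that is not part of the original message and is not PHPLIB code. Demo_Auth, render(), the sample user and the ?logout=1 link are assumptions made for illustration; Demo_Auth stands in for PHPLIB's Auth so the script runs on its own, and it reads credentials from POST data only so they do not end up in URLs and server logs.

```php
<?php
// Added example. Demo_Auth stands in for PHPLIB's Auth; it is not the real auth.inc.
class Demo_Auth {
    public $auth = array("uid" => "nobody");  // default identity, as with nobody = true
    public $loginfail = false;
    private $users;                            // username => password hash (constructed)
    function __construct(array $users) { $this->users = $users; }
    function is_authenticated() { return $this->auth["uid"]; }

    // Stand-in for auth_validatelogin(): returns a uid or false, never "nobody".
    function auth_validatelogin(array $post) {
        $name = $post["username"]; $pass = $post["password"];
        if (!is_string($name) || !is_string($pass)) return false;  // e.g. username[]=x
        if ($name === "nobody" || !isset($this->users[$name])) return false;
        return password_verify($pass, $this->users[$name]) ? $name : false;
    }

    // Same contract as auth_preauth() in the message, reading POST data only.
    function auth_preauth(array $post) {
        if (!isset($post["username"], $post["password"])) return false;
        $uid = $this->auth_validatelogin($post);
        $this->loginfail = ($uid === false);
        return $uid;
    }
    function start(array $post) {
        if (($uid = $this->auth_preauth($post)) !== false) $this->auth["uid"] = $uid;
    }
}

// Page body: error notice, then either the logoff link or the login form.
function render(Demo_Auth $auth) {
    $out = $auth->loginfail ? "<p>Login failed.</p>\n" : "";
    if ($auth->is_authenticated() && $auth->auth["uid"] != "nobody") {
        $who = htmlspecialchars($auth->auth["uid"], ENT_QUOTES);
        return $out . "<p>Logged in as $who. <a href=\"?logout=1\">logoff</a></p>\n";
    }
    return $out . "<form method=\"post\"><input name=\"username\">"
         . "<input type=\"password\" name=\"password\"><input type=\"submit\"></form>\n";
}

// Constructed requests ($_POST on a real page): anonymous, wrong password, correct password.
$users = array("alice" => password_hash("correct horse", PASSWORD_DEFAULT));
$requests = array(array(), array("username" => "alice", "password" => "wrong"),
                  array("username" => "alice", "password" => "correct horse"));
foreach ($requests as $post) {
    $auth = new Demo_Auth($users);
    $auth->start($post);
    echo render($auth);
}
```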