Re: [Phplib-users] again auth.inc and forms phpnuke like
From: Giancarlo P. <gia...@na...> - 2002-06-10 00:29:01
> Masserelli (aka negro) and its problem to solve was:
>
> - If a page requires that a user be authenticated, phplib auths it. And
> the automated state changes were implemented in order to cover
> all related problems.
>
> Looking at Giancarlo Pinerolo's patch, I think that you (Giancarlo) have not
> understood very well how the Auth class works. It is all so simple. There is
I know it by heart. It's broken, both in logic and in usability.
The problem is that when auth[uid] is 'form' it cannot be 'nobody' at
the same time. Why didn't we choose some other variable instead of
auth[uid] to hold that status?
Let me give you an example: you are on a non-nobody, non-authed (session
only) page; you visit a page that has full auth, and your auth[uid] is
then set to 'form'. From this moment on you can no longer access even
those pages that should be accessible to default_auth: case 3.
And don't tell me that the solution is to hit cancel_login. Maybe it's
better to use another status variable, eh?
>
> There is a method in Auth class that was invented to do this:
>
> From now on I'm referring to revision
>
> $Id: auth.inc,v 1.7 2002/04/25 02:19:31 richardarcher Exp $
>
> at line 289 the declaration and comments of a method
>
> ## This method can authenticate a user before the loginform
> ## is being displayed. If it does, it must set a valid uid
> ## (i.e. nobody IS NOT a valid uid) just like auth_validatelogin,
> ## else it shall return false.
>
> function auth_preauth() { return false; }
>
> This method, well implemented, solves our problem in a clean and tidy way.
Yeah, not the way the rest of start does!
> My approach is intended to solve this problem in a standard phplib
> environment without patching anything, and to reuse the phplib structure.
>
> Procedure to implement the form without automatic auth procedure:
> (the auth->nobody attribute is intended to be true to use this method)
>
> - First:
>
> We need to modify a line in auth.inc; I propose this change for the stable
> CVS tree.
>
> at line 65 substitute with:
> if ($this->is_authenticated() and $this->auth["uid"] != "nobody") {
>
> - Second:
>
> in local.inc override the method auth_preauth
>
> class Trial_Auth extends Auth {
> ...
> ...
>   function auth_preauth() {
>     global $HTTP_POST_VARS, $HTTP_GET_VARS;
>     // Only attempt a login when the form actually sent both fields
>     // (via POST or GET); otherwise fall through to the "nobody" state.
>     if ((isset($HTTP_POST_VARS["username"]) &&
>          isset($HTTP_POST_VARS["password"])) ||
>         (isset($HTTP_GET_VARS["username"]) &&
>          isset($HTTP_GET_VARS["password"]))) {
>
>       if ($uid = $this->auth_validatelogin()) {
auth_validatelogin already does all the above-mentioned checks, and returns
true/false. These are then useless.
>         $this->loginfail = false;   // the page reads this to decide what to show
>         return $uid;
>       } else {
>         $this->loginfail = true;
>         return false;
>       }
>     }
>     return false;   // no credentials submitted: same result as the stock method
>   }
> ...
> ...
> }
>
> - Third:
>
> Use it. Make a page like the one I attached.
>
> Summarizing how to use the auth features:
>
> if ($auth->loginfail) {
>   to check whether the login went successfully or not
> }
>
> if ($auth->is_authenticated() &&
>     $auth->auth["uid"] != "nobody"
>    ) {
>   show the logoff link
> } else {
>   show the form that posts/gets username and password
> }
>
> EOF:)
Gian
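As an added example (not code from this thread or from phplib itself), here is a complete local.inc-style subclass that implements the three steps quoted above in one place, together with the page that uses it. It assumes phplib's Auth base class from auth.inc with the line-65 change from step one applied, page_open()/page_close() from page.inc, Auth::logout() as the way to end a login, a Trial_Session class defined in local.inc as in the phplib examples, and PHP 4.1 or later for $_POST/$_GET. The user table, page name and passwords are constructed for the demonstration. Unlike the quoted auth_preauth() it accepts credentials only from a POST body: a username and password in a GET query string end up in server, proxy and Referer logs.

```php
<?php
// Added example, not code from this thread or from phplib itself.
// Assumes: phplib's Auth base class (auth.inc) with the line-65 change from
// step one applied, page_open()/page_close() from page.inc, Auth::logout(),
// and a Trial_Session class in local.inc as in the phplib examples.
// User table, page name and passwords are constructed for the demonstration.

// Constructed user store: username => crypt() hash. A real deployment reads
// the hashes from a database; it never keeps passwords in source.
function trial_user_table() {
    return array(
        "alice" => crypt("alice-demo-pass", '$1$demosalt$'),
    );
}

class Trial_Auth extends Auth {
    var $classname = "Trial_Auth";
    var $lifetime  = 15;      // minutes of inactivity before re-login
    var $nobody    = true;    // visitors without a login get uid "nobody"
    var $loginfail = false;   // read by the page to report a bad login

    // Contract from auth.inc: set $this->auth["uname"] and return a uid on
    // success (anything but "nobody"), or return false.
    function auth_validatelogin() {
        $this->auth["uname"] = "";
        if (!isset($_POST["username"]) || !isset($_POST["password"])) {
            return false;
        }
        $uname = (string) $_POST["username"];
        $pass  = (string) $_POST["password"];
        $table = trial_user_table();
        if (!isset($table[$uname])) {
            return false;
        }
        // crypt() with the stored hash as salt reproduces the hash iff the
        // password matches; strict comparison avoids PHP's loose string rules.
        if (crypt($pass, $table[$uname]) !== $table[$uname]) {
            return false;
        }
        $this->auth["uname"] = $uname;
        $this->auth["perm"]  = "user";
        return $uname;
    }

    // Called by Auth::start() before the login form would be shown. Only a
    // POSTed form triggers a login attempt; a plain visit falls through to
    // uid "nobody" and the page renders its own form, so the stock loginform
    // (and with it the uid "form" state) is never entered.
    function auth_preauth() {
        if (!isset($_POST["username"]) || !isset($_POST["password"])) {
            return false;
        }
        $uid = $this->auth_validatelogin();
        $this->loginfail = ($uid === false);
        return $uid;
    }
}

// --- page side (constructed page "trial.php") ---------------------------
page_open(array("sess" => "Trial_Session", "auth" => "Trial_Auth"));

if (isset($_GET["logout"])) {
    $auth->logout();   // drop the login; with $nobody = true we become "nobody"
}

$logged_in = $auth->is_authenticated() && $auth->auth["uid"] != "nobody";

if ($auth->loginfail) {
    echo "<p>Login failed.</p>";   // say nothing about which field was wrong
}

if ($logged_in) {
    echo "<p>Hello " . htmlspecialchars($auth->auth["uname"]) .
         ". <a href=\"trial.php?logout=1\">Log off</a></p>";
} else {
    // POST, never GET: credentials in a query string are logged everywhere.
    echo '<form method="post" action="trial.php">';
    echo 'User: <input type="text" name="username"> ';
    echo 'Password: <input type="password" name="password"> ';
    echo '<input type="submit" value="Login"></form>';
}

page_close();
?>
```

The page never calls the stock login form, so auth[uid] only ever holds "nobody" or a real uid; the loginfail flag is the page's only signal that a submitted form was rejected, and it is reset on every request because auth_preauth() assigns it unconditionally whenever credentials arrive.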