Re: [Phplib-users] Mixing Authenticated & unauthenticated Pages
From: Nathaniel P. <np...@te...> - 2003-08-18 21:48:20
----- Original Message -----
From: "T. Riedel" <Te...@Te...>
To: "'Nathaniel Price'" <np...@te...>; <php...@li...>
Sent: Monday, August 18, 2003 11:54 AM
Subject: RE: [Phplib-users] Mixing Authenticated & unauthenticated Pages

[snip]
> Perhaps I'm just a complete dolt, but the manual doesn't seem very clear to
> me. It makes it seem that you need to create an Auth subclass that and set
> $nobody to true. Just flipping the nobody flag to true in my MyCustomAuth
> doesn't seem right. When does the class force authentication and when does
> it just cruise along as nobody?

From the documentation:

|To use default authentication, create a subclass of My_Auth as shown above
|with the nobody flag set (Note: No need to extend in two steps. The only
|important thing here is that the nobody flag is set.)

In other words, you can just set the $nobody flag to true. Default auth forces authentication only when the value passed to login_if() evaluates to true. That means that on a page where you want default auth functioning and allow some content to be viewed by "nobody", you will need to provide a link on the page that sets a variable within PHP and pass that variable to login_if(), as per the documentation.

> The login_if() FORCES a login if you're nobody! So it's perfect if you want
> to force users to reauthenticate. In this case, I'm trying to avoid
> annoying requests to reauthenticate. If you've logged on once, and then
> decided to click a "no-permissions-required" script, I don't want the $auth
> object stomped by a $nobody=true version which will force the user to
> reauthenticate when he returns to a secured page. (did that make sense?)

It does, but you're confusing two things (which I think is in part due to a particularly confusing naming convention).

The $nobody flag merely tells Auth that we are in Default Authentication mode. In other words, if the user is not logged in, Auth will automatically log them in as "nobody". It doesn't mean that you're /always/ "nobody". It just tells Auth what to do if it can't authenticate normally. A logged-in user will retain their login even when visiting a default auth page.

There's also the $auth->auth['uid'] == "nobody" setting. /This/ is what the Auth class uses to determine if the user is "nobody", and it will be overwritten by the normal data for a logged-in user once they're logged in. Auth will never overwrite this data unless the user is logged out and then revisits a default auth page.

The example that I provided of using login_if($auth->auth['uid']=="nobody") was meant as an example of what you could do to simulate the behavior of a normal page (without default authentication) while in Default Authentication mode. In other words, a user that hasn't logged in, but is "authenticated" as "nobody", will always see a login screen. If this isn't what you want, then by all means, do something else. :)

> I guess what I really want to do is allow a user to have TWO instances of an
> Auth class - a "normal" version that requires login and a "nobody" auth
> class to browse unsecured pages. It seems rather strange, but from my
> confused point of view - it seems to make sense. ...probably just
> succumbing to the madness again....

As I said above, a single class will handle both types of uses... that's why default auth was created in the first place.

Anyway, I understand the confusion. PHPlib isn't the best documented project in the world (although it's a /lot/ better now than when I started out with it), or the easiest to understand, but once I figured out how it works I realized just how powerful/useful it is for doing what it does.

Also, I've found a flowchart that helped me wrap my head around the whole authentication process in PHPlib here:
<http://www.drostan.org/Application/webdev/uod/auth_phplib.php>

Hope that helps!

_________________________________
Nathaniel Price
Webmaster
<http://www.tesseract.net>
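
The session behaviour described in the message above, as a simplified model added here (it is not part of the original message and is not PHPlib's own code). `default_auth_page()` and the `$session` array are hypothetical stand-ins for a page using an Auth subclass with `$nobody = true` and for the stored `$auth->auth` data; the user name is constructed.

```php
<?php
// Added illustration: a simplified model of the behaviour described in this
// thread, NOT PHPlib source. default_auth_page() and $session are hypothetical;
// only login_if(), the $nobody flag and auth['uid'] come from the thread.

// Models one request to a page whose Auth subclass has $nobody = true.
// $session stands in for the per-user data where PHPlib keeps $auth->auth.
// $loginIf computes the value the page would pass to login_if().
function default_auth_page(array &$session, callable $loginIf): string
{
    // Not logged in: default auth logs the visitor in as "nobody".
    // An existing uid (a real login) is left untouched.
    if (!isset($session['uid'])) {
        $session['uid'] = 'nobody';
    }
    // login_if() forces authentication only when its argument is true.
    if ($loginIf($session['uid'])) {
        unset($session['uid']);
        return 'login form';
    }
    return 'content for ' . $session['uid'];
}

// Two page styles from the thread.
$never    = fn($uid) => false;              // public page, never forces a login
$ifNobody = fn($uid) => $uid === 'nobody';  // login_if($auth->auth['uid'] == "nobody")

$session = [];                               // constructed: a fresh visitor
echo default_auth_page($session, $never), "\n";     // browses as "nobody"
echo default_auth_page($session, $ifNobody), "\n";  // "nobody" is sent to the login form

$session['uid'] = 'alice';                   // constructed: login form submitted successfully
echo default_auth_page($session, $never), "\n";     // real login survives the public page
echo default_auth_page($session, $ifNobody), "\n";  // no re-authentication prompt

unset($session['uid']);                      // logout
echo default_auth_page($session, $never), "\n";     // falls back to "nobody" again
```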