Module: External Authentication
Posted by Joe Curia
Re: Module: External Authentication May 14, 2009 03:57PM
Registered: 19 years ago Posts: 340
Re: Module: External Authentication May 14, 2009 04:43PM
Registered: 15 years ago Posts: 18
Re: Module: External Authentication May 14, 2009 05:52PM
Registered: 15 years ago Posts: 18
Go figure, I am not even sure what all I changed, but it is working now.
Thank you Joe and David very much for your help on this matter.
I will be back very shortly to document what I did to make this work, Joe, so you can look closer and streamline it possibly for other users of the Moodle learning system. It is definitely a growing crowd since it is open source, like Phorum!
Go open source and people like yourselves that help move it along.
Re: Module: External Authentication May 15, 2009 01:52AM
Admin Registered: 20 years ago Posts: 8,532
How big of a security hole were you trying to create there?
Where did you get the idea that taking the username directly from the $_GET array would be a good path for transferring authentication to another application? Maybe I'm missing something here, but that piece of code that you pasted above on its own is lacking proper user session detection and is simply taking any username as its input.
Furthermore, the username and password seem to be transmitted by using query parameters. That means that these would be stored in the browser history. That's considered bad practice.
What needs to be in hook_user_session_restore.php is some code that replicates the session restore functionality of your main application. A part of session restore is that a check is done to see if the visitor provides an authentication credential (e.g. a cookie in the browser or some data that is stored in the PHP session). At first I thought you were transferring a credential in the form of the password query parameter, but that one is not used for checking the user. Instead, it is put in the database.
Think about it: what would happen if I called the Phorum directly using the query parameters username=admin and password=hacked?
Maurice Makaay
Phorum Development Team
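The kind of check Maurice is asking for, written out as an added example (not code from the External Authentication module or from anyone in this thread): the session restore hook verifies a signed, expiring credential that the main application placed in a cookie, and never reads the username from the query string. Assumed names: the cookie name `mainapp_auth`, the shared secret constant, and the Phorum 5.2 user API function `phorum_api_user_get_by_username()`.

```php
<?php
// Added example, not the module's own hook_user_session_restore.php.
// Assumption: the main application sets cookie "mainapp_auth" to
// base64("username|expiry|hmac"), where hmac = HMAC-SHA256 over
// "username|expiry" with a secret shared with this Phorum install.
define('MAINAPP_SESSION_SECRET', 'replace-with-a-long-random-shared-secret');

// Returns the username carried by a valid cookie, or false on any failure.
function mainapp_verify_session_cookie($cookie, $now, $secret)
{
    $decoded = base64_decode($cookie, true);
    if ($decoded === false) return false;
    $parts = explode('|', $decoded);
    if (count($parts) !== 3) return false;
    list($username, $expires, $mac) = $parts;
    // Reject expired credentials so a leaked cookie is not valid forever.
    if (!ctype_digit($expires) || (int)$expires < $now) return false;
    // Recompute the MAC; a constant-time compare avoids timing leaks.
    $expected = hash_hmac('sha256', $username . '|' . $expires, $secret);
    if (!hash_equals($expected, $mac)) return false;
    return $username;
}

// Session restore entry point (assumed contract: receives the user_id Phorum
// found on its own, returns the user_id to use, or false for anonymous).
// Note what is NOT done here: $_GET['username'] is never consulted, because
// that would let any visitor pick the account they want to be logged in as.
function mainapp_restore_phorum_session($user_id)
{
    if (empty($_COOKIE['mainapp_auth'])) return false;
    $username = mainapp_verify_session_cookie(
        $_COOKIE['mainapp_auth'], time(), MAINAPP_SESSION_SECRET
    );
    if ($username === false) return false;
    // Assumed Phorum 5.2 user API: returns the user record or NULL.
    $user = phorum_api_user_get_by_username($username);
    return $user ? (int) $user['user_id'] : false;
}
```

The main application must issue the cookie with the same secret and a short expiry; if it already keeps its own PHP session on the same host, checking that session in place of the cookie is the equivalent step.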
Re: Module: External Authentication May 19, 2009 12:35PM
Registered: 18 years ago Posts: 5
Firstly, great work Joe. I'm in the middle of using this module to integrate Symfony users with Phorum, and have got user accounts being created without any problems whatsoever.
One thing I can't see in the documentation though - is there a way to change Phorum's control center so the password and email address cannot be changed? I want to force all updates to be done in the main site's control panel, which I feel makes sense.
If not, how have you handled this on sites you've created? By synchronising the data back to the parent system?
Thanks!
Re: Module: External Authentication May 19, 2009 01:47PM
Moderator Registered: 17 years ago Posts: 1,301
Peter, glad you found this module helpful. If you look at the Drupal plugin, you will see a hook_user_save.php file which gives an example of how I synchronize the user changes from Phorum back to Drupal. I will have to add that file to the base plugin as I see it was left out. If you have any questions, let me know.
If at all possible, please consider sharing your plugin with the rest of the Phorum community when you have finished it. Thanks!
Joe Curia (aka Azumandias)
Modules: Admin Mass Email, Admin Security Suite, Attachment Download Counter, Attachment Watermarks, Automatic Message Pruning, Automatic Time Zones, Check Modules for Upgrades, Custom Attachment Icons, Custom Language Database, Easy Color Scheme Manager, Enhanced Custom Profiles, External Authentication, Favorite Forums, Forum Lockdown, Forum Subscriptions, Google Calendar, Group Auto-Email, Highlighted Search Terms, Ignore Forums, Moderated User Group, Post Previews, Private Message Alerts, Self-Delete Posts Option, Threaded Tree View
Templates: Generic Integration, Simple Rounded, Tabbed Emerald
Re: Module: External Authentication May 20, 2009 04:32AM
Registered: 18 years ago Posts: 5
Quote
Joe Curia
If you look at the Drupal plugin, you will see a hook_user_save.php file which gives an example of how I synchronize the user changes from Phorum back to Drupal. I will have to add that file to the base plugin as I see it was left out. If you have any questions, let me know.
Thanks. What I was really after was a way (Phorum config setting?) to disable and hide these parts of the forum control panel. Having the ability to change details in two places is more confusing for a user, and doesn't give the same level of integration I was hoping to achieve. Is this possible? Eventually it would be nice to remove the control panel and use the API to build the control panel into my existing user area as an extra 'tab', so everything is managed from one location.
Quote
If at all possible, please consider sharing your plugin with the rest of the Phorum community when you have finished it. Thanks!
I certainly will once I'm convinced it's stable! I'm working on wrapping Phorum inside Symfony's template as well, as you've done with Drupal.
Re: Module: External Authentication May 20, 2009 06:37AM
Registered: 19 years ago Posts: 340
Re: Module: External Authentication May 20, 2009 08:02AM
Registered: 18 years ago Posts: 5
Quote
DavidVB
To hide the ability to change those settings you can edit the relevant cc.tpl template files. Theoretically, a user could directly link into the edit pages, but that would require someone with a fair amount of knowledge about how the phorum system works.
Indeed, but the fact it's still there and active if someone found it does leave this option open to abuse. Not that it should be a problem, but you never know!
Re: Module: External Authentication May 20, 2009 08:35AM
Moderator Registered: 17 years ago Posts: 1,301
Peter,
I would advise the template edits as David suggested, but go one step further. In the Drupal module, I check to see if the password has been changed in the user_save hook. You could modify this to replace any changes with the originals. With this two-fold approach, normal users will never see the password change option, and troublesome users will be stopped within the core function of Phorum. Any attempts to change the unchangeable through the Phorum user saving script will have to pass through your user_save hook first.
Joe Curia (aka Azumandias)
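The hook side of Joe's two-fold approach, as an added example (not the Drupal plugin's own hook_user_save.php): whatever the control center submits, the password and email address are reverted to the stored values before Phorum saves, so hiding the form fields in cc.tpl is backed by a server-side check. Assumed: the Phorum 5.2 user_save hook contract (the hook receives the user array about to be saved and returns it), `phorum_api_user_get()` for the stored record, and the placeholder module name `mainapp`.

```php
<?php
// Added example, not the Drupal plugin's hook_user_save.php.
// Assumption: Phorum 5.2 "user_save" hook semantics: the hook gets the
// user array that phorum_api_user_save() is about to store and returns it.

// Pure helper: strips fields that are owned by the main application.
function mainapp_strip_locked_fields($user, $stored)
{
    // The control center submits a new password in plain text for Phorum to
    // hash on save; removing the keys leaves the stored password untouched.
    unset($user['password'], $user['password_temp']);
    // The email address is managed in the main site's control panel only.
    if (isset($user['email']) && isset($stored['email'])
        && $user['email'] !== $stored['email']) {
        $user['email'] = $stored['email'];
    }
    return $user;
}

// Hook entry point; "mainapp" is a placeholder module name.
function phorum_mod_mainapp_user_save($user)
{
    // New accounts created by the external authentication sync still need
    // their initial password and email, so only existing users are locked.
    if (empty($user['user_id'])) return $user;
    // Assumed Phorum 5.2 user API: returns the stored record or NULL.
    $stored = phorum_api_user_get($user['user_id']);
    if (!$stored) return $user;
    return mainapp_strip_locked_fields($user, $stored);
}
```

If the external authentication sync itself pushes email changes from the main site through the same save path, it needs a way to mark those saves as trusted (for example a flag set only by the sync code) so the hook does not revert them too.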