PmWiki | Cookbook / XesAuthUserDbase

Summary:Stand-Alone version of AuthUserDbase

Version:0.2

Prerequisites:MySQL, AuthUser

Status:deprecated

Maintainer:XES

Categories:Security

Note

Deprecated recipe! The functions provided by this recipe have been updated and rolled back into the parent recipe AuthUserDbase

Questions answered by this recipe

How can I have users sign-on and maintain their own registration and password information, receive email validations, and have their information stored in a database?

Description

Stand-alone MySQL user authentication.

Other database recipes require the admin to either hand-edit entries, or more likely have a separate program or application from which PmWiki is sharing usernames and passwords. This recipe allows the use of MySQL as a stand-alone authentication system, where users can sign up, validate themselves by email, change their password or email address, and request lost password changes.

xes_authuser_dbase.php Δ

Notes

Important: Postgresql is currently NOT supported.

Supercedes and includes all functionality from AuthUserDbase. This is built directly with AuthUserDbase code. If you had AuthUserDbase running, see configuration below to make alterations.

Should support language packs -- mostly. The email validation system is not currently set up for language packs, but can be configured in config.php

Features

add user to database
email validation link to user
validate user
user may update their own password
user may

Installation

Requirements:
- MySQL (suggested table creation SQL in .php file and below)
- config.php changes as below
- edit Site.AuthUser
- sign-in forms (suggested forms below)
- language changes as needed

MySQL

You need a database available for this recipe. The examples given use the following table as described in SQL. Feel free to rename fields or use your own table, as appropriate, but keep in mind you will need to alter other configuration variables as needed.

Suggested SQL:

CREATE TABLE `pmwiki_users` (
  `id` int(11) NOT NULL auto_increment,
  `username` varchar(30) NOT NULL default '',
  `password` varchar(60) default NULL,
  `validatecode` varchar(60) default NULL,
  `signupdate` date default NULL,
  `email` varchar(60) default NULL,
  `validatefield` tinyint(1) default '0',
  PRIMARY KEY  (`id`),
  UNIQUE KEY `username` (`username`)
) ENGINE=MyISAM AUTO_INCREMENT=24 DEFAULT CHARSET=utf8

Note: using the "table prefix" "pmwiki_" is in following with what has become a mysql programming convention so that multiple programs in the same database don't step on each other's toes. You may see "moodle_", "phpbb_", and so on.

config.php

// Set up database settings before calling scripts
$AUDBaseDBase = array(
	  'host'      => 'localhost',
	  'db'        => 'pmwiki',
	  'user'      => 'pmwiki_dbase_user',
	  'password'  => 'myPmWikiP@ssW0rd'
);

// Must be before the xes_authuser_dbase.php call
$AUDBaseTable = array(
	  'user_table' => 'pmwiki_users',
	  'user_field' => 'username',
	  'email' => 'email',
	  'pw_field'   => 'password',
	  'validate_code' => 'validatecode',
	  'validate_field' => 'validatefield',
	  'date_joined' => 'signupdate',
);

// Must come before authuser.php call
include_once ('cookbook/xes_authuser_dbase.php');

// Must come before authuser.php call
$AuthUserFunctions = array('mysql' => 'AuthUserDatabase');

// Must come after the other items!
include_once('scripts/authuser.php');

Site.AuthUser changes

Edit Site.AuthUser and add the following line:

mysql: required for AuthUserDatabase

Forms

Create a sign-up page in Wiki, such as Main/Logins or Site/AccountManagement. You can split the forms out to multiple pages if desired, but the variables and hidden values below need to be assigned, and messages need to be included so that the user knows if their passwords matched, account was found, etc.

(:messages:)

(:title Account Management Page:)

(:if !authid:)
!!!User Login
(:input form {$PageUrl}:)
(:input hidden action login:)
||     Name:||(:input text authid:)    ||
|| Password:||(:input password authpw:) ||
|| ||(:input submit value="OK" class="inputbutton":) ||
(:input end:)

-----
(:div style='text-align:justify; float:left; valign:top; width:48%; padding-right:2%;padding-bottom:5px;':)
!!!New User Registration
(:input form method=post action={$PageUrl} :)
(:input hidden name=xes_AuthUser value=addnew:)
(:input hidden name=xes_returnUrl value={$PageUrl} :)

|| Username:||(:input text xes_username size=20:) ||
|| Password:||(:input password xes_password size=20:) ||
|| Repeat Password:||(:input password xes_dupepassword:) ||
|| Email:||(:input text name=xes_email value="email" size=20:) ||
|| ||(:input submit name=post value="New" accesskey=g:) ||
(:input end:)
(:divend:)
(:div style='text-align:justify; valign:top; float:left; width:48%; padding-right:2%;padding-bottom:5px;':)
!!! Change Password Request
An email with a new validation code will be sent to you.

(:input form method=post action={$PageUrl} :)
(:input hidden name=xes_AuthUser value=reregister:)
(:input hidden name=xes_returnUrl value={$PageUrl} :)

|| Username:||(:input text name=xes_username size=20:) ||
|| Email:||(:input text name=xes_email size=20:) ||
|| New Password:||(:input password xes_newpassword:)||
|| Repeat Password:||(:input password xes_dupepassword:)||
|| ||(:input submit name=post value="Change" accesskey=g:) ||

(:input end:)

(:divend:)
[[<<]]
----

(:ifend:)

(:if authid:)
You are authenticated as '''{$Author}'''.  [[{$FullName}?action=logout | Logout]]

!!!Update User Information
Change your email address and/or password.
(:input form method=post action={$PageUrl} :)
(:input hidden name=xes_AuthUser value=update:)
(:input hidden name=xes_returnUrl value={$PageUrl} :)

|| Username:||(:input text name=xes_username size=20:) ||
|| Current Password:||(:input text name=xes_oldpassword size=20:) ||
|| New Password:||(:input text name=xes_newpassword size=20:) (optional) ||
|| Repeat New Password:||(:input password xes_dupepassword:) ||
|| New Email:||(:input text name=xes_newemail size=20:) (optional) ||
|| ||(:input submit name=post value="Go" accesskey=g:) ||
(:input end:)

(:ifend:)

Language notes

If you're using the language packs, you have my apologies because I don't really know how they work :) The emails don't have this markup. See the source code for the English supplied for the distribution. To translate into your language you will need to define the following array variables in your language:

$xAUDBaseMsgs = array (
		"form_error" => "",
		"username_taken" => "",
		"email_taken" => "",
		"email_invalid" => "",
		"update_invalid" => "",
		"password_invalid" => "",
		"user_not_found" => "",
		"user_not_validated" => "",
		"addnew_loggedin" => "",
		"invalid_register_link" => "",
		"validation_error" => "",
		"password_mismatch" => "",
		"updates_done" => "",
		"email_subject" => "",
		"email_msg" => "",
		"email_sent" => "",
		"validation_done" => "" )
);

Technical Notes

If you need to hand-edit the MySQL database in case of user validation problems:

New user validation: delete the validation code and set the validate_field code to 1
User needs password change: md5sum is the default. Get an md5 checksum of the password, add to the password field, delete validation code, make sure the validate_field is set to 1
User emails: can be changed by hand in the database

Release Notes

0.1.2 2006-09-23

security fix. All users are urged to upgrade.

0.1.1 2006-09-23

changed definition of debug function

0.1 2006-09-20 Initial xes_authuser_dbase.php beta release

tested only with Triad form
postgresql support definitely broken
some mysql hacks need cleaning up!!
it miraculously works in any case
probably needs to be double-checked on security
nearly everything loops back to the original page, so everything on one page works best

To Do

Internationalization broken for email body -- needs fixing
Consider adding username to the validation link & query -- valcodes COULD be duped
Warn if using PGSQL that it's broken?
Eventually add in email notice regarding new user registration to admin option
Allow password length, username length, etc. validation
cleaner SQL and database transactioning?
administration for MySQL database
option to email admin when someone registers
admin "area" where admins can validate users, delete users, freeze accounts, etc.
IP logs, so that bad(!) users can be blocked by IP address?

Comments

Great recipe! First time I could actually make PmWiki talk to a mysql db. I'd been trying for a month, before you developed this. I had to force the code sometimes, tho. When the code says AUDBaseEncryption$type_of_encryption (sorry, can't remember the original code now =/), it wouldnt recognize it as being md5, so I had to change the variable manually to "md5". It worked tho. Also, can't make the email work, it doesnt send anything at all (it complained about some config in php_ini, but even if I force it into the xesAUD code, it doesnt work, any help on this?). Also, can you tell me how to redirect the usual authentication page to the one by this recipe? If I don't login before hitting Edit, I'm sent back to the old auth page. Update the documentation inside the php file! - 9 out of 10, good job! - Renato, Jan 26th, 2007

Thanks! The functionality in this recipe has been rolled back into its parent AuthUserDBase (see link below). It shouldn't matter which form you use for authentication. As for emails, if you can't send email using PHP's mail() function on that server, you won't be able to get the email validations working :/ If other PHP apps are sending email, then that shouldn't be the problem. Regardless, this recipe has been pushed back into the parent app, and also made somewhat more flexible & complicated (but still recognizably similar). If this works for you, you can certainly use it. If you need to upgrade in the future, you may need to look at AuthUserDBase -- this package won't be maintained anymore.
XES January 26, 2007, at 07:11 AM

Contributors

XES

XesAuthUserDbase