
UserAdmin-Talk

Summary: Talk Page for UserAdmin.
Maintainer: Eemeli Aro (UserAdmin-Profiles) and Peter Bowers (UserAdmin-Core & UserAdmin-AuthUser)

Please leave new comments at the top of the page (but below this line).


AuthUser page auth should be basis for admin privileges

Does useradmin require users to have superuser/ownership status in order to do user management? It seems in the current version you need "auth admin" status to manage users. But some sites may want to separate ownership from user management. For example, the university IT department might be the superuser/owner for the farm, but not want the workload or responsibility of managing users for every field (department). Since the AuthUser page is being updated, it makes more sense to me to let edit authorization for the AuthUser page determine who can do the user management tasks. After all, ultimately they are just a form-based way to edit the AuthUser page. - RandyB April 04, 2011, at 08:01 PM

Yes, you're right. At least for the authuser module, that should be the way "admin" status is determined. —Peter Bowers April 05, 2011, at 12:04 AM

Done as of the 2011-04-05 release. —Peter Bowers April 06, 2011, at 03:50 AM


Authentication-Lite

21-Jul-2010 DaveG: I'm looking to emulate some WordPress (and others, like Posterous) functionality in BlogIt, where an unauthenticated user subscribes to a blog-entry, and subsequently receives an email notification if other users comment.

The way this is implemented in WP is to combine the commenter email with a 'large' randomized string (let's call this the authstring), and use that set of parameters as a means to authenticate subsequent management of subscriptions. This way, the commenter does initially confirm the email address is active, and that they wish to receive email updates, but all subsequent management activities are performed using a link containing the email+authstring combination, and do not require the commenter to login.

This is not 100% secure, since in theory someone could guess the email+authstring combination, but is typically secure enough for this use-case, and reduces the burden on blog-commenters, since there is no password management -- simply retain the email containing the email+authstring combination.

Here's how I think the process works, and where I think UA might fit in:

  1. Commenter decides to subscribe to a blog-entry, and enters an email address (usually clicks a checkmark as well).
  2. UA: Generate a randomized authstring. (WP does a double md5 with a salt return md5(md5($this->settings['salt'] . $data));)
  3. UA: Store email address, and authentication-target.
    Somewhere an authentication-target url, or what is being subscribed/authenticated to, needs to be stored. Not sure if this should be UA, but I suspect this is going to be needed by other users of UA. Implication is that a user may have more than one entry.
  4. (UA): Store the authstring in a cookie.
    Possibly leave this to calling recipes, use some other ID, not authstring
  5. UA: Send out an email to the commenter. Email contains an 'approval url' which has parameters of email+authstring.
  6. User receives email, and clicks the approval link.
  7. UA: Regenerate an authstring based on email, and validate the url email+authstring parameters; set an approval timestamp (acts as an approved-flag). Forward user to the authentication-target.

Based on above, here's some functions that might be required:

  1. List of all authentication-targets for an email address.

Looking at the UA code, it seems much (possibly all) of this is already part of UA, although at the moment it seems like the password component is required.

Profiles with AuthUserDbase

I'm using AuthUserDbase but also interested in collecting profile info on users, whether through the database or in conjunction with a profile page approach. Any thoughts on how these might work together? I left a related message on AuthUserDbase-Talk.

~bb June 30, 2010

It will require an authstore module being written, but I would recommend holding off until the development process is complete for -authuser and -profiles -- otherwise any significant re-writes will be painful for you...

It may be that we're at the point with authuser-core that an sqlite or other dbase solution could be developed...

Conflict with Require Summary

This recipe has conflicts with RequireSummary. Because a summary is required to save a page, this action generates the following error message:

A summary is required.
Error creating account
Please contact site admin

Also, it's not clear to me if the web site needs to have email capabilities. I think it does, but I'm not sure. R D Jones July 02, 2011, at 05:53 PM


Page last modified on September 10, 2011, at 11:42 AM