I would like to secure some of my pages with a username and password, so that no-one can access those pages without logging in. Only Registered users can view those pages. And we also want to put registration form for users to enter his/her basic details. Once user registered his details will be saved in database and sent mail to admin.
Could you please suggest me any plugin, or suitable information for making this application?
Wordpress comes with a builtin user management feature. You can create Roles and then assign specific users to these roles. You can then use a plugin (there are several) to manage what those users can or cannot see. Here is one.
http://wordpress.org/extend/plugins/capa/
Related
I'm developing a application with raw PHP. But I have a problem that needs solution. I have two types of user in my application (e.g: Administrator & User).
For administrator, I have following files under "admin" folder,
Admin (Dashboard, Change password, Add User, Profile, User List etc.)
Also for user, I have following files under "account" folder
Account (My account, Change password, Edit Profile etc.)
I want, after login user can't access any files of "admin" folder. Now, after login I check the role first, if use then I redirect him/her to www.example.com/account/my-account.php but, when user hit the following url then he/she can easily access backend functionalities.
www.example.com/admin/dashboard.php, www.example.com/admin/change-password.php, www.example.com/admin/add-user.php, www.example.com/admin/profile.php, www.example.com/admin/user-list.php
Is there any way to close the "admin" folder entrance for user?
TIA
See according to your question you have to assign a role. Though I prefer php frameworks more than a core php but still you could do.
Say you have a form where user and admin shares the same login form for logging purpose.
And you want admin to access all route and restrict few route to the user.
So , the little bit of logic, while you create admin or user you need to assign role as well.
When admin logs in ,according to it, the sql query fetches role and he is routed according to it and same goes with user also.
Set session for user and admin role. And when you enter to target after login the session you have to restrict pages not to acces by user.
I need to add social login to a site that already has a user system that is very simple it only stores an email and a password and that's about it. I need to add facebook and twitter login options but I am facing a difficulty figuring out how to integrate that with the current system because it has an unique index at email so when a user tries to log in using a social account I first get their details and check if that email is already registered, if not then I register them automatically and then log them in and subsequent login requests find the email and log in the user automatically.
The problem comes when a user has been registered through the ordinary registration form, then I could create a fake social media account using a given email and could then log into a user's account on that site simply because they didn't have a social media account using that email.
I suppose I could add a column "regMethod" that would indicate which registration method was used and make that a complex unique key (email, regMethod) and have 0 be the native form, 1 facebook, 2 twitter and compare that when logging a user in but that seems rather hacky to me. Also if a single user uses all login methods for some reason the will have a number of accounts and not just a single account which is a problem.
I am pretty sure there must be a better solution to that problem and someone has overcome it already so I feel like I would be reinventing the wheel trying to solve it. How is this done in reality?
A simple possible solution to your problem I've been using for a site that allows different types of login (local or with a facebook account) was to seperate the user account data from the authentication data by having seperate tables for them.
First I had a table for the user data. You would then have two tables for possible authentcation, one LocalAuthentication containing anything related to you local authentication method like salt, password hashes etc. Then you will also have the table FacebookAuthentication and it only needs to contain a facebook access token. Both of these tables needs to reference the UserTable.
That way a single user could have multiple authentication to the same account.
just add facebook_id and twitter_id to your users table. Then
you'll have two choices :
Each social account is a new account (no merging), you just have to create and persist a new user object.
Once logged (classic way : login / pwd), you provide to users the ability to link their account with social accounts. In that case, you have to update your user table.
Dont forget to store the facebook_id or the twitter_id you'll get when the users uses the API.
In my company we have some technology restrictions. Currently I have a IIS server with PHP. IIS is configured to authenticate users over our Active Directory using NTLM.
I have installed WordPress on this server and am able to login on it using admin user (id=1), and any user is able to read articles and post comments anonymously.
"Thanks" to NTLM, I can retrieve users' login with $_SERVER['REMOTE_USER']. This way I can identify (in a plugin) users. But WP doesn't automatically logs them and identifies them.
What I need now is to control users permissions inside Wordpress. I need to attribute roles to them, define groups of people allowed to publish, post and edit without being allowed to publish, comment and register their login on their comments, and also users that are allowed only to read articles (guests) and users not allowed to read articles. Maybe I'll also need to attribute read access relating roles to categories, so that a given role is allowed to read articles from a category and not from another category.
Users are related to departments and have one charge (job title). Users are frequently moving over departments and changing charge. I need to use both to define some roles. I can develop a plugin to hook on some WP filter, retrieve their data and dynamically set their role.
To retrieve their department, charge and name, I could use LDAP. If not possible, I have a MSSQL database that also has their data. So, if I can't use LDAP, I'd need to make WordPress connect to MSSQL and query it.
It's unpractical to register tens of thousands of users in WordPress, and even more to request them to keep their passwords. I need WordPress to identify users and automatically add new ones to its wp_users table. I also need to be able to manually register a few users without requiring them to first enter the site. I then can manually manage users to WordPress roles.
I see 3 possible solutions here:
1) Use IIS's NTLM to authenticate users, and use $_SERVER['REMOTE_USER'] to retrieve their login and log them into WordPress. If they aren't yet registered on wp_users, that's done so. I then query MSSQL for their data. This seems to be the easiest solution.
2) Use IIS's NTLM to authenticate users, and use $_SERVER['REMOTE_USER'] to retrieve their login. Then retrieve their names from AD using LDAP, and provide these data to authenticate WordPress and handle wp_users. This is the most desired solution, but also the most complex.
3) Ignore NTLM and require users to manually provide their login and password to WordPress's login form, then authenticate them over LDAP and handle wp_users. Provided password is their AD one. HTTPS is already working and being forced inside backend. This is the least desired solution, because users are already used to be authenticated from NTLM and may not want or understand the login form (yes...).
Has anybody done that and could help me? Is there a plugin that solves this need, or some open source code I can use as basis to develop a plugin?
I'm building a website where users can pay for a certain service provided by the owner. It's not an online shop, though the payment process is pretty similar.
The problem I'm facing lies in the different 'login' options during this payment process. One can use a Facebook-account to log in, register for an account/login using his account OR choose to fill in personal info without registering.
I was thinking about a 'consumers' table (one time users without an account), a 'users' table for registered users, a 'facebook_accounts' table with the Facebook info, and a 'user_has_facebook_account' table for linking Facebook accounts to registered users based on a shared email address.
However, what if a user logs in using Facebook without having a registered account with a password... It's really giving me a headache.
Any suggestions how I would go about designing a database to support this?
I would create only one table with customers. There you can have a field with the Facebook user ID. If someone login with Facebook, you can create a new record for him (you have email address etc. from Facebook). Therefore, you can set an empty local password or require the user to set a password for your page.
You should probably be adding people that login with Facebook to the Users table and creating them a default password, as well as storing the OAuth information / keys.
Your "User" objects should be singular and just have a different method for how they became "Users" to simplify things
My client is insistent that there be a single page where both Joomla administrators and users can log in, as opposed to the default Joomla setup where these two groups log in in separate locations (/administrator for the admin). While the reasons for the client's insistence are besides the point, essentially it's a small group where only some users can do CMS type management of articles etc., but they don't want to have to go to separate pages, go figure.
Anyway, is there some sort of extension for this, or would I have to write an authentication plugin to handle? Could the controller for one type of login call the other login and pass through the same credentials, and if so how would that be put into code?
Actually admin users + normal users can log in in the front end (the normal page). Admin users can edit articles their, whereas normal users can't.
All other things (like creating categories etc.) needs to be done in the backend (/administrator/). I suppose you want the following scenario:
1) You log in at your.site.com
2) you click at a link to your.site.com/administrator/
3) and without retyping the password you are logged in into back-end.
As far as I know, a such extension (authentification plugin) does not yet exist. But it should be feasible. At both locations (frontend and backend) the same plugin will be used. So for passing the information that a user is logged in, you could try:
- whether the $_SESSION is the same
- if not, set a cookie with an random id, store this id in the database (together with username), and ask for such a cookie when checking login.
I wouldn't modify the existing login plugin, instead, write a new one with only this alternative login method. All published Authentification Plugins are ORed, i.e. as long as one of them allow to log in, everything is ok.
Tutorial: http://docs.joomla.org/Tutorial:Creating_an_Authentication_Plugin_for_Joomla_1.5