I am tasked with writing a relatively small and simple PHP web app which will use a small database. Authentication for this will be through randomly generated hex keys in the query string which are generated by an administration page and emailed to desired users.
This is all fine so far, but here's the catch:
For various political reasons, we are forced to make this app a Moodle module. I can use the Moodle database in MySQL, but I will be working with my own tables which do not interact with Moodle, and Moodle will not interact with my tables. I must also to use the Moodle database abstraction rather than direct PHP->MySQL access.
I do not want my users to know they are operating within Moodle. They shouldn't need to log in to Moodle to access my web app, and they probably won't have access to Moodle anyway. Those users who do have access to Moodle shouldn't see this web app in their list of Moodle functions.
I've thrown together a few small PHP pages, included some Moodle libs, and placed the code in the moodle/mods directory. Accessing the PHP pages on the server with the URLs directly result in a Moodle error, since I'm not accessing the module through proper channels. I get the "Incorrect access detected" error.
Is what I'm tasked to do even possible? If so, how is the best way to accomplish it? Do I need to write an authentication module and then an activity module? Is there any way to bypass all of Moodle's authentication and simply use the database abstraction without editing the core Moodle configuration files? (I know it's possible by modifying the Moodle code, but that is sadly not an option).
I have plenty of PHP experience, but I only have about 4 hours of Moodle experience and I'm getting nowhere fast.
It sounds to me that you might be trying to access the script while coming in from a host other than what poodle has specified in its config file. You could try dumping you http_host and noodles wwwroot to see if the line up. I'm less familiar with 2 than 1.9 but you might be able to define abort_after_config then include config then change the cfg wwwroot then define abort_after_config_cancel then include setup. Otherwise you could spoof the host otherwise you can delete the check in Tue lib/setup.pup file
Not sure quite what you are trying to achieve here but any of the following may work.
(1) If you have a stand-alone platform you want delivered within an LMS framework then you might offer a counter proposal of developing it in your preferred environment but wrapping it in LTI. Moodle can then deliver it via the External Tool plugin and you can get two-way communications between the two for authentication and tracking.
(2) Doing it in Moodle
Create an authentication with a login_hook and make sure this is is moved to the top of the authentication plugins list so that it is checked first before the others. Use the hook to process the hex key (as GET or POST parameter) or take you to an alternate process and return true (or create session). You could also use the 'alternative login page' in the authentication settings alongside this plugin hook. This should take of authentication.
If enrolment is not an issue then create your plugin as a local plugin (not mod) and use the above hook to redirect to this page after login. This gives you a bit more flexibility in the libraries you use and you can still use front-page enrolments if necessary as a workaround. If you really need enrolments, course roles, and gradebook then use a mod to leverage these. There is a single activity course format in the latest Moodle that gives you a format to run just your bespoke activity on its own.
Finally develop your own layout type in the theme for the local plugin if using that or for the course and incourse layouts if using courses so that you can control what of the standard Moodle navigation and structure you want.
If the plugin is sharing a Moodle already being used for other activities then you'll need to be sensitive to this. If you're just running your own thing then it will be much easier.
(3) Use Web Services to get what you want from Moodle in your own App.
Related
As you can probably tell, I am new to Magento2 and I am trying to figure out some of the basics. I'm a full-stack developer that is use to developing (frontend and backend) myself then using docker and finally hosting it on an AWS:S3/EC2 or AWS: Elastic Beanstalk. With that said, Magento seems like a completely different beast to conquer.
I have a family member who is wanting me to do some basic frontend stuff for their website (such as changing Navbar design and a potential home page overhaul later on), naturally wanting to help them out I agreed to have a look and see what I can do. I have access to their Magento 2 dashboard area and have been looking around with no sure luck thus far. I have researched online that Magento 2 allows for a "Page Builder" or a "WYSIWYG" type functionality. But I am unable to use these types of tools because my family member had the website built by a Magento 2 developer firm awhile back and everything is coded manually and could cause problems if using one of the above mentioned tools. Due to this I am trying to get access to their site directory so that I can go in and make the necessary changes and upload the files. But I am really struggling on how to access the codebase.
I have read that an admin needs to send me the code??? Or grant me access to the code or something along those lines? I do have the host, port, root, username, password, etc. for the live server but still having trouble.
Any help would be greatly appreciated.
You need to use ssh to access the server
ssh user#host -p port
After you get into the server, you should set up a git repository in the project root and push the code from the server to the repository, then clone the repo to your local environment.
From there on, it's the normal development flow. You can use a clean database with sample data or you can dump the db from the live env and use it on your local env, but this will require some changes in the db after the import.
Detailing all the steps required to do this task would take forever and would cover a lot of different issues/steps.
"I have read that an admin needs to send me the code???"
Not sure what you mean by this, but a Magento admin is just a user on the backend side of the website. He does not have access to any code.
A git repository admin(probably previous dev) could grant you access to the code repository, but this doesn't seem like an option.
I am taking over a community website that was built using Kentico (an ASP.NET-based CMS).
I have PHP/CodeIgniter code that could add interesting functionality to this Kentico website. For example, my PHP code allows for uploading and posting of user-generated material such as images, which the community can then comment on.
Since I'm unfamiliar with how Kentico works, I wonder if anyone knows if this functionality exists in it (as a module). If not, either this
would have to be coded in ASP.NET or
I could have a hybrid website using my PHP code, however authentication from the Kentico side would have to be passed the PHP side of the website.
Any suggestions on how to handle this situation?
You can store the authenticated session in the DB where both ASP and PHP have access
Look into the "User contributions module" - if you've got access to a new enough version of Kentico and the appropriate license then it will probably do exactly what you need it to.
Otherwise if you needed to do authentication from a seperate PHP app, I suppose you could write a simple web service in .Net and add it into the Kentico site. In the past I've used a .ashx generic handler to do this.
Maybe you could include a hidden iframe to the other site on each page and use postMessage in JavaScript to send a session ID between the sites.
I would probably try to keep everything all in one code base unless there was reason to break it out into a seperate module though - otherwise it just seems like a lot of extra work.
I'm developing a Wordpress plugin that requires API credentials for Facebook.
Ordinarily I'd advise the users of the plug-in to sign up for their own API keys and allow them to be entered as plug-in options, however this plug-in requires extended permissions. Which as I'm currently in the process of finding out are an absolute ball-ache to get, take up-to 7 businesses days to have reviewed and the reviewers don't actually read the requested instructions on how the application is being used.
Can I write a plugin that is basically a wrapper around my hosted version of the code, this way I can allow users of the plugin the benefits of the extended permissions without giving away my APP ID and APP SECRET
Thinking something like...
require_once("https://www.myplugin.com/FacebookPlugin.php");
Here's the obvious problem, this wouldn't work for hosted versions of Wordpress as they don't have access to plug-ins anyway and I believe it would require the owner to allow remote file inclusion, which is putting a lot of trust in me as the host of the remote file not to execute nasty scripts on their server.
So how do I offer the functionality of my plugin to other users?
I think this question is closely related to this question.
I do not think there's more you can do, except still having your separate server which can be triggered using HttpRequest::send from within the plugin, and ship encrypted Keys from there each time somebody is accessing your plugin.
Might be a performance-Killing approach, though, especially if your server is not that fast.
I've been working on a site (for my company) to allow selected data center users to remotely access a scheduling calendar and some pages offering information on the various servers they are coming to the site to access--on a separate site. Initially, I was under the impression that I'd be creating a database and registration page to add, authorize or track end users. My initial project coding has been a combination of HTML, PHP, CSS, and MySQL and Apache for the database side. Now I've been told that we will be using AD, tied into our company's official Active Directory, so that users can use the same IDs and passwords that they've already had approved by our company.
My question is (hopefully) simple. Is there a certain web programming language that I should use in creating the pages that works better with Active Directory than others?
If you are comfortable with PHP, you should be able to achieve the above no problem!
The beauty of PHP is that someone somewhere along the line had the same problem as you so chances are, there's an established solution already.
adLdap seems to be a good solution, a library that already does most of the hard work for you and all you'd need to do would be integrate it into your script!
See: http://adldap.sourceforge.net/wiki/doku.php?id=documentation_user_functions
Hopefully this can make it a little easier for you so you can concentrate on the other things like the actual functionality of the website itself.
There probably is some solution to this, whether it involves code running on just the wordpress installation or a combination of a wordpress installation and a master server I am not sure yet, but please remember not to have tunnel vision and consider any and all possible solutions:
The scenario is this: A WordPress plugin (plugin-A) that manages some sort of valuable data (something that the admin would not want stolen), lets say, lead data with user's name and email addresses, the plugin uses its own db tables.
Other than the obvious (which is the admin installing plugin-B, not knowing its malicious intent), what is to prevent another WordPress plugin (plugin-B) from accessing plugin-A data or hacking plugin-A files to circumvent security.
Trouble is, you'll be trying to protect the system from something that is running within it - the very nature of a WordPress plugin is that it has;
Database name, username and password, along with...
An active database connnection, with which it could easily query to find all tables and their structures, no matter how obscure
It is running inside the WordPress script, and has access to all globals, functions and classes
If the data you're working with is that sensitive, or you simply don't want to run the risk, don't allow plugins (at least not without checking the source code first).