I have my Wordpress install and MediaWiki sharing the same login information. Unfortunately, users need to log into both separately, but at least they use the same credentials.
What I would like to do is cause a successful login on the Wordpress blog to also cause a login for MediaWiki (ideally both directions). There are two ways this could happen:
Logging in causes a login on the other application (writes the cookie and creates the session in the DB)
Accessing an application checks for the cookie of the other and then automatically logs in.
Since the usernames are shared it seems like the latter should be pretty easy to do. Any tips would be great.
The primary problem you are going to run into is that you'll have two login forms, and two logout methods. What you need to do is pick one of the login forms as the default, and redirect the other one over to it.
I've been able to successfully integrate bbPress + MediaWiki + WordPress + WordPress MU, but I wrote a lot of custom code to do it.
I'm using the bbPress login page as the default (and .htaccess rewrite to /login/), and then I created my own MediaWiki authentication plugin (which looks a lot like the one you are using), except my plugin checks the WordPress/bbPress cookie for the login information and automatically logs the user in.
I created a customized /logout/ link that runs the bbPress logout, and also kills the MediaWiki cookies at the same time.
Then the last step was to redirect all of the other logout / login links for bbpress, mediawiki, etc, over to my consolidated one. I used .htaccess rewrites for this rather than mess with core code.
Still a work in progress, but it works fairly well.
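An added example, not code from the answer above and not the WordPress or bbPress cookie format: when a second application logs a user in automatically from a cookie set by the first, it should accept only a value it can verify with a shared secret, never a bare username. The token layout, `SSO_SECRET` and the function names are assumptions for illustration.

```php
<?php
// Added illustration: a shared-secret signed SSO token with the assumed
// layout "user|expiry|hmac". Not the WordPress/bbPress cookie format.

// Placeholder: both applications load the same long random secret.
const SSO_SECRET = 'replace-with-a-long-random-secret-shared-by-both-apps';

// Called by the application that owns the login form.
function sso_issue(string $user, int $ttl, ?int $now = null): string
{
    $expiry  = ($now ?? time()) + $ttl;
    $payload = rawurlencode($user) . '|' . $expiry;  // '|' in names is encoded
    return $payload . '|' . hash_hmac('sha256', $payload, SSO_SECRET);
}

// Called by the other application before it creates a local session.
// Returns the username if the token is authentic and unexpired, else null.
function sso_verify(string $token, ?int $now = null): ?string
{
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$user, $expiry, $mac] = $parts;
    if (!ctype_digit($expiry)) {
        return null;
    }
    $expected = hash_hmac('sha256', $user . '|' . $expiry, SSO_SECRET);
    if (!hash_equals($expected, $mac)) {  // constant-time comparison
        return null;
    }
    if ((int) $expiry < ($now ?? time())) {
        return null;
    }
    return rawurldecode($user);
}

// Constructed sample run with a fixed clock.
$now    = 1700000000;
$token  = sso_issue('alice', 3600, $now);
$forged = str_replace('alice', 'admin', $token);  // username swapped, MAC kept
var_dump(sso_verify($token, $now + 10));          // inside the lifetime
var_dump(sso_verify($token, $now + 7200));        // past the expiry
var_dump(sso_verify($forged, $now + 10));         // tampered payload
```

The token would be set as a `Secure`, `HttpOnly` cookie scoped to the parent domain both applications share, and the consolidated logout has to clear it along with each application's own cookies.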
You could consider some kind of single-sign-on software. I am unaware of any that are free and I've only ever used SiteMinder which is neither free nor good. Crowd may be better (but is again not free).
I've seen a setup going through Invision Power Board, using IpbWiki and a Wordpress integration mod. Mind you, it's expensive and excessive.
They both support OpenId now.
MediaWiki's extension
WordPress's plugin
There are probably other options for using OpenId, but I think that is the best solution available.
I have a Moodle(3.0) website and a WordPress blog (3.5.4). I need to implement SSO between these two.
Here is the basic idea why I want to do it:
Some of the courses in Moodle contain external content (load a page with resources in an iframe). At the bottom of the iframe page that is loaded, there is an embedded bbPress (forum plugin for WordPress).
I need the SSO so that when a user logs in to his Moodle account and chooses to view a certain resource, he is able to participate in the forum topic under the resource without needing to log in again.
I've read Authenticate Users From Moodle Into WordPress, and tried to configure External database Authentication Method in Moodle, but so far no luck.
I've found a WordPress plugin, Edwiser Bridge, but it does quite the opposite (integrates Moodle within WordPress), which is of no use in my particular case.
I would much appreciate any help I can get. Thanks
I ended up building an API, which makes the handshake between Moodle and Wordpress.
I've modified the moodle/login/index.php page and wp-login.php to send requests to the API when logging in.
Every time someone logs in to either platform, a request is sent to the API. It tries to log the user in programmatically and start a session cookie for the user (if the username and password match in the DB).
When a user is registered, the user data is stored in both databases (Moodle and WordPress).
NOTE: This is not exactly SSO, but it solved my problem and it's working.
I am taking over a community website that was built using Kentico (an ASP.NET-based CMS).
I have PHP/CodeIgniter code that could add interesting functionality to this Kentico website. For example, my PHP code allows for uploading and posting of user-generated material such as images, which the community can then comment on.
Since I'm unfamiliar with how Kentico works, I wonder if anyone knows if this functionality exists in it (as a module). If not, either this
would have to be coded in ASP.NET or
I could have a hybrid website using my PHP code; however, authentication from the Kentico side would have to be passed to the PHP side of the website.
Any suggestions on how to handle this situation?
You can store the authenticated session in the DB where both ASP and PHP have access
Look into the "User contributions module" - if you've got access to a new enough version of Kentico and the appropriate license then it will probably do exactly what you need it to.
Otherwise, if you needed to do authentication from a separate PHP app, I suppose you could write a simple web service in .NET and add it into the Kentico site. In the past I've used a .ashx generic handler to do this.
Maybe you could include a hidden iframe to the other site on each page and use postMessage in JavaScript to send a session ID between the sites.
I would probably try to keep everything in one code base unless there was a reason to break it out into a separate module, though; otherwise it just seems like a lot of extra work.
I'm developing a Wordpress plugin that requires API credentials for Facebook.
Ordinarily I'd advise the users of the plug-in to sign up for their own API keys and allow them to be entered as plug-in options; however, this plug-in requires extended permissions, which, as I'm currently in the process of finding out, are an absolute ball-ache to get, take up to 7 business days to have reviewed, and the reviewers don't actually read the requested instructions on how the application is being used.
Can I write a plugin that is basically a wrapper around my hosted version of the code? This way I can allow users of the plugin the benefits of the extended permissions without giving away my APP ID and APP SECRET.
Thinking something like...
require_once("https://www.myplugin.com/FacebookPlugin.php");
Here's the obvious problem, this wouldn't work for hosted versions of Wordpress as they don't have access to plug-ins anyway and I believe it would require the owner to allow remote file inclusion, which is putting a lot of trust in me as the host of the remote file not to execute nasty scripts on their server.
So how do I offer the functionality of my plugin to other users?
I think this question is closely related to this question.
I do not think there's more you can do, except still having your separate server which can be triggered using HttpRequest::send from within the plugin, and ship encrypted Keys from there each time somebody is accessing your plugin.
Might be a performance-Killing approach, though, especially if your server is not that fast.
thanks for reading! Here's what I'm up to.
I'm writing a WordPress plugin that makes use of the PHP SDK (latest version 3.1.1) that Facebook provides. My application is registered with Facebook as a website because it in fact acts like a website, even though it's embedded in WordPress.
This SDK comes with an example.php that is very straightforward and easy to understand. If I put this file on my server, it just works. I made sure that the certificate file and the SDK files are in the right place and accessible by the script.
However, if I do the exact same thing from within a WordPress plugin (from the admin page of the plugin), the Facebook backend won't return the user id but will always return 0 instead. The problem with FB returning 0 is pretty common, but the reasons for it seem to vary a lot.
I have to mention that this behavior wasn't always like this. It began just a few weeks ago. I'm suspecting that the FB backend somehow checks for indirect API calls and that calling it from within a WordPress plugin seems to violate FBs auth rules in some way (CSRF issue?). But I'm not sure.
Has anybody got a clue what's going on here?
Here's my guess:
Facebook will not be able to access the backend of your WordPress blog since it requires authentication. So the example.php code will not be visible to it from a WordPress admin panel.
When served raw on your server, there are no such access controls and Facebook is able to reach the page.
If this is the case, my suggestion would be to turn this into a non-admin plugin, perhaps by adding a rewrite rule using the WP_Rewrite class.
I am tasked with writing a relatively small and simple PHP web app which will use a small database. Authentication for this will be through randomly generated hex keys in the query string which are generated by an administration page and emailed to desired users.
This is all fine so far, but here's the catch:
For various political reasons, we are forced to make this app a Moodle module. I can use the Moodle database in MySQL, but I will be working with my own tables which do not interact with Moodle, and Moodle will not interact with my tables. I must also use the Moodle database abstraction rather than direct PHP->MySQL access.
I do not want my users to know they are operating within Moodle. They shouldn't need to log in to Moodle to access my web app, and they probably won't have access to Moodle anyway. Those users who do have access to Moodle shouldn't see this web app in their list of Moodle functions.
I've thrown together a few small PHP pages, included some Moodle libs, and placed the code in the moodle/mods directory. Accessing the PHP pages on the server with the URLs directly results in a Moodle error, since I'm not accessing the module through proper channels. I get the "Incorrect access detected" error.
Is what I'm tasked to do even possible? If so, how is the best way to accomplish it? Do I need to write an authentication module and then an activity module? Is there any way to bypass all of Moodle's authentication and simply use the database abstraction without editing the core Moodle configuration files? (I know it's possible by modifying the Moodle code, but that is sadly not an option).
I have plenty of PHP experience, but I only have about 4 hours of Moodle experience and I'm getting nowhere fast.
It sounds to me that you might be trying to access the script while coming in from a host other than what Moodle has specified in its config file. You could try dumping your http_host and Moodle's wwwroot to see if they line up. I'm less familiar with 2 than 1.9, but you might be able to define abort_after_config, then include config, then change the cfg wwwroot, then define abort_after_config_cancel, then include setup. Otherwise you could spoof the host; otherwise you can delete the check in the lib/setup.php file.
Not sure quite what you are trying to achieve here but any of the following may work.
(1) If you have a stand-alone platform you want delivered within an LMS framework then you might offer a counter proposal of developing it in your preferred environment but wrapping it in LTI. Moodle can then deliver it via the External Tool plugin and you can get two-way communications between the two for authentication and tracking.
(2) Doing it in Moodle
Create an authentication plugin with a login_hook and make sure this is moved to the top of the authentication plugins list so that it is checked first before the others. Use the hook to process the hex key (as a GET or POST parameter) or take you to an alternate process and return true (or create a session). You could also use the 'alternative login page' in the authentication settings alongside this plugin hook. This should take care of authentication.
If enrolment is not an issue then create your plugin as a local plugin (not mod) and use the above hook to redirect to this page after login. This gives you a bit more flexibility in the libraries you use and you can still use front-page enrolments if necessary as a workaround. If you really need enrolments, course roles, and gradebook then use a mod to leverage these. There is a single activity course format in the latest Moodle that gives you a format to run just your bespoke activity on its own.
Finally develop your own layout type in the theme for the local plugin if using that or for the course and incourse layouts if using courses so that you can control what of the standard Moodle navigation and structure you want.
If the plugin is sharing a Moodle already being used for other activities then you'll need to be sensitive to this. If you're just running your own thing then it will be much easier.
(3) Use Web Services to get what you want from Moodle in your own App.
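An added example, not code from the question or the answers above: one way to issue and check the emailed hex keys that the question describes and that option (2) processes in its login hook. The in-memory array stands in for a database table, and `issue_key` and `check_key` are hypothetical names.

```php
<?php
// Added illustration of emailed hex access keys. The array store stands in
// for a database table; all function and field names are hypothetical.

// Admin side: create a key for one recipient and record only its hash.
function issue_key(array &$store, string $email, int $ttl, ?int $now = null): string
{
    $key = bin2hex(random_bytes(32));        // 64 hex characters from the CSPRNG
    $store[hash('sha256', $key)] = [         // a leaked table reveals no usable key
        'email'   => $email,
        'expires' => ($now ?? time()) + $ttl,
    ];
    return $key;                             // goes into the emailed link
}

// Request side: returns the recipient's email, or null if the key is
// malformed, unknown or expired.
function check_key(array $store, string $key, ?int $now = null): ?string
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $key)) {
        return null;                         // reject anything that is not a key
    }
    $row = $store[hash('sha256', $key)] ?? null;  // lookup by digest, not raw key
    if ($row === null || $row['expires'] < ($now ?? time())) {
        return null;
    }
    return $row['email'];
}

// Constructed sample run with a fixed clock and a constructed address.
$store = [];
$now   = 1700000000;
$key   = issue_key($store, 'user@example.org', 86400, $now);
var_dump(check_key($store, $key, $now + 60));            // key as issued
var_dump(check_key($store, $key, $now + 2 * 86400));     // after the lifetime
var_dump(check_key($store, str_repeat('0', 64), $now));  // well-formed, never issued
var_dump(check_key($store, "' OR 1=1 --", $now));        // not a hex key at all
```

A key carried in the query string also ends up in server logs and `Referer` headers, so a short lifetime and exchanging the key for a session cookie on first use limit how long a leaked link stays valid.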