DX Auth 1.0.6 (Authentication library)

[eluser]port23user[/eluser]
After more investigation, I found out what my problem is but still don't know how to solve it. I found out that crypt() is returning an empty string (line 1169 of libraries/DX_Auth.php; it should say $new_pass = crypt($this->_encode($new_pass));). It does that only when there's no salt passed to the crypt function.

I found a similar issue at http://article.gmane.org/gmane.comp.apac...evel/13802 . Any ideas of what I can do to fix it?

[eluser]port23user[/eluser]
Okay, sorry for so many posts. I finally figured out what was wrong. I was using an older version of Suhosin on my server. This was a bug that was fixed in Suhosin 0.9.23 and newer. After I upgraded Suhosin on my server, everything worked great. Now I'm all ready to go!

[eluser]a&w[/eluser]
I was just looking over the code for inspiration/ideas, so forgive me if my comment is out of line (not having actually tested it).

There is an autologin feature. It looks to me like the autologin feature sidesteps some of the checks that the login feature does, banned users in particular.

In my library I reference some methods so the autologin and login both implement some of the same checks. It looks like the way dx auth is currently coded once a user is autologged in then any attempts to ban them would be ineffective. If you reworked the login/autologin to refer to some common 'checks' (ban/locked/whatever), then you'd be assured both were treated the same.

The snippets of code shown below share some similar behavior. But I notice that autologin does not appear to check banned, and does not trigger the event. I would think you could pull some of the similar checks out to another method for equal treatment by both login types (auto and normal).

Code:
function autologin()
{
    ...
        if ($result = $query->row())
            {
                // User verified, log them in
                $this->_set_session($result);
                // Renew users cookie to prevent it from expiring
                $this->_auto_cookie($auto);
                
                // Set last ip and last login
                $this->_set_last_ip_and_last_login($auto['user_id']);
                
                $result = TRUE;
            }
        }
    ...
}

function login($login, $password, $remember = TRUE)
{
    ...
            // Get user record
            $row = $query->row();

            // Check if user is banned or not
            if ($row->banned > 0)
            {
                // Set user as banned
                $this->_banned = TRUE;                    
                // Set ban reason
                $this->_ban_reason = $row->ban_reason;
            }
            // If it's not a banned user then try to login
            else
            {                    
                $password = $this->_encode($password);
                $stored_hash = $row->password;

                // Is password matched with hash in database ?
                if (crypt($password, $stored_hash) === $stored_hash)
                {
                    // Log in user
                    $this->_set_session($row);                                                
                    
                    if ($row->newpass)
                    {
                        // Clear any Reset Passwords
                        $this->ci->users->clear_newpass($row->id);
                    }
                    
                    if ($remember)
                    {
                        // Create auto login if user want to be remembered
                        $this->_create_autologin($row->id);
                    }                        
                    
                    // Set last ip and last login
                    $this->_set_last_ip_and_last_login($row->id);
                    // Clear login attempts
                    $this->_clear_login_attempts();
                    
                    // Trigger event
                    $this->ci->dx_auth_event->user_logged_in($row->id);

                    // Set return value
                    $result = TRUE;
                }
    ...
}

Again just an observation from the cheap seats.
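The refactor suggested above, as an added example that is not DX Auth's own code: both `login()` and `autologin()` call one `_account_may_sign_in()` method, so a ban applied after a "remember me" cookie was issued is enforced on the next automatic login. The in-memory user array, the `random_bytes()` remember-me key and the `hash('sha256', ...)` pre-hash are stand-ins for the library's database model, cookie/key pair and `_encode()`; only the `crypt($pw, $stored) === $stored` verification shape is taken from the snippet above.

```php
<?php
// Added example (not DX Auth code): one account-state check shared by
// login() and autologin(). The user store, pre-hash and remember-me key
// are stand-ins for the library's model, _encode() and autologin cookie.

class Auth_example
{
    private $users;          // constructed in-memory user table
    private $autologin_keys; // user_id => remember-me key (stand-in for the cookie/DB pair)
    public $ban_reason = '';

    public function __construct(array $users)
    {
        $this->users = $users;
        $this->autologin_keys = array();
    }

    // Stand-in for DX Auth's _encode(): the library pre-processes the password
    // before crypt(); a plain sha256 keeps this example self-contained.
    private function _encode($password)
    {
        return hash('sha256', $password);
    }

    // The single place where "may this account sign in at all?" is decided.
    // Both login paths call it, so the rules cannot drift apart.
    private function _account_may_sign_in(array $row)
    {
        if ($row['banned'] > 0) {
            $this->ban_reason = $row['ban_reason'];
            return false;
        }
        return true;
    }

    // Interactive login: password check, then the shared account-state check.
    public function login($username, $password, $remember = true)
    {
        if (!isset($this->users[$username])) {
            return false;
        }
        $row = $this->users[$username];
        $stored = $row['password'];
        if (crypt($this->_encode($password), $stored) !== $stored) {
            return false;
        }
        if (!$this->_account_may_sign_in($row)) {
            return false;
        }
        if ($remember) {
            $this->autologin_keys[$row['id']] = bin2hex(random_bytes(16));
        }
        return true;
    }

    // Cookie-based login: key check, then the *same* account-state check.
    public function autologin($user_id, $key)
    {
        if (!isset($this->autologin_keys[$user_id])
            || !hash_equals($this->autologin_keys[$user_id], $key)) {
            return false;
        }
        foreach ($this->users as $row) {
            if ($row['id'] === $user_id) {
                return $this->_account_may_sign_in($row);
            }
        }
        return false;
    }

    public function ban($username, $reason)
    {
        $this->users[$username]['banned'] = 1;
        $this->users[$username]['ban_reason'] = $reason;
    }

    public function autologin_key($user_id)
    {
        return $this->autologin_keys[$user_id];
    }
}

// Constructed user record: the stored hash is crypt() over the pre-hash, the
// same shape the library verifies with crypt($pw, $stored) === $stored.
$salt = '$2y$10$abcdefghijklmnopqrstuv'; // fixed salt for the demo only
$auth = new Auth_example(array(
    'alice' => array('id' => 1, 'banned' => 0, 'ban_reason' => '',
                     'password' => crypt(hash('sha256', 'correct horse'), $salt)),
));

var_dump($auth->login('alice', 'correct horse'));  // interactive login succeeds
$key = $auth->autologin_key(1);
var_dump($auth->autologin(1, $key));               // cookie login succeeds
$auth->ban('alice', 'spam');
var_dump($auth->autologin(1, $key));               // same cookie, now refused by the shared check
echo $auth->ban_reason, "\n";
```

With the check in one method, the event trigger and the lockout/attempt-counter logic from `login()` can be moved into the same place so the cookie path no longer skips them.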

[eluser]a&w[/eluser]
Another question/observation:

Code:
// Make cookie expired
set_cookie($this->ci->config->item('DX_autologin_cookie_name'),    '',    -1);

Why -1? That makes the expire time 0, which according to php manual indicates the cookie isn't deleted until the browser is closed. So wouldn't that leave the back button open to a security hole?

If you don't set the expire time then CI sets the expiration time in the past:
Code:
$expire = time() - 86500;

That seems better to prevent any back button issues.
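An added example, not CodeIgniter or DX Auth code, showing why `-1` does not delete the cookie: the expire mapping below is an assumption about how CI 1.x's `set_cookie()` helper treats its numeric argument (written from memory; compare it with your own `helpers/cookie_helper.php`), and the header builder only renders what the browser would receive.

```php
<?php
// Added example (not CodeIgniter or DX Auth code). ci_expire_to_timestamp()
// is an assumed reconstruction of the CI 1.x set_cookie() expire logic.

function ci_expire_to_timestamp($expire, $now)
{
    if (!is_numeric($expire)) {
        return $now - 86500;   // omitted / non-numeric: a timestamp in the past
    }
    if ($expire > 0) {
        return $now + $expire; // positive: seconds from now
    }
    return 0;                  // zero or negative: session cookie, no expires attribute
}

// The raw Set-Cookie line for a given expiry timestamp, as the browser sees it.
function set_cookie_header($name, $value, $timestamp)
{
    $h = $name . '=' . rawurlencode($value) . '; path=/';
    if ($timestamp !== 0) {
        $h .= '; expires=' . gmdate('D, d-M-Y H:i:s T', $timestamp);
    }
    return $h;
}

$now = 1232100423; // constructed "now" (a post timestamp from this thread)

// set_cookie(name, '', -1): no expires attribute, so the emptied cookie
// lives until the browser is closed.
echo set_cookie_header('autologin', '', ci_expire_to_timestamp(-1, $now)), "\n";

// set_cookie(name, '') with the expire argument left out: a date in the past,
// which the browser treats as an immediate delete.
echo set_cookie_header('autologin', '', ci_expire_to_timestamp('', $now)), "\n";
```

The first line printed carries no `expires=` attribute; the second carries one about a day before `$now`, which is the form that actually removes the cookie.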

[eluser]samseko[/eluser]
hi, nice auth library!

Just got a quick question: what do I need to add to a restricted page, so that only a certain user can access it?

I basically want to use the auth library to log in and edit blog content. And that it only allows my user account to do that.

Thanks for your help!

Sam.

[eluser]therendStudio[/eluser]
[quote author="samoil" date="1232100423"]hi, nice auth library!

just got a quick question.. what do i need to add to a restricted page, so that only a certain user can only access it?

I basically want to use the auth library to log in and edit blog content. And that it only allows my user account to do that.

Thanks for your help!

Sam.[/quote]

The quick and dirty way would be to just put:
Code:
if($this->dx_auth->get_username() != 'MyUsername')
      $this->dx_auth->deny_access('deny');

The right way for a simple case would be to allow yourself this uri and then
Code:
$this->dx_auth->check_uri_permissions();
The extended case for more general user control I believe is to make a separate moderator user role descending from regular user and assign it to yourself.
Code:
if(!$this->dx_auth->is_role(array('moderator')))
     $this->dx_auth->deny_access('deny');
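The role-check variant above placed where it covers a whole controller, as an added example that is not DX Auth or CodeIgniter code. The `is_role()`, `get_username()` and `deny_access()` names come from the replies in this thread; `Dx_auth_stub` is a stand-in for `$this->dx_auth` (the real library renders a deny page and stops, the stub throws) so the file runs on its own, and the `Blog_admin` controller and its sessions are constructed for the demo.

```php
<?php
// Added example (not DX Auth or CodeIgniter code): one gate in the
// constructor protects every action of the controller, not just the one
// method you remembered to check. Dx_auth_stub stands in for $this->dx_auth.

class Dx_auth_stub
{
    private $username;
    private $roles;

    public function __construct($username, array $roles)
    {
        $this->username = $username;
        $this->roles = $roles;
    }

    public function get_username()
    {
        return $this->username;
    }

    public function is_role(array $roles)
    {
        return count(array_intersect($roles, $this->roles)) > 0;
    }

    // The real library shows the deny page and halts; throwing lets the demo continue.
    public function deny_access($reason)
    {
        throw new RuntimeException('access denied: ' . $reason);
    }
}

class Blog_admin
{
    private $dx_auth;

    public function __construct(Dx_auth_stub $dx_auth)
    {
        $this->dx_auth = $dx_auth;
        // Gate the whole controller: edit(), delete(), publish() ... are all covered.
        // Replace the role test with get_username() != 'MyUsername' for the single-user variant.
        if (!$this->dx_auth->is_role(array('moderator'))) {
            $this->dx_auth->deny_access('deny');
        }
    }

    public function edit($post_id)
    {
        return 'editing post ' . (int) $post_id;
    }

    public function delete($post_id)
    {
        return 'deleting post ' . (int) $post_id;
    }
}

// Constructed sessions: a moderator and a plain user hitting the same action.
$outcomes = array();
foreach (array(
    'moderator'  => new Dx_auth_stub('sam', array('user', 'moderator')),
    'plain user' => new Dx_auth_stub('bob', array('user')),
) as $label => $session) {
    try {
        $ctl = new Blog_admin($session);
        $outcomes[$label] = $ctl->delete(7);
    } catch (RuntimeException $e) {
        $outcomes[$label] = $e->getMessage();
    }
}
print_r($outcomes);
```

Putting the check in the constructor means a new action added to the controller later is protected by default; a per-method check has to be remembered for each one.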

[eluser]Reza Valinezhad[/eluser]
there is a table and a model for profiles. is there anything else like a form for changing information?

[eluser]therendStudio[/eluser]
Reza Valinezhad:
[quote author="Reza Valinezhad" date="1232211031"]there is a table and a model for profiles. is there anything else like a form for changing information?[/quote]

As far as the eye can see, only these:
backend/users
backend/unactivated_users
backend/roles
backend/uri_permissions
backend/custom_permissions

The profiles table is user customizable so apparently no (simple) code could be made for editing it. You gotta make one yourself or use scaffolding.
----------------------
samoil:
Quote:The right way for a simple case would be to allow yourself this uri and then
Code:
$this->dx_auth->check_uri_permissions();
Please scratch that - one can only set uri permissions per role, so that leaves you with variants 1 and 3.

[eluser]Reza Valinezhad[/eluser]
[quote author="therendStudio" date="1232217302"]The profiles table is user customizable so apparently no (simple) code could be made for editing it. You gotta make one yourself or use scaffolding.[/quote]

Thanks for the reply, but I was thinking of sample code that I could change. Also I think the library needs some code so the user can change his email and password after registration.

[eluser]therendStudio[/eluser]
[quote author="Reza Valinezhad" date="1232224695"][quote author="therendStudio" date="1232217302"]The profiles table is user customizable so apparently no (simple) code could be made for editing it. You gotta make one yourself or use scaffolding.[/quote]

Thanks for the reply, but I was thinking of sample code that I could change. Also I think the library needs some code so the user can change his email and password after registration.[/quote]
That's what I meant - the back-end code's just a sample and it doesn't exemplify all the features of the lib. You're right though - there could be a sample profile page in the package but it's elementary to make one anyway.
If you have troubles with this you could ask if somebody has his own profile page already made (but beware it will be filled in with app specific code). It would probably contain both user and profile table info control code merged.
Also when changing password in your own code make sure to use the same encryption algorithm as in the lib:
Code:
$password= crypt($this->_encode($password)); //`this` being the library instance
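A change-password routine that keeps the stored hash in the form the library verifies (`crypt($pw, $stored) === $stored`), as an added example that is not DX Auth code. `prehash()` is a stand-in for the library's `_encode()` (its real transform is not shown in this thread), the user row is constructed in memory, and the explicit bcrypt salt is a choice made here: it avoids the empty-salt case that returned an empty string on the old Suhosin build mentioned earlier in the thread and that PHP 8 no longer accepts, while `crypt()` still reads the algorithm and salt back out of the stored hash, so the library's comparison is unaffected.

```php
<?php
// Added example (not DX Auth code): change a password while storing hashes
// in the shape the library verifies with crypt($pw, $stored) === $stored.
// prehash() stands in for DX_Auth::_encode(); the user row is constructed.

function prehash($password)
{
    return hash('sha256', $password);   // stand-in for the library's _encode()
}

// Explicit bcrypt salt: crypt() is never called with an empty salt, and the
// salt is embedded in the resulting hash, so verification needs no extra state.
function make_salt()
{
    return '$2y$10$' . substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
}

function hash_password($password)
{
    $hash = crypt(prehash($password), make_salt());
    if (strlen($hash) < 13) {           // crypt() reports failure with '' or a '*' marker
        throw new RuntimeException('crypt() failed; check CRYPT_BLOWFISH support');
    }
    return $hash;
}

function verify_password($password, $stored_hash)
{
    return hash_equals($stored_hash, crypt(prehash($password), $stored_hash));
}

// Re-verify the current password before replacing it, so an unattended open
// session is not enough to take over the account.
function change_password(array &$row, $current, $new)
{
    if (!verify_password($current, $row['password'])) {
        return false;
    }
    $row['password'] = hash_password($new);
    $row['newpass'] = null;             // clear any pending reset, as login() does
    return true;
}

$row = array('id' => 1, 'password' => hash_password('old secret'), 'newpass' => null);

var_dump(change_password($row, 'wrong guess', 'new secret'));  // current password wrong: refused
var_dump(change_password($row, 'old secret', 'new secret'));   // accepted, hash replaced
var_dump(verify_password('new secret', $row['password']));     // the new password verifies
var_dump(verify_password('old secret', $row['password']));     // the old one no longer does
```

`hash_equals()` is used for the comparison so that two hashes of different length or content are rejected in constant time; the library's `===` comparison is equivalent in outcome for valid hashes.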