Serendipity Forums

Hi All,
I've put together a sidebar login/logout plugin that I'd like to share and get some feedback on - in particular, from a security perspective.

Available here: http://www.pigslipstick.com/_product/se ... rlogin.zip

I'm doing this to more elegantly handle non-admin user's who don't need to see the admin backend, but have read permissions to certain non-public categories.

I've read quite a few posts dealing with login/logout and taken a slightly different approach (sort of...I think) whereby I POST serendipity[user] and serendipity[pass] to serendipity_admin.php in a hidden iframe in the sidebar panel.

For logout, I simply load serendipity_admin.php?serendipity[adminModule]=logout into the same iframe.

In both cases, I reload the window: window.location.href=serendipity_currentURL().

If there's a simpler way to manage a login from the front page, without having to direct the user to the backend first, I'm all ears, but as far as I can tell, there is no api that does this.

Speaking of which, I've read a little (only one post seems to exist) about the checkPermission hook, but can't get it to function/return anything. It would be nice, without having to setup a very long IF condition, as in:
to check for permissions after login to determine whether I should show the button that directs users to the Admin backend. Only a very few users will need access to the Admin backend in my case, so would prefer not to even show the button under normal circumstances. Any thoughts on this?




Thanks in advance,
Adam

Hi!

Is there a special reason why you do not use the serendipity_plugin_loginform + serendipity_event_loginform plugins (available on spartacus)? Those can login a user without redirecting anything to serendipity_admin.php...

Speaking of which, I've read a little (only one post seems to exist) about the checkPermission hook, but can't get it to function/return anything. It would be nice, without having to setup a very long IF condition, as in:

It returns true/false depending on the privilege you want to check. Which privilege exactly do you want to check?

HTH,
Garvin

garvinhicking wrote:Hi!

Is there a special reason why you do not use the serendipity_plugin_loginform + serendipity_event_loginform plugins (available on spartacus)?

Heh heh, probably because I didn't realize they were there, despite a valiant hunt and many searches through the forum

I think I'll go with the existing plugin(s), the methodology is much more sound.

At least I can say that I learned a lot in the process of the experiment.

Adam

That's a pretty impressive accomplishment, there. I hope to see more from you in the future!

judebert wrote:That's a pretty impressive accomplishment, there. I hope to see more from you in the future!

Thanks judebert - much appreciated!

Given the investment, it was hard to walk away from the project, so I dug deeper and re-worked my login/logout plugin. I can't really see making two plugins that serve the same purpose available on spartacus, but I'll release it if you guys want to commit it (pending a little code cleanup).

The new and improved version uses the login/logout methodology from Garvin's sidebar plugin (serendipity_plugin_loginform) and actively uses the event plugin (serendipity_event_loginform), so is dependent on _event_loginform and replaces _plugin_loginform, and no longer uses the hidden iframe in my first rev to pass in the credentials on login and execution of logout.

In addition, in rev 2, I'm creating a table on-install to stuff login data into (tracking login_name, success/failure, IP, etc), and an admin option to view and purge the log data. I don't doubt that a plugin already exists which tracks login data, but didn't notice it in a cursory search on spartacus.

This was really just a big learning experience - I'll use my plugin just because it's my baby, and they're both (the iframe version, and the API version) available at www.PigsLipstick.com , but won't be offended it if goes no further than my own site

Here are a couple of screen caps of Rev 2:



Adam

If yours is more configurable (and it sounds like it is) or it provides additional features (like a log viewable in the admin screen), we'd probably like to commit it to the repository. It sounds to me like a drop-in replacement for the existing plugin.

judebert wrote:If yours is more configurable (and it sounds like it is) or it provides additional features (like a log viewable in the admin screen), we'd probably like to commit it to the repository. It sounds to me like a drop-in replacement for the existing plugin.

Thanks Judebert - I've cleaned up my plugin, updated the credits as a substantial bit of my material came directly from the existing _loginform plugins, variablized the admin login log for localization, and incorporated the bit that allows the admin to define the redirect on logout.

One major change in what I've versioned "2.0.x" is that it no longer depends on the serendipity_event_loginform (hence the incorporation of the definable redirect). The reason I removed this dependency and rolled the functionality into my event plugin directly was for the complication which arose if one was to remove the serendipity_event_loginform plugin accidentally. Long story short - it just makes more sense to self-contain everything into a single package.

It's available at http://www.pigslipstick.com/_product/se ... rlogin.zip - the event and sidebar plugin live together in the same directory which appears to be acceptable.

Thanks!
Adam