
password log on, editor log on, etc

I'm trying to upgrade a site to use the log-on features of the program. Both for editors, and for users to modify their additions. I've never paid much attention to all this, since I wasn't using it on any sites, and know it will be much improved in the next version. But I need to make something work now.

1) users don't need to be registered to add links. (potential problem, I know).

2) users need to be registered, and have added their link as a registered user to make changes to their link. (see #1 above, but possibly able to get around it with a mod to the forget-password mod, to check email addresses, and send a validation code)

3) Editor log on, to edit user links.

Now, I know 3 or 4 people here have used this successfully, and have modified their sites to work this way.

What I'm looking for are any "gotchas" .... right now the only files I've modified are user.cgi, modify.cgi and add.cgi. I've not added all the required fields to them, _BUT_ do I have to modify any other scripts or templates to make this work?

I've used a munge of Widgetz, Eliot's and Robert's mods to get the scripts to compile, and I'm not sure _if_ they are working yet. (This is not my site, I'm in the last stages of modifying someone else's site.)

I'd like to add in Eliot's password for the admin/build/etc files for added protection.

What I need:

1) editors to be able to edit any files in the Validation database, as well as files in the main database, but _ONLY_ those files. They can (and currently do) use a non-public URL requiring a log-in. With the log-on working, this would then go through the normal user.cgi most likely, I would assume?

2) users can add links, but only modify links if they have a password/ID match, but those files still go to validate for editor approval. Add.cgi/modify.cgi

3) The Admin gets all the links that were "Edited" and can approve those, ignoring links that were added, but not "Edited" yet. I have most of the code for that working, just a few extra fields and tests, nothing biggie. It's #1 and #2 where I am, and expecting to, hit problems.



I'm asking because this is complicated for me by not having designed the site, or the templates, and having to do a lot of backtracking... and I know some things are template related, and other things are not. I'm just trying to get everything in one place, since I know I'm not the only one struggling to get this to work in this (or very similar) ways.

http://www.postcards.com
FAQ: http://www.postcards.com/FAQ/LinkSQL/

Re: password log on, editor log on, etc
Robert,

As you may have taken from looking around my backend a bit, my tables are structured very differently than the default install of Links SQL. I have most of the user information stored in the Users table (and I will probably transfer all user related fields like ReceiveMail into the Users table). And you probably have gandered from my previous Threads that I have had to hack the modules and cgi scripts to get the authentication and scripts to work properly....

Anyway...

In Reply To:
1) users don't need to be registered to add links. (potential problem, I know).
I don't know an easy way around this unless you contain some of the user info, like password and username, in your Links table. However, in terms of security I think that the Username and Password need to be totally "hidden" and organized in the Users table to maintain referential integrity and normalization of data.

In Reply To:
2) users need to be registered, and have added their link as a registered user to make changes to their link. (see #1 above, but possibly able to get around it with a mod to the forget-password mod, to check email addresses, and send a validation code)
I have used Jerry's modify.cgi script to do this and I have adapted the codes in other scripts like reviews, modify reviews, delete reviews, and delete links.

In Reply To:
3) Editor log on, to edit user links.
That is controlled by the Status field in the Users table.

In Reply To:
What I'm looking for are any "gotchas" .... right now the only files I've modified are user.cgi, modify.cgi and add.cgi. I've not added all the required fields to them, _BUT_ do I have to modify any other scripts or templates to make this work?
I tweaked the login and signup template files to include tags and conditional statements, like:

Code:

<%if to%>
<%to%>
<%endif%>


in the login.html and I created another template file called login_error.html where I included this conditional statement. I did not like how error messages were parsed in the same login template file.

In Reply To:
1) editors to be able to edit any files in the Validation database, as well as files in the main database. but _ONLY_ those files. They can use (and currently do) use a non-public URL requiring a log-in. With the log-on working, this would then go through the normal user.cgi most likely, I would assume?
Yes...the normal user.cgi will work just fine. You could do one of two things:

1) Have a link for maintain.cgi in your header/footer files. Then add the authentication codes you've used in the modify.cgi and add.cgi files. Then when the "Editors" login they will be redirected to the Editor Screen via the <%to%> tag in the login form.

2) Simply have your "Editors" login via the user.cgi script. Then when they login, they will see a link called Maintain your Section, like the following:

Code:

<%if Status eq 'Editor'%>
<a href="maintain.cgi">Maintain your Section</a>
<%endif%>


I actually have a bunch of conditional statements based on values in the Status field. In the future, when I come up with an integrated forum script, I will have additional links based on Status like Moderator, ForumAdministrator, etc.

In Reply To:
2) users can add links, but only modify links if they have a password/ID match, but those files still go to validate for editor approval. Add.cgi/modify.cgi
I don't know an easy solution for this. Unfortunately, with the current 300 limit (I don't know where that number comes from), Editors can only maintain a certain number of categories and subcategories, which means that your Editors will only be able to validate links that are added in their categories.

In Reply To:
3) The Admin gets all the links that were "Edited" and can approve those, ignoring links that were added, but not "Edited" yet. I have most of the code for that working, just a few extra fields and tests, nothing biggie. It's #1 and #2 where I am, and expecting to, hit problems.
If memory serves me correctly, I think that this is part of the default configuration of Links SQL, but don't quote me.

In Reply To:
I'm asking because this is complicated for me by not having designed the site, or the templates, and having to do a lot of backtracking... and I know some things are template related, and other things are not. I'm just trying to get everything in one place, since I know I'm not the only one struggling to get this to work in this (or very similar) ways.
I hope that the above information helps...I do know that many Links SQL users (not to mention Links 2.0 users) have unsecure directories based on the default fields in the tables/database files. It would've been nice to have a built-in user management feature for both programs rather than hacking/modding the script to secure the data.

Regards,

Eliot Lee



Re: password log on, editor log on, etc
Here's one.

I've gotten the main problems worked out, but now I'm hitting all the cascading related ones.

When the login_success.html is generated, it's being generated dynamically. I've tried everything to force it to _not_ do that (except the right thing!).

Nothing works. I commented out the

defined $dynamic and &clean_output($dynamic, \$output);

line, but while that does work, when I try to "logout" I get serious undefined/param errors. I also have a feeling that the session data was not sent properly.

Once you log in, is the site generated dynamically? If so, that means page.cgi has to be modified along with everything else!

Shouldn't only the .cgi pages need to do the dynamic stuff, and the static pages just pass the value either in the URL or in the cookie?

It's getting too late, and I think I'm starting to miss the obvious.



http://www.postcards.com
FAQ: http://www.postcards.com/FAQ/LinkSQL/

Re: password log on, editor log on, etc
That helps a bit. I tried hacking things, and hit some walls, and tonight made some progress again.

I got the user log on working so that if a person is an editor, they end up with the modify.cgi (Jerry's mod, I think). A regular user just gets the logon_success.html template.

This is to avoid a step.

I guess I'll keep hacking at it. I haven't figured it all out, but I'm really hoping the next release integrates this all into a simple process.

Alex already showed that setting the cookies and getting the password is all going to be controlled by a set_ or get_ method. That alone will make it easier.



http://www.postcards.com
FAQ: http://www.postcards.com/FAQ/LinkSQL/

Re: password log on, editor log on, etc
Hi,

In your modifications I see following problems:

1. Users can add links without being logged in. How do you know which user has added this link?
How should a modify script know if the user who has now logged in owns this link to modify?

2. Editors should be able to edit the links to validate and the admin finally validates them. This is a modification I put on my "todo list".

I want to make a new editor script with following features:

- own login (to keep them out of the admin dir)
- defined Category area (Maincat and its subcats)
- only important data is shown for pre-validation
(like Title, Description, Attachment) to reduce data transfer and scrolling time.
- quality management and payment system (which editor has pre-validated how many links and how many wrong / unsuitable links have passed this editor)

I would like to share this script with you because you are basically the only one helping people out here, not only asking questions which have been answered already in the forum. (About 1 year ago I was one of them.)

If you have any wish that should be added to this new editor script please don't hesitate to post it.

I am on holiday (on a boat in the South of France, no PC/Internet/Phone :-) ) until the 10th of September and will start the layout of this cgi then. (It has to be finished by the 25th because our site launches on 1st October.)

regards, alexander
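
An added example, not part of any post in this thread and not Links SQL code: the server-side check that the ownership question above and the Status-based editor link earlier in the thread both depend on, since a `<%if Status eq 'Editor'%>` test in a template only hides the link and maintain.cgi or modify.cgi still has to decide for itself. The `Owner` and `Categories` fields, the `Registered` status value and the sample rows are assumptions constructed for this sketch.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample rows standing in for the Users and Links tables.
# Every field name except Status is an assumption made for this sketch.
my %users = (
    alice => { Status => 'Editor',     Categories => ['Cards/Vintage'] },
    bob   => { Status => 'Registered', Categories => [] },
);
my %links = (
    101 => { Owner => 'bob', Category => 'Cards/Vintage/Holiday' },
    102 => { Owner => '',    Category => 'Cards/Modern' },   # added without login
);

# True if $cat is $root itself or one of its subcategories.
sub in_category {
    my ($cat, $root) = @_;
    return $cat eq $root || index($cat, "$root/") == 0;
}

# Decide on the server whether $username may modify link $id.
# Returns (allowed, reason). Unknown users and unknown links are denied.
sub can_modify {
    my ($username, $id) = @_;
    my $user = defined $username ? $users{$username} : undef;
    my $link = $links{$id};
    return (0, 'not logged in') unless $user;
    return (0, 'no such link')  unless $link;

    # A link added without a login has no owner, so nobody can claim it
    # just by logging in afterwards.
    return (1, 'owner')
        if $link->{Owner} ne '' && $link->{Owner} eq $username;

    # Editors are limited to their own category area and its subcategories.
    if ($user->{Status} eq 'Editor') {
        for my $root (@{ $user->{Categories} }) {
            return (1, 'editor of category')
                if in_category($link->{Category}, $root);
        }
    }
    return (0, 'not owner or editor of this category');
}

# Exercise the check with the constructed rows above.
for my $case (['alice', 101], ['alice', 102], ['bob', 101], ['bob', 102], [undef, 101]) {
    my ($who, $id) = @$case;
    my ($ok, $why) = can_modify($who, $id);
    printf "%-6s link %d: %s (%s)\n",
        $who // '(anon)', $id, $ok ? 'allow' : 'deny', $why;
}
```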

Re: password log on, editor log on, etc
In Reply To:
I would like to share this script with you because you are basically the only one helping people out here, not only asking questions which have been answered already in the forum. (About 1 year ago I was one of them.)
Who are you referring to? I think that pugdog and I both do our share to help people and your statement refers to one person. ;)

Regards,

Eliot Lee

Re: password log on, editor log on, etc
Robert,

In Reply To:
Once you log in, is the site generated dynamically? If so, that means page.cgi has to be modified along with everything else!
Only if you want to include "dynamic" content in the other template pages (like categories, new, cool, etc.). I am simply having the following scripts be "dynamic":

1) add.cgi (Add Links)
2) dellinks.cgi (Delete Links)
3) modify.cgi (Edit Links)
4) review.cgi (Add Review)
5) delreview.cgi (Delete Review)
6) modreview.cgi (Edit Review)
7) password.cgi (Password Lookup)
8) detail.cgi (Review Detailed View)
9) detailink.cgi (Link Detailed View)
10) search.cgi (Search)

and a few others...all other category pages (and page.cgi) will not include dynamic information from Users table.

Regards,

Eliot Lee

Re: password log on, editor log on, etc
Eliot,

That's how I thought it would work. The dynamic variable had to be set, usually by running page.cgi.

For some reason, though, when the user signs in, and is verified, the success page suddenly is dynamic.

I've tried undef'ing, setting to '' and 0, and anything else I could find before the call to the template. I replaced $dynamic with undef. I tried it all (except what works!). I tried undef'ing the 'd' parameter as well. Nothing worked.

The only thing that worked was commenting out the actual call to the clean routine that reparses the paths. But, when I did that, it undef'd the 't' parameter, and something else that causes a system/server crash for calling an undefined parameter with param.

I tried defined'ing the calls in the nph-build.cgi so that the assignment was only done _if_ the parameter existed, or was set to undef, but that didn't work.

That's why I asked about the flip to dynamic. It shouldn't be happening, and I can't figure out why. As a test, I even have two computers running, and I have two different "users" logged in to the script (one on each machine) to avoid problems in cookies. But this isn't a cookie thing. For some reason the dynamic parameter is being set, and is being passed, and is sticky as heck!

What is happening is the login_success.html page is being returned, but the links in it have been parsed 'dynamic'. This should be like the search.cgi, and jump.cgi, etc. When the page is returned, even though the page is dynamically created, the links on it should link statically (not through page.cgi). But, as I outlined above, this is being forced through the clean routine, and I can't un-define, un-pass, un-set the dynamic for some reason.



http://www.postcards.com
FAQ: http://www.postcards.com/FAQ/LinkSQL/

Re: password log on, editor log on, etc
In Reply To:
For some reason, though, when the user signs in, and is verified, the success page suddenly is dynamic.
The login success page should be dynamic to pull Status values from the Users table and create links based on the Status.

Regards,

Eliot Lee

Re: password log on, editor log on, etc
Wait... any cgi script can pull values. But the page that is returned needs to be statically linked or a static site is suddenly running in 'dynamic' mode.

Meaning, the url's should not be re-directed through page.cgi

This is the problem. Search.cgi is dynamic, but returns 'static' pages.

There are times you want the user to have 'dynamic' pages, but most of the time you just want them logged in, and able to authenticate themselves, not get dynamic pages -- that's what the cookie is for. The cookie should be set, and a user should be able to navigate the site, going between dynamic and static content transparently. Or am I hoping for too much?

http://www.postcards.com
FAQ: http://www.postcards.com/FAQ/LinkSQL/

Re: password log on, editor log on, etc
In Reply To:
There are times you want the user to have 'dynamic' pages, but most of the time you just want them logged in, and able to authenticate themselves, not get dynamic pages -- that's what the cookie is for. The cookie should be set, and a user should be able to navigate the site, going between dynamic and static content transparently. Or am I hoping for too much?
That is how the modification I've applied works. When you login, you are either redirected to the cgi script you were trying to access (like add.cgi or modify.cgi) or you go to the login success screen that contains "dynamic" content of links that you can then pass to be able to add, modify, or delete things.

But if you go to, let's say, the home page after logging in, the content is "static".

I don't really understand your problem thoroughly enough to explain it better than I have. Please provide some visual examples of what you are attempting to do and also what is currently occurring, so that I may be able to understand your challenges.

Regards,

Eliot Lee

Re: password log on, editor log on, etc
Here it is.

In short, I've tried to modify the parameters as passed to the &site_html_login_success (or whatever) to have dynamic turned off, and I can't.

There should be a way to set $dynamic to something like undef that prevents it from parsing the tags....

I guess I could redirect somewhere else, but I wanted to do a success page.

http://www.postcards.com
FAQ: http://www.postcards.com/FAQ/LinkSQL/

Re: password log on, editor log on, etc
Again...why don't you want the login success page dynamic??? I don't understand.

Regards,

Eliot Lee

Re: password log on, editor log on, etc
Sorry Eliot!!!

I did not want to leave you out. (or anybody else!)

I just wanted to thank all doing a great job helping newbies with their first code-hacking experiences. ;)

So if anybody has a wish (list) for the script dealing with external editors please post them. It will be written for LinksSQL 1.11 and be converted to LinksSQL2 when a stable version of it will be available (sometime next year I guess. Any bets? ;) )

regards alexander



Re: password log on, editor log on, etc
Ok,

Simply....

If we encourage people to log in for tracking, or to notify them of other things, things that have happened since their last visit, etc, I want them to see that, but I want them to link out to the main site ... not use page.cgi.

That is the problem. Even the link "home" is a call to page.cgi.

Once the cookies are set, the user is logged in. But, 90% of the time all they need to do is log in, then go somewhere else. But, to let them go there, they end up seeing the "dynamic" page.

Search.cgi outputs a dynamic page but all the links are statically linked.

That's what I need the success page to do, but it insists on linking everything through page.cgi.



http://www.postcards.com
FAQ: http://www.postcards.com/FAQ/LinkSQL/

Re: password log on, editor log on, etc
Edit your header and footer files to go to the static home page. Also edit the sub build_linked_title routine in the DB_Utils.pm file.

Regards,

Eliot Lee