login form

[mrw02536]

I would like to modify the login form so that it opens with a starting value for username and password. I tried by modifying the 'serendipity_admin.php' form by adding values to the username and password input fields (see the bold text) but it had no effect. Apparently I am on the wrong track. Any suggestions?

form action="serendipity_admin.php" method="post">
<input type="hidden" name="serendipity[action]" value="admin" />
<table id="serendipityAdminCredentials" cellspacing="10" cellpadding="0" border="0" align="center">
<tr>
<td><?php echo USERNAME ?></td>
<td><input class="input_textbox" type="text" name="serendipity[user]" value="admin" /></td>
</tr>
<tr>
<td><?php echo PASSWORD ?></td>
<td><input class="input_textbox" type="password" name="serendipity[pass]" value="password" /></td>
</tr>
<tr>
<td colspan="2"><input class="input_checkbox" id="autologin" type="checkbox" name="serendipity[auto]" /><label for="autologin"> <?php echo AUTOMATIC_LOGIN ?></label></td>
</tr>
<tr>
<td colspan="2" align="right"><input type="submit" name="submit" value="<?php echo LOGIN ?> >" class="input_button serendipityPrettyButton" /></td>
</tr>
<?php echo $out['table']; ?>
</table>
</form>

[Timbalu]

Why do you want to do this? Is that starting value you want, a real login value? This is not recommendet! Else you might use some jquery code to show some example value.

Did you try to use L80ff in templates/default/admin/index.tpl
https://github.com/s9y/Serendipity/blob ... ex.tpl#L80
or do you change L368ff in /serendipity_admin.php (the non-smarty fallback)
https://github.com/s9y/Serendipity/blob ... n.php#L368

[mrw02536]

That's a real registered user. I want to start the login page with the name and password of the admin. I am uncertain of where to include these starting values in the login form. Modifying the 'serendipity_admin.php' file is obviously not the correct way.

[mrw02536]

Ian, your post answered my question. After modifying the index.tpl in the templates folder I got the desired results - thanks.

[Timbalu]

That's a real registered user. I want to start the login page with the name and password of the admin.

But how do you want to prevent opening your backend to the public with that?
If you want an automated login, use the autologin checkbox.

[mrw02536]

I'm integrating Serendipity into a website I've already created. My website has it's own Registration and Login process and I want to eliminate the need to login twice. What I've done is assigned the values of username and password when I login to my website to the Serendipity 'index.tpl' template. The values do appear on the Serendipity login page when I link to it but I do have a small issue in that the password I'm assigning is already md5 so I need to work around that in Serendipity since it's looking for a clear text password. I need to either remove the additional md5 conversion that Serendipity uses for authentication or assign the clear text password from my site.
I think what I'm doing is straightforward but if you can suggest another way I'll try it.

[Timbalu]

Did you read about this? http://www.s9y.org/55.html
All other may be a question of version and or special needs / situation. (Btw is that a plain blog install via S9y.org release zip, or automated by ISP?)
I can not answer this globally. But doing it the intended way is obviously unsecure, if open to public.

[mrw02536]

Ian, I have a general idea of what the embed wrapper accomplishes but it's not quite what I intend.
I have a website where users register and login using a username and password. I use a database with a large number of tables for various elements of the website. My intent is the use the same database with Serendipity tables for the blog. When someone registers for my website I plan to use this login information to simultaneously register for the Serendipity blog by filling-in the appropriate Serendipity tables in the database. This is really straightforward.
When logging in to my website I've assigned the inputted 'username' and 'password' to the values that appear in the Serendipity login page so all it takes is a click of the 'submit' button to log in to the blog. Here is the code I added to the 'serendipity_admin.php' page:

$Name=$user_data['username'];
$Pwd=$user_data['password'];
$serendipity['smarty']->assign('Name', $Name);
$serendipity['smarty']->assign('Pwd', $Pwd);

'$user_data[]' is a global array generated from my site that contains the users 'username' and 'password' and to load it I've added an 'include' statement to the beginning of the 'serendipity_admin.php page to include it.

I then changed the code (bold) in the 'templates/default/admin/index.tpl' file as follows:

<form action="serendipity_admin.php" method="post">
<input type="hidden" name="serendipity[action]" value="admin" />
<table id="serendipityAdminCredentials" cellspacing="10" cellpadding="0" border="0" align="center">
<tr>
<td>{$CONST.USERNAME}</td>
<td><input class="input_textbox" type="text" name="serendipity[user]" value = "{$Name}"/></td>
</tr>
<tr>
<td>{$CONST.PASSWORD}</td>
<td><input class="input_textbox" type="password" name="serendipity[pass]" value = "{$Pwd}"/></td>
</tr>
<tr>
<td colspan="2"><input class="input_checkbox" id="autologin" type="checkbox" name="serendipity[auto]" /><label for="autologin"> {$CONST.AUTOMATIC_LOGIN}</label></td>
</tr>
<tr>
<td colspan="2" align="right"><input type="submit" name="submit" value="{$CONST.LOGIN} >" class="input_button serendipityPrettyButton" /></td>
</tr>
{$admin_vars.out.table}
</table>
</form>

The effect is that when I link to the Serendipity login page (from my website) the login page appears with the 'username' and 'password' already filled in (in the final version I will make this fields hidden). All the user has to do is click the 'submit' button to enter the blog site as a registered user.

It works for but one problem. The password I assign is already md5 encrypted. In order for this to work correctly with the Serendipity login I need to find the serendipity validation code that checks the password submitted and change it so that it doesn't md5 encrypt for the second time. Do you happen to know where that code is? I believe it's a function in the 'include/functions.inc.php' file but I haven't gotten it to work. Any ideas here would be appreciated.

I believe what I've done does not effect the security of the system but merely embeds Serendipity into my website without including redundancy with regard to registration and login.

BTW, do you think raising this question is more appropriate to the Development category in this forum?

Thanks for your replies.

[Timbalu]

Assuming the user is already registered:

How about bypassing the login form with serendipity_authenticate_author() function, which should allow the password to check (may contain plaintext or MD5 hash)...? (Serendipity itself uses a salted hash since ~1.5 Series)

Code: Select all

// assuming user_data is available by include or global
if ( is_array($user_data) && !serendipity_userLoggedIn() ) {
    $username = $user_data['username'];
    $password = $user_data['password']; // already md5 encoded
    if ( !empty($username) && !empty($password) ) {
        // login with other user login data and set $is_hashed to true
        serendipity_authenticate_author($username, $password, true, false);
    }
}

somewhere right on top of serendipity_admin (maybe L24)?

I am not sure this will work though.

This might be a question for our evangelist @garvinhicking as being quite fundamentally.

[garvinhicking]

Hi!

I'd do it like this:

Create a custom serendipity_event_myauth event plugin. Hook into the "frontend_configure" and "backend_configure" event hooks, which are the first event that is fired. Inside that code, you can include your custom authentication layer (which is hopefully using PHP sessions, so you might even use $_SESSION['your_user_data...']. The upside of this is, you don't actually need to store the password in here, because your authentication layer already performed this and stored a boolean somewhere in the session.

Now you simply set the $_SESSIOn values that s9y requires (check the serendipity_event_externalauth plugin for example) and you set them appropriately (check include/functions_config.inc.php, search for $_SESSIOn to find them all). Ian also has a good hint on how to operate with the s9y API.

Then you don't need to actually store and pass around the MD5 values in a HTTP form, but you can do it all within the custom plugin. The other upside of having this plugin is that you can use it for other customized features you might want to give to your users...

Regards,
Garvin

[Timbalu]

Yepp, much better!
Another upside is, you don't lose any data, if updating Serendipity!

[mrw02536]

I am going to need time to digest this. I've only spent a short time with the Serendipity code and need help. Perhaps you could be more specific in how to setup the externauth plugin.
I've started the SESSION and my global variables/arrays are available to Serendipity but how do I get the user_data[username'] and user_data['password'] into the custom serendipity_event_myauth event plugin?

[mrw02536]

Ian, your suggestion intrigued me. Can I bypass the 'serendipity_authenticate_author()' function entirely. When my users are logged in and authenticated I have a function which returns true, i.e., 'logged_in() === TRUE'
If I used that at the start of serendipity_admin what php statement would I need to be authenticated for the site? I'm guessing something along the lines of:

serendipity_login(true);

???

[Timbalu]

No, I don't think you could outwit and bypass Serendipity(-Loginchecks) that easy!
Serendipity checks overall by serendipity_userLoggedIn() and $_SESSION['serendipityAuthedUser'] a.s.o.
So at the very end you will need to create a real and successful login and the best way to do, is to follow Garvins recommendation, even if that takes a little digging into the great possibilities, Serendipity and this tremendous good Plugin System offers to all Users with special wishes.

[Timbalu]

I am going to need time to digest this. I've only spent a short time with the Serendipity code and need help. Perhaps you could be more specific in how to setup the externauth plugin.

Garvin did not say to use and setup the external auth plugin, it was meant to show as an example of using SESSIONs. He recommended to write your own myauth plugin - to keep your custom authentication layer - and use the global PHP $_SESSION vars to connect.
Take this as a skeleton plugin to insert your custom auth layer and login to Serendipity

Code: Select all

<?php

class serendipity_event_siteauth extends serendipity_event {
    function introspect(&$propbag) {
        global $serendipity;

        $propbag->add('name',          'siteauth');
        $propbag->add('description',   'S9y Login with custom authentification layer');
        $propbag->add('stackable',     false);
        $propbag->add('author',        'Ian');
        $propbag->add('version',       '1.0');
        $propbag->add('requirements',  array(
            'serendipity' => '1.7',
            'php'         => '5.2.6'
        ));
        $propbag->add('event_hooks',    array(
            'frontend_configure'   => true,
            'backend_configure'   => true
        ));
        $propbag->add('groups', array('BACKEND_FEATURES'));
    }

    function event_hook($event, &$bag, &$eventData, $addData = null) {
        global $serendipity;

        $hooks = &$bag->get('event_hooks');
       
        if (isset($hooks[$event])) {
            switch($event) {
                case 'frontend_configure':
                case 'backend_configure':
                    if (!serendipity_userLoggedIn()) {
                        //use custom authentication layer and connect to Serendipity via authenticated SESSION
                    }
                    return true;
                    break;


                default:
                    return true;
                    break;
            }
        } else {
            return false;
        }
    }
}