
First attempt at an extension, advice welcomed. :-)

Development and Programming

stevefink
136 posts
17 years ago

Hi all,

I’ll list the code I’ve written so far for my extension below. It’s very simple and follows most generic templates I’ve seen. However, I’m reluctant to install it just yet as I’m not sure what part of the security in the core system I’m missing out on, as well as if it’ll work in general.

Referencing my own thread in a ‘How to’ forum I posted earlier: http://ellislab.com/forums/viewthread/71366/, I need a solution to provide two different classes of users on my website a login form. One group of users are ‘clients’ and the other are ‘vendors’. They will be granted certain access to certain templates on my site, based on if they are a client or vendor. This is only my third day using Expression Engine so please bear with me, and I apologize for any newbie questions.

Now originally, I had these users in a separate database, a stand-alone if you must that isn’t a part of EE’s database. I figured it would be a pain modifying the $DB class, so I’m going to migrate all the tables from my custom application into EE. Does anyone see that as a problem?

I figured I’d include hidden input fields in my login form, so that my extension will be able to figure out if a client is logging in, or a vendor.

Something such as the following might work:

<input type="hidden" value="vendor" />

So, basically I’m going to need a way to manage their users, and their preferences. I want to be able to handle it in not only an elegant fashion, but also a secure one. That’s why I’m trying to stick as close to EE’s native member management techniques as possible. I think going the extension route might be the proper way to handle this, but I’d definitely appreciate any help.

Below is my basic extension that I’ve started piecing together. Would anyone be able to point me in the right direction? Let me know if I’m doing something terribly incorrect/insecure? (I don’t know how else I’m going to let my users login, but once they use a very custom application I’ve created, which will eventually be an EE “module”, they get assigned to a table. I then authenticate clients based on email/phone numbers, and vendors with company name/password.)

I’m excited to get this working, and I certainly appreciate anyone who can help me make it happen.

Thanks a lot to the developer community here!

Here is the code that I’ve started to scrabble together:

<?php if ( ! defined('EXT')) exit('Invalid file request');

/**
 * FA Auth Class
 *
 * @package            ExpressionEngine
 * @category        Extension
 * @author            Steve Finkelstein
 */

class FA_auth { 

    var $settings        = array();
    var $name            = 'FA Auth';
    var $version        = '1.0';
    var $description    = 'Customized login hook for the FA platform.';
    var $settings_exist    = 'n';
    var $docs_url        = 'http://www.expressionengine.com';
    
    /**
     * Constructor
     */           
    
    function FA_auth($settings = '')
    {
        $this->settings = $settings;
        
    }
    
    function activate_extension()
    {
        global $DB;
        
        $DB->query($DB->insert_string('exp_extensions',
                array(
                'extension_id'        => '',
                'class'                => "FA_auth",
                'method'            => "fa_authenticate_request",
                'hook'                => "member_member_login_start",
                'settings'            => "",
                'priority'            => 10,
                'version'            => $this->version,
                'enabled'            => "y"
                )
            )
        );
    }
    
    /**
     * FA Authenticate Request
     *
     * Authenticates user
     * 
     * @access public
     * @return boolean
     */
    
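    function fa_authenticate_request()
    {
        
        // $OUT added to the globals: show_user_error() below needs it
        global $IN, $OUT, $SESS, $DB, $LANG, $FNS;
        
        /** ----------------------------------------
        /**  Is user banned?
        /** ----------------------------------------*/
        
        if ($SESS->userdata['is_banned'] == TRUE)
        {            
            return $OUT->show_user_error('general', array($LANG->line('not_authorized')));
        }
        
        // $IN->GBL() returns FALSE when the field was not submitted
        $user = $IN->GBL('user', 'POST');
        
        if ($user !== FALSE)
        {
            // assume this is a user login
            $query = $DB->query("SELECT user FROM custom_user_table WHERE user = '" . $DB->escape_str($user)
                                    . "' AND password = '" . $DB->escape_str($IN->GBL('password', 'POST')) . "'");
            
            // only continue when exactly one row matched the credentials
            if ($query->num_rows != 1)
            {
                return $OUT->show_user_error('general', array($LANG->line('not_authorized')));
            }
            
            // NOTE: $home_url is not defined in this class; it must be set before this line
            return $FNS->redirect($home_url);
        }
        
        $vendor = $IN->GBL('vendor', 'POST');
        
        if ($vendor !== FALSE)
        {
            // assume this is a vendor login
            /* code here */
        } 
        
    }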
    
    /**
     * Disable Extension
     *
     * Uninstalls the extension
     *
     * @access    public
     * @return    void
     */
    function disable_extension()
    {
        global $DB;
        
        $DB->query("DELETE FROM exp_extensions WHERE class = 'FA_auth'");
    }

} // END FA auth class

Cheers,

/sf
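
The login query and the hidden client/vendor field in the post above, worked through as an added example that is not part of the original post and does not use ExpressionEngine's API. It is standalone PHP with PDO and an in-memory SQLite database; the table layout, the function name `fa_check_login` and the sample accounts are assumptions made for illustration.

```php
<?php
// Added example: plain PHP with PDO and in-memory SQLite, not ExpressionEngine's API.
// Table layout, function name and sample accounts are constructed for illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE custom_user_table (
    login TEXT PRIMARY KEY, secret_hash TEXT NOT NULL, role TEXT NOT NULL)');

// Secrets are stored as password_hash() output, never as plain text.
$add = $pdo->prepare('INSERT INTO custom_user_table VALUES (?, ?, ?)');
$add->execute(['Acme Ltd', password_hash('vendor-pass', PASSWORD_DEFAULT), 'vendor']);
$add->execute(['bob@example.com', password_hash('555-0100', PASSWORD_DEFAULT), 'client']);

/**
 * Returns the stored role ('client' or 'vendor') on success, FALSE otherwise.
 * $claimed_role is the value of the hidden form field: it is cross-checked
 * against the database row and never used to grant anything by itself.
 */
function fa_check_login(PDO $pdo, $login, $secret, $claimed_role)
{
    // Bound parameter instead of string concatenation.
    $stmt = $pdo->prepare(
        'SELECT secret_hash, role FROM custom_user_table WHERE login = ?');
    $stmt->execute([(string) $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when no row exists, so an unknown login
    // costs about as much as a wrong secret.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('unused', PASSWORD_DEFAULT);
    }
    $ok = password_verify((string) $secret, $row ? $row['secret_hash'] : $dummy);

    if ( ! $row || ! $ok || $row['role'] !== $claimed_role) {
        return FALSE;   // same failure for every reason
    }
    return $row['role'];    // role comes from the database, not the form
}

// Constructed calls: a valid vendor, a client whose form claims 'vendor',
// and a wrong secret.
var_dump(fa_check_login($pdo, 'Acme Ltd', 'vendor-pass', 'vendor'));
var_dump(fa_check_login($pdo, 'bob@example.com', '555-0100', 'vendor'));
var_dump(fa_check_login($pdo, 'Acme Ltd', 'wrong', 'vendor'));
```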

       
stevefink
136 posts
17 years ago

I’m just brainstorming here, but would it make sense to add custom fields such as phone number + email for my user class and login_name + password for my ‘vendor’ class to the existing expression engine members table and then modify my code to lookup that?

I would need my application to register users directly into that table in that event. I just want to make sure my code is secure and I can still use all of the membership features EE has to offer. I don’t want to make this more complicated than it is…

Hope someone is out there to give me some solid security and implementation advice.

       
juro
118 posts
17 years ago

Ok, I am not 100% sure of what you want to do, but essentially you want 2 different user groups (i.e. vendors and clients) to have different access levels to your system. As much as I know, EE can do that out of the box.

Go to the “Admin/Members and Groups” section and add two new member groups: vendors and clients. Then you click on “Edit Group” where you can change the access levels to almost anything.

       
stevefink
136 posts
17 years ago

juro:

The issue here is the way that vendors and clients log in. Clients log in using email and phone number. Vendors log in with, say, company name and password. I have to use an extension to modify the behavior for this, I believe. Also, adding these extra fields, I believe, can be achieved using custom profile fields?

I’m worried about a few things.

a) namely customizing existing expression engine tables, is this common?

b) I’m pretty much building an application on top of the website (which I assume will eventually become a module or two). Is it ill-advised to move all of my tables into expression engine’s database or should I be keeping that separate?

I hope that makes sense. Thank you for the reply.

/sf

       
juro
118 posts
17 years ago

So where is the problem? You create the usernames for the “member group” clients using their emails and telephone numbers. Then you create the “member group” vendors and the usernames are their company name/password.

       
stevefink
136 posts
17 years ago

juro:

It’s more of me understanding how to approach it the appropriate way and not over engineering a solution. Main example being that I’m sure the Members and Groups module looks at specific fields in the exp_members table when authenticating a user. I need to be able to manipulate this logic. Hence why I asked if I should be using an extension which I’ve prototyped above.

Also, my needs require insertion of data into this table based on a custom application I’m trying to write on top of Expression Engine. So, I was curious if other developers can chime in and give me their two cents on whether or not it’s appropriate to integrate my application into expression engine’s database or to keep them separate. I’m going to need to add a phone number custom field for instance, to folks in ‘clients’ group. I then need expression engine to know that the login form on my index template is for clients, so it needs to authenticate based on email and phone number. It’s not just a matter of adding groups and members. I have to tell EE how to authenticate these users.

/sf

       
