passing username and password through url

calmnus

Joined: 2008-07-21
Posts: 4
Posted: Mon, 2008-07-21 17:25

Hello,

Is it possible to pass the username and password through a URL to log a specific user in? (i.e. http://domain.com/gallery/mail.php?user=bob?password=abc123) I have a system used by multiple "special needs" individuals. I have it set up where they can push on a button and log directly into their individual email accounts. I would like to do the same for a Gallery account. Remembering passwords is not an option for these users, and multiple users will be using the same system, so having individual login links would be great. I would like to password the photos from the internet; having someone look at the local links stored behind the buttons is not a concern.

Thanks a bunch,
Mike

 
alecmyers

Joined: 2006-08-01
Posts: 4342
Posted: Mon, 2008-07-21 18:38

This appears to work:

...example.com/main.php?g2_controller=core.UserLogin&g2_form[username]=myUsername&g2_form[password]=myPassword&g2_form[action][login]=Login

(random edit ... ho hum.)

 
floridave

Joined: 2003-12-22
Posts: 27300
Posted: Mon, 2008-07-21 17:53

example.com/gallery2/main.php?g2_controller=core.UserLogin&g2_form[formName]=UserLogin&g2_form[action][login]=Login&g2_form[username]=admin&g2_form[password]=secret

Change the bold to your username and password.

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team

 
floridave

Joined: 2003-12-22
Posts: 27300
Posted: Mon, 2008-07-21 18:34

Great minds think alike. :-)
but how did you beat me with a Posted: Mon, 2008-07-21 10:57 versus mine of Posted: Mon, 2008-07-21 10:53

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team

 
alecmyers

Joined: 2006-08-01
Posts: 4342
Posted: Mon, 2008-07-21 18:43

I guess it's mislabeled, and should say "last edited:" - after all, now it says Posted: Mon, 2008-07-21 18:38 (ignoring time zone differences etc etc)

Used to was, you edited a post and it dropped to the bottom of the thread - now at least they're sorted by posting order even if not labeled quite right!

 
floridave

Joined: 2003-12-22
Posts: 27300
Posted: Mon, 2008-07-21 18:51

FYI: http://gallery.menalto.com/node/79859

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team

 
calmnus

Joined: 2008-07-21
Posts: 4
Posted: Mon, 2008-07-21 21:50

You guys rock!

Thanks so much,

Mike

 
calmnus

Joined: 2008-07-21
Posts: 4
Posted: Wed, 2008-07-23 17:08

Hello,

One more quick question. What you supplied above is working great. The only problem is if the user just closes the browser instead of logging out, the next time any of the users use their URL to look at their pictures they get:

"Authentication Failure" "Your change cannot be completed due to a loss of session data. Please try again. If it still doesn't work, try logging out and logging back in." "Back to Gallery"

The link takes them back to the front page of gallery which shows the album of the person who didn't "logout", giving them full access. For instance, Bob uses the auto login link and looks at his pictures. He just closes the browser when he's done. Mary sits down and clicks on her link, she gets the "Authentication Failure" error listed above, and when she clicks on "Back to Gallery", she sees and has access to Bob's album, but not her own. If everyone "Logs out" everything works correctly. (None of my users log out though, they just close the browser.)

Is there a way to prevent the above error, and log the user straight in each time, even if the last user didn't log out the time before?

Thanks again,
Mike

 
alecmyers

Joined: 2006-08-01
Posts: 4342
Posted: Wed, 2008-07-23 17:44

The problem appears to be that once you've logged in, any url to a GalleryController needs to be accompanied by an authToken for that session. Before you log in, you can run the login controller without an authToken so a static link is fine. Once you've logged in, unless the url includes ...&g2_authToken=.... and the correct token for that session it gets automatically rejected as a potential hacking attempt.

There's an easy workaround though: GalleryControllers have a function omitAuthTokenCheck() to signal they're exempt from the requirement for an authToken. You can make the LoginController return 'true' for this (and so bypass this security check) by adding the following code to file modules/core/UserLogin.inc:

    
    /**
     * @see GalleryController::omitAuthTokenCheck()
     */
    function omitAuthTokenCheck() {
        return true;
    }

You need to put it inside the brace begun near the top of the file with class UserLoginController extends GalleryController { - in 2.3RC1 line 184 works fine.

I think that will do the trick.

Unless the user does log out though the browser session remains active so if the next user doesn't log in they can still (by getting to the right url) get to the previous pictures. G2.3 has a time-out feature on sessions (down to 15 minutes) so that might be a useful upgrade.
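
Added example, not part of the original post and not Gallery's own code: a simplified Python model of the authToken rule described in the post above, replaying the Bob and Mary sequence with and without the omitAuthTokenCheck() exemption. The rule in `dispatch`, the class and function names other than the `g2_` parameters, and the accounts are assumptions constructed for illustration.

```python
import hmac
import secrets

ACCOUNTS = {"bob": "bob-pw", "mary": "mary-pw"}  # constructed demo accounts

class Session:
    """Server-side state for one browser; it outlives a closed window."""
    def __init__(self):
        self.user = None        # None = nobody logged in
        self.auth_token = None  # issued at login, expected on later controller URLs

class UserLoginController:
    def __init__(self, exempt):
        self.exempt = exempt

    def omit_auth_token_check(self):
        return self.exempt      # True models the override shown in the post

    def handle(self, session, form):
        expected = ACCOUNTS.get(form.get("username", ""))
        supplied = form.get("password", "")
        if expected is None or not hmac.compare_digest(expected, supplied):
            return "Login failed"
        session.user = form["username"]
        session.auth_token = secrets.token_hex(16)  # fresh token per login
        return "Logged in as " + session.user

def dispatch(controller, session, params):
    """Assumed rule: a logged-in session must present its own authToken."""
    must_check = session.user is not None and not controller.omit_auth_token_check()
    if must_check and params.get("g2_authToken") != session.auth_token:
        return "Authentication Failure"
    return controller.handle(session, params.get("g2_form", {}))

def static_link(user, password):
    """A fixed login URL, already parsed; it can never carry a session token."""
    return {"g2_controller": "core.UserLogin",
            "g2_form": {"username": user, "password": password}}

def kiosk_run(exempt):
    """Bob logs in and closes the browser; Mary then uses her link in the same session."""
    session, ctl = Session(), UserLoginController(exempt)
    outcomes = [dispatch(ctl, session, static_link("bob", "bob-pw")),
                dispatch(ctl, session, static_link("mary", "mary-pw"))]
    return outcomes, session.user
```

Without the exemption the session still belongs to Bob after Mary's click; with it, the login controller accepts a token-less request in any session state, which is the check the post says is being bypassed.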

 
calmnus

Joined: 2008-07-21
Posts: 4
Posted: Fri, 2008-07-25 16:30

Works perfectly.

Thanks again,
Mike