Drupal 7 Webform - Allow anonymous user to edit previous submission - forms

I'm pretty sure this is not possible, but I was wondering if anyone can think of a way to allow anonymous users to edit webform submissions. We are allowing users to sign up for a job search agent where they anonymously provide their email address and then submit a few preferences on the type of jobs they are looking for and then we email them jobs that are available when they become available. We don't want these users to have to create an actual Drupal registration and have to remember another password. We want it to be super easy for them. So they can submit the form anonymously, but the problem is if they want to come back and edit their preferences at a later date, they can't because Drupal won't know who they are. I was thinking of possibly creating an official user registration behind the scenes using their email address and a basic password when they submit the webform and when they come back to the site, they provide their email address in a separate form I create in a custom module, then I can do a user lookup based on the email address and auto log them in (if that's even possible) and then send them to the webform? Do you think that would work, or is there a better solution to this predicament?

I think your solution will work. I've done something similar in the past.
Users just logged in by visiting a particular url such as /login/USER_NAME. Then you can send out emails with this link and they are automatically logged in as soon as they hit the site.
To create the user's account use something like this:
$new_user = array(
  'name' => $name, // this could also just be the email address if you are not collecting a name
  'pass' => 'password', // hardcoded password - same for every user
  'mail' => $email,
  'status' => 1,
  'init' => $email,
);
user_save('', $new_user);
Then to log them in you can use:
if ($uid = user_authenticate($username, 'password')) {
  global $user;
  $user = user_load($uid);
  $login_array = array('name' => $username);
  user_login_finalize($login_array);
}
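A signed, expiring edit link is one way to let an anonymous submitter return to their own submission without an account, a shared password or a guessable login URL. This is an added example in plain PHP, not code from the original posts or from Drupal; the function names, the secret and the sample submission id and email are assumptions constructed for illustration.

```php
<?php
// Added example: HMAC-signed, expiring edit link for one webform submission.
// EDIT_LINK_SECRET, make_edit_token() and verify_edit_token() are hypothetical
// names; on a real site the secret comes from private configuration.
const EDIT_LINK_SECRET = 'constructed-demo-secret-change-me';
const EDIT_LINK_TTL = 86400; // link is valid for 24 hours

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Token = expiry "." HMAC(submission id | lowercased email | expiry).
function make_edit_token(int $sid, string $email, int $now): string {
    $expires = $now + EDIT_LINK_TTL;
    $data = $sid . '|' . strtolower($email) . '|' . $expires;
    return $expires . '.' . b64url(hash_hmac('sha256', $data, EDIT_LINK_SECRET, true));
}

// Accepts the token only if it was issued for this submission and email and
// has not expired. $email is the address stored with the submission, never a
// value taken from the request.
function verify_edit_token(int $sid, string $email, string $token, int $now): bool {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    $expires = (int) $parts[0];
    if ($expires < $now) {
        return false;
    }
    $data = $sid . '|' . strtolower($email) . '|' . $expires;
    $expected = b64url(hash_hmac('sha256', $data, EDIT_LINK_SECRET, true));
    return hash_equals($expected, $parts[1]); // constant-time comparison
}

// Constructed sample values.
$now = 1700000000;
$token = make_edit_token(42, 'jobseeker@example.com', $now);
var_dump(verify_edit_token(42, 'jobseeker@example.com', $token, $now + 60));    // same submission, within TTL
var_dump(verify_edit_token(43, 'jobseeker@example.com', $token, $now + 60));    // token replayed on another submission
var_dump(verify_edit_token(42, 'jobseeker@example.com', $token, $now + 90000)); // after the TTL has passed
```

The token would travel in the link emailed to the address on the submission, and the edit page would call the verify function before showing or saving anything.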

Related

Creating login form in Laravel

I don't want to use the AuthController way of creating a login form, because I'm building a website for backend administrators. There won't be any registration needed. (That controller I will use in the future for users login and registration)
How do I actually compare the inputted login data from the form with the rows in my database?
Everything else, beside that, seems to work perfectly in my login mechanism.
To validate a user's credentials, use Auth::attempt()
if (Auth::attempt(['email' => $email, 'password' => $password]))
{
    // redirect
}
Of course, the email and password are supplied by your user in the form.
You might also want to "remember" the user. That's the attempt() method's second argument
Auth::attempt(['email' => $email, 'password' => $password], $remember);
Remember, you will miss out on stuff like ThrottlesLogins that's added to the default authentication method. But you can of course add that to your own method.
Use the trait Illuminate\Foundation\Auth\AuthenticatesUsers in your relevant controller.
Alternatively, use the code in the postLogin method of the above trait as a template to create your own authentication code.

Different registration forms for different roles. FOSUserBundle

I'm absolutely new to Symfony, and I'm trying to implement a registration form that works only with an invitation but that can redirect to two different forms for two different roles.
In practice, if I send an invitation for a USER_TYPE1 role the client can only register as USER_TYPE1; if I send an invitation for a USER_TYPE2 the client can only register as USER_TYPE2 (and, of course, it assigns the corresponding role).
Is it possible?
Thank you in advance for your help.
UPDATE:
I want two different forms because one user will be allowed to update file, but will also have to set his position and other important settings. The second user will only be allowed to download the files uploaded by the first kind of user, and his profile needs completely different information.
I do not have enough reputation to ask for details, but one thing that is not clear in your question is: why do you need 2 different forms? In your question, you mention 2 different roles, but why do you need 2 different forms? If you really need 2 different forms, then you should first:
- create a new form type
- create a new view (twig)
Like Boris suggested, I would keep some kind of token for every invitation sent, and associate an email address, and a role to it. Then modify your registration route so you can pass a token in there, like this:
register:
    pattern: /signup/{token}
    defaults: { _controller: MyBundle:Registration:signup }
In the registration action of your controller, you create the correct form type and display the appropriate twig, depending on the ROLE associated to the token you just got. And when handling a POST, you check the token again to see if it matches the email address, and assign the proper ROLE when creating the User.
public function signupAction($token) {
    // 1. Get the Token entity matching the $token variable
    // 2. Create the correct form type
    // 3. Display the correct twig for GET, assign correct ROLE to new User for POST
}
But you can't use FOSUserBundle as-is. You will have to overwrite the registration process. You can read the FOSUserBundle documentation about that.
What's certain is that, for every invitation you send, you should keep a token with a matching email address and ROLE (the role you want to give to that person).
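The invitation scheme described in this answer, as an added example in plain PHP rather than Symfony or FOSUserBundle code and not part of the original posts: the role is read from the stored invitation on both GET and POST, and each token registers one account only. The function names, the in-memory array standing in for the token table and the sample address are assumptions.

```php
<?php
// Added example: single-use invitation tokens that carry the email and role.
// The array $store stands in for an invitation table; all names are hypothetical.

// Create an invitation. Only a hash of the token is stored; the raw token
// goes into the emailed /signup/{token} link.
function create_invitation(array &$store, string $email, string $role): string {
    $token = bin2hex(random_bytes(32));
    $store[hash('sha256', $token)] = [
        'email' => strtolower($email),
        'role'  => $role,
        'used'  => false,
    ];
    return $token;
}

// GET: look up the invitation to decide which form type and template to show.
function find_invitation(array $store, string $token): ?array {
    $inv = $store[hash('sha256', $token)] ?? null;
    return ($inv !== null && !$inv['used']) ? $inv : null;
}

// POST: re-check the token, require the submitted email to match it, and take
// the role from the invitation, never from the submitted form data.
function register_with_invitation(array &$store, string $token, array $form): ?array {
    $key = hash('sha256', $token);
    $inv = find_invitation($store, $token);
    if ($inv === null || strtolower($form['email'] ?? '') !== $inv['email']) {
        return null;
    }
    $store[$key]['used'] = true; // an invitation registers one account only
    return ['email' => $inv['email'], 'roles' => [$inv['role']]];
}

// Constructed sample data.
$store = [];
$t = create_invitation($store, 'alice@example.com', 'USER_TYPE1');
// A "role" field smuggled into the POST body has no effect on the result.
var_dump(register_with_invitation($store, $t, ['email' => 'alice@example.com', 'role' => 'USER_TYPE2']));
// Second use of the same token.
var_dump(register_with_invitation($store, $t, ['email' => 'alice@example.com']));
```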

Zend deny access on changed url parameters best practice?

Within the multi-user application I have in my View index.phtml:
<a href="<?php echo $this->url(array("module" => "myModule", "controller" => "myController",
    "action" => "edit", "id" => $objThings->thingsid), 'default', TRUE) ?>
Clicking this link will lead to the url:
http://website/mymodule/mycontroller/edit/id/228
where user can edit the record.
Once logged in a user could copy this url and change the parameter to 229 or 130 etc. and get access to information from other users.
What is the best practice to prevent this, set authentication on the level of records and deny access to records of other users? (Of course the records have a userid).
Hiding the parameters in the url would be a step to not tempt a user, suggestions for this are welcome.
Necessary is also authentication on module/action level.
I have been searching but can not seem to find the solution.
Do both. If you want to edit a logged-in user's profile details, you don't need the id in the URL as you already know who they are.
Then, in your update code, only allow them to update their specific data.
If you have a logged in user, you may well have an object you have for them which will make updating their data easy (depending if you are using ActiveRecord or something else), otherwise ensure you use id in your SQL.
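The record-level check discussed in this thread, as an added example in plain PHP with PDO rather than Zend Framework code and not part of the original posts: every read and write is scoped to the session's user id, so a changed id in the URL matches no row. The function names and the SQLite in-memory table and rows are assumptions built from the question's thingsid and userid columns; it needs the pdo_sqlite extension.

```php
<?php
// Added example: record-level authorization by scoping every query to the
// logged-in user's id. Table layout, function names and rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE things (thingsid INTEGER PRIMARY KEY, userid INTEGER, title TEXT)');
$pdo->exec("INSERT INTO things VALUES (228, 1, 'mine'), (229, 2, 'someone else')");

// Returns the row only when it belongs to $userId. A foreign id and a missing
// id both yield null, so the controller can answer both with the same
// "not found" response.
function find_thing_for_user(PDO $pdo, int $thingId, int $userId): ?array {
    $stmt = $pdo->prepare('SELECT * FROM things WHERE thingsid = ? AND userid = ?');
    $stmt->execute([$thingId, $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The ownership condition is repeated in the UPDATE itself, so the write stays
// scoped even if a caller forgets to call find_thing_for_user() first.
function update_thing_for_user(PDO $pdo, int $thingId, int $userId, string $title): bool {
    $stmt = $pdo->prepare('UPDATE things SET title = ? WHERE thingsid = ? AND userid = ?');
    $stmt->execute([$title, $thingId, $userId]);
    return $stmt->rowCount() === 1;
}

$sessionUserId = 1; // taken from the authenticated session, not from the URL
var_dump(find_thing_for_user($pdo, 228, $sessionUserId));            // the user's own record
var_dump(find_thing_for_user($pdo, 229, $sessionUserId));            // id changed in the URL
var_dump(update_thing_for_user($pdo, 229, $sessionUserId, 'edited')); // write to a foreign record
```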

Send email on new bug in Mantis

For a particular project, I am trying to configure mantis to send an email to all Supervisors (65) whenever a new bug is submitted.
To do this I have added an entry to the Configuration Report page as so:
Username: All Users
Project Name: Test New
Type: Complex
Value:
array ('new' => array('threshold_min' => '65', 'threshold_max' => '65'))
When I add that it re-formats it like so:
array (
'new' => 'array(\'threshold_min => \'65',
'threshold_max' => '65\')',
)
and doesn't send the emails to the project supervisors.
Can someone assist me please? Very new to configuring Mantis!
I discovered that I also had to make the Supervisor enabled for 'E-mail on Change of Handler' (I also had to do this for Manager level to receive emails when assigned).
It's now working :)
Login as administrator in mantis.
Click on Manage Configuration.
Click on Email Notification.
You will get a table which tells when mail should be triggered at various instance of time, select appropriate options.
Click here to view the documentation of mantis administrative guide
Attached picture is the snapshot for your assistance...
Below is just for your mantis functionality enhancement...
You can also give CHAT option for different levels of users by including
$g_main_menu_custom_options = array(
    array( "Chat", REPORTER, 'chat_page.php' )
);
in your config_inc.php.
I've merged phpchat application with mantis.
You can configure to send emails to a particular user role as "Manager". Then assign all those 65 people this role in the project.
All these people will get mails.
Let me know if this helps.
There is currently a known limitation in the manage config page, which does not properly handle entry of complex types.
I actually started working on a fix for this a while ago based on the initial submission from the issue's reporter, but got sidetracked and never got around to finalizing it. You can find the work in progress on my github branch.
Until then, I'm afraid that your only option would be to enter the required setup directly in config_inc.php.

vBulletin login from subdomain

I have a rather special need: logging in to vBulletin, but not from the forum directly. I looked through topics by searching "vbulletin login", but found nothing.
So here's the structure.
domain.com - main site, access is restricted by ip range
domain.com/forum/ - vB with cookie's host set to .domain.com, of course it's also restricted by ip
extra.domain.com - secondary site which is available to almost anyone ('almost' includes users of vB created manually via ACP)
As for now users already authenticated at domain.com/forum/ are recognized both at domain.com and at extra.domain.com.
So the problem is to login from extra.domain.com to domain.com/forum/
However, I can't just post entered usernames and passwords to the forum because of the ip restriction. As I get it, there should be some wrapper, which will do all the login procedure via cURL or somehow, get all the cookies and then return them to the user.
First of all, please tell me if I'm on the right way in my thoughts? Also, are there any other ways to complete the task without having to spend hours with an HTTP sniffer? I mean, are there any SOAP plugins for vB auth from trusted domains? Forum version is 4.0.8
Does the code on the secondary site have access to the vBulletin code & database? If so, you can handle vBulletin logins in PHP like so:
chdir('/directory/where/vbulletin/is');
require_once('global.php');
require_once(DIR . '/includes/functions_login.php');

// Check for too many login attempts
$strikes = verify_strike_status($username, TRUE);
if ($strikes === FALSE || $strikes >= 5) {
    // TODO: Your error handling here
}

// Attempt authentication
if (!verify_authentication($username, $password, '', '', TRUE, TRUE)) {
    exec_strike_user($username);
    // TODO: Handle bad username & password here
}

// Clear records of previous bad logins
exec_unstrike_user($username);

// Create a new session
process_new_login('', TRUE, '');
The code above should work with vBulletin 3.8.x, but from what I remember of 4.x it shouldn't take much tweaking to make it work with 4.0.8.
Set the 5th parameter to verify_authentication to false if you wish to make the login non-persistent (like not checking "Remember Me" on login).