I want to create several password protected pages for visitors (clients) to my site. I understand about creating Access and Resource Groups and assigning ModX users to that group - but there are a couple of things I do not understand:
How do you set up a login page to access the secure resources?
If I set up a user group for my clients and distribute usernames and passwords, will they be able to login to the back end of ModX (/manager) like an admin does?
Is is better to just use a plugin like DocPassword that just makes pages password protected (no usernames)?
Any help would be much appreciated! Thanks!
I found this which helped me out a lot:
http://rtfm.modx.com/display/ADDON/Login.Tutorials
What I didnt know is that you had to install an add on called 'Login'
Related
Currently we have a user guide sitting in Confluence. We want to give access to this page to all users of the product. What is the best way to do this?
Do I put the user guide into its one space and make it public. Then would I need to make a group defining all my users on our product?
It would be ideal if the users did not have to log into confluence in order to view the user guide. The most important piece is we do not want to give access to the user guide to everyone to view.
If you want to grant access to the users of that product, you need to create a group, and then, give access to only that group. If users don't need to log into Confluence, then, anyone could access.
Another approach is to use Comala Share It (disclaimer, I work in Comalatech). This add-on allows you to create a unique URL, which could be shared with the users of your product, so only them could access. Of course, if the URL is shared with anyone outside the group, that person could access too. Guess the public URL is not possible, since it uses a secure token.
Regards,
Gorka
Posted this on google groups for Roadkill wiki, but there seems to be not much activity. Stackoverflow was mentioned, but there's only 2 posts per year... Bitbucket account is closed... Seems wrong to add an issue in github to just ask questions... https://github.com/roadkillwiki/roadkill/issues
I want to create a help wiki for a password protected website (asp.net, c#, iis...). This website is using Form Authentication. Only users logged onto the site will be able to see the help pages. They will be able to READ the pages, not add or edit or register new users or anything like that.
1) admin access
There will be 1 (or 2 or 3) admin users who can add/edit/delete pages. They can use a special URL to get to the admin pages if required.
- They use their own credentials from the real website somehow mapped as admin in Roadkill, or
- have special Roadkil user+pwd, defined in Roadkill rather than the real website.
2) For the read only requirement, I see it's work in progress for v3.
https://github.com/roadkillwiki/roadkill#viewer-role
http://roadkillwiki.userecho.com/topics/27-viewer-role/
I know it says "no ETA", but are we talking 1 month, 6 months, 1 year? I might have to do my own as I need this within a month or two!
3) For authentication of my readonly users... I thought I would have to write my own "User Manager", using the technique described here:
http://www.roadkillwiki.net/wiki/12/users-and-permissions
But then I thought... If I just install Roadkill in a protected folder in the root of my website, doesn't this give me Form Authentication for free? I don't care who the users are, all pages will be readonly for them... a kind of anonymous access... but I saw anonymous access doesn't exist.
Then I saw this question:
http://roadkillwiki.userecho.com/topics/10-port-it-to-aspnet-identity/
and the answer is no, "asp.net identity doesn't support groups". But it supports roles, so you could have admins, editors (and viewers), am I missing something?
Any tips regarding the 3 points above? It's borderline off topic by stackoverflow standards, I know. So let's make it a real question: how to configure Roadkill in a Form authenticated asp.net website so that all users have readonly access, to create a series of help pages?
There aren't that many .net wikis out there! It's all php!
I've just integrated my app with IBM's SSO via Cloud Directory. The idea here is that I want access to be very secure and only authorized users (pre-approved) can access the application (e.g. website in this case).
However, I've just realised now that anyone that goes to the app's webpage can, instead of logging in, just select "Register New User" and fill in some details and he's given access? Is there a way to:
1) EITHER keep that registration form, but require one of the admins to approve it before access is given? (better solution)
2) OR completely remove the self-registration option?
As the current situation is far from secure for what I need.
Thanks a lot!
I talked with the support team and that is the best (only) way to do it, just remove the links from the HTML templates.
Can anyone think of a neat solution for this; we operate an website service and sell to large organisations. Rather than have a logon for everyone, we'd like to be able to provide a direct link to our website from the organisation's Intranet page. We'd then like to check the referrer and if it's in our listed of 'trusted referrers', i.e. the intranet url, then we grant logon without asking for credentials.
I'm aware you can do $_SERVER['HTTP_REFERER']; to get the referrer, but I'm also aware that can be spoofed. Can anyone think of how we could achieve what we want, but while also guaranteeing it won't be hackable?
Thanks in advance
It's not exectly what you want, but to make logging on easier and ensure you don't need to store all the passwords you could use, for example, OpenID.
I think that there is no perfect and safe solution for this.
One solution would be to append tokens to the urls. It will work and it will be save, but anyone who knows the link (including token) will be able to login as that organization
Another solution would be to check the source ip. This can be done in different ways *apache, load balancer, app, etc).
Also a combination of token + ip could work (this token for that organization but only if the request comes from allowed_ips for that organization)
A more elegant solution (which I implemented for several big companies) would be to integrate you website login with the active record domain login. It is possible to use the current user window login as login into a website, using domain authorization. If a user is logged in into a domain, when enters your site will automatically login to the website.
This solution is much more easy to implement than it sounds. But, requires Active directory and workstation that connects to a domain to be in the company (this shouldn't be a problem, most of corporations are using windows on workstations and active directory for domain controller). Also is working best on IE only (direct login to the website). On other browsers the domain login popup will appear and user will have to enter again the domain password.
Also, I am pretty sure that can be made to work on linux environments, but I have no idea how.
I'm building a Multi-Tenant application and I'm struggling incorporating a Facebook Login into the web application.
The tenants are using a sub-domain for example
http://tenant-1.domain.com/
http://tenant-2.domain.com/
http://tenant-3.domain.com/
So, I have created an application and when it comes to add the Website, how can I make it to be available in all tenants? Something like:
But of course, that does not work, and if I add just http://domain.com/ it does not work either on http://tenant-1.domain.com/ as soon I click in the <fb:button-login> I get:
How do I do this, without creating a specific FB App for each tenant?
I'm using this to help persons to subscribe their account, I just want the login to get name and email, or they need to fell that up in the name and email boxes...
This is not possible, but there are options to workaround. I think probably the best would be to use a single domain to perform the authentication, specified as the redirect_uri. On this redirect_uri you can append some query parameters, for example your redirect_uri could be:
http://auth.domain.com/auth.php?tenant=tenant-1
Then in the code for auth.php you would grab this tenant parameter from the query string, authenticate the user, store their access token and then immediately redirect them back to tenant-1.domain.com
I'm not sure if this solution will be something you prefer, but it is currently not possible to specify subdomains for authentication, so this or a similar workaround is necessary.