Mackski Posted January 23, 2014

Although from a security standpoint this isn't a good solution, I have a requirement where once a user has activated their account via the usual email / activation link, they automatically be logged into the system. So I need to find a user, then log them in using their ID, as their password is encrypted.

Without duplicating and modifying:

    Session.php -> public function ___login($name, $pass)

Is there another way to accomplish this?
ryan Posted January 25, 2014

It's easy enough to change the active user for the current request:

    $user = $users->get($id);
    if(!$user->id) throw new Wire404Exception();
    if($user->isSuperuser()) throw new Wire404Exception();
    $session->setCurrentUser($user);

But before you do anything like that, you need to be absolutely certain that the user has no ability to set the $id that gets called in $users->get($id). I think you may have to jump through some security challenges with any kind of solution that logs in a user without a password. So I would really advise against it.

Beyond the security issues, the other problem with the code above is that it doesn't keep the user logged in. That's because $session->login($user, $pass); sets cookies and starts a session. Just setting the $user for the current request does not do that. Since you don't have the password, you'd need to override PW's authentication with your own:

    $user = $users->get($id);
    if(!$user->id) throw new Wire404Exception();
    if($user->isSuperuser()) throw new Wire404Exception();
    $pass = 'some long string that only you can see';
    $session->addHookAfter('authenticate', function($event) use($user, $pass) {
        if($event->return) return; // user already authenticated
        if($user->name === $event->arguments('name') && $pass === $event->arguments('pass')) {
            $event->return = true;
        }
    });
    $user = $session->login($user->name, $pass);
    if(!$user) throw new Wire404Exception();

I've not tested this out, but in theory it should work. But again, be really careful about this, as I think you may be creating a security hole in bypassing the regular login process.
Soma Posted January 25, 2014

Small correction to Ryan's example: it would be $users->setCurrentUser($u); and maybe not use the $user var but $u, since you would overwrite the $user var:

    $u = $users->get($id);
    ..
    $users->setCurrentUser($u);
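A way to keep the $id the thread warns about out of the request entirely, as an added example that is none of the posters' code: the activation link carries a random, single-use, expiring token, and the user id is looked up server-side from the token's hash. It assumes ProcessWire's $input, $users and $session plus the 'authenticate' hook from Ryan's post; TOKEN_TTL and the array $store are constructed stand-ins for a real table.

```php
<?php
// Added example, not from the thread. The id handed to $users->get() never comes
// from the URL: it is resolved from a random token that is valid once and expires.
// $store stands in for a database table (constructed here as an array, assumption).

const TOKEN_TTL = 3600; // seconds an activation link stays valid (assumed policy)

// Called when the activation e-mail is sent; the returned token goes into the link.
function issueActivationToken(array &$store, int $userId): string {
    $token = bin2hex(random_bytes(32));          // 256-bit, unguessable
    $store[hash('sha256', $token)] = [           // persist only the hash, never the token
        'user_id' => $userId,
        'expires' => time() + TOKEN_TTL,
    ];
    return $token;
}

// Called at the activation URL. Returns the owning user id, or null if the token is
// malformed, unknown, already used or expired. Lookup is by hash, so no byte-by-byte
// comparison of the secret is needed (array lookup on the hash avoids timing leaks).
function consumeActivationToken(array &$store, string $token): ?int {
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) return null;
    $key = hash('sha256', $token);
    if (!isset($store[$key])) return null;       // unknown or already consumed
    $row = $store[$key];
    unset($store[$key]);                         // single use, even when expired
    if (time() > $row['expires']) return null;
    return $row['user_id'];
}

// Sketch of the activation page (assumes the ProcessWire API variables named above):
//   $userId = consumeActivationToken($store, (string) $input->get('token'));
//   if ($userId === null) throw new Wire404Exception();
//   $u = $users->get($userId);
//   if (!$u->id || $u->isSuperuser()) throw new Wire404Exception();
//   $pass = bin2hex(random_bytes(32));   // throwaway secret for this request only,
//                                        // instead of the fixed string in Ryan's post
//   ... then register the 'authenticate' hook and call $session->login($u->name, $pass)
//   exactly as in Ryan's post, using $u rather than $user as Soma suggests.

// Constructed demonstration with an in-memory store and a made-up user id.
$store = [];
$link  = issueActivationToken($store, 1234);
$first  = consumeActivationToken($store, $link);   // the user id the token was issued for
$second = consumeActivationToken($store, $link);   // null: the token was already consumed
```

Because the throwaway password is generated per request and the hook is only registered after the token check has succeeded, the bypass Ryan describes is reachable solely through a valid link, not through a guessable id.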