User login by $user->id


Mackski
Although from a security standpoint this isn't a good solution. 
I have a requirement where once a user has activated their account via the usual email / activation link, that they automatically be logged into the system.

So I need to find a user, then log them in using their ID, as their password is encrypted.

Without duplicating and modifying:
Session.php -> public function ___login($name, $pass)

Is there another way to accomplish this?


It's easy enough to change the active user for the current request:

$user = $users->get($id);
if(!$user->id) throw new Wire404Exception();
if($user->isSuperuser()) throw new Wire404Exception();
$session->setCurrentUser($user);  

But before you do anything like that, you need to be absolutely certain that the user has no ability to set the $id that gets called in $users->get($id). I think you may have to jump through some security challenges with any kind of solution that logs in a user without a password. So I would really advise against it.

Beyond the security issues, the other problem with the code above is that it doesn't keep the user logged in. That's because the $session->login($user, $pass); sets cookies and starts a session. Just setting the $user for the current request does not do that. Since you don't have the password, you'd need to override PW's authentication with your own:

$user = $users->get($id);
if(!$user->id) throw new Wire404Exception();
if($user->isSuperuser()) throw new Wire404Exception();

$pass = 'some long string that only you can see'; 

$session->addHookAfter('authenticate', function($event) use($user, $pass) {
  if($event->return) return; // user already authenticated
  // Session::___authenticate() receives (User $user, $pass): compare the User object, not a name string
  $authUser = $event->arguments(0);
  if($authUser && $authUser->id === $user->id && $pass === $event->arguments(1)) {
    $event->return = true;
  }
});

$user = $session->login($user->name, $pass);
if(!$user) throw new Wire404Exception(); 

I've not tested this out, but in theory it should work. But again be really careful about this, as I think you may be creating a security hole in bypassing the regular login process.

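The hook approach above, carried through to the activation case the question describes, as an added example that is not code from the thread or from ProcessWire itself. The user is resolved from a single-use, expiring activation token rather than from an $id the visitor could choose, the throwaway secret is accepted only by this request's hook and only for that one user, and the hook is removed right after the login call. The user fields activation_hash and activation_expires are assumed to exist on the user template.

```php
<?php namespace ProcessWire;
// Added example, not from the thread. Assumes ProcessWire 3.x (drop the namespace line on 2.x)
// and two custom user fields: activation_hash (sha256 of the emailed token) and
// activation_expires (unix timestamp).

/**
 * Resolve the user who owns $token. Rejects malformed, unknown, expired and superuser
 * tokens, and burns the token before returning so the link cannot be replayed.
 */
function userForActivationToken(Users $users, string $token): ?User {
    if(!preg_match('/^[a-f0-9]{64}$/', $token)) return null;  // only accept the expected shape
    $hash = hash('sha256', $token);                             // only the hash is ever stored
    $u = $users->get("activation_hash=$hash");                  // hex-only value, safe in a selector
    if(!$u->id || $u->isSuperuser()) return null;
    if((int) $u->activation_expires < time()) return null;      // expired link
    $u->of(false);
    $u->activation_hash = '';                                   // single use: invalidate first
    $u->activation_expires = 0;
    $u->save();
    return $u;
}

/**
 * Log $u in without knowing their password. The secret exists only for this request,
 * the hook only honours it for this exact user, and the hook is removed afterwards.
 */
function loginActivatedUser(Session $session, User $u): bool {
    $secret = bin2hex(random_bytes(32));
    $used = false;
    $hookId = $session->addHookAfter('authenticate', function(HookEvent $e) use($u, $secret, &$used) {
        if($e->return || $used) return;                  // normal auth passed, or secret already consumed
        $candidate = $e->arguments(0);                   // Session::___authenticate(User $user, $pass)
        if(!$candidate instanceof User || $candidate->id !== $u->id) return;
        if(!hash_equals($secret, (string) $e->arguments(1))) return;
        $used = true;
        $e->return = true;
    });
    $result = $session->login($u->name, $secret);        // returns the User on success, null otherwise
    $session->removeHook($hookId);                       // never leave the bypass installed
    return (bool) $result;
}

// Usage in the activation template (assumed flow):
// $u = userForActivationToken($users, $sanitizer->text($input->get('token')));
// if(!$u || !loginActivatedUser($session, $u)) throw new Wire404Exception();
// $session->redirect('/account/');
```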

Small correction to Ryan's example, it would be

$users->setCurrentUser($u);

and maybe not use $user var but $u, since you would overwrite the $user var:

$u = $users->get($id);
..
$users->setCurrentUser($u);