Module FrontendUser: login, logout and register users / members

[benbyf]

https://github.com/benbyford/subscribers

it probably needs some changes and updates. I've been using it with a client and building alot on top. I havent heard much from other people using it hence no new updates - but i would be keen to here from people wanting to use or contribute.

[szabesz]

I'm interested  in the near future I will need something like this and I will be happy to help as much as I can.

[benbyf]

NICE!! mainly trying and checking the module for security and new features

[modifiedcontent]

@benbyf, I just installed/tried your module. It doesn't have account validation/email confirmation etc.?

After adding test info on the register form, I was immediately logged in, but apparently with no permissions to do anything in the admin area. I was unable to log in again with my administrator account. I am now locked out of my own site.

Edit: I used the same email address for the test as I have in my main admin account, so the subscriber with no permissions hijacked my main administrator account - how is that even possible? Going into the database now to try to restore my site...

Edit: Unable to restore the site via database. Completely fucked. Now reinstalling everything from scratch.

[dotnetic]

@modifiedcontent  Did you see my PW 3 compatible module https://github.com/jmartsch/processwire-social-login? Maybe you want to use it instead? It has  account validation/email confirmation and login via Facebook.

[modifiedcontent]

Thanks for the suggestion @jmartsch. I am trying to understand how forms, registration, etc. works in PW, not so much looking for an out-of-the-box solution. I want to be able to customize and add/expand. I have used OAuth in Wordpress projects, will add that when I have the PW basics figured out.

[fbg13]

6 minutes ago, modifiedcontent said:

trying to understand how forms, registration, etc. works in PW,

@modifiedcontent Works the same as everywhere else, you have a form, form gets submitted, you process it (do what you need with the values submitted).

I showed you how to save the values in a page, the same way you can create a user.

<?php
// $input->post->username same as $_POST["username"]
if($input->post->submit) {
    $u = new User();
    $u->name = $input->post->username;
    $u->email = $input->post->email;
    $u->pass = $input->post->password;
    $u->registrationDate = time();
    $u->addRole("member");
    $u->save();
}

 

[modifiedcontent]

Yes I got that, @fbg13. Thanks again. I am now working on putting it all together, but also with confirmation emails and field validation and error handling and generating the username from the fullname and integrating with other scripts and maliing systems etc.

My point to @jmartsch was that I've kinda given up on the idea that there is going to be one module that will take care of the whole process - although @pwFoo's module is a great starting point.

I guess it is the Wordpress attitude to look for a plugin that does what you need. in Processwire it is probably better to spend the time to learn to understand the basics and put your own custom solution together.

[Robin S]

11 hours ago, modifiedcontent said:

After adding test info on the register form, I was immediately logged in, but apparently with no permissions to do anything in the admin area. I was unable to log in again with my administrator account. I am now locked out of my own site.

Edit: I used the same email address for the test as I have in my main admin account, so the subscriber with no permissions hijacked my main administrator account - how is that even possible? Going into the database now to try to restore my site...

Edit: Unable to restore the site via database. Completely fucked. Now reinstalling everything from scratch.

For next time, if you find yourself logged in as a user with limited admin permissions, just log out.

[modifiedcontent]

@Robin S, I did log out, but wasn't able to log in again with my main admin account, because the test account had hijacked that email address.

[Robin S]

Just now, modifiedcontent said:

@Robin S, I did log out, but wasn't able to log in again with my main admin account, because the test account had hijacked that email address.

But you log in in with your username, not your email address. Or do you mean you used your email address as your username? In which case I would suggest don't do that - it violates the allowed characters for the "name" field of a user page.

[modifiedcontent]

No, @Robin S of course I did not put an email address in the username field. But I think @benbyf's module doesn't check if an email address is already used in the system. I tried the module with a Test User, but used the same email address as my main admin account - dumb move. Login with my admin username + browser stored password then failed for some reason. Resetting the password with the 'lost password' feature also failed. Removing the Test User via PHPMyAdmin did not fix the problem either.

btw, @benbyf's module does seem to use email address as the username in an odd way. The confirmation email after registering said 'Your username is: myfirstname-mydomain.com'; the email address with only @ replpaced by -

[Robin S]

1 minute ago, modifiedcontent said:

But I think @benbyf's module doesn't check if an email address is already used in the system.

I've never used the module so not sure how it works, but it is not a requirement that the "email address" field of a user page be unique - only the "name" must be unique. Having another user with the same email address as your superuser account is not going to stop you from logging in with your username/password as normal. Maybe you simply had an incorrect password entered when you were trying to log in as superuser.

[modifiedcontent]

Quote

Maybe you simply had an incorrect password entered when you were trying to log in as superuser.

it failed with a browser-stored password. I am testing/building sites at the moment, using the same easy passwords. Resetting the password via 'lost password' didn't work either. Not sure what happened. Maybe I am an idiot. Maybe you should try the module yourself before lecturing me.

[fbg13]

You can always change the password through the api

<?php

$u = $pages->get(...);
$u->of(false);
$u->pass = "...";
$u->save();

Also we are off topic here.

[modifiedcontent]

Quote

Also we are off topic here.

Yes. My post here was only meant as a quick report of my test of that module, that I thought would be more similar to pwFoo's module. pwFoo's module does look like a more developed starting point.

[adrian]

1 hour ago, modifiedcontent said:

Maybe you should try the module yourself before lecturing me.

This is friendly place and @Robin S has gone out of his way to help support a problem you are having with someone else's module. We all make silly mistakes on occasion - I am certain he was just trying help you eliminate all possibilities.

Regardless of what this module did to your admin account, it is always possible to edit and add a new account with superuser rights via the API, so there should have been no need to reinstall a so called completely f'ed installation. Please just ask and we'll do our best to help.

[modifiedcontent]

Quote

... has gone out of his way to help support a problem you are having ...

@Robin S's comments were off topic, unhelpful and plainly insulting. My post was a quick report of my quick test of that module. I was not asking for @Robin S's pearls of wisdom. Test @benbyf 's module. Let us know if it has anything to offer to @pwFoo's module.

Edit: here is what I have so far as a module alternative - there are probably better built-in PW methods to generate password and username:

Spoiler

<?php
function usernamer($str = '') {
$str = strip_tags($str); 
$str = preg_replace('/[\r\n\t ]+/', ' ', $str);
$str = preg_replace('/[\"\*\/\:\<\>\?\'\|]+/', ' ', $str);
$str = strtolower($str);
$str = html_entity_decode( $str, ENT_QUOTES, "utf-8" );
$str = htmlentities($str, ENT_QUOTES, "utf-8");
$str = preg_replace("/(&)([a-z])([a-z]+;)/i", '$2', $str);
$str = str_replace(' ', '', $str);
$str = str_replace('-', '', $str);
$str = str_replace('--', '', $str);
$str = rawurlencode($str);
$str = str_replace('%', '', $str);
return $str;
}

function passworder( $length ) {
$chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
return substr(str_shuffle($chars),0,$length);
}

$pass = passworder(8);
$activation = md5($pass."randomstringhereforextraprotection");

if($input->post->submit) {
    $u = new User();
    $u->fullname = $sanitizer->text($input->post->fullname);
    $u->name = usernamer($u->fullname);
    $u->email = $sanitizer->text($input->post->email);
    $u->pass = $pass;
    $u->activation = $activation;
    $u->registrationDate = time();
    $u->addRole('');
    $u->save();
	
	$activationlink = $config->httpHost .'/signup/?key='. $activation;
	
	echo '<style>form { display: none }</style>';
	echo '<p>Thank you for your interest. Check your email inbox for the account activation link.</p>';
	
	$welcome = '<p>Hello '. $u->fullname .',<br>Thank you for submitting your data. Your username is ' . $u->name . ' and your pass is '. $pass .' and your activation link: '. $activationlink .'</p>';
	$mail->send($u->email, 'Company <admin@company.com>', 'Your Account Activation Link', $welcome);
}

/* get activation code from URL */
if (isset($_GET['key'])) {

$activation =  $sanitizer->text($_GET['key']);
$newuser = $users->get('activation='. $activation);

	if ($newuser->activation == $_GET['key']) {
	$newuser->of(false);
	$newuser->addRole('subscriber'); /* activate by updating role */
	$newuser->activation = '0'; /* remove validation key */
	$newuser->save(); 
	$newuser->of(true);
	echo 'You now have an active account';
    }
    else {
	echo 'Your account is already active or you have an invalid key<br><br>';
	}
} else { ?>
<form method=post>

<div class=field>
	<label for=fullname>Full name</label>
	<input id=fullname type=text name=fullname placeholder=fullname required>
</div>

<div class=field>
	<label for=email>Email</label>
	<input id=email type=email name=email placeholder=email required>
</div>
	
	<input type=submit name=submit>
</form>
<?php } ?>

 

This solution needs fields 'activation' and 'fullname' added to the user (system) template.

[adrian]

5 minutes ago, modifiedcontent said:

@Robin S's comments were off topic, unhelpful and plainly insulting. My post was a quick report of my quick test of that module. I was not asking for @Robin S's pearls of wisdom.

His pearls of wisdom were an attempt to help you and others who may come across a similar situation.

I'm out!

[benbyf]

wow the conversation has moved on here, totally missed this.

YES @modifiedcontent the module is supposed to be writen into your templating, i.e. use the functions to create login, forgotten username, register etc. Then the user is added as a subscriber role (or role of your choosing).

For my project I create some pages only available to subscriber role, I dont want anyone from the public seeing the PW install so I effectively created protected parts of the site where they can see and do stuff for their role e.g. see restricted content.

I'm happy to develop the module further... the idea wasn't that it was a replacement for the PW admin but a way of creating login to parts of your site for differing  role types.

Hope that makes sense.

Also, yes the username creation is not good, any recommendations would be appreciated. Currently they are created out of the email address as i didn want to add a username field which then needed to be checked for duplication on the client side with PW for a nice experience... lots of cans of worms there. It also doesn't have a two step email verification as it wasn't needed for my purpose at the time, but does mean your likely to get spam.

I use: user has role in my private templates to check for logged in users.

 

$user->hasRole($role)

if($user->hasRole("subscriber")){
	/*
	* my private info for subscribers
	*/
}else{
	/*
	* show login form or similar
	*/
}

 

[modifiedcontent]

Thank you for not taking this personal, @benbyf.

In my solution here I use a custom function for username creation from a fullname. I haven't added a check for diplication yet - and kinda hope the system would catch that somewhere. I have used a similar username-from-fullname process in Wordpress for years and never had a problem there.

Apparently in Processwire 'it is not a requirement that the "email address" field of a user page be unique'. I think I have tried the username-from-email solution myself when I first tried to develop this process in Wordpress, with similar results.

[netcarver]

<moderator hat: on>

Hi everyone,

Just want to point out that discussion of Ben's module really belongs in its own thread and not under this one - which is specifically for discussing pwFoo's module. If anyone wants to discuss a possible merger between the two modules, please start a new thread to discuss the possibility and then post a single pointer to the new thread here and in Ben's module's thread.

Many thanks!

<moderator hat: off>

[benbyf]

@netcarver true, also im not easily offended

[modifiedcontent]

@netcarver, if you follow the thread back, you'll see that I actively tested pwFoo's module. It worked very well, except for a few issues that did not get resolved. March 7 pwFoo mentioned that 'the module isn't compatible with the latest PW version'.

I got back into this thread to finish the solution, get a complete working process. I basically have one here, but don't know how to turn it into a module or integrate it with pwFoo's.

So I think it is up to @pwFoo to return to his thread and solve outstanding issues, maybe by using or rejecting some of what we discussed above.

BTW, this wirePopulateStringTags() solution would also be a great addition to a FrontendUser/member registration module, to make the system activation and welcome email messages managable as regular fields.

[pwFoo]

3 hours ago, modifiedcontent said:

@netcarver, if you follow the thread back, you'll see that I actively tested pwFoo's module. It worked very well, except for a few issues that did not get resolved.

If I follow the link there are no issues...?!

1. Second welcome email? -> just hook into the process and send one. Use PW API / hooks
2. Add a role -> write a PW hook. Default role? See documentation example... -> https://bitbucket.org/pwFoo/frontenduser/wiki/Register extensions and plugins
3. Custom fields...? See example  https://bitbucket.org/pwFoo/frontenduser/wiki/Code snippets / Examples
4. Style a form api field? -> Search forum and PW documentation about PW native form api and inputfields. Get form object: $fu->form.
   Overwrite the register form? Ok, just do it...
   https://bitbucket.org/pwFoo/frontenduser/src/0070dc3106945198ac438bab3ab742b1784080e9/FrontendUser/FrontendUser.module?at=master&fileviewer=file-view-default#FrontendUser.module-78
   See first function param $fields
5. validation email template (default):  https://bitbucket.org/pwFoo/frontenduser/src/0070dc3106945198ac438bab3ab742b1784080e9/FrontendUser/templates/validationEmail.php?at=master&fileviewer=file-view-default

   $file = wire('fu')->getFile('validationEmail.php', 'templates');

    getFile() function...
   https://bitbucket.org/pwFoo/frontenduser/src/0070dc3106945198ac438bab3ab742b1784080e9/FrontendUser/FrontendUser.module?at=master&fileviewer=file-view-default#FrontendUser.module-199

       /**
        * Load custom or default styles / scripts
        * @param string $file Filename to load
        * @param string $type File type styles or scripts
        */
       public function getFile($file, $fileType, $type = 'paths') {
           $custom = $this . '/' . $file;
           if (file_exists($this->config->paths->templates . $custom)) {
               $file = $this->config->$type->templates . $custom;
           }
           else {
               $file = "{$this->config->$type->$this}{$fileType}/$file";
           }
           return $file;
       }

   Have I pointed to the module documentation before... ?!
   https://bitbucket.org/pwFoo/frontenduser/wiki/Documentation#markdown-header-styles-scripts-templates

   Quote

   Styles, scripts & templates

   The modules includes base styles, scripts and templates in the module directory You can overwrite these files with custom files inside the templates directory. If a custom style, script or template file exists it will replace the default file!

   Login form

   
   /site/templates/FrontendUser/FrontendUserLogin.css
   /site/templates/FrontendUser/FrontendUserLogin.js
   

   register form

   
   /site/templates/FrontendUser/FrontendUserRegister.css
   /site/templates/FrontendUser/FrontendUserRegister.js
   

   Email validation template

   
   /site/templates/FrontendUser/validationEmail.php

4 hours ago, modifiedcontent said:

March 7 pwFoo mentioned that 'the module isn't compatible with the latest PW version'.

Maybe, I haven't tested it. It seems there was a change inside the password inputfield which needs additional css / js to work...

 

The FrontendUser module is just based on form api, inputfields, hooks. PW native features. So if you know PW you know how to extend the module. 

Since I'm currently busy in my job, I'm missing the time to rework the module, but it should be flexible enough for most of the needed extensions / plugins. 
If there is a bug or problem a pull request is welcome