Expands the uses for tokenauth. I can make up some more blahblah on why I want it.

Anyhow, this is the simple patch, without any added checking or such.

Comments

geerlingguy

Version: 6.x-1.6 » 6.x-1.x-dev

The difficulty here is that for many use cases (at least, my own and many that I envision), it would be preferred if a token authentication wouldn't override the authenticated session (especially for people who share a computer, or families, etc.).

Maybe it would work better if you use drupal_set_message() to tell the user "The link you used was intended for a different user. Click here to be logged out of your current account and log in as that user for this page." Something like that.

That way, the user would be able to decide whether or not to be logged out.

Grayside

The concern is that you could click a link in an email, and it would log you in to some other user's view of the page? That is a valid point.

"You have arrived at a special URL that has logged you in as a different user. Click <a>this link</a> to reload the page with your original account."

If we are going to add that, a watchdog() entry to mark this kind of authentication would also be useful as a basic part of this enhancement, facilitating log analysis to detect patterns of a user repeatedly getting ahold of many other people's tokens.

@hefox, thoughts?
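The log analysis suggested in the comment above, sketched as an added example that is not part of the thread or of the tokenauth module: it flags an account whose session was replaced by token logins for several distinct other users within a short window. The log line format, the field names `session_uid` and `token_uid`, and the threshold and window values are assumptions made for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines. The format is assumed: one line per token login
# that replaced an existing session, as a watchdog() entry might record it.
SAMPLE_LOG = """\
2011-03-01T09:00:05 tokenauth session_uid=12 token_uid=40 ip=192.0.2.10
2011-03-01T09:02:11 tokenauth session_uid=12 token_uid=41 ip=192.0.2.10
2011-03-01T09:03:47 tokenauth session_uid=12 token_uid=40 ip=192.0.2.10
2011-03-01T09:05:30 tokenauth session_uid=12 token_uid=57 ip=192.0.2.10
2011-03-01T10:15:00 tokenauth session_uid=7 token_uid=8 ip=198.51.100.4
2011-03-02T18:40:00 tokenauth session_uid=7 token_uid=8 ip=198.51.100.4
not a tokenauth line
"""

def parse(line):
    """Return (timestamp, session_uid, token_uid), or None for other lines."""
    parts = line.split()
    if len(parts) < 4 or parts[1] != "tokenauth":
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    try:
        return (datetime.fromisoformat(parts[0]),
                int(fields["session_uid"]), int(fields["token_uid"]))
    except (KeyError, ValueError):
        return None  # malformed entry: skip rather than abort the scan

def suspicious_accounts(log_text, threshold=3, window=timedelta(hours=1)):
    """Map session_uid -> sorted token_uids for accounts that used tokens of
    at least `threshold` distinct other users inside a sliding `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[1] != rec[2]:  # a user following their own link is fine
            events[rec[1]].append((rec[0], rec[2]))
    flagged = defaultdict(set)
    for uid, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events that fell out of the window
            distinct = {token_uid for _, token_uid in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[uid] |= distinct
    return {uid: sorted(tokens) for uid, tokens in flagged.items()}
```

Counting distinct token owners rather than raw events keeps a family member who repeatedly follows the same person's link (account 7 in the sample) from being flagged.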

hefox

Status: Needs review » Needs work

Sounds like something that should be configurable anyhow; marking this as needs work for now.

Grayside

Reroll for 6.x-2.x.