Developer authentication

Hi Zeip,

Looks like good idea,.

Below are the comments from Ventral Automated review:
FILE: ...al-7-pareview/sites/all/modules/pareview_temp/test_candidate/README.txt
--------------------------------------------------------------------------------
FOUND 0 ERROR(S) AND 1 WARNING(S) AFFECTING 1 LINE(S)
--------------------------------------------------------------------------------
24 | WARNING | Line exceeds 80 characters; contains 81 characters
--------------------------------------------------------------------------------

FILE: ...ll/modules/pareview_temp/test_candidate/developer_authentication.module
--------------------------------------------------------------------------------
FOUND 5 ERROR(S) AFFECTING 3 LINE(S)
--------------------------------------------------------------------------------
97 | ERROR | Line indented incorrectly; expected 2 spaces, found 0
97 | ERROR | Comment indentation error, expected only 1 spaces
98 | ERROR | Line indented incorrectly; expected 2 spaces, found 0
99 | ERROR | Line indented incorrectly; expected 2 spaces, found 0
99 | ERROR | There must be no blank line following an inline comment
--------------------------------------------------------------------------------

@ http://ventral.org/pareview/httpgitdrupalorgsandboxzeip1407262git

Once fixed you could re-run the review to check the status.

This reviews just the formatting and other Drupal coding standards. Someone would review the code manually once its is clean.

There is still a master branch, remove the master branch, see also step 6 and 7 in http://drupal.org/node/1127732.
I haven't played much with this module but some quick manual review.

Manual Review

1. It would be great if you could mention some example incorrect usage of this module which can realy harm site security, in Project description or somewhere in README.txt file.
2. .info file description and Project description in sandbox is different. In Project description it is : "Allows an developer to log in as user #1 with user accounts from a separate authentication source, such as LDAP. Can also be used without LDAP to login" and in .info file its : "Allows developers to login via LDAP as user #1". I think in .info file should have description similar to this text "Allows developers to login via separate authentication source such as LDAP or other authentication as user #1"
3. In .install file line no 14 looks overhead. Get rid of $t = get_t(); line.
4. In .module file, Line no 12 : Remove $items = array(); no need of defining $items. $items will be deined and initialized in next line.
5. You may need to add validate function for developer_authentication_form in .module file

Regards,
Chintan Vyas.

Forgot to change status :P

I'm afraid you did not point out a single issue which justifies setting 'needs work'.

I mentioned 5 points in #3 Manual review.

Hello. I tested the module with LDAP:

1. function _developer_authentication_clean_ldap_string($str) must return value or use pointer.
   Patch to fix
2. I have a warning if not set settings: Warning: ldap_bind() [function.ldap-bind]: Unable to bind to server: Can't contact LDAP server in function _developer_authentication_ldaplogin() (line 104 in file /.../sites/all/modules/developer_authentication/developer_authentication.module).
3. Why module configuration saves into settings.php? Why module does not have a configuration page?
4. How i can select users from LDAP who can access to login as developer?

We are currently quite busy with all the project applications and I can only review projects with a review bonus. Please help me reviewing and I'll take a look at your project right away :-)

Hello
I could not test it with LDAP but from looking at the code and the variable authentication I can say it looks pretty good.
The only thing I would classify as a bug at this point is the fact that you allow the log in with a master password but you still get the error:

You haven't set the LDAP log in settings.

So either make it as a warning or better blend it out if developer_authentication_admin_pwd is set.

Although I do it myself on most of my sites it would be better to call the username not admin. That could also be a setting or defined in a variable. After all it is a second field to get right when hacking the site.

I am not the most experience reviewer but I would give it a rtbc if you fix the LDAP warning.
see you

Hello

Yes we are absolutely on the same page about the password and the security then. And I agree with you that the fixed name is not a show stopper.
Then again the password for user 1 also needs to be taken care of and I have the feeling that that also doesn't happen often... And I guess if you enable this module you are well aware of the risk. After all, you mentioned it.

So in my opinion you are good to go.
Good luck!

We are currently quite busy with all the project applications and I can only review projects with a review bonus. Please help me reviewing and I'll take a look at your project right away :-)

I would probably raise the visibility of the usage warning on your front page, as this does have the potential to severely compromise the security of a site if misused. I'd also suggest that having an option that logs the user in as a specific user who is NOT user #1, but a secondary admin account with full permissions, would be a bit safer ... as you would not be exposing UID #1, and the admins setting up the site would have to consciously consider what permissions they were making available before the module could be used (and those who do not know the security risks couldn't inadvertantly expose them).

That said, the code is clean and it uses the APIs properly ... I haven't tested as I don't have an LDAP server readily available, but I don't see any immediate red flags. Thus ...

Thanks for your contribution, Zeip!

I updated your account to let you promote this to a full project and also create new projects as either a sandbox or a "full" project.

Here are some recommended readings to help with excellent maintainership:

• Dries' post on Responsible maintainers
• Best practices for creating and maintaining projects
• Maintaining a drupal.org project with Git
• Commit messages - providing history and credit
• Release naming conventions.
• Helping maintainers in the issue queues

You can find lots more contributors chatting on IRC in #drupal-contribute. So, come hang out and get involved!

Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.

Thanks to the dedicated reviewer(s) as well.