Hey all,
Wondering if anyone could give me any insight as to the best solution for this situation.
I'm just in the process of setting up my first Drupal site for my department's intranet at work and am writing a module to authenticate users via their Unix account details (local and NIS). I've got the basics in place - it's treated as a distributed authentication method which calls an external perl script which does the authentication checks then returns the result.
The problem I'm having is that there is still the ability for the user to set their account password, and if I do that I can then log in using either password.
So, what I'm trying to do is somehow prevent this happening. Looking in user.module there's no logic around the code that creates the text field, so I'm guessing I can't turn it off cleanly. Have I maybe not implemented the _auth hook properly, as surely this would affect any distributed authentication method?
Thanks in advance.
Jon
Comments
Edit user module?
You could I suppose edit the user.module to make the password changing fields not appear.
Hi Nedjo, thanks for the suggestion
Hi Nedjo, thanks for the suggestion, I guess that's what I'm going to have to do. I think I sort of answered my own question when I said that there was no logic around the text field code in user.module!
I was really hoping to avoid performing any hacks to any of the existing modules but it seems like there's not much choice.
Try a patch
Which is always a cue to consider making a core patch. What do you want the behaviour to be? And how might you cleanly implement it? Maybe a tweak to an existing hook, or failing that a new config option, that informs Drupal that distributed authentication is being used, and hence that the password handling should be different. If you can implement it cleanly in your case, you should be able to come up with a good patch. (Keep in mind, though, that you would need to make your patch for CVS HEAD, not 4.6.)
I was thinking about that possibility....
Though was slightly put off by having never done that sort of thing before - was going to make this my first foray into contributing to a project like this. Still, I'm willing to give it a go :-)
Onto the solution though, assuming that for any distributed authentication method you would want the password change fields not to be available I was thinking of simply putting some logic in there to test if you authenticated against a module (something available in the $user object?) and then to either display the form fields or a message appropriately.
How's that sound?
Sounds good
I imagine you're using an
_auth()hook. I'm not sure offhand how to determine if remote authentication was used. Maybe just from the form of the username (user@example.com)? Or else have user.module set a token in the $user object (if one is not already set), e.g., $user->remote = TRUE;I also have to do the password request mechanism too....
Either of those ways you suggested sounds good. I guess I'll give them a try and report back on how it goes. The site I'm writing them for won't be going live for some time now so I've got a little while to play.
Found a thread that addresses this...
I'd seen this one before but not read much of it, but it refers to a dicussion raising this exact point.
http://drupal.org/node/19113
I'll have a bit more of a read and see if they got anywhere before I start on it.
user cannot change password
what solution did you end up using? i didnt check this thread til yesterday when I figured I needed this functionality. For my purposes, using the following user.module worked for me. Of course, using this module doesn't remove the functionality from http://site.tld/user/password
http://ninovanroad.com/user.7z
I'd like to know what you ended up doing
Sorry to never reply!
Hey mate, sorry no reply. I imagine this is way too late for you so I'm just posting it in case anyone who searches and finds this thread is still interested.
Regarding what I did - I ended up hacking user.module and putting in a little logic to remove the entries from the forms if you were logged in with a distrubuted authentication module.
I've also put my code up for download here: http://www.professionalnerd.com/drupal_modules
It's offered as a base for others to modify to suit their own needs as it's not really complete enough to submit as a project.
Cheers,
Jon
I created a module for this:
http://drupal.org/project/sympal_password_hijack
---
Professional | Personal
Use theme
You can implement theme_password_confirm and just not return anything.