CVS edit link for calebtr

Hi, I'm a librarian that administers a Drupal site. I've written thousands of lines of code for my theme and custom modules but have always had trouble figuring out how, and what, to give back to the Drupal community.

Recently on a discussion list for Drupal and libraries, someone expressed a need similar to a problem I had solved and I thought it was a good opportunity to share. Simply, lots of site administrators use Drupal user accounts to manage information about people but don't ever intend that those people will log into the site.

In my case, I depend heavily on the Messaging/Notifications framework to communicate with library patrons. It requires that the people I communicate with be Drupal users. In the other example, someone wanted to create profiles of college faculty and integrate the standard Drupal contact form.

But it can be embarrassing when those people-who-aren't-users try to log into your site, and it can be insecure when they succeed. To prevent these nice people from even accidentally discovering that they had "accounts", I wrote a hack using hook_form_alter() to make the password recovery form return invalid for users that had a certain role. In effect, Drupal pretends those accounts do not exist.

I have now expanded my hack into a module, "Secret Users". The module provides a settings form that lets the administrator choose which roles should be invalidated and what rules to apply.

I realize that simply blocking a user forces the password recovery form to return invalid, but I think there is a need to allow for more complicated logic. A person with a "potential customer" role might easily become a "customer" some day. In my case, library staff are usually (but not always) library patrons as well, and it is a lot easier to manage their permissions if I can assign those accounts both roles.

I hope someone besides me can make use of this module and provide suggestions for improvement.

Comment | File | Size | Author
#1 | secret_users.tar_.gz | 2.2 KB | calebtr
#1 | secret_users.png | 128.29 KB | calebtr

Comments

calebtr’s picture

Status | File | Size
new | secret_users.png | 128.29 KB
new | secret_users.tar_.gz | 2.2 KB

Here is the module I described and a screen shot of the administrative settings page.

calebtr’s picture

Status: Postponed (maintainer needs more info) » Needs review

Following instructions to set the status to 'needs review'.

avpaderno’s picture

Issue tags: +Module review

Hello, and thanks for applying for a CVS account. I am adding the review tags, and some volunteers will review the code, pointing out what needs to be changed.

avpaderno’s picture

Status: Needs review » Needs work
  • The points reported in this review are not in order of importance / relevance.
  • Most of the time I report the code that presents an issue. In such cases, the same error can be present in other parts of the code; the fact I don't report the same issue more than once doesn't mean the same issue is not present in different places.
  • Not all the reported points are application blockers; some of the points I report are simple suggestions to those who apply for a CVS account. For a list of what is considered a blocker for the application approval, see CVS applications review, what to expect. Keep in mind the list is still under construction, and can be changed to adapt it to what has been found out during code review, or to make the list clearer to those who apply for a CVS account.
  1. The version line needs to be removed from the .info file.
  2. Hook implementation comments should be like the following one:
    /**
     * Implements hook_menu().
     */
    
  3. Strings used in the user interface should be translated; this also includes the strings used for the form field options.
  4. Menu descriptions and titles, as well as schema descriptions, are not passed to t().
  5.
    /**
     * Implementation of hook_form_alter. Modifies password recovery form ('user_pass') to user our
     * validation function.
     */
    function secret_users_form_alter(&$form, $form_state, $form_id) {
      if ($form_id == 'user_pass') {
        $form['values']['name']['#element_validate'] = array(_secret_users_user_validate);
      }
    }

    It would probably be better to implement hook_form_FORM_ID_alter().

  6.
    function _secret_users_user_validate($element, &$form_state) {

      $name = trim($form_state['values']['name']);

    The code should probably get the values to check from $element, as the following code does:

    function myelement_validate($element, &$form_state) {
       if (empty($element['#value'])) {
         form_error($element, t('This field is required.'));
       }
    }
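
An added example, not part of the review above and not the Secret Users module's own code: one way points 5 and 6 could be applied in Drupal 6, answering for a hidden account in the same words core uses for an unknown name, so the recovery form does not reveal that the account exists. The variable name `secret_users_roles` and its format (a plain array of role IDs) are assumptions.

```php
<?php

/**
 * Implements hook_form_FORM_ID_alter() for the user_pass form.
 */
function secret_users_form_user_pass_alter(&$form, &$form_state) {
  // Append instead of overwriting, so validators added by other modules
  // keep running. In Drupal 6 the field sits at $form['name'].
  $form['name']['#element_validate'][] = '_secret_users_user_validate';
}

/**
 * Element validator: treats accounts holding a hidden role as unknown.
 */
function _secret_users_user_validate($element, &$form_state) {
  // Read the submitted value from the element itself (review point 6).
  $name = trim($element['#value']);
  if ($name === '') {
    return;
  }

  // The recovery form accepts a user name or an e-mail address, so look
  // the account up both ways, as core's user_pass_validate() does.
  $account = user_load(array('mail' => $name, 'status' => 1));
  if (!$account) {
    $account = user_load(array('name' => $name, 'status' => 1));
  }
  if (!$account) {
    // Unknown or blocked account: core's own validation reports it.
    return;
  }

  // Assumption: the settings form stores the hidden role IDs as a plain
  // array in this variable.
  $hidden = variable_get('secret_users_roles', array());
  if (array_intersect(array_keys($account->roles), $hidden)) {
    // Same wording core uses for an unknown name in Drupal 6; copy it from
    // the core release in use so both responses stay identical.
    form_error($element, t('Sorry, %name is not recognized as a user name or an e-mail address.', array('%name' => $name)));
  }
}
```

Because the error is set during validation, core's submit handler never runs for a hidden account and no recovery mail is sent.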
    
avpaderno’s picture

Status: Needs work » Closed (won't fix)

I am closing this issue due to lack of replies.

avpaderno’s picture

Component: Miscellaneous » new project application
Issue summary: View changes

Please read the following links as this is very important information about CVS applications.