[D7] Httplock [#2188319]

Greetings!

I have created a first module that i'd like to open source as the earlier variants with the same functionality have been extremely useful in our in-house projects.

This module uses an htpasswd style 403/400 auth structure but authenticates it against the drupal user database. It is configurable in many ways and I've gone through the process of writing every configuration option as drush commands as well as making a solid admin form.

More details in the project page.

Details:

Project page:https://drupal.org/sandbox/misterkoz/2132789
Drupal version: Drupal 7

Git clone:

git clone --branch 7.x-1.x mister.koz@git.drupal.org:sandbox/mister.koz/2132789.git 
httplock
cd httplock

Similar modules
Modules that are similar but don't fully suit the needs, i looked into a few modules on drupal.org, i may have missed something but it would appear that these modules do not suit the specific needs i am looking for.

Aligned to user roles
No server configuration required
Allows for white-listed IP's and auto-auth
Scriptable via bash for CI/Integrated deployment

https://drupal.org/project/htpasswd
This project is dead and the maintainer moved to "shield" merged into the next one

https://drupal.org/project/shield

Has config based user auth - i needed this to auth against the Drupal user
Does not support roles
Cannot enforce a whitelist
Cannot auto-login based on IP

https://drupal.org/project/htpasswdsync

syncs the user database with the htpasswd file - very good but doesn’t allow white lists or auto-authenticated ip’s
Has config based user auth - i needed this to auth against the Drupal user
Does not support roles
Cannot enforce a whitelist
Cannot auto-login based on IP

To decrease the review time i attempted to review 3 modules, i feel that perhaps with more experience i could be of more use but i largely made suggestions based on code-quality and the project guidelines document.

Reviews of other projects:

Cheers!

Comments

Comment #1

PA robot commented 4 February 2014 at 11:23

We are currently quite busy with all the project applications and we prefer projects with a review bonus. Please help reviewing and put yourself on the high priority list, then we will take a look at your project right away :-)

Also, you should get your friends, colleagues or other community members involved to review this application. Let them go through the review checklist and post a comment that sets this issue to "needs work" (they found some problems with the project) or "reviewed & tested by the community" (they found no major flaws).

I'm a robot and this is an automated message from Project Applications Scraper.

Comment #2

jribeiro commented 6 February 2014 at 16:22

Hi mister.koz, thank you for share this module.

Would be great if exist a flag to enable and disable all access checking, instead of having to uninstall the module to disable the feature.

Custom Review:

httplock.module | LINE 19: 'page arguments' => array('httplock_form')
httplock_form.inc | LINE 13: function httplock_form($form, &$form_state) {
I advise you to rename the function to form a more intuitive name, such as: httplock_settings_form

httplock.module | LINE 61
httplock.module | LINE 102
You are using the same verification in both functions, you can create a function with this verification, and avoid duplicated code.

httplock.module | LINE 191

/**
 * Httplock success method.
 */
function httplock_success() {
  // This is an empty method stub, used for testing.
}

I believe that this function is not needed, since it is not doing anything

httplock.module | LINE 202
Use a constant instead of a directly number. Clean code ;)

httplock.module | LINE 209
httplock.module | LINE 210
httplock.module | LINE 233
httplock.module | LINE 234
You can use a core function to add http header: https://api.drupal.org/api/drupal/includes%21bootstrap.inc/function/drup...

httplock.module | LINE 213
You can use drupal_exit();

httplock_form.inc | LINE 133
You can store this in a function.

httplock_form.inc | LINE 138
Remove this 'echo'.

Comment #3

mister.koz commented 10 February 2014 at 06:52

Awesome, thank you for the comprehensive review. I will get onto this tomorrow morning.

With regards to stopping the rules process, the module disables gracefully so i figured if people do not want it that it should be disabled. My reasoning is that it's interrupting every page request on theme load even though its only a collection of if's and DB calls for config i think the performance hit is probably still measurable.

as for the rest, i'll fix them up asap :)

Comment #4

mister.koz commented 11 February 2014 at 03:42

Errors fixed, just need to get a full regression test done and i'll push the code back up.

Cheerz!

Comment #5

dsim commented 11 February 2014 at 22:14

Hi,

httplock_form.inc line 34: Please use constant for roles, manipulation of roles sometimes changes the id.

if (!in_array("3", $selected_roles)) {
$selected_roles[] = "3";
}

httplock.module line 128: Using Constant will be a good idea, making a change single place will affect in other places.
if (in_array(3, array_keys($validated_user->roles))) {

httplock_form.inc line no 134: Merge the fields in a single line
$denied_node_ids = db_select('node', 'n')
->fields('n', array('nid'))
->fields('n', array('title'))
->fields('n', array('type'))

better to be like
->fields('n', array('nid', 'title', 'type'))

httplock_form.inc line no 168: What is the use of echo here?

httplock_form.inc line no 94: minor spelling mistake. "origonating"

Thanks

Comment #6

mister.koz commented 17 February 2014 at 01:08

Hey Silambarasan, thank you for your comments, i'll work on the fixes for these portions too, should have fixes and regression tests done soon.

Comment #7

j.branson commented 19 February 2014 at 16:01

Hi, nice project! This is super useful. There are a few things though that I am wondering. 1) Can the config form default to admin only so that without any changes it will operate as most people will probably want it to operate. It seems like when in doubt granting less access is the way to go for something like this. 2) I'm concerned about the seemingly extraneous use of 'include_once "httplock.methods.inc";' in the httplock_form.inc file. I ran the module both with the line and without the line and there is seemingly no difference. Perhaps I'm missing something, but I think you only need to run it once from the.module file so long as the module is installed. Without the include in the .install file it won't uninstall since .install is all that's going to run on uninstall. But for the form file It seems like the statement might be redundant with the .module file. I could be mistaken about all of this and if so, I'm curious to learn more! 3) You should update the project application page so that the git clone is a clean generic clone code to http:// url without the user attribution.

I'm definitely excited to use this module. Thanks!

Comment #8

klausi

he/him||they/them

German

🇦🇹 Vienna

commented 21 February 2014 at 11:05

Assigned:	mister.koz	» Unassigned
Status:	Needs review	» Needs work
Issue tags:	-PAreview: review bonus	+PAreview: security

Thank you for your reviews. When finishing your review comment also set the issue status either to "needs work" (you found some problems with the project) or "reviewed & tested by the community" (you found no major flaws).

manual review:

please add the differences to the existing projects to your project page, so that users can make an educated decision which module to use.
Your code does not seem to include any automated tests? Please consider writing Simpletests: https://drupal.org/simpletest
httplock_preprocess_page(): why hook_preprocess_page()? I think hook_init() might be more appropriate? hook_preprocess_page() is only called if an actual page is displayed, does that mean there is an access bypass security vulnerability for any other menu routes that don't render pages?
httplock_test_user_and_role(): you cannot hard-code the administrative role here with "3", as that might be different on Drupal sites. You need to use variable_get('user_admin_role').
httplock_test_user_and_role(): you are calling user_authenticate without flood protection here, so an attacker can try to brute-force the password for a given user account. Please use the flood_*() functions to prevent that. And please don't remove the security tag, we keep that for statistics and to show examples of security problems.
httplock_test_whitelist(): there is an empty if clause in there, should that be removed?
httplock_ip_string_validate(): don't use "echo" here, is that a debugging leftover?

Removing review bonus tag, you can add it again if you have done another 3 reviews of other projects.

Comment #9

PA robot commented 6 May 2014 at 16:27

Status:

Needs work

» Closed (won't fix)

Closing due to lack of activity. Feel free to reopen if you are still working on this application (see also the project application workflow).

I'm a robot and this is an automated message from Project Applications Scraper.

[D7] Httplock

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

News items

Our community

Documentation

Drupal code base

Governance of community