Tuesday 29 July 2003 6:16:46 pm
Using the latest stable version I'm creating a site that has a login box statically embedded in the pagelayout.tpl. The usr/login.tpl is only used to display error messages in the main content area {$module_result.content} and does not contain a login form. The login box is replaced with the statement "You are logged in as ...." and a logout link when the user is logged in. There are 2 sections, 'public' and 'private'. Content under 'private' is only readable if logged in as a user from a specific role.
The current structure looks like:
Home 'public' section
About 'public' section
News 'private' section

The above structure is displayed with the following template code in pagelayout.tpl:
<h3>Menu</h3>
<ul>
<li><a href="/">Home</a></li>
{let toplevel=fetch(content,list,
hash(parent_node_id,2,
sort_by,array(array(name,true()))
)
)
}
<ul>
{section loop=$toplevel}
<li><a href={$:item.url_alias|ezurl}>{$:item.name}</a></li>
{/section}
</ul>
</ul>
{/let}

Because of the permission restrictions "News" should only be visible IF the user is logged in. If a correct login and password are entered, logging in and out works as expected. I've come across the following issues; the first is pretty minor, the other worries me somewhat.

1. If a username is not entered, the $User:warning.bad_login variable is set to false, indicating that login was successful. To me this is quite limiting as the login has actually failed but there is no way of knowing why (it failed because there was no username). This is because of the following code in kernel/user/login.php starting at line 80:
$user = false;
if ( $userLogin != '' )
{
$user = eZUser::loginUser( $userLogin, $userPassword );
if ( get_class( $user ) != 'ezuser' )
        $loginWarning = true;
}

I think this should be extended to set $loginWarning = true if no username is entered and perhaps even adding an additional element to $User:warning to indicate why. Any feedback is appreciated.

2. This item concerns me as it may indicate that there is a fundamental permissions issue. When the login fails because either the username/password combination is not valid or no username is entered, restricted items (News) are displayed. When clicking on the restricted link the correct "access denied" message is displayed as expected.

Sometimes when I log in to the ez forums I see "Edit" buttons beside posts that are not mine. Clicking on them gives me the "access denied" message (as described and "fixed?" in this bug http://ez.no/developer/ez_publish_3/bug_reports/edit_buttons_shown_when_they_should_not_be). I am wondering if what I am seeing on my site is related to this behaviour.

Anyone have sites that work in a similar manner that may be able to confirm this behaviour? I'll try to get a public site up in the next 24 hours to be able to demonstrate this.
Cheers
Bruce designIT
My Blog: http://www.stuffandcontent.com/
Follow me on twitter: http://twitter.com/brucemorrison
Consolidated eZ Publish Feed : http://friendfeed.com/rooms/ez-publish
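
An added example, not part of the original post and not eZ Publish code: a stand-alone PHP sketch of the change proposed in item 1, where every failed attempt, including an empty username, sets the warning flag and records a reason. The function `evaluateLogin()`, the `reason` key and the stand-in authenticator are hypothetical names; the real handler would call `eZUser::loginUser()` instead.

```php
<?php
// Added illustration; not eZ Publish code. evaluateLogin(), the 'reason'
// key and the stand-in authenticator are hypothetical names.

/**
 * Decide the outcome of a login attempt so that every failure path sets the
 * warning flag. The flag starts as true and is cleared only on success.
 */
function evaluateLogin(string $userLogin, string $userPassword, callable $authenticate): array
{
    $result = ['user' => null, 'bad_login' => true, 'reason' => null];

    if (trim($userLogin) === '') {
        // The snippet quoted in the post skips authentication here and
        // leaves the warning unset; this branch reports the failure.
        $result['reason'] = 'missing_username';
        return $result;
    }

    $user = $authenticate($userLogin, $userPassword);
    if (!is_object($user)) {
        // One reason for unknown user and wrong password alike, so the
        // message does not reveal which account names exist.
        $result['reason'] = 'invalid_credentials';
        return $result;
    }

    $result['user'] = $user;
    $result['bad_login'] = false;
    return $result;
}

// Constructed stand-in for the real authenticator: one hard-coded account.
$hash = password_hash('s3cret', PASSWORD_DEFAULT);
$authenticate = function (string $login, string $password) use ($hash) {
    if ($login === 'bruce' && password_verify($password, $hash)) {
        return (object) ['login' => $login];
    }
    return false;
};

// Constructed sample attempts: empty username, wrong password, valid login.
foreach ([['', 'x'], ['bruce', 'wrong'], ['bruce', 's3cret']] as [$login, $password]) {
    $r = evaluateLogin($login, $password, $authenticate);
    printf("%-8s bad_login=%s reason=%s\n", $login === '' ? '(empty)' : $login,
        var_export($r['bad_login'], true), $r['reason'] ?? '-');
}
```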