Kroc / NoNonsenseForum

A free, open source, PHP-based simple discussion forum. It favours removing barriers to conversation rather than massaging egos. Download Here: https://github.com/Kroc/NoNonsenseForum/archive/master.zip
http://camendesign.com/nononsense_forum

.htpasswd auth #15

Closed Kroc closed 12 years ago

Kroc commented 13 years ago

For running private forums (or private sub-forums in a forum), the code should detect if the user is logged in using HTTP authentication and use that as their name instead, hiding the name/password fields.

rvanvelzen commented 13 years ago

The solution isn't that hard ($_SERVER['PHP_AUTH_USER'] contains the name), but maybe it'd be wise to have this configurable? I can imagine a scenario where the forum is hidden behind a generic login, but you still want users to fill out the username/password combo.

Kroc commented 13 years ago

Aye, I know this is simple enough to do, but I haven’t personally had the need and I don’t know of many actually using NNF to warrant it. It doesn't need to be configurable because the presence of the PHP_AUTH_USER will trigger it. So when the admin adds a htpasswd file to lock the site, the board automatically responds. There's no need to have two logins for users. The server admin can add the people he wants to the htpasswd file. -- that’s the simplest setup I can think of, as I dislike writing code to replace already existing server / client tech.


rvanvelzen commented 13 years ago

Definitely. I certainly understand the reasoning, just wanted to be sure I was on the right track. I'll be pushing a fix for this issue shortly, just to show it works. :)

Kroc commented 13 years ago

I’ve just finished up v7 (running from a folder), I’m ready for your http_auth code now. BTW, you’ll have to hide the search box too, since it relies on Google being able to access the forum, and with htpasswd it can’t.

One alternative solution, optional to the user, would be to keep the forum visible (so search works), but only initiate a http_auth request when they click a login link. We can save this for a v2 of the feature; what you’ve done already will suffice for now (totally private forums).

rvanvelzen commented 13 years ago

I've just pushed my initial commit which allows creating a new thread. I'm currently trying to figure out what should happen if for some reason the HTTP authentication layer is removed. Should the username/password combinations still be written to their user file, even though they're already authorized?

Currently, their information isn't stored. The username is used verbatim and the password is set to false (with the checks changed appropriately).

https://github.com/rvanvelzen/NoNonsenseForum/tree/http_auth

Kroc commented 12 years ago

I had a look at this and I don’t believe your approach (or mine) is right, due to reasons I’m about to get into.

I’ve come to see this as more of a design issue than it is a technical one; that is, the bug is asking the wrong thing. What’s actually trying to be achieved is the ability to limit posting and/or access to a select number of chosen usernames.

Use of .htpasswd is flawed because:

a) The user needs to edit their .htaccess file, making it harder to update to new versions
b) The path to the .htpasswd file has to be absolute, which is hard to know on shared hosting and less friendly to newbies
c) It effectively bypasses the already existing name/password system, relying on the .htpasswd file instead. This is more of an internal design conflict, but does raise questions as to the worth of adding the feature

I can add HTTP authorisation using PHP (no need for htpasswd), but then you could just enter any name and password because the normal behaviour is to create a user if they don’t exist; so what gain would there be from an HTTP_AUTH request, rather than the name/password boxes that already exist?

There would need to be another feature (a text file likely) to say that only users x, y & z can view the forum.

This poses a UI problem; what do you make visible and accessible, and what do you not? These are more features to consider. Do you make the forum visible but only accept submits from allowed usernames (bad UI), or do you provide a "login" button that invokes the authorisation request and only then display the input forms? Do you hide the entire forum and not allow them to see anything until they’ve logged in? Should the forum display a splash screen and require them to click to log in rather than just throwing an auth request at them the second they visit the URL?

I think this needs to be taken to the forum to be discussed more and hashed out, and with this amount of considerations and complications, I’m not sure if the feature really is worth it.
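As an added example (not NoNonsenseForum code, nor either branch discussed above), this sketches the "HTTP authorisation in PHP plus a text file of allowed users" idea from the comments, while addressing the two risks raised in the thread: a bare PHP_AUTH_USER only tells you what the client put in the Authorization header, so it must not be trusted if the .htaccess layer is removed, and without an allowlist anyone could authenticate with a made-up name. The users file path and its "name:bcrypt-hash" line format are assumptions.

```php
<?php
// Added example, not part of NNF. Users file format (assumed): one
// "name:bcrypt-hash" per line, hashes produced with password_hash().
const USERS_FILE = __DIR__ . '/users/allowed.txt';   // hypothetical path

function load_allowed_users(string $path): array {
    // Returns ['name' => 'bcrypt-hash', ...]; an unreadable file means
    // nobody is allowed, which fails closed rather than open.
    $users = [];
    if (!is_readable($path)) return $users;
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        [$name, $hash] = array_pad(explode(':', $line, 2), 2, '');
        if ($name !== '' && $hash !== '') $users[$name] = $hash;
    }
    return $users;
}

function verify_http_auth(array $users): ?string {
    // PHP_AUTH_USER / PHP_AUTH_PW are whatever the browser sent; the name
    // alone proves nothing, so the password is verified here against the
    // stored hash. Unknown names are rejected without touching a hash.
    $name = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pw   = $_SERVER['PHP_AUTH_PW']   ?? '';
    if ($name === '' || !isset($users[$name])) return null;
    return password_verify($pw, $users[$name]) ? $name : null;
}

function require_login(array $users): string {
    // Sends the Basic challenge until valid credentials for an allowed
    // user arrive; everything after this line runs as that user.
    $name = verify_http_auth($users);
    if ($name === null) {
        header('WWW-Authenticate: Basic realm="NoNonsenseForum"');
        header('HTTP/1.0 401 Unauthorized');
        exit('Login required.');
    }
    return $name;
}

$NAME = require_login(load_allowed_users(USERS_FILE));
// $NAME is the verified poster name; the name/password fields can be hidden.
```

Because the check lives in PHP rather than in .htaccess, removing the server-side auth layer (the case asked about earlier in the thread) does not silently let unauthenticated names through.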

Kroc commented 12 years ago

Discussion about this happening here: http://goo.gl/28MYj

Kroc commented 12 years ago

Closing this bug as it is unspecific and only confuses the matter; will open other individual bugs as per discussion.