JanRomero
commented
4 months ago Since Session::login works with User objects as well as user name strings, you could use a before-hook to narrow down users:
$this->addHookBefore("Session::login", function(HookEvent $event) {
$username = $event->arguments(0);
//only run hook if User object has not already been determined
if (!is_string($username))
return;
if(!strlen($username)) {
$event->replace = true;
$event->return = null;
}
$user = users()->get('roles=editor, name=' . sanitizer()->selectorValue($username));
$event->setArgument(0, $user);
});I don’t think it’s possible to use permissions in selectors, so I guess you’d have to use find() and go through the results individually.
Short description of the issue
I have several branches of users, some of which have roles that allow editing, but some that don't. In some cases the person appears in more than one branch (I know this is weird, but it is for a reason for frontend viewing), so their username (the page name) is the same. The problem is that when the user tries to log in to the account with editing permissions, it is trying to log them into the account with only view permissions and no set password.
I know this is unusual and I don't think you should try to prevent users with the same name from being created, but perhaps it would be useful to prevent the system from trying to login to an account with no set password, or no page edit / user profile edit permissions, or something along those lines.
Currently the error they get is login failed and in the admin "invalid password" is logged, but the problem is really related to not knowing which account it should be logging in to.