- Publicity: Public Only All
authentication-procs.tcl
Tcl API for authentication, account management, and account registration.
- Location:
- packages/acs-authentication/tcl/authentication-procs.tcl
- Created:
- 2003-05-13
- Author:
- Lars Pind <lars@collaobraid.biz>
- CVS Identification:
$Id: authentication-procs.tcl,v 1.114.2.32 2024/08/28 10:06:11 gustafn Exp $
Procedures in this file
- auth::UseEmailForLoginP (public)
- auth::authenticate (public)
- auth::authentication::authenticate (public)
- auth::can_admin_system_without_authority_p (public)
- auth::check_local_account_status (private)
- auth::create_local_account (public)
- auth::create_local_account_helper (private)
- auth::create_user (public)
- auth::delete_local_account (public)
- auth::get_all_registration_elements (public)
- auth::get_local_account (private)
- auth::get_local_account_status (public)
- auth::get_register_authority (public)
- auth::get_registration_elements (public)
- auth::get_registration_form_elements (public)
- auth::get_user_id (public)
- auth::get_user_secret_token (public)
- auth::issue_login (public, deprecated)
- auth::login_attempts::get_all (public)
- auth::login_attempts::record (private)
- auth::login_attempts::reset (public)
- auth::login_attempts::reset_all (public)
- auth::login_attempts::threshold_reached_p (private)
- auth::refresh_login (public)
- auth::registration::GetElements (private)
- auth::registration::Register (private)
- auth::require_login (public)
- auth::self_registration (public)
- auth::send_email_verification_email (private)
- auth::set_email_verified (public)
- auth::update_local_account (public)
- auth::user_info::GetUserInfo (private)
- auth::validate_account_info (private)
- auth::verify_account_status (public)
Detailed information
auth::UseEmailForLoginP (public)
auth::UseEmailForLoginP
Do we use email address for login?
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- auth_use_email_for_login_p, auth_registration_implementations, password_recovery_page
auth::authenticate (public)
auth::authenticate [ -return_url return_url ] \ [ -authority_id authority_id ] [ -username username ] \ [ -email email ] -password password [ -persistent ] [ -no_cookie ] \ [ -first_names first_names ] [ -last_name last_name ] \ [ -host_node_id host_node_id ]
Try to authenticate and login the user forever by validating the username/password combination, and return authentication and account status codes.
- Switches:
- -return_url (optional)
- If specified, this can be included in account status messages.
- -authority_id (optional)
- The ID of the authority to ask to verify the user. Defaults to local authority.
- -username (optional)
- Authority specific username of the user.
- -email (optional)
- User's email address. You must supply either username or email.
- -password (required)
- The password as the user entered it.
- -persistent (optional, boolean)
- Set this if you want a permanent login cookie
- -no_cookie (optional, boolean)
- Set this if you don't want to issue a login cookie
- -first_names (optional)
- -last_name (optional)
- -host_node_id (optional)
- Optional parameter used to determine the cookie domain from the host_node_map
- Returns:
- Array list with the following entries:
- auth_status: Whether authentication succeeded. ok, no_account, bad_password, auth_error, failed_to_connect
- auth_message: Human-readable message about what went wrong. Guaranteed to be set if auth_status is not ok. Should be ignored if auth_status is ok. May contain HTML.
- account_status: Account status from authentication server. ok, closed.
- account_url: A URL to redirect the user to. Could e.g. ask the user to update his password.
- account_message: Human-readable message about account status. Guaranteed to be set if auth_status is not ok and account_url is empty. If nonempty, must be relayed to the user regardless of account_status. May contain HTML. This proc is responsible for concatenating any remote and/or local account messages into one single message which can be displayed to the user.
- user_id: Set to local user_id if auth_status is ok.
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- auth_authenticate, auth_use_email_for_login_p
auth::authentication::authenticate (public)
auth::authentication::authenticate -authority_id authority_id \ -username username -password password
Invoke the Authenticate service contract operation for the given authority.
- Switches:
- -authority_id (required)
- The ID of the authority to ask to verify the user.
- -username (required)
- Username of the user.
- -password (required)
- The password as the user entered it.
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- auth_password_reset
auth::can_admin_system_without_authority_p (public)
auth::can_admin_system_without_authority_p -authority_id authority_id
Before disabling or deleting an authority we need to check that there is at least one site-wide admin in a different authority that can administer the system.
- Switches:
- -authority_id (required)
- Returns:
- boolean
- Author:
- Peter Marklund
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- auth__can_admin_system_without_authority_p
auth::check_local_account_status (private)
auth::check_local_account_status [ -return_url return_url ] \ [ -no_dialogue ] -user_id user_id -authority_id authority_id \ -member_state member_state -email email \ -email_verified_p email_verified_p -screen_name screen_name \ -password_age_days password_age_days
Check the account status of a user with the given parameters.
- Switches:
- -return_url (optional)
- -no_dialogue (optional, boolean)
- If specified, will not send out email or in other ways converse with the user
- -user_id (required)
- -authority_id (required)
- -member_state (required)
- -email (required)
- -email_verified_p (required)
- -screen_name (required)
- -password_age_days (required)
- Returns:
- An array-list with account_status, account_url and account_message
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- No testcase defined.
auth::create_local_account (public)
auth::create_local_account [ -user_id user_id ] \ -authority_id authority_id [ -username username ] -array array
Create the local account for a user.
- Switches:
- -user_id (optional)
- -authority_id (required)
- -username (optional)
- -array (required)
- Name of an array containing the registration elements to update. Fields are specified by auth::get_all_registration_elements
- Returns:
- Array list containing the following entries:
All entries are guaranteed to always be set, but may be empty.
- creation_status: ok, data_error, reg_error, failed_to_connect. Says whether user creation succeeded.
- creation_message: Information about the problem, to be relayed to the user. If creation_status is not ok, then either creation_message or element_messages is guaranteed to be nonempty, and both are guaranteed to be in the array list. May contain HTML.
- element_messages: list of (element_name, message, element_name, message, ...) of errors on the individual registration elements. to be relayed on to the user. If creation_status is not ok, then either creation_message or element_messages is guaranteed to be nonempty, and both are guaranteed to be in the array list. Cannot contain HTML.
- account_status: ok, closed. Only set if creation_status was ok, this says whether the newly created account is ready for use or not. For example, we may require approval, in which case the account would be created but closed.
- account_message: A human-readable explanation of why the account was closed. May include HTML, and thus shouldn't be quoted. Guaranteed to be nonempty if account_status is not ok.
- See Also:
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- auth_use_email_for_login_p
auth::create_local_account_helper (private)
auth::create_local_account_helper email first_names last_name password \ password_question password_answer [ url ] [ email_verified_p ] \ [ member_state ] [ user_id ] [ username ] [ authority_id ] \ [ screen_name ]
Creates a new user in the system. The user_id can be specified as an argument to enable double click protection. If this procedure succeeds, returns the new user_id. Otherwise, returns 0.
- Parameters:
- email (required)
- first_names (required)
- last_name (required)
- password (required)
- password_question (required)
- password_answer (required)
- url (optional)
- email_verified_p (optional, defaults to
"t"
)- member_state (optional, defaults to
"approved"
)- user_id (optional)
- username (optional)
- authority_id (optional)
- screen_name (optional)
- See Also:
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- No testcase defined.
auth::create_user (public)
auth::create_user [ -verify_password_confirm ] [ -user_id user_id ] \ [ -username username ] -email email [ -first_names first_names ] \ [ -last_name last_name ] [ -screen_name screen_name ] \ [ -password password ] [ -password_confirm password_confirm ] \ [ -url url ] [ -secret_question secret_question ] \ [ -secret_answer secret_answer ] \ [ -email_verified_p email_verified_p ] [ -nologin ] \ [ -authority_id authority_id ]
Create a user, and return creation status and account status.
- Switches:
- -verify_password_confirm (optional, boolean)
- Set this flag if you want the proc to verify that password and password_confirm match for you.
- -user_id (optional)
- -username (optional)
- -email (required)
- -first_names (optional)
- -last_name (optional)
- -screen_name (optional)
- -password (optional)
- -password_confirm (optional)
- -url (optional)
- -secret_question (optional)
- -secret_answer (optional)
- -email_verified_p (optional)
- Whether the local account considers the email to be verified or not.
- -nologin (optional, boolean)
- -authority_id (optional)
- create user in the specified authority. Defaults to the register authority of the subsite.
- Returns:
- Array list containing the following entries:
- creation_status: ok, data_error, reg_error, failed_to_connect. Says whether user creation succeeded.
- creation_message: Information about the problem, to be relayed to the user. If creation_status is not ok, then either creation_message or element_messages is guaranteed to be nonempty, and both are guaranteed to be in the array list. May contain HTML.
- element_messages: list of (element_name, message, element_name, message, ...) of errors on the individual registration elements. to be relayed on to the user. If creation_status is not ok, then either creation_message or element_messages is guaranteed to be nonempty, and both are guaranteed to be in the array list. Cannot contain HTML.
- account_status: ok, closed. Only set if creation_status was ok, this says whether the newly created account is ready for use or not. For example, we may require approval, in which case the account would be created but closed.
- account_message: A human-readable explanation of why the account was closed. May include HTML, and thus shouldn't be quoted. Guaranteed to be nonempty if account_status is not ok.
- user_id: The user_id of the created user. Only when creation_status is ok.
- See Also:
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- auth_authenticate, auth_create_user, auth_password_change, auth_password_reset, auth_use_email_for_login_p, auth_email_on_password_change, person_procs_test, party_procs_test
auth::delete_local_account (public)
auth::delete_local_account -authority_id authority_id \ -username username
Delete the local account for a user.
- Switches:
- -authority_id (required)
- -username (required)
- Returns:
- Array list containing the following entries:
All entries are guaranteed to always be set, but may be empty.
- delete_status: ok, delete_error, failed_to_connect. Says whether user deletion succeeded.
- delete_message: Information about the problem, to be relayed to the user. If delete_status is not ok, then delete_message is guaranteed to be nonempty. May contain HTML.
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- auth__delete_local_account
auth::get_all_registration_elements (public)
auth::get_all_registration_elements [ -include_password_confirm ]
Get the list of possible registration elements.
- Switches:
- -include_password_confirm (optional, boolean)
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- auth__get_all_registration_elements
auth::get_local_account (private)
auth::get_local_account [ -return_url return_url ] -username username \ [ -authority_id authority_id ] [ -email email ] \ [ -first_names first_names ] [ -last_name last_name ]
Get the user_id of the local account for the given username and domain combination.
- Switches:
- -return_url (optional)
- -username (required)
- The username to find
- -authority_id (optional)
- The ID of the authority to ask to verify the user. Leave blank for local authority.
- -email (optional)
- -first_names (optional)
- -last_name (optional)
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- No testcase defined.
auth::get_local_account_status (public)
auth::get_local_account_status -user_id user_id
Return 'ok', 'closed', or 'no_account'
- Switches:
- -user_id (required)
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- auth__delete_local_account
auth::get_register_authority (public)
auth::get_register_authority
Get the ID of the authority in which accounts get created. Is based on the RegisterAuthority parameter but will default to the local authority if that parameter has an invalid value.
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- auth__get_register_authority
auth::get_registration_elements (public)
auth::get_registration_elements
Get the list of required/optional elements for user registration.
- Returns:
- Array-list with two entries
- required: a list of required elements
- optional: a list of optional elements
- See Also:
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- auth_get_registration_elements, auth_use_email_for_login_p
auth::get_registration_form_elements (public)
auth::get_registration_form_elements
Returns a list of elements to be included in the -form chunk of an ad_form form. All possible elements will always be present, but those that shouldn't be displayed will be hidden and have a hard-coded empty string value.
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- auth_get_registration_form_elements
auth::get_user_id (public)
auth::get_user_id [ -level level ] [ -account_status account_status ]
Get the current user_id with at least the level of security specified. If no user is logged in, or the user is not logged in at a sufficiently high security level, return 0.
- Switches:
- -level (optional, defaults to
"ok"
)- -account_status (optional, defaults to
"ok"
)- Returns:
- user_id of user, if the user is logged in, 0 otherwise.
- See Also:
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- auth__get_user_id
auth::get_user_secret_token (public)
auth::get_user_secret_token -user_id user_id
Get a secret token for the user. Can be used for email verification purposes.
- Switches:
- -user_id (required)
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- acs_subsite_test_email_confirmation
auth::issue_login (public, deprecated)
auth::issue_login -user_id user_id [ -account_status account_status ] \ [ -cookie_domain cookie_domain ] [ -persistent ]
Deprecated. Invoking this procedure generates a warning.
Issue the login cookie. DEPRECATED: just a trivial wrapper of ad_user_login
- Switches:
- -user_id (required)
- -account_status (optional, defaults to
"ok"
)- -cookie_domain (optional)
- -persistent (optional, boolean)
- See Also:
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- No testcase defined.
auth::login_attempts::get_all (public)
auth::login_attempts::get_all
Get all failed login attempts
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- auth__login_attempts
auth::login_attempts::record (private)
auth::login_attempts::record [ -login_attempt_key login_attempt_key ]
Record a failed login attempt
- Switches:
- -login_attempt_key (optional, defaults to
"[ad_conn peeraddr]-[ad_conn subsite_id]"
)- Identifier of this login attempt. Defaults to "[ad_conn peeraddr]-[ad_conn subsite]"
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- auth__login_attempts
auth::login_attempts::reset (public)
auth::login_attempts::reset [ -login_attempt_key login_attempt_key ]
Flush the recorded failed login attempt for the provided login_attempt_key
- Switches:
- -login_attempt_key (optional, defaults to
"[ad_conn peeraddr]-[ad_conn subsite_id]"
)- Identifier of this login attempt. Defaults to "[ad_conn peeraddr]-[ad_conn subsite]"
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- auth__login_attempts
auth::login_attempts::reset_all (public)
auth::login_attempts::reset_all
Flush all recorded failed login attempts
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- auth__login_attempts
auth::login_attempts::threshold_reached_p (private)
auth::login_attempts::threshold_reached_p \ [ -login_attempt_key login_attempt_key ]
Check if the maximum number of consecutive failed login attempts has been reached
- Switches:
- -login_attempt_key (optional, defaults to
"[ad_conn peeraddr]-[ad_conn subsite_id]"
)- Identifier of this login attempt. Defaults to "[ad_conn peeraddr]-[ad_conn subsite]"
- Returns:
- 1 if limit has been reached otherwise 0
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- auth__login_attempts
auth::refresh_login (public)
auth::refresh_login
If there currently is a user associated with this session, but the user's authentication is expired, redirect the user to refresh his/her login. This allows for users to not be logged in, but if the user is logged in, then we require that the authentication is not expired.
- Returns:
- user_id of user, if the user is logged in and auth_status is not expired, or 0 if the user is not logged in. If user's auth_status is expired, this proc will issue a returnredirect and abort the current page.
- See Also:
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- auth__refresh_login
auth::registration::GetElements (private)
auth::registration::GetElements -authority_id authority_id
- Switches:
- -authority_id (required)
- Author:
- Peter Marklund
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- No testcase defined.
auth::registration::Register (private)
auth::registration::Register -authority_id authority_id \ [ -username username ] [ -password password ] \ [ -first_names first_names ] [ -last_name last_name ] \ [ -screen_name screen_name ] [ -email email ] [ -url url ] \ [ -secret_question secret_question ] \ [ -secret_answer secret_answer ]
Invoke the Register service contract operation for the given authority.
- Switches:
- -authority_id (required)
- Id of the authority.
- -username (optional)
- -password (optional)
- -first_names (optional)
- -last_name (optional)
- -screen_name (optional)
- -email (optional)
- -url (optional)
- -secret_question (optional)
- -secret_answer (optional)
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- No testcase defined.
auth::require_login (public)
auth::require_login [ -level level ] \ [ -account_status account_status ]
If the current session is not authenticated, redirect to the login page, and aborts the current page script. Otherwise, returns the user_id of the user logged in. Use this in a page script to ensure that only registered and authenticated users can execute the page, for example for posting to a forum.
- Switches:
- -level (optional, defaults to
"ok"
)- -account_status (optional, defaults to
"ok"
)- Returns:
- user_id of user, if the user is logged in. Otherwise will issue a returnredirect and abort the current page.
- See Also:
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- package_normalize_path, xowiki_test_cases, link_tests, slot_interactions, path_resolve
auth::self_registration (public)
auth::self_registration
Check AllowSelfRegister parameter and set user message if self registration not allowed.
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- auth__self_registration
auth::send_email_verification_email (private)
auth::send_email_verification_email -user_id user_id
Sends out an email to the user that lets them verify their email. Throws an error if we couldn't send out the email.
- Switches:
- -user_id (required)
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- No testcase defined.
auth::set_email_verified (public)
auth::set_email_verified -user_id user_id
Update an OpenACS record with the fact that the email address on record was verified.
- Switches:
- -user_id (required)
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- auth_confirm_email, acs_subsite_expose_bug_1144
auth::update_local_account (public)
auth::update_local_account -authority_id authority_id \ -username username -array array
Update the local account for a user.
- Switches:
- -authority_id (required)
- -username (required)
- -array (required)
- Name of an array containing the registration elements to update.
- Returns:
- Array list containing the following entries:
All entries are guaranteed to always be set, but may be empty.
- update_status: ok, data_error, update_error, failed_to_connect. Says whether user update succeeded.
- update_message: Information about the problem, to be relayed to the user. If update_status is not ok, then either update_message or element_messages is guaranteed to be nonempty, and both are guaranteed to be in the array list. May contain HTML.
- element_messages: list of (element_name, message, element_name, message, ...) of errors on the individual registration elements. to be relayed on to the user. If update_status is not ok, then either update_message or element_messages is guaranteed to be nonempty, and both are guaranteed to be in the array list. Cannot contain HTML.
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- auth__update_local_account
auth::user_info::GetUserInfo (private)
auth::user_info::GetUserInfo -authority_id authority_id \ -username username
Invoke the Register service contract operation for the given authority.
- Switches:
- -authority_id (required)
- Id of the authority.
- -username (required)
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- No testcase defined.
auth::validate_account_info (private)
auth::validate_account_info [ -update ] -authority_id authority_id \ -username username -user_array user_array \ -message_array message_array
Validates user info and returns errors, if any.
- Switches:
- -update (optional, boolean)
- Set this flag if you're updating an existing record, meaning we shouldn't check for duplicates.
- -authority_id (required)
- -username (required)
- -user_array (required)
- Name of an array in the caller's namespace which contains the registration elements.
- -message_array (required)
- Name of an array where you want the validation errors stored, keyed by element name.
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- No testcase defined.
auth::verify_account_status (public)
auth::verify_account_status
Verify the account status of the current user, and set [ad_conn account_status] appropriately.
- Partial Call Graph (max 5 caller/called nodes):
- Testcases:
- auth__verify_account_status