authentication-procs.tcl

Publicity: Public Only All

authentication-procs.tcl

Tcl API for authentication, account management, and account registration.

Location:

packages/acs-authentication/tcl/authentication-procs.tcl
Created:

2003-05-13
Author:

Lars Pind <lars@collaobraid.biz>
CVS Identification:

$Id: authentication-procs.tcl,v 1.114.2.32 2024/08/28 10:06:11 gustafn Exp $

Procedures in this file

auth::UseEmailForLoginP (public)
auth::authenticate (public)
auth::authentication::authenticate (public)
auth::can_admin_system_without_authority_p (public)
auth::create_local_account (public)
auth::create_user (public)
auth::delete_local_account (public)
auth::get_all_registration_elements (public)
auth::get_local_account_status (public)
auth::get_register_authority (public)
auth::get_registration_elements (public)
auth::get_registration_form_elements (public)
auth::get_user_id (public)
auth::get_user_secret_token (public)
auth::issue_login (public, deprecated)
auth::login_attempts::get_all (public)
auth::login_attempts::reset (public)
auth::login_attempts::reset_all (public)
auth::refresh_login (public)
auth::require_login (public)
auth::self_registration (public)
auth::set_email_verified (public)
auth::update_local_account (public)
auth::verify_account_status (public)

Detailed information

auth::UseEmailForLoginP (public)

 auth::UseEmailForLoginP

Do we use email address for login?

Testcases:
auth_use_email_for_login_p, auth_registration_implementations, password_recovery_page

auth::authenticate (public)

 auth::authenticate [ -return_url return_url ] \
    [ -authority_id authority_id ] [ -username username ] \
    [ -email email ] -password password [ -persistent ] [ -no_cookie ] \
    [ -first_names first_names ] [ -last_name last_name ] \
    [ -host_node_id host_node_id ]

Try to authenticate and login the user forever by validating the username/password combination, and return authentication and account status codes.

Switches:

-return_url (optional)
If specified, this can be included in account status messages.
-authority_id (optional)
The ID of the authority to ask to verify the user. Defaults to local authority.
-username (optional)
Authority specific username of the user.
-email (optional)
User's email address. You must supply either username or email.
-password (required)
The password as the user entered it.
-persistent (optional, boolean)
Set this if you want a permanent login cookie
-no_cookie (optional, boolean)
Set this if you don't want to issue a login cookie
-first_names (optional)
-last_name (optional)
-host_node_id (optional)
Optional parameter used to determine the cookie domain from the host_node_map

Returns:
Array list with the following entries:

auth_status: Whether authentication succeeded. ok, no_account, bad_password, auth_error, failed_to_connect
auth_message: Human-readable message about what went wrong. Guaranteed to be set if auth_status is not ok. Should be ignored if auth_status is ok. May contain HTML.
account_status: Account status from authentication server. ok, closed.
account_url: A URL to redirect the user to. Could e.g. ask the user to update his password.
account_message: Human-readable message about account status. Guaranteed to be set if auth_status is not ok and account_url is empty. If nonempty, must be relayed to the user regardless of account_status. May contain HTML. This proc is responsible for concatenating any remote and/or local account messages into one single message which can be displayed to the user.
user_id: Set to local user_id if auth_status is ok.

Testcases:
auth_authenticate, auth_use_email_for_login_p

auth::authentication::authenticate (public)

 auth::authentication::authenticate -authority_id authority_id \
    -username username -password password

Invoke the Authenticate service contract operation for the given authority.

Switches:

-authority_id (required)
The ID of the authority to ask to verify the user.
-username (required)
Username of the user.
-password (required)
The password as the user entered it.

Testcases:
auth_password_reset

auth::can_admin_system_without_authority_p (public)

 auth::can_admin_system_without_authority_p -authority_id authority_id

Before disabling or deleting an authority we need to check that there is at least one site-wide admin in a different authority that can administer the system.

Switches:

-authority_id (required)

Returns:
boolean

Author:

Peter Marklund

Testcases:
auth__can_admin_system_without_authority_p

auth::create_local_account (public)

 auth::create_local_account [ -user_id user_id ] \
    -authority_id authority_id [ -username username ] -array array

Create the local account for a user.

Switches:

-user_id (optional)
-authority_id (required)
-username (optional)
-array (required)
Name of an array containing the registration elements to update. Fields are specified by auth::get_all_registration_elements

Returns:
Array list containing the following entries:

creation_status: ok, data_error, reg_error, failed_to_connect. Says whether user creation succeeded.
creation_message: Information about the problem, to be relayed to the user. If creation_status is not ok, then either creation_message or element_messages is guaranteed to be nonempty, and both are guaranteed to be in the array list. May contain HTML.
element_messages: list of (element_name, message, element_name, message, ...) of errors on the individual registration elements. to be relayed on to the user. If creation_status is not ok, then either creation_message or element_messages is guaranteed to be nonempty, and both are guaranteed to be in the array list. Cannot contain HTML.
account_status: ok, closed. Only set if creation_status was ok, this says whether the newly created account is ready for use or not. For example, we may require approval, in which case the account would be created but closed.
account_message: A human-readable explanation of why the account was closed. May include HTML, and thus shouldn't be quoted. Guaranteed to be nonempty if account_status is not ok.
All entries are guaranteed to always be set, but may be empty.

See Also:

auth::get_all_registration_elements

Testcases:
auth_use_email_for_login_p

auth::create_user (public)

 auth::create_user [ -verify_password_confirm ] [ -user_id user_id ] \
    [ -username username ] -email email [ -first_names first_names ] \
    [ -last_name last_name ] [ -screen_name screen_name ] \
    [ -password password ] [ -password_confirm password_confirm ] \
    [ -url url ] [ -secret_question secret_question ] \
    [ -secret_answer secret_answer ] \
    [ -email_verified_p email_verified_p ] [ -nologin ] \
    [ -authority_id authority_id ]

Create a user, and return creation status and account status.

Switches:

-verify_password_confirm (optional, boolean)
Set this flag if you want the proc to verify that password and password_confirm match for you.
-user_id (optional)
-username (optional)
-email (required)
-first_names (optional)
-last_name (optional)
-screen_name (optional)
-password (optional)
-password_confirm (optional)
-url (optional)
-secret_question (optional)
-secret_answer (optional)
-email_verified_p (optional)
Whether the local account considers the email to be verified or not.
-nologin (optional, boolean)
-authority_id (optional)
create user in the specified authority. Defaults to the register authority of the subsite.

Returns:
Array list containing the following entries:

creation_status: ok, data_error, reg_error, failed_to_connect. Says whether user creation succeeded.
creation_message: Information about the problem, to be relayed to the user. If creation_status is not ok, then either creation_message or element_messages is guaranteed to be nonempty, and both are guaranteed to be in the array list. May contain HTML.
element_messages: list of (element_name, message, element_name, message, ...) of errors on the individual registration elements. to be relayed on to the user. If creation_status is not ok, then either creation_message or element_messages is guaranteed to be nonempty, and both are guaranteed to be in the array list. Cannot contain HTML.
account_status: ok, closed. Only set if creation_status was ok, this says whether the newly created account is ready for use or not. For example, we may require approval, in which case the account would be created but closed.
account_message: A human-readable explanation of why the account was closed. May include HTML, and thus shouldn't be quoted. Guaranteed to be nonempty if account_status is not ok.
user_id: The user_id of the created user. Only when creation_status is ok.

See Also:

auth::get_all_registration_elements

Testcases:
auth_authenticate, auth_create_user, auth_password_change, auth_password_reset, auth_use_email_for_login_p, auth_email_on_password_change, person_procs_test, party_procs_test

auth::delete_local_account (public)

 auth::delete_local_account -authority_id authority_id \
    -username username

Delete the local account for a user.

Switches:

-authority_id (required)
-username (required)

Returns:
Array list containing the following entries:

delete_status: ok, delete_error, failed_to_connect. Says whether user deletion succeeded.
delete_message: Information about the problem, to be relayed to the user. If delete_status is not ok, then delete_message is guaranteed to be nonempty. May contain HTML.
All entries are guaranteed to always be set, but may be empty.

Testcases:
auth__delete_local_account

auth::get_all_registration_elements (public)

 auth::get_all_registration_elements [ -include_password_confirm ]

Get the list of possible registration elements.

Switches:

-include_password_confirm (optional, boolean)

Testcases:
auth__get_all_registration_elements

auth::get_local_account_status (public)

 auth::get_local_account_status -user_id user_id

Return 'ok', 'closed', or 'no_account'

Switches:

-user_id (required)

Testcases:
auth__delete_local_account

auth::get_register_authority (public)

 auth::get_register_authority

Get the ID of the authority in which accounts get created. Is based on the RegisterAuthority parameter but will default to the local authority if that parameter has an invalid value.

Testcases:
auth__get_register_authority

auth::get_registration_elements (public)

 auth::get_registration_elements

Get the list of required/optional elements for user registration.

Returns:
Array-list with two entries

required: a list of required elements
optional: a list of optional elements

See Also:

auth::get_all_registration_elements

Testcases:
auth_get_registration_elements, auth_use_email_for_login_p

auth::get_registration_form_elements (public)

 auth::get_registration_form_elements

Returns a list of elements to be included in the -form chunk of an ad_form form. All possible elements will always be present, but those that shouldn't be displayed will be hidden and have a hard-coded empty string value.

Testcases:
auth_get_registration_form_elements

auth::get_user_id (public)

 auth::get_user_id [ -level level ] [ -account_status account_status ]

Get the current user_id with at least the level of security specified. If no user is logged in, or the user is not logged in at a sufficiently high security level, return 0.

Switches:

-level (optional, defaults to "ok")
-account_status (optional, defaults to "ok")

Returns:
user_id of user, if the user is logged in, 0 otherwise.

See Also:

ad_script_abort

Testcases:
auth__get_user_id

auth::get_user_secret_token (public)

 auth::get_user_secret_token -user_id user_id

Get a secret token for the user. Can be used for email verification purposes.

Switches:

-user_id (required)

Testcases:
acs_subsite_test_email_confirmation

auth::issue_login (public, deprecated)

 auth::issue_login -user_id user_id [ -account_status account_status ] \
    [ -cookie_domain cookie_domain ] [ -persistent ]

Deprecated. Invoking this procedure generates a warning.

Issue the login cookie. DEPRECATED: just a trivial wrapper of ad_user_login

Switches:

-user_id (required)
-account_status (optional, defaults to "ok")
-cookie_domain (optional)
-persistent (optional, boolean)

See Also:

ad_user_login

Testcases:
No testcase defined.

auth::login_attempts::get_all (public)

 auth::login_attempts::get_all

Get all failed login attempts

Testcases:
auth__login_attempts

auth::login_attempts::reset (public)

 auth::login_attempts::reset [ -login_attempt_key login_attempt_key ]

Flush the recorded failed login attempt for the provided login_attempt_key

Switches:

-login_attempt_key (optional, defaults to "[ad_conn peeraddr]-[ad_conn subsite_id]")
Identifier of this login attempt. Defaults to "[ad_conn peeraddr]-[ad_conn subsite]"

Testcases:
auth__login_attempts

auth::login_attempts::reset_all (public)

 auth::login_attempts::reset_all

Flush all recorded failed login attempts

Testcases:
auth__login_attempts

auth::refresh_login (public)

 auth::refresh_login

If there currently is a user associated with this session, but the user's authentication is expired, redirect the user to refresh his/her login. This allows for users to not be logged in, but if the user is logged in, then we require that the authentication is not expired.

Returns:
user_id of user, if the user is logged in and auth_status is not expired, or 0 if the user is not logged in. If user's auth_status is expired, this proc will issue a returnredirect and abort the current page.

See Also:

ad_script_abort

Testcases:
auth__refresh_login

auth::require_login (public)

 auth::require_login [ -level level ] \
    [ -account_status account_status ]

If the current session is not authenticated, redirect to the login page, and aborts the current page script. Otherwise, returns the user_id of the user logged in. Use this in a page script to ensure that only registered and authenticated users can execute the page, for example for posting to a forum.

Switches:

-level (optional, defaults to "ok")
-account_status (optional, defaults to "ok")

Returns:
user_id of user, if the user is logged in. Otherwise will issue a returnredirect and abort the current page.

See Also:

ad_script_abort

Testcases:
package_normalize_path, xowiki_test_cases, link_tests, slot_interactions, path_resolve

auth::self_registration (public)

 auth::self_registration

Check AllowSelfRegister parameter and set user message if self registration not allowed.

Testcases:
auth__self_registration

auth::set_email_verified (public)

 auth::set_email_verified -user_id user_id

Update an OpenACS record with the fact that the email address on record was verified.

Switches:

-user_id (required)

Testcases:
auth_confirm_email, acs_subsite_expose_bug_1144

auth::update_local_account (public)

 auth::update_local_account -authority_id authority_id \
    -username username -array array

Update the local account for a user.

Switches:

-authority_id (required)
-username (required)
-array (required)
Name of an array containing the registration elements to update.

Returns:
Array list containing the following entries:

update_status: ok, data_error, update_error, failed_to_connect. Says whether user update succeeded.
update_message: Information about the problem, to be relayed to the user. If update_status is not ok, then either update_message or element_messages is guaranteed to be nonempty, and both are guaranteed to be in the array list. May contain HTML.
element_messages: list of (element_name, message, element_name, message, ...) of errors on the individual registration elements. to be relayed on to the user. If update_status is not ok, then either update_message or element_messages is guaranteed to be nonempty, and both are guaranteed to be in the array list. Cannot contain HTML.
All entries are guaranteed to always be set, but may be empty.

Testcases:
auth__update_local_account

auth::verify_account_status (public)

 auth::verify_account_status

Verify the account status of the current user, and set [ad_conn account_status] appropriately.

Testcases:
auth__verify_account_status

[ show source ]