« Back Issue #307
  • 2011-01-06 16:38 Reported by administrator
  • 2013-12-17 12:38 Marked fixed
Status: Marked fixed
Priority: Medium

Add support for anonymous account creation

administrator 2011-01-06 16:38

Allow people to create accounts anonymously. Accounts by default have access to a splash page. Basic accounts allow users to change their password and have default search settings. Basic accounts also allow users to create and manage crawl mixes.

administrator 2011-07-22 10:06

Bumping this along to a later version.

administrator 2013-01-04 13:48

Manage Accounts should also collect an email address for each user. This will be used as part of the anonymous account creation.

perepamallika 2013-12-15 13:08

Hi Professor,

I have please do look into this patch. When I am trying to apply the apply i am getting this error: "error: configs/config.php: does not match index". I had to define anonymous_account field in config.php.

Please do let me know what should I do regarding the error.

Thanks, Mallika

administrator 2013-12-15 16:31

Hi Mallika,

I am little bit worried about some of the changes this patch makes. I list the things I am worried about below:

In profile_model.php you seem to delete GROUPS and a couple of other tables without adding them back:

                PUBDATE INT, SOURCE_NAME VARCHAR(16))",

- "CREATE TABLE GROUPS (GROUP_ID INTEGER PRIMARY KEY $auto_increment, - GROUP_NAME VARCHAR(128), CREATED_TIME INT(11), - CREATOR_ID INT(11))", - "CREATE TABLE USER_GROUP (USER_ID INTEGER , GROUP_ID INTEGER, - PRIMARY KEY (GROUP_ID, USER_ID) )", - "CREATE TABLE GROUP_ROLE (GROUP_ID INTEGER , ROLE_ID INTEGER)", - ); - /* NOTE: We are not using singular name GROUP for GROUPS as - is a reserved SQL keyword - */ - foreach($create_statements as $statement) { - if(!$dbm->execute($statement)) {return false;} + ); + foreach($create_statements as $statement) {; + if(!$dbm->execute($statement)) {echo $auto_increment; return false;}

In signin_view.php

@@ -56,48 +56,52 @@ class SigninView extends View

     *  @param array $data  contains the anti CSRF token
     *  the view
     */

- function renderView($data) { + function renderView($data) + {

breaks one true brace Please also incorporate any general formatting changes I asked for in issue 127.

perepamallika 2013-12-15 16:41

Hi Professor,

Okay. I will makes these changes and upload a revised patch soon. What should I do with the change in config.php file. I am getting an error when applying this patch.

Thanks, Mallika.

administrator 2013-12-15 18:42

You can send that separately if you like.

perepamallika 2013-12-15 20:25

I have generated a new patch. Please add this line "define('ANONYMOUS_ACCOUNT', true);" to config.php file. I will upload the configure.ini file as well. If I add to to the patch I am getting errors.

-Mallika

administrator 2013-12-16 09:41

Hi Mallika,

Please address the following issues below:

(1) I can't see how you are cleaning the form data in your register_controller.php.

(2) Also, all the other controllers have a CSRF token to prevent cross-site request forgery issues, but register_controller doesn't.

(3) The default user role should have manage account, crawl mixes, manage groups (with visibility appropriately restricted), and pages and blogs. What you had was Manage Account and Manage Users. This would allow newly set up accounts to add and delete arbitrary users.

(4) If under configure you have Query Info checked, then on the Signin page and register page the query info is drawn over the page data. This is caused by moving a div from its old position too early in the file.

(5) Under Configure, I modified your code as follows in your revised patch please incorporate this:

           <fieldset class="extra-wide-field"><legend><?php
               e(tl('configure_element_user_accounts'))?></legend>
               <label for="user_accounts"><input
                   id='user_accounts' type="checkbox"
                   name="ANONYMOUS_ACCOUNT" value="true"
                   <?php
                   if($data['ANONYMOUS_ACCOUNT'] == true) {
                       e("checked='checked'");
                   }
                   ?> /><?php e(tl('configure_element_email_registration'));
                   ?></label>
           </fieldset>

The translation of configure_element_user_accounts was User Accounts; that of configure_element_email_registration was Email Registration.

Best, Chris

perepamallika 2013-12-16 20:35

Hi Professor,

I have made the above changes and uploaded a new patch. It seems to be working as expected. Please add this line "define('ANONYMOUS_ACCOUNT', true);" to config.php file. Please use the latest configure.ini file that i have uploaded.

Thanks, Mallika

administrator 2013-12-16 21:00

Hi Mallika,

(1) You can't raw echo REQUEST variables in your views -- that opens up the site to XSS attacks. You have to echo cleaned data that comes from the controllers.

(2) The page is still vulnerable to CSRF attacks because you never use $token_okay to prevent anything. You probably need to add a line like:

if($token_okay && isset($_REQUEST['submit'])) {

(3) In profile model you are deleting my comment which is still relevant

- /* NOTE: We are not using singular name GROUP for GROUPS as - is a reserved SQL keyword - */

These are minor changes. I could make these changes myself but since they are security related I want you to do it so that if it comes up on an important website you know about the issues to watch out for.

perepamallika 2013-12-16 23:33

Professor,

I have uploaded a new patch

-Mallika

administrator 2013-12-17 12:37

Thanks Mallika!

I've pushed this to the repository.

Best, Chris

administrator 2013-12-17 12:38

Initial pass 2971e43

X