Difference between MD5/SHA and PHP encryption

Using MD5 or SHA encryption is a standard way of performing user security: the password the user enters is encrypted (more precisely, hashed) and the result is stored in the database. When the user logs in, the entered password is encrypted the same way and compared with the value stored in the database. By default, PHsPeed will encrypt the entered value if you have set the password field to type 'password'. Because MD5 and SHA are deterministic, encrypting a given password always leads to the same result.

The PHP method works differently. Passwords are still encrypted, but never the same way twice: a random salt is included each time, so two users with the same password end up with different stored values, and the stored value cannot be recomputed from the entered password alone. In this case you cannot supply the encrypted value to the login call; you must pass the originalValue property of the field, which holds the value as it was entered.

$result = $$root_1->login($$userid->value, $$password->originalvalue);  // with the MD5/SHA methods, use $$password->value instead
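The difference above, shown in plain PHP as an added example (not PHsPeed's own code): a deterministic digest can be recomputed and compared, while a salted hash from password_hash() can only be checked with password_verify() against the original input. The password and field values are constructed for the demonstration.

```php
<?php
// Added example, not PHsPeed's own code: why the two methods need different
// inputs at login time. Values below are constructed for the demonstration.

// Deterministic digest (MD5/SHA model): the stored value can be recomputed
// from the entered password, so comparing digests works. hash_equals()
// keeps the comparison constant-time.
function checkDigest(string $entered, string $storedDigest): bool {
    return hash_equals($storedDigest, hash('sha256', $entered));
}

// Salted hash (PHP method): password_hash() embeds a random salt, so the stored
// value cannot be recomputed; password_verify() needs the original plain text.
function checkSalted(string $enteredPlain, string $storedHash): bool {
    return password_verify($enteredPlain, $storedHash);
}

$pw = 'correct horse battery';   // constructed sample password

$digest = hash('sha256', $pw);
echo 'digest, same input twice: ', var_export(hash('sha256', $pw) === $digest, true), PHP_EOL;
echo 'digest check:             ', var_export(checkDigest($pw, $digest), true), PHP_EOL;

$h1 = password_hash($pw, PASSWORD_DEFAULT);
$h2 = password_hash($pw, PASSWORD_DEFAULT);
// The two salted hashes differ even though the input was identical.
echo 'salted, same input twice: ', var_export($h1 === $h2, true), PHP_EOL;
echo 'salted check, plain text: ', var_export(checkSalted($pw, $h1), true), PHP_EOL;
// Passing an already-encrypted value (what ->value holds once PHsPeed has
// encrypted it) cannot verify; this is why ->originalvalue is required.
echo 'salted check, pre-hashed: ', var_export(checkSalted($digest, $h1), true), PHP_EOL;
```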

useAuthorisation

This property verifies whether the module is allowed to run. If you use a simple RBA structure, it is sufficient to set isLoggedOn(userNum). If you use the full module, the 'isLoggedOn' status is set only if the user has 'access' according to the RBA tables.

If the user has no access, they are redirected to the configured 'main application', usually the login page (when 'can run stand-alone' is false), or an error message is generated stating that the user has no access.

useSecurityModule

This property includes the full RBA access module so that the application can determine which rights a user has for a given module. It retrieves the full set of security statuses: access, read, update, create and delete.

useLogonModule

For some pages you need to be able to ignore the logged-in status, for example the login page itself or a page that allows the user to register.

useAuditTrail

Setting this property to true logs the user's login access. For this to work, you must have enabled and created the audit-trail tables.

Preference table in conjunction with RBA

If you use the user registration page or want to inform the user how to reset their account, you need to send emails. PHsPeed uses phpMailer for that purpose. To send email, PHsPeed requires some basic information, such as the mail server and credentials. You can provide that information in several ways, but the most flexible is to store it in a table: PHsPeed uses the preferences table for this.

Depending on the hosting provider, it might be a small puzzle to get all the settings correct, but once done you can use the preferences across all your projects.

Templates table in conjunction with RBA

If a user registers or has forgotten their password, you might want to send a confirmation email. This email can differ per situation and can easily be defined using the templates module.

The templates component has different ways to read a template. You can provide it by code, the database, or in simple situations by property. 

Parameters

To define parameters, enter them in the parameter property, e.g. 'code'. Then in the template text (simple model) you could have text like:

Hi,<br><br>To reset your account, please use the following code: {%code%}<br><br>Best regards,<br><br>Support<br>

Then the only thing you need to do is to provide a value:


function form_1_onSubmitForm($app) {
   $$tpl_1->setParameter('code', '1234');      // value substituted for {%code%} in the template
   $$mail_1->htmlbody = $$tpl_1->getText();    // the rendered template becomes the mail body
}


This is the method used in the forgotten-password and registration pages. As the way codes are generated may differ, the templates leave that part for you to implement. The signup page provides a sample of how you can provide this code. You will also find the code for sending the templated email there.
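An added example (not PHsPeed's template component or signup page) of the two parts the text leaves to you: rendering the {%name%} placeholders shown above, and producing a reset code that is unpredictable, short-lived and stored only as a hash. The template text is constructed for the demonstration.

```php
<?php
// Added example, not PHsPeed's template component: a minimal renderer for the
// {%name%} placeholders used above, plus a reset code generated with the CSPRNG.

// Substitute every {%name%} with its parameter. An unfilled placeholder is an
// error rather than a raw marker silently mailed to the user.
function renderTemplate(string $text, array $params): string {
    return preg_replace_callback('/\{%(\w+)%\}/', function (array $m) use ($params) {
        if (!array_key_exists($m[1], $params)) {
            throw new RuntimeException("template parameter '{$m[1]}' not set");
        }
        // Escape, since the template is sent as an HTML body.
        return htmlspecialchars((string)$params[$m[1]], ENT_QUOTES, 'UTF-8');
    }, $text);
}

// Reset code: random_bytes() for unpredictability, an expiry, and only the
// hash is kept server-side so a database read does not yield a usable code.
// Returns [plain code to mail, hash to store, expiry timestamp].
function newResetCode(int $ttlSeconds = 900): array {
    $plain = bin2hex(random_bytes(8));                 // 16 hex characters
    return [$plain, hash('sha256', $plain), time() + $ttlSeconds];
}

// Constructed template, identical in form to the one shown above.
$template = 'Hi,<br><br>To reset your account, please use the following code: '
          . '{%code%}<br><br>Best regards,<br><br>Support<br>';

[$code, $codeHash, $expires] = newResetCode();
$htmlBody = renderTemplate($template, ['code' => $code]);  // what $$mail_1->htmlbody would receive
echo $htmlBody, PHP_EOL;

// Later, when the user submits the code back: constant-time compare of the
// hash, and reject anything past its expiry.
$submitted = $code;                                       // constructed: the user typed it correctly
$valid = time() <= $expires && hash_equals($codeHash, hash('sha256', $submitted));
echo 'code accepted: ', var_export($valid, true), PHP_EOL;
```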

Alternative login

In many cases the standard login might not be sufficient, for instance because you need to bind to a SAML or LDAP server.

To implement the alternative login, set the customLogin property to true. That enables the 'onLogin' event, in which you write your own login code.

Alternative RBA

It is also possible to bypass the built-in security and implement your own RBA. To do that, set the customRBA property to true. That enables two events, both of which must be implemented. These events replace the internal RBA!


function root_1_onLogin($app, $userid, $password)


The function must return true when the login process is successful, or false when it is not.

onGetModuleRightsOf

This event is called whenever the system needs to know the access rights for a module:


function root_1_onGetModuleRightsOf($app, $userid, $module)      


The function must return an array of allowed access with the following keys:


  $r['access']
  $r['create']
  $r['read']
  $r['update']
  $r['delete']


A value of 'Y' means 'allow'; a value of 'N' means 'disallow'.

onRequestAccessTo

This event is called whenever the system needs to know whether access is allowed (it may be followed by calls to onGetModuleRightsOf).


function root_1_onRequestAccessTo($app, $userid, $module)


The function must return true to grant access or false to deny it.
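The three custom events from the 'Alternative login' and 'Alternative RBA' sections wired together, as an added example that is not PHsPeed's own code: the user and rights tables are constructed in memory (real code would query your own RBA store), unknown users and modules are denied by default, and the return shapes match what the text requires.

```php
<?php
// Added example, not PHsPeed's own code: the customLogin / customRBA events
// backed by constructed in-memory tables. $app is unused here.

// Constructed user table: userid => salted password hash and role.
$users = [
    'alice' => ['hash' => password_hash('alice-secret', PASSWORD_DEFAULT), 'role' => 'admin'],
    'bob'   => ['hash' => password_hash('bob-secret',   PASSWORD_DEFAULT), 'role' => 'viewer'],
];
// Constructed rights table: role => module => [access, create, read, update, delete].
$rights = [
    'admin'  => ['orders' => ['Y', 'Y', 'Y', 'Y', 'Y']],
    'viewer' => ['orders' => ['Y', 'N', 'Y', 'N', 'N']],
];

// onLogin: $password is the original (unencrypted) input, per the login call above.
function root_1_onLogin($app, $userid, $password): bool {
    global $users;
    if (!isset($users[$userid])) {
        return false;                                   // unknown user: no login
    }
    return password_verify($password, $users[$userid]['hash']);
}

// onGetModuleRightsOf: array keyed access/create/read/update/delete with 'Y'/'N'.
function root_1_onGetModuleRightsOf($app, $userid, $module): array {
    global $users, $rights;
    $role = $users[$userid]['role'] ?? null;
    $row  = $rights[$role][$module] ?? ['N', 'N', 'N', 'N', 'N'];   // deny by default
    return array_combine(['access', 'create', 'read', 'update', 'delete'], $row);
}

// onRequestAccessTo: true only when the module's 'access' right is 'Y'.
function root_1_onRequestAccessTo($app, $userid, $module): bool {
    return root_1_onGetModuleRightsOf($app, $userid, $module)['access'] === 'Y';
}

// Walk-through with the constructed data.
echo 'bob login:            ', var_export(root_1_onLogin(null, 'bob', 'bob-secret'), true), PHP_EOL;
echo 'bob login, wrong pw:  ', var_export(root_1_onLogin(null, 'bob', 'nope'), true), PHP_EOL;
echo 'bob access orders:    ', var_export(root_1_onRequestAccessTo(null, 'bob', 'orders'), true), PHP_EOL;
echo 'bob delete orders:    ', root_1_onGetModuleRightsOf(null, 'bob', 'orders')['delete'], PHP_EOL;
echo 'mallory access orders:', var_export(root_1_onRequestAccessTo(null, 'mallory', 'orders'), true), PHP_EOL;
```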