The authentication plugin is no longer available as a free download. It is available for phpPeanuts version 1.4.beta1 and higher only for paying customers of MetaClass and developers that have made a substantial contribution to the development of the framework and its extensions.
To install make a backup copy of your web servers folder where you installed phpPeanuts into. Extract the authentication archive you downloaded. This results in a 'phpPeanuts ... authendication' folder with a file 'pntx.auth.mysql.sql' and with folders 'admin', 'classes' and 'example13'. In the folder classes are several login related classes, and folders 'admin', 'example13' and 'pntx'.
The folders in the 'pntxAuthentication..' folder need to be copied to the folder on your web server where you installed phpPeanuts. Do not copy the files that are directly in the 'pntxAuthentication..' folder. Some of the folders will have the same names as some of the existing folders in your phpPeanuts install. The contents of those folders will have to be added to the corresponding folders on your web server. There should be no collisions. If you have existing classes with the same name as the login related classes, or an 'admin' folder, you may want to rename them first.
To get the user authentication working you need to create some tables on the database that is used by your phpPeanuts install. The table creation commands for MySQL are in the
'pntx.auth.mysql.sql' file. If you use a different database you may have to change the datatypes and replace the key clauses by create index statements.
To make the administration app and its submenu show up in the menu you need to add the content of the file 'additionTo_includes_skinMenuPart.php' to skinMenuPart.php in the includes folder of your phpPeanuts install.
After installing the files and folders, creating the tables and editing skinMenuPart you can try to log in to the admin application using the username 'admin' with the password 'admin'. If you do not get te login page, you are probably using an older version of phpPeanuts. The authentication plugin will not work until you upgrade your phpPeanuts to version 1.4.beta1 or higher.
If you get the login page it will probably tell you that a secure connnection is required and after a few seconds redirect you to the same url under https. If your server is not capable of https or you want to use the admin application with http, you have to modify the method in the admin classFolder. (Using http is not recommended in production environments).
If you get the message that your username password combination is wrong, maybe your md5 function does not produce exactly the same result as ours. You can switch off the security on the admin application by renaming the SecurityManager class in the admin classfolder. The default SecurityManager from you root classFolder will cick in, allowing everyone to use the admin application. You can now enter a new password for user 'admin' and update the database. Then restore the name of the SecurityManager class in the admin classfolder and see if you can log in with the new password.
If you can log in you can view and edit the users, roles and groups. Users will have all the credentials of all the UserGroups they are in. You are advised to replace the passwords of the users by proper passwords*.
Installing the plugin files should only affect your existing example13 application. If you do not have an existing example13 application you can still install the examples so that you can try out the authentication and authorization added to example 13.
Installing should have no effect any other applications. To add authentication and authorization to other applications you need to either edit the SecurityManager class in your root classFolder or add a SecurityManager class to each application classFolder you want to protect. To see what code to put in your SecurityManager class(es), take a look at the SecurityManager classes in the admin and example13 classFolders and read how to add user authentication to an application.
PS. The authentication plugin relies on PHP's session to store its information for the authentication of users after they are logged in. To prevent session ids to be leaked through urls, consiter to ini_set('session.use_only_cookies', '1'); Also consider to take additional measures to secure session content from other application running on the same physical server or to store authentication information in a safer place.
* when you replace the passwords, PntxUser will use sha256 hashing if available. If you later upload your user data to a server that does not support sha256 you will not be able to log in. |
