Mail Index


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ApacheGallery] Proposal for an admin site



Hello Apache Gallery users.

Below you'll find a patch to -dev which enables basic authentication.

To give it a try, visit https://gallery.vandewolfshaar.com.

To bring up the password form, set any value for "auth"; for instance visit
https://gallery.vandewolfshaar.com?auth=yes.

The password is currently "password", which I have set in my httpd.conf file
this way:

        PerlSetVar   AdminPassword 'password'

If you pop in 'password' in the form and press submit, you'll be
authenticated. The menu on directory screens will change to notify you to
that effect. The image screen will obviously be modified significantly to
allow for future features as well, but I haven't done that yet.

I used an MD5 hash in a user cookie, so this should be reasonably secure. I
also use Apache::Request based cookies; thanks for introducing me to those.
Finally, I use CGI for the form, but I deferred that use command because it
should be relatively rare that an administrator view the site vis-a-vis a
regular user, and so I attempt to defer or avoid that if possible; I
understand use CGI is on the expensive side.

If you don't add "$AUTH" somewhere in your index.tpl, of course the password
form does not appear.

I am requesting input on coding style, suggestions for improvement, because
I would be saddened to go too far down this path only to learn my humble
project doesn't meet your admittedly high standards and you wouldn't
integrate this into your -dev tree.

My next step from here will be to attempt to develop (for authenticated
users of course) file upload capabilities, image rotation, and image
annotation.

Best and kindest regards, with renewed thanks for an excellent product.

Paul

[email protected]> diff Gallery.pm Gallery.pm.orig
16,17d15
< use Apache::Cookie;
< use MD5;
92,136c90
<               my %cookies = Apache::Cookie->fetch;
<               my $authenticated ;
<               if ( $cookies{'password'} )
<               {
<
<                   my $hash=new MD5;
<
$hash->add(Apache->request()->dir_config('AdminPassword'));
<                   my $digest = $hash->digest();
<
<                   if ( $cookies{'password'}->value eq unpack("H*",
$digest) )
<                   { $authenticated = '( User authenticated )
   }
<               }
<               $tpl->assign(MENU => $authenticated . generate_menu($r));
<
<
<               if ( $apr->param('auth')  )
<               {
<
<                   if ( $apr->param('password')  )
<                   {
<                       my $authenticated = authenticate_user(
$apr->param('password') );
<                       $tpl->assign(AUTH => $authenticated );
<                       if ( $authenticated eq 'User authenticated.' ) {
<                           my $hash=new MD5;
<                           $hash->add($apr->param('password'));
<                           my $digest = $hash->digest();
<                           my $cookie = Apache::Cookie->new($apr,
<                              -name    =>  'password',
<                              -value   =>  unpack("H*", $digest) ,
<                              -expires =>  '+3h',
<                              -secure  =>  1
<                                      );
<
<                       $cookie->bake;
<                   }
<
<                   } else {
<
<                       $tpl->assign(AUTH => build_auth_form());
<
<                   }
<                  } else {
<                      $tpl->assign(AUTH => '' );
<               }
<
---
>               $tpl->assign(MENU => generate_menu($r));
648,677d601
< }
<
< sub build_auth_form {
<
<     use CGI;
<     my $form;
<     my $query = new CGI;
<     $form = $query->startform();
<     $form = $form . $query->password_field(-name=>'password',
<                                -value=>'');
<     $form = $form .
$query->submit(-name=>'submit_button', -value=>'submit');
<     $form = $form . $query->endform();
<
<
<     return $form;
< }
<
< sub authenticate_user {
<
<     my $password = shift;
<     my $returnstring;
<     if ( Apache->request()->dir_config('AdminPassword') eq $password )
<     { $returnstring = 'User authenticated.';
<
<       } else {
<         $returnstring = 'User authentication failed.' ;
<         }
<
<     return $returnstring;
<


---------------------------------------------------------------------
Apache::Gallery users mailinglist. http://apachegallery.dk/
To unsubscribe, e-mail: [email protected]