Single user system across multiple sites using Codeigniter and XenForo - codeigniter

I've got several sites that I'd basically like to have the same user system for.
One of the sites runs XenForo, the others all run Codeigniter, or systems built on Codeigniter (e.g. PyroCMS).
I need to somehow be able to let a user login on any of the sites with the same username/password combination, in addition to being able to register.
I know there are a number of ways of going about this, such as an OpenID server, however I'm not 100% sure which is best for my situation given that I'm using two systems that aren't exactly going to play nice together.
I'm not too bothered about having it autologin across all sites at once, but just don't want people to have to use multiple different credentials.
Would I be right in thinking something along the lines of a central OpenID server, with openid authentication on the 'slave' sites would be my best option?
I'd ideally like to use the XenForo user table as the 'master' user table in this situation.
Any input or suggestions would be greatly appreciated.

I wrote one here a while ago. I've not updated it in a while, though it should still be good:
http://www.jeremyhutchings.com/2010/12/xenforo-and-codeigniter-intergration.html

Related

Architecture/Technical Challenges in Handling Authentication/Permissions in Elixir Channels/Sockets

So I have decided to rewrite an application I have been writing in Node.js to Elixir because of all the extra complexity working with Node that Elixir comes with out of the box.
My issue was something I didn't have quite right in Node and is becoming just as complex in Elixir and I am not entirely sure how to go about approaching it.
I am trying to recreate a lot of how Discord does permissions. I am essentially building a CRM system, with different roles like "Sales Manager", "Sales", "Customer Service Rep" etc... But they all are able to do different things based on their "role".
Some things I need to do is be able to update a permission on the fly for a person or role. Maybe the "Sales Manager" role can't look at company financial data like an "Accountant" but we need to give that specific person access for a few days. Or I have a "Customer Service Rep" and we give that entire role the ability to add things to a calendar. I also would like to have the ability to kill sessions.
So there are a few ways I've seen said around Elixir forums, like:
Using Guardian, I really want to like tokens and think not having to hit the database every time sounds wonderful, but I don't think it's practical for this. Unless there is a good solution to updating tokens on the fly which I haven't found.
Giving each person their own process and just kill and start the process on changes with new changes. This seems pretty neat, but I'd rather not kill processes unless there is an actual error, I think this solution will come with big problems, like tracing problems. Although I am not familiar enough to know if this might actually cause problems, or if this is a bad solution for other reasons.
Use Guardian with Guardian_DB, which then defeats the purpose of using tokens, but at least I'd have a trackable session. My only problem with this is I do plan on using a load-balancer so that if a socket connection dies I can reconnect it to the same server and I am not sure there is a way to do that with tokens or if the socket itself has a session attached to it. This is not really that big of an issue though and is pretty close to what I had with Node.js.
Use Redis which I'd like to stay away from, and then update session data in Redis based on user_id when updates occur and hit Redis on every request to see if the user has permissions. I plan to put this across multiple servers eventually which means ETS is not viable unless I can load-balance socket connections like I could in Node.js.
So I guess my questions are,
Can I attach sessions to sockets? Is this a bad idea?
Should I still use a token, and just use Redis to check the token on every request?
Is a token still a better choice than a session?
Is there a much better/easier solution that I have not even mentioned?
I'm sorry this was pretty drawn out and long, I've never had to do something as permission bound as this project professionally and am pretty new to Elixir.
Phoenix channels are stateful. You can put data in the assigns field and it stays there for the duration of the connection. That is where you normally put your user_id after authenticating the user on join.
I also use the channels assigns to store client state that I need on the server.
WRT the role to permissions question, I'm doing exactly this. What I do is load the role permissions from the database on startup and build an ETS store with them. You can do the same with a Task or a GenServer. If the permissions change for a given role, I update the database and the ETS table.
My user model supports a list of roles for each user.
When I need to validate the permissions for a given user, I call the Permission model API like Permission.has_permission?("create-room", user, scope). I have two levels of permissions, global and per room. That is what the scope is used for.
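A sketch of the ETS-backed role/scope check described in this answer, extended with the temporary per-user grant the question asks about. This is added example code, not the answerer's module; the role names, the seed grants, the `{:room, id}` scope shape and the optional `now` argument are assumptions.

```elixir
defmodule Permission do
  @moduledoc "Role and per-user permission checks backed by an ETS table."
  @table :permissions

  # Constructed seed data; a real app loads role grants from the database at startup.
  @role_grants [
    {"sales_manager", "create-room", :global},
    {"accountant", "view-financials", :global},
    {"customer_service", "add-calendar-entry", :global}
  ]

  # Build the table once at boot (e.g. from a Task or a GenServer init callback).
  def init do
    if :ets.whereis(@table) == :undefined do
      :ets.new(@table, [:named_table, :set, :public, read_concurrency: true])
    end
    :ets.delete_all_objects(@table)
    for {role, perm, scope} <- @role_grants, do: grant_role(role, perm, scope)
    :ok
  end

  # Writing the change back to the database is omitted; only the in-memory table is updated.
  def grant_role(role, perm, scope), do: :ets.insert(@table, {{:role, role, perm, scope}, :infinity}) && :ok
  def revoke_role(role, perm, scope), do: :ets.delete(@table, {:role, role, perm, scope}) && :ok

  # Temporary per-user grant ("give that specific person access for a few days");
  # expires_at is a unix timestamp in seconds.
  def grant_user(user_id, perm, scope, expires_at), do: :ets.insert(@table, {{:user, user_id, perm, scope}, expires_at}) && :ok
  def revoke_user(user_id, perm, scope), do: :ets.delete(@table, {:user, user_id, perm, scope}) && :ok

  # user is a map like %{id: 42, roles: ["sales"]}; scope is :global or {:room, room_id}.
  # A :global grant also satisfies any room-scoped check. Expired user grants are ignored,
  # so a lapsed temporary grant fails closed without anyone having to revoke it.
  def has_permission?(perm, %{id: id, roles: roles}, scope, now \\ System.system_time(:second)) do
    scopes = Enum.uniq([scope, :global])
    role_keys = for s <- scopes, r <- roles, do: {:role, r, perm, s}
    user_keys = for s <- scopes, do: {:user, id, perm, s}
    Enum.any?(role_keys ++ user_keys, fn key ->
      case :ets.lookup(@table, key) do
        [{_, :infinity}] -> true
        [{_, expires_at}] -> expires_at > now
        [] -> false
      end
    end)
  end
end
```

Every check is two to four ETS lookups with no database round trip, and a role or user change takes effect on the next request because the table is updated in place rather than baked into a token.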

Automation layer above a site

I'm looking into creating a website that sits on top of another site. I wish for this site to be a sort of driver/automator of the original site. The original site is slow and you need to input the same data repetitively (and lots of it, which is infuriating).
What would be the best way of doing this?
I have started using watir-webdriver in ruby, and it seems to work well! Would I be able to host this? I know it launches an explorer (Firefox in my case) and my worry is not being able to host the application?
I don't want to place all my eggs into this one basket and find out later there's a stumbling block to getting it done!
The short answer
I think there are better tools for web scraping than web testing tools (watir and others), and your end result might require a lot more work than you imagine.
The long answer
This sounds like a case of the façade pattern in which your application would act as the new frontend and the old/existing site as the backend for the improved experience of the service.
Some things to think about before jumping into programming:
If the old site requires users to register, would your users be willing to re-register to your site so that you could log them in to the old site programmatically?
How frequently is the same data required to be inputted and how would you prevent it?
The existing site may have expectations on the request headers which might cause you extra headache and require quite some work to circumvent.
Are you allowed to use the existing site's user interface material or do you need to start from scratch?
How often is the existing site changed and how would it affect your application?
In summary, there are lots of factors and issues to take into account depending on how the existing site is implemented and who your envisioned users are. Suggesting a best way to do it would require a lot more knowledge of both the existing site and how you'd want to improve it.
I haven't used watir-webdriver myself but if it is like Selenium and starts a new browser instance any time you run it, then hosting it would most likely not work as you'd expect. There are better tools for what you are thinking of doing, i.e. web scraping, and you may want to take a look at the following, for example:
https://www.ruby-toolbox.com/categories/Web_Content_Scrapers
https://www.ruby-toolbox.com/categories/http_clients

rails flexible authorization

I'm working on a project that needs to have flexible authorization. What I mean by that is this:
My users will be divided into client groups, so each client could have many users.
Each user needs to be able to have different roles, but the definitions of these roles needs to be able to be set on a per client basis, and ideally in a way that, say, a user with an ultra_admin role would be able to edit the roles for her client group.
I've looked into the following:
CanCan
Declarative Auth
acl9
and a handful of others, and I can't see a way to do this in them, although I think it's probably possible in acl9, it doesn't look like it's what it was designed for.
Is there an existing authorization gem that makes this easy? Is there a reason that this isn't out there (i.e. am I missing an obvious solution that is simpler)? If it's possible with one of the above gems is there an example anywhere?
I couldn't find anything like this either, and so I rolled my own.
https://github.com/PRX/badges
I'm working on an update, and rename, which will work very much the same way and be out soon, but this version on github we use in production.

How to create a group that can only manage registered users in Joomla

I'm making a website for a client in Joomla, and I want the client to be able to manage users on the site / delete them if necessary, but that is it. I don't want them to be able to see or do anything else on the site; what is the best way of doing that?
Ideally I would have liked to have this done through the front end. I was looking to make a simple list of users that only the admin group can access and manually delete them from the DB directly, but I'd rather do it through Joomla if that was possible, for security reasons.
I looked at ACLs a bit but couldn't really figure out how to limit the functions to what I want, any help is really appreciated.
From the front end you won't have much luck with that. As far as user management all of that is handled on the backend.
If you're looking to do that sort of thing you'll simply have to get much more familiar with the ACL - there's a good amount of documentation on www.joomla.org
Even by utilizing the ACL I don't think there will be much you can do to limit a particular group to having access to JUST the userbase specifically. The best bet would be to educate your client about Joomla, how it works, what to change, how to change it and why to leave everything else alone. I know that may be problematic for things in the future, but unfortunately I don't know of any (and have not heard of any) front end solutions for what you're looking to do. I haven't heard of any back end solutions either however.
I think certain things will be so intertwined to certain levels of permission you won't be able to have that kind of granularity.
Edit: I'm almost 100% positive there's no way this is possible on 1.5.23 (or earlier versions) because the ACL simply isn't there. So my advice above is aimed specifically at versions up to 1.7.

getting started with Single Sign On / Windows Authentication

First off, the problem:
We have a Web App with a Flash front-end that talks to our ASP.NET web service via SOAP which then deals with all of our server side code (C#).
Right now, we implement a simple user sign on in our application, storing the info in our MSSQL DB.
A client has requested what I understand to be Windows authentication through our application using the currently logged in user.
So, I have been tasked with investigating this. Nobody, including myself, has any experience in this area.
I have been reading up on some basic Active Directory information, and some simple tutorials. I understand how to get access to the directory using ADSI through code. What I'm really interested in seeing is how the entire thing should be architected. I don't want to throw together a hacky solution.
Does anyone know of a good tutorial for this kind of thing or have any advice on getting started? More importantly, does this even sound viable?
I know I haven't given much information, but feel free to ask and I will provide answers.
Thanks.
Edit:
Will, to give you an idea of the scope of this, the network will include every computer in a large hospital. So yes, this is huge. Clearly I need to start small. I would like to come up with something that will work at my office first. Maybe ~10 Windows computers on a single domain. One Domain Controller.
I am also open to any good books on the subject.
If you are going to tie into Active Directory you will want to take a look at the System.DirectoryServices namespace. The implementations can vary wildly depending on your system architecture, but this should give you a good starting point.
Enjoy!
