2718.us blog » plugin

OpenID Works!

2718.us — Tue, 20 Oct 2009 00:53:12 +0000

Several weeks ago, I attempted to enable OpenID logins on this blog. It didn’t work well. It didn’t work at all. Bad Behavior, which I consider absolutely critical in cutting down the impact of spambots, also broke the chain of redirects/reposts that enable OpenID logins. Now, however, with Bad Behavior 2.0.30 (and 2.0.31), the RPX plugin from JanRain works!

It is now possible to log in with OpenID, automatically creating an account, and to associate an existing account with an OpenID for future logins.

Personally, I suggest MyOpenID (from JanRain) because it gives the option of using PhoneFactor’s phone-call-based 2-factor authentication.

(Yo)URL Shortening and Twitter-Announcing of Posts

2718.us — Mon, 21 Sep 2009 09:07:29 +0000

A while back, I’d looked at a couple of plugins to automate the announcing of new blog posts on Twitter, but hadn’t really found one that I liked. Today, I found myself playing with really short (one-character) IDNs, which led to thinking about URL shortening, which led to YOURLS, which led back to WordPress and using Twitter to announce new posts (YOURLS plugin).

So, I’m posting this partly to spread the word and partly to see if the existence of this post will be successfully tweeted complete with short URL.

(NOTE: while YOURLS itself supported the IDN seamlessly, its WordPress plugin seemed to choke silently when pointed at the unicode form of the IDN for the YOURLS API and needed the punycode version to make it work.)

2718.us Blog: Now with OpenID

2718.us — Mon, 31 Aug 2009 02:37:14 +0000

I’m now trying the RPX plugin from JanRain to enable OpenID logins on this blog. On the negative side, I’m committed to using BadBehavior to knock down server load from bots and BadBehavior seems to trap the redirect back here from your OpenID provider. If you try to log in with OpenID and get an error screen instead of being redirected back to the blog, just go to your address field and hit enter to soft-reload the page and things should be fine.

Edit: actually, OpenID login now seems to be entirely broken. Hmm…

Authenticating with WordPress 2.6 (part 3)

2718.us — Sun, 03 Aug 2008 23:55:48 +0000

So, as a followup to parts 1 and 2, per WordPress Trac ticket #7001, WordPress 2.6 has split up the login cookies into three parts:

what was the one and only login cookie in 2.5 is now limited to /wp-admin
there’s a copy of that one that’s just limited to /wp-content/plugins, for backward compatibility with plugins
there’s a new cookie that is at COOKIEPATH (which can be defined in your config file), that is checked by calling
```
is_user_logged_in()
```
(but perhaps this isn’t intended for secure authorization?)

So, it appears the way to go may be to change

auth_redirect()

if (!is_user_logged_in()) auth_redirect();

Maybe more to follow on this when I’ve more thoroughly explored it.

Authenticating with WordPress 2.6 (part 2)

2718.us — Wed, 30 Jul 2008 04:32:54 +0000

Having stated the problem and now played further, I’ve got good news and bad news.

The good news is that there’s an action hook, ‘set_auth_cookie’, that gets called whenever the cookies are set, so if the stuff for which you want to authenticate is on the same server but at a different path, you can create a plugin (or maybe use functions.php in your theme?) with something like the following:

function your_unique_name_here_set_auth_cookie($auth_cookie, $expire, $expiration, $user_id, $scheme) {
setcookie(AUTH_COOKIE, $auth_cookie, $expire, '/path/to/your/stuff', COOKIE_DOMAIN);
}
add_action('set_auth_cookie','your_unique_name_here_set_auth_cookie',10,5);

The bad news is that if your WordPress install is at example.com/something and you want to use it to authenticate at portal.example.com, you can’t set a cookie for portal.example.com from a script on example.com, so your only choice would be to set a cookie with path / on .example.com (note the leading period), which completely breaks the security added by the separate cookies.

Hopefully, there’ll be a “part 3″ to this wherein I solve this last problem somehow, since that’s the setup I’m dealing with.

Hiding the WordPress Dashboard

2718.us — Thu, 10 Jul 2008 20:34:55 +0000

I use WordPress as the backbone of a site I run, including using it for user authentication. This means a lot of people who aren’t invovled in running the site are logging in and could see the dashboard. Now, it’s not that there’s anything really secret there, but it makes things look a lot less “finished” to have users deposited on a page that has no relevance to them. This is where the Hide Dashboard plugin from Patrick/DeepWave comes in. It does a nice job of getting users to their profile page and generally hiding most of the dashboard things that regular users don’t need to see.

I, however, wanted a little more. I wanted to make sure that regular users who might be, well, “curious” about the inner workings of the site and who have some knowledge of wp-admin URL structure to be unable to get at anything but their profile page. To this end, I added a little to the code:

// add after line 41, which reads: if(!current_user_can('level_10')){
if (strpos($_SERVER['REQUEST_URI'],'/wp-admin') !== FALSE
and strpos($_SERVER['REQUEST_URI'],'/wp-admin/profile.php') !== 0){
wp_safe_redirect('/wp-admin/profile.php');
}

This should redirect any non-admin user off of any /wp-admin* page to /wp-admin/profile.php. This might, however, cause issues for mid-level users (i.e. authors/editors/etc may not be able to access needed functions) and I haven’t tested it thoroughly and there might be a better way to do this. YMMV. See also some comment-discussion on these changes at the plugin’s own page: me Patrick me.

Oh, so that’s why the WordPress.com stats plugin said I had no traffic…

2718.us — Thu, 01 May 2008 20:38:24 +0000

It seems that some themes that I’d used as the bases for my own themes on my WordPress installs (other than this one) didn’t have

in the footer.php file, like they should, I guess, since that seems to be what the WordPress.com stats plugin needs to register hits. I had been wondering why the numbers on my dashboards didn’t even remotely match my awstats numbers.

Using WordPress for User Authentication, Part 2

2718.us — Wed, 16 Apr 2008 18:08:33 +0000

After implementing other pages that used WordPress to authenticate users and deal with access control, I went to move these pages off to a subdomain, and suddenly found that auth_redirect wasn’t quite working right. When auth_redirect is called and doesn’t find a logged-in user, it redirects to login and passes the URI of the current page… well sort of. It passes the request string, but it ignores the server part. So, when the login page is done and tries to redirect, it’s going back to the main WordPress server, not the subdomain. Fortunately, auth_redirect is a very simple function to duplicate and it is designated as pluggable–that is, a plugin can be used to redefine auth_redirect, so I’ve now got a plugin that overrides auth_redirect() with auth_redirect($use_current_host = FALSE) so that if I want auth_redirect to pay attention to the host, I call auth_redirect(TRUE).

This is all fine and good, but still doesn’t quite work, since WordPress is smart and won’t just redirect anywhere willy-nilly. It will only redirect to authorized-for-redirecting servers (wp_safe_redirect, which doesn’t have any documentation in the Codex). Though undocumented (or at least not well documented in the Codex), the way the authorized host list is handled allows for a plugin to add a filter hook that modifies the allowed list (since the allowed list by default only includes the actual WordPress server name and isn’t exposed as an option/setting anywhere). Toss that hook into my plugin, add on a settings page to allow the admin to input a comma-separated list of allowed-for-redirecting hosts, and now I can use WordPress to authenticate users on subdomains.

If anyone is interested in this plugin, please let me know and I’ll try to clean it up engouh to make it public.