2718.us blog » wp http://2718.us/blog Miscellaneous Technological Geekery Tue, 18 May 2010 02:42:55 +0000 en hourly 1 http://wordpress.org/?v=3.0.4 OpenID Works! http://2718.us/blog/2009/10/19/openid-works/ http://2718.us/blog/2009/10/19/openid-works/#comments Tue, 20 Oct 2009 00:53:12 +0000 2718.us http://2718.us/blog/?p=189 Several weeks ago, I attempted to enable OpenID logins on this blog.  It didn’t work well.  It didn’t work at all.  Bad Behavior, which I consider absolutely critical in cutting down the impact of spambots, also broke the chain of redirects/reposts that enable OpenID logins.  Now, however, with Bad Behavior 2.0.30 (and 2.0.31), the RPX plugin from JanRain works!

It is now possible to log in with OpenID, automatically creating an account, and to associate an existing account with an OpenID for future logins.

Personally, I suggest MyOpenID (from JanRain) because it gives the option of using PhoneFactor’s phone-call-based 2-factor authentication.

]]>
http://2718.us/blog/2009/10/19/openid-works/feed/ 0
2718.us Blog: Now with OpenID http://2718.us/blog/2009/08/30/2718-us-blog-now-with-openid/ http://2718.us/blog/2009/08/30/2718-us-blog-now-with-openid/#comments Mon, 31 Aug 2009 02:37:14 +0000 2718.us http://2718.us/blog/?p=167 I’m now trying the RPX plugin from JanRain to enable OpenID logins on this blog.  On the negative side, I’m committed to using BadBehavior to knock down server load from bots and BadBehavior seems to trap the redirect back here from your OpenID provider.  If you try to log in with OpenID and get an error screen instead of being redirected back to the blog, just go to your address field and hit enter to soft-reload the page and things should be fine.

Edit: actually, OpenID login now seems to be entirely broken.  Hmm…

]]>
http://2718.us/blog/2009/08/30/2718-us-blog-now-with-openid/feed/ 1
WordPress 2.6 + bbPress 0.9.0.2 http://2718.us/blog/2008/08/16/wordpress-26-bbpress-0902/ http://2718.us/blog/2008/08/16/wordpress-26-bbpress-0902/#comments Sat, 16 Aug 2008 23:48:33 +0000 2718.us http://2718.us/blog/?p=93 In case anyone was still curious following my previous headache post, it is possible to integrate WP2.6 and bbPress 0.9.0.2.  I say “possible” because while I’ve got it working as far as I can tell (without having modified core code in either WP or bbP), I haven’t really tested it and it’s a mess.  More or less, a specially-crafted plugin for WP plus a specially-crafted plugin for bbP got me nearly there.  The one hangup was the login cookie (the new one that is at the root of the site), which while my bbPress plugin seemed to be duplicating it, WP didn’t want to recognize it (I couldn’t find any difference between the cookie set by my bbP plugin and the one set by WP, but WP didn’t like mine anyway).  I got around this by bypassing the bbP login mechanism entirely and using the WP login with a redirect back to bbPress.

Of course, it’s also annoying that while there’s a set_auth_cookie action hook, there’s no clear_auth_cookie, so my plugins had to override the clear_auth_cookie function wholesale rather than hooking into it as they do with set_auth_cookie.

If you have some twisted desire to make this unholy integration that I now seem to have working and would like some of my code, leave me a comment.

]]>
http://2718.us/blog/2008/08/16/wordpress-26-bbpress-0902/feed/ 3
WordPress 2.6 is Giving Me a Headache http://2718.us/blog/2008/08/03/wordpress-26-is-giving-me-a-headache/ http://2718.us/blog/2008/08/03/wordpress-26-is-giving-me-a-headache/#comments Mon, 04 Aug 2008 03:30:08 +0000 2718.us http://2718.us/blog/?p=89 Now, I’m really big on *not* complaining about new versions of things and I especially dislike the practice of complaining about how a new version of WordPress broke some plugin that is of dire importance to someone’s website, but WordPress 2.6 is starting to give me a headache.  I’ve already posted thrice about issues with integrating an external site into WP2.6′s user authentication.  Honestly, I consider that to be my own problem to solve and not WP’s fault, since I’m hooking into WP in a way that wasn’t intended, so I have no right to expect them to preserve my ability to (mis)use it.

However, I just came across this in the bbPress forums:

As of July 2008, do NOT try to integrate WordPress 2.6 with bbPress 0.9 Use WP 2.5.1 – the reason for this is simple – WordPress has radically changed the way cookies are used. If you have already installed WP 2.6, don’t worry you have not broken anything, you’ll just need to downgrade and install 2.5 instead. 2.5.1 is perfectly stable and has no known security issues – 2.6 only adds a few new features to WP. There is an updated version of bbPress in the works to support the new cookie method but it might be awhile before it’s available in a mainstream release.

Now, ostensibly, WP and bbPress are coming from the same people/place/company/organization/whatever, so I think I should be able to expect the one to work with the other and to *not* have the left hand tell me to ignore what the right hand is doing.  This is almost enough (*almost*) to make me give up on trying to piece together a decent way to hook into the is_user_logged_in() thing for the non-WP part of the WP-based site I’m working on, since the bbPress part of the site won’t work even if I do fix the non-WP part of the site.

]]>
http://2718.us/blog/2008/08/03/wordpress-26-is-giving-me-a-headache/feed/ 1
Authenticating with WordPress 2.6 (part 3) http://2718.us/blog/2008/08/03/authenticating-with-wordpress-26-part-3/ http://2718.us/blog/2008/08/03/authenticating-with-wordpress-26-part-3/#comments Sun, 03 Aug 2008 23:55:48 +0000 2718.us http://2718.us/blog/?p=82 So, as a followup to parts 1 and 2, per WordPress Trac ticket #7001, WordPress 2.6 has split up the login cookies into three parts:

  • what was the one and only login cookie in 2.5 is now limited to /wp-admin
  • there’s a copy of that one that’s just limited to /wp-content/plugins, for backward compatibility with plugins
  • there’s a new cookie that is at COOKIEPATH (which can be defined in your config file), that is checked by calling
    is_user_logged_in()

    (but perhaps this isn’t intended for secure authorization?)

So, it appears the way to go may be to change

auth_redirect()

to

  1. if (!is_user_logged_in()) auth_redirect();

Maybe more to follow on this when I’ve more thoroughly explored it.

]]>
http://2718.us/blog/2008/08/03/authenticating-with-wordpress-26-part-3/feed/ 8
Authenticating with WordPress 2.6 (part 2) http://2718.us/blog/2008/07/29/authenticating-with-wordpress-26-part-2/ http://2718.us/blog/2008/07/29/authenticating-with-wordpress-26-part-2/#comments Wed, 30 Jul 2008 04:32:54 +0000 2718.us http://2718.us/blog/?p=70 Having stated the problem and now played further, I’ve got good news and bad news.

The good news is that there’s an action hook, ‘set_auth_cookie’, that gets called whenever the cookies are set, so if the stuff for which you want to authenticate is on the same server but at a different path, you can create a plugin (or maybe use functions.php in your theme?) with something like the following:

  1. function your_unique_name_here_set_auth_cookie($auth_cookie, $expire, $expiration, $user_id, $scheme) {
  2.     setcookie(AUTH_COOKIE, $auth_cookie, $expire, '/path/to/your/stuff', COOKIE_DOMAIN);
  3. }
  4.  
  5. add_action('set_auth_cookie','your_unique_name_here_set_auth_cookie',10,5);

The bad news is that if your WordPress install is at example.com/something and you want to use it to authenticate at portal.example.com, you can’t set a cookie for portal.example.com from a script on example.com, so your only choice would be to set a cookie with path / on .example.com (note the leading period), which completely breaks the security added by the separate cookies.

Hopefully, there’ll be a “part 3″ to this wherein I solve this last problem somehow, since that’s the setup I’m dealing with.

]]>
http://2718.us/blog/2008/07/29/authenticating-with-wordpress-26-part-2/feed/ 1
Authenticating with WordPress 2.6 (part 1) http://2718.us/blog/2008/07/29/authenticating-with-wordpress-26-part-1/ http://2718.us/blog/2008/07/29/authenticating-with-wordpress-26-part-1/#comments Wed, 30 Jul 2008 03:03:51 +0000 2718.us http://2718.us/blog/?p=68 I’ve been hoping for the last hour or two that there’d be just one post on this topic, giving the problem and solution all together, but I have yet to solve it and so I’m just going to post the issue for now, until I have a solution.

As a security measure in WP2.6, login cookies are now split into what seem to be at least three different cookies—two with paths like /wp-admin and /wp-content/plugins that are the full cookie that auth_redirect() checks against and one that’s different, with path / [paths relative to the blog root].  Near as I can tell, this immediately breaks any attempt to use auth_redirect() for authentication (e.g. this and this) outside the /wp-admin and /wp-content/plugins directories.  It is also not immediately clear to me how to authenticate against the whole-site cookie, if there’s any way to do that at all.

A temporary, but very bad fix would be to completely defeat the security by defining ADMIN_COOKIE_PATH to be the site root, rather than the path to /wp-admin.  I’m thinking that, from a quick skim of pluggable.php, there might be plugin action hooks to allow setting other cookies that would allow authentication on other paths…

]]>
http://2718.us/blog/2008/07/29/authenticating-with-wordpress-26-part-1/feed/ 2
Hiding the WordPress Dashboard http://2718.us/blog/2008/07/10/hiding-the-wordpress-dashboard/ http://2718.us/blog/2008/07/10/hiding-the-wordpress-dashboard/#comments Thu, 10 Jul 2008 20:34:55 +0000 2718.us http://2718.us/blog/?p=48 I use WordPress as the backbone of a site I run, including using it for user authentication.  This means a lot of people who aren’t invovled in running the site are logging in and could see the dashboard.  Now, it’s not that there’s anything really secret there, but it makes things look a lot less “finished” to have users deposited on a page that has no relevance to them.  This is where the Hide Dashboard plugin from Patrick/DeepWave comes in.  It does a nice job of getting users to their profile page and generally hiding most of the dashboard things that regular users don’t need to see.

I, however, wanted a little more.  I wanted to make sure that regular users who might be, well, “curious” about the inner workings of the site and who have some knowledge of wp-admin URL structure to be unable to get at anything but their profile page.  To this end, I added a little to the code:

  1. // add after line 41, which reads:  if(!current_user_can('level_10')){
  2. if (strpos($_SERVER['REQUEST_URI'],'/wp-admin') !== FALSE
  3.     and strpos($_SERVER['REQUEST_URI'],'/wp-admin/profile.php') !== 0){
  4.         wp_safe_redirect('/wp-admin/profile.php');
  5. }

This should redirect any non-admin user off of any /wp-admin* page to /wp-admin/profile.php. This might, however, cause issues for mid-level users (i.e. authors/editors/etc may not be able to access needed functions) and I haven’t tested it thoroughly and there might be a better way to do this. YMMV.  See also some comment-discussion on these changes at the plugin’s own page: me Patrick me.

]]>
http://2718.us/blog/2008/07/10/hiding-the-wordpress-dashboard/feed/ 4
Child Themes to Upgrade-Proof Your Theme Changes http://2718.us/blog/2008/07/03/child-themes-to-upgrade-proof-your-theme-changes/ http://2718.us/blog/2008/07/03/child-themes-to-upgrade-proof-your-theme-changes/#comments Fri, 04 Jul 2008 04:52:30 +0000 2718.us http://2718.us/blog/?p=47 I’ve had yet another why-didn’t-anyone-tell-me-sooner moment–child themes in WordPress.  From How To Protect Your WordPress Theme Against Upgrades (via Parent Child Themes and How I used a WordPress Child Theme To Redesign My Blog The Smart Way):

Problem: You’ve finally found a theme you like but you want to modify it. The modifications are pretty simple but what happens when you want to upgrade the theme? Do you really want to go through all those files again hunting down the changes? Don’t you wish you could just upgrade and be done with it?

So, basically, install the theme you want, create a new theme directory for you modifications, and in the style.css file, which defines the metainfo for the style, designate the original (unedited) theme as the template.  If need be, use functions.php to make more modifications.  Just note that any template files in your own version’s directory beyond style.css and functions.php will be ignored.

When it comes time to upgrade the theme, you upgrade the “parent” theme and your modifications are unchanged in their own directory.

]]>
http://2718.us/blog/2008/07/03/child-themes-to-upgrade-proof-your-theme-changes/feed/ 0
Another WordPress+bbPress Integration Gotcha http://2718.us/blog/2008/05/01/another-wordpressbbpress-integration-gotcha/ http://2718.us/blog/2008/05/01/another-wordpressbbpress-integration-gotcha/#comments Thu, 01 May 2008 21:37:29 +0000 2718.us http://2718.us/blog/?p=33 Somehow (my best guess is it happened with the database update in the WP2.5.1 upgrade), the database secret, stored as “secret” and visible on /wp-admin/options.php, changed making the logins for bbPress and WordPress clobber each other (both apps using the same cookie, but each app rewriting the cookie with its own contents, rather than recognizing the other app’s contents).  If you’re having trouble with WordPress 2.5.1 + bbPress 0.9.0.2, especially if you’ve already watched the cookies go by and are sure that both apps are using the same cookie, check your secret (in bbPress, it’s in Admin > Settings > WP Integration).

]]>
http://2718.us/blog/2008/05/01/another-wordpressbbpress-integration-gotcha/feed/ 2