
Security Settings

Field - Description:
Administrator Login (Hard-Coded) - Administrator user id and password
Login Name - Login Name for administrator
Password - Password for administrator
Use Existing Table - Link to existing table for login name and password validation
Table - Existing table in database containing login name and password information
Login Name Field - Login Name field in table used for authentication
Password Field - Password field in table used for authentication
Login Options
Login options in the login page:
Auto-login - Auto login until the user logs out explicitly
When you enable the auto-login feature, a few cookies will be placed on the user's computer to identify the user, meaning that the user does not have to type username and password every time he/she visits the site. For this reason, you should advise your users not to use this feature on a public or shared computer, as any other user of the computer will be able to access the account.
Page 1 of 8 Security Settings
13/05/2014 mk:@MSITStore:C:\Archivos%20de%20programa\PHPMaker%2010\PHPMaker.ch...

Remember username - Save the user's username in cookie

Always ask - Do not save username and password, always ask for them in the login page

Advanced Security
The Advanced Security feature allows you to set up User ID, assign User Levels to users and create a complete user registration system. To set up, click the [Advanced] button.
PHPMaker supports two types of security - User ID and User Level. User ID Security secures data at record level. User Level Security secures data at table level. They complement each other and they can work independently or together. Users get their User ID and User Level after login. Before login, a user's identity is unknown and the user is an Anonymous User.

Anonymous User
The permissions for Anonymous users are defined in this form.
Steps to set up Anonymous User permissions:
1. Click on Anonymous User in the left pane.
2. Define the permissions for each table.

User ID
User ID Security secures data at record level. Protected tables must have a User ID field for identifying which user a record belongs to. The User ID field names can be different in tables though. When User ID security is enabled, users can only access their own data.
Steps to set up User ID security for different tables/views:
1. Click on User ID in the left pane.
2. Select the [User ID field] from your user table; this field is usually the primary key of the User Table. (Note: if this field is not set, the feature is disabled.)
3. (Optional) Select the [Parent User ID field] from your user table. The Parent User ID field stores the parent User ID that the user belongs to; the parent user can modify the child user's records. Parent User ID is hierarchical: parent users can access the records owned by the child users of their child users. (Note: if this field is not set, the Parent User feature is disabled.)
4. In the [User ID Field] column, select the User ID Field for the tables/views that require User ID security.
5. (Optional) Enable [Allow View All] if you allow all logged-in users (not including Anonymous User) to list/search/view (but not add/copy/edit/delete) all records in the table.
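The ownership, Parent User ID and Allow View All rules above, as an added example written for this page (not PHPMaker's generated code); the in-memory $parentOf map, the action names and the sample hierarchy are this example's own assumptions, and it also refuses Anonymous Users and guards against cyclic parent data.

```php
<?php
// Added example, not PHPMaker's generated code: a model of the User ID rules
// above. $parentOf maps each User ID to its Parent User ID field value
// (null for a top-level user); the sample hierarchy below is constructed.

// True if $userId owns the record ($userId == $ownerId) or is an ancestor of
// the owner via Parent User ID (parent, parent of parent, and so on).
function ownsOrIsAncestor(array $parentOf, int $userId, int $ownerId): bool
{
    $seen = [];                       // guards against a cycle in parent data
    for ($cur = $ownerId; $cur !== null; $cur = $parentOf[$cur] ?? null) {
        if ($cur === $userId) {
            return true;
        }
        if (isset($seen[$cur])) {
            return false;
        }
        $seen[$cur] = true;
    }
    return false;
}

// Whether $userId may perform $action on a record owned by $ownerId.
// $userId === null means Anonymous User. Allow View All only covers
// list/search/view, never add/copy/edit/delete.
function canAccessRecord(array $parentOf, ?int $userId, int $ownerId,
                         string $action, bool $allowViewAll): bool
{
    if ($userId === null) {
        return false;
    }
    if (ownsOrIsAncestor($parentOf, $userId, $ownerId)) {
        return true;
    }
    return $allowViewAll && in_array($action, ['list', 'search', 'view'], true);
}

// Constructed hierarchy: user 1 is the parent of 2, and 2 is the parent of 3.
$parentOf = [1 => null, 2 => 1, 3 => 2];

$checks = [
    'user 1 edits a record owned by 3 (grandparent)'     => canAccessRecord($parentOf, 1, 3, 'edit', false),
    'user 3 edits a record owned by 1 (child)'           => canAccessRecord($parentOf, 3, 1, 'edit', false),
    'user 3 views a record owned by 1, Allow View All'   => canAccessRecord($parentOf, 3, 1, 'view', true),
    'user 3 deletes a record owned by 1, Allow View All' => canAccessRecord($parentOf, 3, 1, 'delete', true),
    'anonymous views with Allow View All'                => canAccessRecord($parentOf, null, 1, 'view', true),
];
foreach ($checks as $label => $allowed) {
    echo $label, ': ', $allowed ? 'allowed' : 'denied', "\n";
}
```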

User Level
User Level Security secures data at table level. Each user level is granted specific permissions to tables in the database.
There are 2 types of User Level security:
1. Static User Levels - the User Levels and the permissions are defined in this form and the User Levels are not to be changed after script generation.
Steps to set up static User Level security for different tables/views:
1. Click on User Levels in the left pane.
2. Select an integer field in your user table as the [User Level field]. (Note: if this field is not set, the feature is disabled.)
3. Define your user levels: click the icon to add a user level and the icon to delete a user level.
2. Dynamic User Levels - the User Levels and the permissions are defined in 2 tables in the database; the User Levels can still be changed with the generated scripts.
Steps to set up dynamic User Level security for different tables/views:
1. Click on User Levels in the left pane.
2. Select an integer field in your user table as the [User Level field]. (Note: if this field is not set, the feature is disabled.)
3. Switch to the [Dynamic User Levels] tab and check [Enable Dynamic User Levels].
4. Select your User Level Table and User Level Permission Table and the required fields.
The User Level Table and User Level Permission Table must have the following fields. Note the data types: the User Level ID and the Permission fields must be of integer type; the field names can be different though:
If you want PHPMaker to create these 2 tables in your database, click the [Create tables] button; the following form will display for you to change the table/field names if necessary. You can change the table/field names and then click OK to continue.

If you have projects created by previous versions of PHPMaker, you may want to use dynamic User Levels and migrate the previously defined static User Levels in the project to the database. After selecting or creating the User Level and User Level Permission tables/fields, just click the [Migrate] button to let PHPMaker do that for you.
After setting the user levels, PHPMaker will populate the user levels to the User Level field's Edit Tag (also see Field Setup) so administrators can assign user levels using the generated pages.
There are two built-in user levels:
Administrator - Administrator user level is a built-in user level that has all permissions plus the privileges to modify User IDs and User Levels. Its permissions are the same as those of the hard-coded Administrator. The User Level ID of Administrator is -1.
Default - Default user level is a built-in user level with user level = 0. Since the User Level field is an integer field, if you set a default value of 0 for this field, this user level will become the default user level for the user after registration and before the Administrator assigns another higher user level.
Important Notes on User Levels
1. Even if you enable all permissions for a user-defined User Level, the User Level will NOT become the same as the Administrator User Level. User-defined User Levels will not have the permissions to manage users (although parent users have some control over their child users).
2. From v9, the permissions for List/Search/View are separate in newly created projects. However, for backward compatibility, the permissions for List/View/Search in converted projects (created by previous versions) are the same unless you have enabled Separate permissions for List/View/Search in Advanced Settings.
3. You may need to use the hard-coded Administrator Login to log on and assign dynamic user levels to users initially.
4. It is possible to use single login and common Dynamic User Levels for multiple projects provided that ALL projects use the same project name and same Advanced Security tables (i.e. User Table, User Level Table and User Level Permission Table). If all projects use the same database and same Advanced Security tables, then the latter condition is automatically fulfilled. However, if the projects use different databases, you need to use the Database_Connecting server event to change the connection info so the user can get the Dynamic User Levels from the common Advanced Security tables correctly during login. For the projects not using the database with the common Advanced Security tables, you still need to create dummy Advanced Security tables (with same table/field names as the common Advanced Security tables) in the project database so you can set up Advanced Security.

User Login Options

User Login Options allows you to create a complete user registration system for your Web site, with options to let users register, change password and recover password.
Login
Track failed attempts
If enabled, the number of failed login attempts (invalid password) will be tracked. If exceeded, the user will be locked out and the password must be reset.
Maximum failed attempts
The maximum number of failed login attempts
Failed attempts windows (minutes)
The time window, in minutes, during which failed password attempts are tracked.
Disallow concurrent login
If enabled, only one session is allowed for each user (except the hard-coded Administrator). If one user has already logged in, other users trying to login with the same username (and password) will be rejected.
Note: Users are distinguished by Session ID as recognized by the web server. If you login again with your PC in another window of the same browser or in just another tab of your browser, you can still login. If you login again with another browser or another PC, the Session ID will be different and the login will be rejected.
Login status timeout (minutes)
The number of idle minutes after which the login status will be considered as logged out and login will be allowed again.
If a logged-in user does not explicitly logout (for example, closes the browser directly), the user session is not closed and the user's login status will remain as "logged in". Attempts to login again will fail. This timeout setting ensures login will be allowed again after a period of idle time.
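The failed-attempt window, the lockout that only a password reset clears, and the login status timeout described above, as an added example for this page rather than PHPMaker's generated code; the keys used in $profile and the timeline are constructed for illustration.

```php
<?php
// Added example, not PHPMaker's generated code: the time-based rules above
// applied to per-user state of the kind PHPMaker keeps in the Profile field.
// The keys used in $profile are this example's own assumption.

// Record one failed login at $now and report whether the user is locked out.
// Only failures inside the sliding window of the last $windowMinutes count.
function registerFailedAttempt(array &$profile, int $maxAttempts, int $windowMinutes, int $now): bool
{
    $windowStart = $now - $windowMinutes * 60;
    $recent = array_filter($profile['failed_at'] ?? [], fn(int $t) => $t >= $windowStart);
    $recent[] = $now;
    $profile['failed_at'] = array_values($recent);
    if (count($recent) >= $maxAttempts) {
        $profile['locked'] = true;      // stays locked until the password is reset
    }
    return $profile['locked'] ?? false;
}

// A password reset is the only thing that clears the lockout.
function resetPassword(array &$profile): void
{
    $profile['locked'] = false;
    $profile['failed_at'] = [];
}

// Concurrent-login check: a user still counts as logged in only while the
// last activity is more recent than the login status timeout.
function isStillLoggedIn(array $profile, int $timeoutMinutes, int $now): bool
{
    if (empty($profile['logged_in'])) {
        return false;
    }
    return ($now - ($profile['last_activity'] ?? 0)) < $timeoutMinutes * 60;
}

// Constructed timeline: at most 3 failures within a 10-minute window.
// The first two failures fall out of the window before the third one.
$profile = [];
$t0 = 1000000;
foreach ([0, 1, 15, 16, 17] as $minute) {
    $locked = registerFailedAttempt($profile, 3, 10, $t0 + $minute * 60);
    echo "failure at +{$minute} min: ", $locked ? 'locked out' : 'not locked', "\n";
}
resetPassword($profile);

// A session abandoned at $t0 is released once 20 idle minutes have passed.
$profile['logged_in'] = true;
$profile['last_activity'] = $t0;
foreach ([5, 25] as $minute) {
    $busy = isStillLoggedIn($profile, 20, $t0 + $minute * 60);
    echo "re-login at +{$minute} min: ", $busy ? 'rejected' : 'allowed', "\n";
}
```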

CAPTCHA (requires extension)
Optionally requires user to type letters or digits from a distorted image that appears on the screen.
Note: Requires CAPTCHA extension, click Tools -> Extensions from the main menu to enable. Also see Third-party Tools.
Password
MD5 password
Use MD5 password
Notes
1. If you enable MD5 password, make sure that the passwords in your user table are stored as MD5 hash (32-character hexadecimal number) of the clear text password. If you also use case-insensitive password, convert the clear text passwords to lower case first before calculating MD5 hash. Otherwise, existing users will not be able to login. MD5 hash is irreversible, password will be reset during password recovery. Note that the reset password is also in the format of 16-character hexadecimal number, it is NOT the MD5 hash of the old password.
2. PHPMaker will try to detect salted password created by other application. (PHPMaker itself does NOT create salted password.) If salted, the password must be stored in '<hashedstring>:<salt>' format, and the hashed string must be the md5 hash of the concatenated string of the clear text password and the salt. Other salt algorithms are not supported; you can however customize the function ew_EncryptPassword() in the template to suit your application.
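An added example (not the template's ew_EncryptPassword()) that verifies an entered password against the stored forms described in the notes above: plain MD5 hex, MD5 of the lower-cased cleartext for case-insensitive passwords, and the '<hashedstring>:<salt>' form from another application; the function name and sample rows are this example's own.

```php
<?php
// Added example, not PHPMaker's template code: verifies an entered password
// against the stored formats described above. Function name and sample rows
// are this example's own.

function verifyStoredPassword(string $stored, string $entered, bool $caseSensitive): bool
{
    if (!$caseSensitive) {
        $entered = strtolower($entered);   // stored hash was made from lower-cased cleartext
    }
    $hash = $stored;
    $salt = '';
    // Salted form created by another application: '<hashedstring>:<salt>'.
    // Split at the last ':' so a salt cannot contain one, but a hash never does.
    $pos = strrpos($stored, ':');
    if ($pos !== false) {
        $hash = substr($stored, 0, $pos);
        $salt = substr($stored, $pos + 1);
    }
    // Anything that is not a 32-character hex string cannot be an MD5 hash.
    if (!preg_match('/^[0-9a-f]{32}$/i', $hash)) {
        return false;
    }
    // hashedstring = md5(cleartext . salt); the salt is appended as-is.
    // Constant-time comparison avoids leaking how many characters matched.
    return hash_equals(strtolower($hash), md5($entered . $salt));
}

// Constructed rows as they would sit in the user table's password field.
$plain  = md5('secret');                        // MD5 password, case-sensitive
$lower  = md5(strtolower('SeCrEt'));            // case-insensitive: lower-cased before hashing
$salted = md5('secret' . 'abc123') . ':abc123'; // salted form from another application

$checks = [
    'plain, correct case'            => verifyStoredPassword($plain, 'secret', true),
    'plain, wrong case'              => verifyStoredPassword($plain, 'SECRET', true),
    'case-insensitive, upper case'   => verifyStoredPassword($lower, 'SECRET', false),
    'salted, case-sensitive'         => verifyStoredPassword($salted, 'secret', true),
    'salted, case-insensitive'       => verifyStoredPassword($salted, 'Secret', false),
    'not a hash at all'              => verifyStoredPassword('secret', 'secret', true),
];
foreach ($checks as $label => $ok) {
    echo $label, ': ', $ok ? 'accepted' : 'rejected', "\n";
}
```

Plain MD5 without a per-user salt gives little protection if the user table leaks, so keep this format only for compatibility with existing data.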
Case-sensitive password
Use case-sensitive password
Enable password expiry
If enabled, user password will expire after a period of time (except the hard-coded Administrator password)
Password expiry time (days)
For use with Enable password expiry, user password will expire after the specified number of days
User Registration Page
Enabled
Generate user registration page and add a link in login page.
Fields
Select fields (from the user table) to show in the registration page. Click the [...] button to select the fields.
CAPTCHA (requires extension)
Optionally requires user to type letters or digits from a distorted image that appears on the screen.
Note: Requires CAPTCHA extension, click Tools -> Extensions from the main menu to enable. Also see Third-party Tools.
Confirm before submit
Optionally send email confirmation after registration
Send email
Optionally send email confirmation after registration
Requires activation
Optionally requires user to click an activation link in the email sent after registration to activate the user account.
Note: Send email must be enabled for sending the email with activation link.
Auto login after registration/activation
Optionally auto-login the user after registration or activation.
Note: If Requires activation is enabled, the user is not activated yet after registration; auto login will be applied when the user clicks the activation link in the email.
Change Password Page
Enabled
Generate change password page
Send email
Optional email confirmation after changing password
CAPTCHA (requires extension)
Optionally requires user to type letters or digits from a distorted image that appears on the screen.
Note: Requires CAPTCHA extension, click Tools -> Extensions from the main menu to enable. Also see Third-party Tools.
Password Recovery Page
Enabled
Generate password recovery page (forgot password page) and add a link in login page. Username and password will be sent to the user's email address.
CAPTCHA (requires extension)
Optionally requires user to type letters or digits from a distorted image that appears on the screen.
Note: Requires CAPTCHA extension, click Tools -> Extensions from the main menu to enable. Also see Third-party Tools.
User Table Fields
Email address field
Email address field in user table used for sending email
Activated field
Email activated field in user table used for storing the status of user. A boolean field is recommended, although an integer field or a string field will also work.
Notes
1. To enable user account activation, the Requires activation and Send email options under User Registration Page must be checked. The user needs to click an activation link in the email sent after registration to activate the user account.
2. If enabled, make sure the activated field for existing users in your user table is updated with your activation values (e.g. True/False, 1/0, Y/N) or the existing users cannot login because they are not recognized as activated. You can enable the Multi-Update feature for the user table so administrators can activate or deactivate existing users easily.
Profile field
A memo field for persisting all the additional user information. This field is required if the following options are used:
Track failed attempts
Disallow concurrent login
Enable password expiry

Email Template
The email sending function and the email contents can be customized in the template. The following special tags are used in the email templates:
<!--$From--> is sender email address
<!--$To--> is user email address
<!--$Password--> is user password
<!--FieldName--> (without the $ symbol) is the field value.
For example, <!--LastName--> is the field value of the field "LastName".
The email format can be either "TEXT" or "HTML". If you use HTML, change the line "Format: TEXT" to "Format: HTML" and enter HTML content below it.
You can also dynamically change the email by code using the Email_Sending event before the email is sent. (See Server Events and Client Scripts)
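An added example, not the template's own sending function, that applies the "Format:" line and the tag rules above to a constructed template; the function name, the sample template and the field values are this example's assumptions, and it escapes field values in HTML mode so a user-entered field cannot inject markup into the mail.

```php
<?php
// Added example, not PHPMaker's template code: renders an email template of
// the shape described above. The "Format:" line and the special tags come
// from the page; the template text and field values are constructed.

function renderEmailTemplate(string $template, array $special, array $fields): array
{
    // First line selects the format; everything after it is the body.
    [$formatLine, $body] = array_pad(explode("\n", $template, 2), 2, '');
    if (stripos($formatLine, 'Format:') !== 0) {
        throw new InvalidArgumentException('Template must start with a "Format:" line');
    }
    $format = strtoupper(trim(substr($formatLine, strlen('Format:'))));
    if (!in_array($format, ['TEXT', 'HTML'], true)) {
        throw new InvalidArgumentException("Unknown email format: $format");
    }
    // <!--$Name--> tags take values from $special ($From, $To, $Password).
    $body = preg_replace_callback(
        '/<!--\$([A-Za-z0-9_]+)-->/',
        fn(array $m) => (string)($special[$m[1]] ?? ''),
        $body
    );
    // <!--FieldName--> tags (no $) take values from the user table row.
    // Field names are assumed alphanumeric. In HTML mode the values are
    // escaped so user-supplied data cannot inject markup into the mail.
    $body = preg_replace_callback(
        '/<!--([A-Za-z0-9_]+)-->/',
        fn(array $m) => $format === 'HTML'
            ? htmlspecialchars((string)($fields[$m[1]] ?? ''), ENT_QUOTES, 'UTF-8')
            : (string)($fields[$m[1]] ?? ''),
        $body
    );
    return ['format' => $format, 'body' => $body];
}

// Constructed template (single quotes keep the $ tags literal) and data.
$template = "Format: HTML\n"
          . '<p>Dear <!--FirstName--> <!--LastName-->,</p>' . "\n"
          . '<p>Your account <!--$To--> was created by <!--$From-->.</p>';
$mail = renderEmailTemplate(
    $template,
    ['From' => 'admin@example.com', 'To' => 'user@example.com', 'Password' => 'n/a'],
    ['FirstName' => 'Ann', 'LastName' => '<b>Lee</b>']   // markup in a field value
);
echo $mail['format'], "\n", $mail['body'], "\n";
```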

Also See:
Tutorial - User ID Security
Tutorial - Static User Level Security
Tutorial - Dynamic User Level Security
Tutorial - User Registration System

2002-2014 e.World Technology Ltd. All rights reserved.