How to add forced login
Pekka
3rd of October 2006 (Tue), 20:37
Forced login means logging someone into EE transparently without need to enter username and pass. This should be used for special cases only.
EXAMPLE:
I have a gallery http://photography-on-the.net/gallery/list.php?exhibition=13 which is linked from http://www.yle.fi/rso/ (link on the right: "PEKKA SAARISEN KUVA-ALBUMI"). Because those visitors come from the orchestra site, they should not see my other exhibitions like heavy metal stuff.
So, I create a user (he gets user id 1) who can only see the RSO gallery. Then I add to SETUP_settings.php under line
$ee_passes[] = array("id" => "off", "user_id" => "0", "redirect_exhibition" => "");
a new line
$ee_passes[] = array("id" => "rso", "user_id" => "1", "redirect_exhibition" => "13");
Now, anyone who enters URL
http://photography-on-the.net/gallery/index.php?id=rso
Gets into my EE, and EE logs the visitor in as "RSO User" and redirects him to list page. If I had used line
$ee_passes[] = array("id" => "rso", "user_id" => "1", "redirect_exhibition" => "");
The visitor would have remained on index page.
Note the syntax:
$ee_passes[] = array("id" => "rso", "user_id" => "1", "redirect_exhibition" => "13");
"id" => "xxxxxxxxx" tells ee a pass parameter which logs the visitor in as
"user_id" => "999999", and then if exhibition is available
"redirect_exhibition" => "12345678"
redirects him there.
IMPORTANT TO UNDERSTAND: this feature really logs people in as they'd enter username and pass (in this case: username: rso, pass: rules).
Darter
10th of October 2006 (Tue), 11:23
Pekka, at the end of your post you mention that the password is "rules". Where in the code does this go?
Also, what are the requirements for username and password lengths (if any)?
Is it possible to redirect users to a group?
Darter
10th of October 2006 (Tue), 11:37
Well I answered my third question, and possibly my first.
To redirect to a group, I just limited the user to only view certain groups. These then were the only groups visible after the forced login.
The password doesn't seem to be needed, as it works without entering one.
Pekka
10th of October 2006 (Tue), 12:06
Pekka, at the end of your post you mention that the password is "rules". Where in the code does this go?
Password "rules" is what I had defined for user "rso". So if you log in with rso/user you see the same galleries as with forced login id=rso.
Forced logins do not give out any info on login names and login passwords.
Also, what are the requirements for username and password lengths (if any)?
Theoretically there is no limit. User editor limits:
Username: 255 chars
Password: 255 chars
Forced login id can be any URL compliant string. Safest is to avoid spaces and special characters, and use underscore as space. So
Bad ids:
Johnny/2
+secret?
guess who
'lost'
Good ids:
Johnny2
secret_____
guess_who
4815162342
Is it possible to redirect users to a group?
EE has exhibition level permissions. Logged-in users see all groups which contain allowed exhibitions.
Pekka
10th of October 2006 (Tue), 12:09
Well I answered my third question, and possibly my first.
To redirect to a group, I just limited the user to only view certain groups. These then were the only groups visible after the forced login.
When thinking about permissions think exhibitions, not groups.
The password doesn't seem to be needed, as it works without entering one.
See above.
seanspeng
10th of October 2006 (Tue), 12:30
Pekka,
I followed the instructions above, and when I go to the link http://www.dancewithlight.com/gallery/index.php?id=mypassparameter
It says "All Unique Photos, Search: nothing found". I checked, and this particular user is allowed to a private gallery #17. But for some reason it does not show. Could you please let me know what I could have missed?
Thank you!
Pekka
10th of October 2006 (Tue), 13:16
Check that the user login works (with username / pass) and you see what you expect to see. Is the gallery 17 added into structure? Giving user permissions to view it is not enough, it has to be part of a visible group (or index group).
seanspeng
10th of October 2006 (Tue), 23:41
Thanks Pekka, I did not put the "Client" group that this Private Exhibition belongs to into the Index Group. Now it works.
wkitty42
19th of October 2006 (Thu), 22:10
Forced login means logging someone into EE transparently without need to enter username and pass. This should be used for special cases only.
does this mean that we cannot put the username and password directly into a link somewhere? i have a few exhibits that i want to be accessed only by a particular "user", not that it is very important...
basically, i have given a few folk their own gallery by creating a private exhibition group in EEv1.5... they'd send me their photos and comments and i'd place them in their private gallery... then they'd list the link somewhere with their "password"... those that clicked saw only those exhibits that "belonged" to that user...
would this be one of those "special cases" you mention?
i know that all this is changing with v2 and i'm just trying to get a clear handle on it as well as hopefully clarifying things for others... it would be nice if this could be done without having to edit the php source files because it is possible that a security fix or upgrade would replace the edited file(s) and then those edits would be lost...
i've gone ahead and implemented this and it looks to be very similar to the old way used in EEv1.5... however, what i did was to place the forced logins in a separate php file and include_once that file in the same place you indicate in your original message... like this...
$ee_passes = array(); // leave this row even if you do not use passes
$ee_passes[] = array("id" => "off", "user_id" => "0", "redirect_exhibition" => "");
include_once ("forced_logins.php");
and then i used the following for forced_logins.php which is stored in the basecode directory with SETUP_settings.php...
<?php
// *****************************************
// * forced login syntax *
//
//$ee_passes[] = array("id" => "xxxxxxxxx", "user_id" => "999999", "redirect_exhibition" => "12345678");
//
//"id" => "xxxxxxxxx" is the username
//"user_id" => "999999", is the user id
//"redirect_exhibition" => "12345678" is the exhibit to redirect to
//"redirect_exhibition" => "" leaves the user on the index page
//
//use one line per forced login user
$ee_passes[] = array("id" => "user1", "user_id" => "1", "redirect_exhibition" => "");
$ee_passes[] = array("id" => "user2", "user_id" => "2", "redirect_exhibition" => "5");
?>
i also note that in your original message and in the SETUP_settings.php file, you say "id=password" when really it is the user's login name as created in the user editor ;) (ie: login_name=user1, user_info_name="user1 viewer", login_password=foo where login_name is used with id= instead of login_password as indicated by instructions)
what happens if you get the username and the id incorrect? (ie: user1, id=2 based on my examples above)
how would you direct them to a specific exhibition group? is this where leaving them at the index and having those groups listed comes in? that is how i'm seeing it apparently working... and it is a plus over EEv1.5 because you couldn't limit visible groups... only visible exhibits and if a group contained all hidden exhibits, it wasn't visible at all... only the exhibits...
lastly, is there something that i should put in the top of my forced_logins.php file to prevent the kiddies from overriding any of the internal variables?
Pekka
21st of October 2006 (Sat), 08:28
does this mean that we cannot put the username and password directly into a link somewhere? i have a few exhibits that i want to be accessed only by a particular "user", not that it is very important...
basically, i have given a few folk their own gallery by creating a private exhibition group in EEv1.5... they'd send me their photos and comments and i'd place them in their private gallery... then they'd list the link somewhere with their "password"... those that clicked saw only those exhibits that "belonged" to that user...
would this be one of those "special cases" you mention?
Yes, that could be one.
i know that all this is changing with v2 and i'm just trying to get a clear handle on it as well as hopefully clarifying things for others... it would be nice if this could be done without having to edit the php source files because it is possible that a security fix or upgrade would replace the edited file(s) and then those edits would be lost...
i've gone ahead and implemented this and it looks to be very similar to the old way used in EEv1.5... however, what i did was to place the forced logins in a separate php file and include_once that file in the same place you indicate in your original message... like this...
$ee_passes = array(); // leave this row even if you do not use passes
$ee_passes[] = array("id" => "off", "user_id" => "0", "redirect_exhibition" => "");
include_once ("forced_logins.php");
and then i used the following for forced_logins.php which is stored in the basecode directory with SETUP_settings.php...
<?php
// *****************************************
// * forced login syntax *
//
//$ee_passes[] = array("id" => "xxxxxxxxx", "user_id" => "999999", "redirect_exhibition" => "12345678");
//
//"id" => "xxxxxxxxx" is the username
//"user_id" => "999999", is the user id
//"redirect_exhibition" => "12345678" is the exhibit to redirect to
//"redirect_exhibition" => "" leaves the user on the index page
//
//use one line per forced login user
$ee_passes[] = array("id" => "user1", "user_id" => "1", "redirect_exhibition" => "");
$ee_passes[] = array("id" => "user2", "user_id" => "2", "redirect_exhibition" => "5");
?>
This is fine.
i also note that in your original message and in the SETUP_settings.php file, you say "id=password" when really it is the user's login name as created in the user editor ;) (ie: login_name=user1, user_info_name="user1 viewer", login_password=foo where login_name is used with id= instead of login_password as indicated by instructions)
No, it is not login name. I'm misleading there. It is an arbitrary pass phrase, totally separate of user's username, login name or pass.
what happens if you get the username and the id incorrect? (ie: user1, id=2 based on my examples above)
User row can not be incorrect, as it is an arbitrary pass phrase. As long as it's URL compliant it is ok. The important thing is id row, which is the actual user the forced login redirects to.
how would you direct them to a specific exhibition group? is this where leaving them at the index and having those groups listed comes in? that is how i'm seeing it apparently working... and it is a plus over EEv1.5 because you couldn't limit visible groups... only visible exhibits and if a group contained all hidden exhibits, it wasn't visible at all... only the exhibits...
Currently you can redirect to exhibition, not group. I'll add this to wishlist.
lastly, is there something that i should put in the top of my forced_logins.php file to prevent the kiddies from overriding any of the internal variables?
Add $ee_passes = array(); in front of array rows. If anyone can inject ee_passes array (e.g. with register globals off) that would erase it. There is really no way to inject there, though, so this is only for some unknown hack methods.
wkitty42
21st of October 2006 (Sat), 15:32
No, it is not login name. I'm misleading there. It is an arbitrary pass phrase, totally separate of user's username, login name or pass.
oh? oh!! you are saying that this pass is not linked to the userrecord... only the user number! oh!! i get it now... now the next step is to remember it
what happens if you get the username and the id incorrect? (ie: user1, id=2 based on my examples above)
User row can not be incorrect, as it is an arbitrary pass phrase. As long as it's URL compliant it is ok. The important thing is id row, which is the actual user the forced login redirects to.
yes, this makes sense, now... a lot more than when i (and likely most others) were thinking that it was tied into the actual userrecord by more than just the user id/row number...
Currently you can redirect to exhibition, not group. I'll add this to wishlist.
excellent! as i wrote, the only way to redirect to a group or index of groups is to have them all listed on the "master" INDEX page... of course, as has already been pointed out, validation on who sees what is done at the user level...
Add $ee_passes = array(); in front of array rows. If anyone can inject ee_passes array (e.g. with register globals off) that would erase it. There is really no way to inject there, though, so this is only for some unknown hack methods.
right... i thought i'd do that and then it hit me that my stuff is after the default ee_passes setup... the above is already in place and if i do it again, wouldn't it wipe the others already set?
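Added example, not part of the thread or of EE's own code: a PHP lint for the $ee_passes table that applies the URL-compliant id rule from Pekka's "bad ids / good ids" post and flags the case raised in the last post, where a second $ee_passes = array(); in an included file replaces the rows set before it. The function names, the numeric-id checks and the expectation that the default "off" row is present are assumptions made for the example.

```php
<?php
// Hypothetical lint for the forced-login table; run it after SETUP_settings.php
// and any include such as forced_logins.php have filled $ee_passes.

/** True when the id survives URL encoding unchanged (letters, digits, - _ . ~). */
function ee_pass_id_is_url_safe(string $id): bool
{
    return $id !== '' && rawurlencode($id) === $id;
}

/** Returns a list of problems found in $ee_passes (empty list = clean). */
function ee_lint_passes(array $ee_passes): array
{
    $problems = [];
    $seen = [];
    foreach ($ee_passes as $i => $row) {
        $id = (string)($row['id'] ?? '');
        if (!ee_pass_id_is_url_safe($id)) {
            $problems[] = "row $i: id '$id' is not URL compliant";
        }
        if (isset($seen[$id])) {
            $problems[] = "row $i: id '$id' duplicates row {$seen[$id]}";
        }
        $seen[$id] = $i;
        // Assumption: user and exhibition ids are numeric, as in the thread's rows.
        if (!ctype_digit((string)($row['user_id'] ?? ''))) {
            $problems[] = "row $i: user_id is not a numeric user id";
        }
        $redirect = (string)($row['redirect_exhibition'] ?? '');
        if ($redirect !== '' && !ctype_digit($redirect)) {
            $problems[] = "row $i: redirect_exhibition is neither empty nor numeric";
        }
    }
    // Assumption: the default "off" row should still be there; it vanishes when
    // an included file runs $ee_passes = array(); a second time.
    if (!isset($seen['off'])) {
        $problems[] = 'default "off" row missing (was the array re-initialised?)';
    }
    return $problems;
}

// Constructed sample: rows from the thread plus the "bad ids" listed in it.
$ee_passes = array();
$ee_passes[] = array("id" => "off", "user_id" => "0", "redirect_exhibition" => "");
$ee_passes[] = array("id" => "rso", "user_id" => "1", "redirect_exhibition" => "13");
foreach (array("Johnny/2", "+secret?", "guess who", "'lost'") as $bad) {
    $ee_passes[] = array("id" => $bad, "user_id" => "2", "redirect_exhibition" => "");
}
print implode("\n", ee_lint_passes($ee_passes)) . "\n";
```

Because anyone who opens a link carrying a valid id is logged in as the mapped user, a clean lint result says nothing about how guessable an id is; that still has to be judged per row.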