and other <a href="http://www.drupal.org/">Drupal</a> web sites. See <a href="#da">Distributed
Authentication</a> for more information on this innovative feature. The username
and password are kept in your database, where the password is hashed so that
no one can read nor use it. When a username and password needs to be checked
the system goes down the list of registered users until it finds a matching
username, and then hashes the password that was supplied and compares it to
the listed value. If the hashes match, the username and password are correct.
Once a user authenticated session is started, and until that session is over,
the user won't have to re-authenticate. To keep track of the individual sessions,
Drupal relies on <a href="http://www.php.net/manual/en/ref.session.php">PHP's
session support</a>. A visitor accessing your web site is assigned an unique
ID, the so-called session ID, which is stored in a cookie. For security's sake,
the cookie does not contain personal information but acts as a key to retrieve
the information stored on your server's side. When a visitor accesses your site,
Drupal will check whether a specific session ID has been sent with the request.
If this is the case, the prior saved environment is recreated.</p>
<p>Authenticated users can select entirely different appearances for the site,
utilizing their own preferences for how the pages are structured, how navigation
lists and other page components are presented and much more. <br />
</p>
<h3>User Administration</h3>
<p>Administrators manage user accounts by clicking on the <i>User Management</i> link in
their Admin interface. There, you will find several configuration pages and
reports which help you manage your users. The following pages are available:</p>
<h4>add new user</h4>
<p>If your site blocks is completely private, and doesn't allow registration for
any old web user (see <a href="#settings">Settings</a> for this feature), then
you'll need to add new users manually. This web page allows any administrator
to register a new user.</p>
<h4>access rules<a name="access"></a></h4>
<p>Access rules enable administrators to filter out usernames and e-mail addresses
which are not allowed in Drupal. An administrator creates a 'mask' against which
each new registration is checked. Disallowed names and e-mail addresses are denied
access to the site. Another handy use for this page is to disallow registration
to your site from an untrusted external authentication server. Just add their
server address to the username mask section and you've effectively blocked all
logins from that server.</p>
<p>To do describe access rules you can use the following wild-card characters:</p>
<ul>
<li> % : matches any number of characters, including zero characters.</li>
<li> _ : matches exactly one character.</li>
</ul>
<p><u>Examples:</u></p>
<ul>
<li>E-mail address bans <code>%@hotmail.com</code>, <code>%@altavista.%</code>, <code>%@usa.net</code>, etc. Used to prevent users from using free e-mail accounts, which might be used to cause trouble.</li>
<li>Username bans <code>root</code>, <code>webmaster</code>, <code>admin%</code>, etc. Used to prevent administrator impersonators.</li>
</ul>
<p>If no access rules are provided, access control is turned off and everybody will be able to access your website. The 'allow' rules are processed prior to the 'deny' rules and are thus considered to be stronger.</p>
<h4>user accounts</h4>
<p>This page is quite powerful. It allows an administrator to review any user's
profile. In addition, administrators may block any user, or assign him a <a href="#roles">role</a>,
using this page.</p>
<h4>user roles<a name="roles"></a></h4>
<p>Roles allow you to fine tune the security and administration of drupal. A role
defines a group of users which have certain privileges. Examples of roles
<I>administrator</I> and so on. By default, Drupal comes with two commonly used
roles:
<UL>
<LI>Anonymous user: this role is used for users that don't have a user account
or that are not authenticated.
<LI>Registered user: this role is assigned automatically to authenticated users.
Most users will belong to this user role unless specified otherwise.</LI>
</UL></p>
<p>These common roles will suffice for most sites. However, for a more complex site where you need to give several users different access privileges, you will
need to add a new role by clicking the "add new role" link. Then define what privileges that role will have by clicking the "permission overview" link and checking the appropriate boxes to give that role the permissions you desire.
<p>To attach a specific user to a role, use the "account" section of the drupal Administration. </p>
<p>Note: If you intend for a user to access certain sections of the administration
pages, they must have "access administration page" privileges. </p>
if (variable_get("account_register", 1)) $output .= " <a href=\"module.php?mod=user\" title=\"". t("Create a new user account.") ."\">". t("REGISTER") ."</a>\n";
$links[] = "<a href=\"module.php?mod=user\" title=\"". t("Create a user account, request a new password or edit your account settings.") ."\">". t("user account") ."</a>";
$output .= form_textfield(t("Username"), "name", $edit["name"], 20, 64, sprintf(t("Enter your %s username, or an ID from one of our affiliates: %s."), variable_get("site_name", "local"), implode(", ", user_auth_help_links())));
$output .= form_password(t("Password"), "pass", $pass, 20, 64, t("Enter the password that accompanies your username."));
$output .= form_submit(t("Log in"));
return form($output);
}
function user_logout() {
global $user;
if ($user->uid) {
watchdog("user", "session closed for user '$user->name'");
/*
** Destroy the current session:
*/
session_destroy();
unset($user);
}
/*
** Redirect the user to his personal information page:
*/
drupal_goto("index.php");
}
function user_pass($edit = array()) {
if ($edit["name"] && $edit["mail"]) {
if ($account = db_fetch_object(db_query("SELECT uid FROM users WHERE name = '". check_input($edit["name"]) ."' AND mail = '". check_input($edit["mail"]) ."'"))) {
user_mail($edit["mail"], t("user account details"), sprintf(t("%s,\n\nyou requested us to e-mail you a new password for your account at %s. You can now login using the following username and password:\n\n username: %s\n password: %s\n\n\n-- %s team"), $edit["name"], variable_get("site_name", "drupal"), $edit["name"], $pass, variable_get("site_name", "drupal")), "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from");
user_mail($edit["mail"], t("user account details"), sprintf(t("%s,\n\nsomoneone signed up for a user account on %s and supplied this e-mail address as their contact. If it wasn't you, just ignore this mail but if it was you, you can now login using the following username and password:\n\n username: %s\n password: %s\n\n\n-- %s team"), $edit["name"], variable_get("site_name", "drupal"), $edit["name"], $pass, variable_get("site_name", "drupal")), "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from");
}
else {
/*
** Create new user account, administrator approval required:
user_mail($edit["mail"], t("user account details"), sprintf(t("%s,\n\nsomoneone signed up for a user account on %s and supplied this e-mail address as their contact. If it wasn't you, just ignore this mail but if it was you, you can login as soon a site administrator approved your request using the following username and password:\n\n username: %s\n password: %s\n\n\n-- %s team"), $edit["name"], variable_get("site_name", "drupal"), $edit["name"], $pass, variable_get("site_name", "drupal")), "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from");
}
return t("Your password and further instructions have been sent to your e-mail address.");
$output .= form_textfield(t("Username"), "name", $edit["name"], 30, 64, t("Your full name or your prefered username: only letters, numbers and spaces are allowed."));
$output .= form_textfield(t("E-mail address"), "mail", $edit["mail"], 30, 64, t("Your e-mail address: a password and instructions will be sent to this e-mail address so make sure it is accurate."));
$output .= form_textfield(t("Username"), "name", $user->name, 30, 55, t("Your full name or your prefered username: only letters, numbers and spaces are allowed."));
$output .= form_textfield(t("E-mail address"), "mail", $user->mail, 30, 55, t("Insert a valid e-mail address. All e-mails from the system will be sent to this address. The e-mail address is not made public and will only be used if you wish to receive a new password or wish to receive certain news or notifications by e-mail."));
$result = user_get_authmaps($user);
foreach (module_list() as $module) {
if ($module != "drupal" && module_hook($module, "auth")) {
$output .= form_textfield(module_invoke($module, "info", "name") . " ID", "authname_" . $module, $result[$module], 30, 55, sprintf(t("You may login to %s using a valid %s."), variable_get("site_name", "this web site"), "<a href=\"module.php?mod=user&op=help#$module\">". module_invoke($module, "info", "name") ." ID</a>", ""));
$output .= form_textfield(t("Homepage"), "homepage", $user->homepage, 30, 55, t("Optional") .". ". t("Make sure you enter a fully qualified URL: remember to include \"http://\"."));
$output .= form_item(t("Theme"), "<select name=\"edit[theme]\">$options</select>", t("Selecting a different theme will change the look and feel of the site."));
$output .= form_select(t("Timezone"), "timezone", $user->timezone, $zones, t("Select what time you currently have and your timezone settings will be set appropriate."));
$output .= form_select(t("Language"), "language", $user->language, $languages, t("Selecting a different language will change the language of the site."));
$output .= form_textarea(t("Signature"), "signature", $user->signature, 70, 3, t("Your signature will be publicly displayed at the end of your comments.") ."<br />". t("Allowed HTML tags") .": ". htmlspecialchars(variable_get("allowed_html", "")));
$output .= form_item(t("Password"), "<input type=\"password\" name=\"edit[pass1]\" size=\"12\" maxlength=\"24\"> <input type=\"password\" name=\"edit[pass2]\" size=\"12\" maxlength=\"24\">", t("Enter your new password twice if you want to change your current password or leave it blank if you are happy with your current password."));
$output .= form_submit(t("Save user information"));
$output = form($output);
}
return $output;
}
function user_menu() {
$links[] = "<a href=\"module.php?mod=user&op=view\">". t("view user information") ."</a>";
$links[] = "<a href=\"module.php?mod=user&op=edit\">". t("edit user information") ."</a>";
/*** Administrative features ***********************************************/
function user_conf_options() {
$output .= form_select("Public registrations", "user_register", variable_get("user_register", 1), array("Only site administrators can create new user accounts.", "Visitors can create accounts and no administrator approval is required.", "Visitors can create accounts but administrator approval is required."));
$output .= form_textfield("Password words", "user_password", variable_get("user_password", "foo,bar,guy,neo,tux,moo,sun,asm,dot,god,axe,geek,nerd,fish,hack,star,mice,warp,moon,hero,cola,girl,fish,java,perl,boss,dark,sith,jedi,drop,mojo"), 55, 256, "A comma separated list of short words that can be concatenated to generate human-readable passwords.");
return $output;
}
function user_admin_settings($edit = array()) {
global $op;
if ($op == "Save configuration") {
/*
** Save the configuration options:
*/
foreach ($edit as $name => $value) variable_set($name, $value);
}
if ($op == "Reset to defaults") {
/*
** Reset the configuration options to their default value:
*/
foreach ($edit as $name=>$value) variable_del($name);
}
$output .= user_conf_options();
$output .= form_submit("Save configuration");
$output .= form_submit("Reset to defaults");
return form($output);
}
function user_admin_create($edit = array()) {
if ($edit["name"] || $edit["mail"]) {
if ($error = user_validate_name($edit["name"])) {
// do nothing
}
else if ($error = user_validate_mail($edit["mail"])) {
// do nothing
}
else if (db_num_rows(db_query("SELECT name FROM users WHERE LOWER(name) = LOWER('". $edit["name"] ."')")) > 0) {
$error = sprintf(t("The name '%s' is already taken."), $edit["name"]);
}
else if (db_num_rows(db_query("SELECT mail FROM users WHERE LOWER(mail) = LOWER('". $edit["mail"] ."')")) > 0) {
$error = sprintf(t("The e-mail address '%s' is already taken."), $edit["mail"]);
}
else {
$success = 1;
}
}
if ($success) {
watchdog("user", "new user: '". $edit["name"] ."' <". $edit["mail"] .">");
db_query("UPDATE role SET name = '". $edit["name"] ."' WHERE rid = '$id'");
}
else if ($op == "Delete role") {
db_query("DELETE FROM role WHERE rid = '$id'");
}
else if ($op == "Add role") {
db_query("INSERT INTO role (name) VALUES ('". $edit["name"] ."')");
}
else if ($id) {
/*
** Display role form:
*/
$role = db_fetch_object(db_query("SELECT * FROM role WHERE rid = '$id'"));
$output .= form_textfield("Role name", "name", $role->name, 32, 64, "The name for this role. Example: 'moderator', 'editorial board', 'site architect'.");
$output .= form_submit("Save role");
$output .= form_submit("Delete role");
$output = form($output);
}
if (!$output) {
/*
** Render role overview:
*/
$result = db_query("SELECT * FROM role ORDER BY name");
$queries = array(array("ORDER BY timestamp DESC", "active users"), array("ORDER BY uid DESC", "new users"), array("WHERE status = 0 ORDER BY uid DESC", "blocked users"), array("WHERE role != 'authenticated user' ORDER BY uid DESC", "non-regular users"));
