user registration without username

Monday 28 April 2008 1:19:02 pm - 3 replies

Piotrek Karaś

Tuesday 29 April 2008 7:23:53 am

Hi Jacek,

1) The fact that you modify the presentation layer of the application will not always have any effect on the way the application logic works. In fact, it should not, otherwise it's a security bug.

2) What you have done caused eZ Publish to skip the login attribute and accept the attribute, and this is a bug, especially when it comes to the user datatype. It's the problem of "weak attribute validation"; I've already submitted it as a bug. Meanwhile, the reason this particular attribute behaved the way it did was:

    function validateObjectAttributeHTTPInput( $http, $base, $contentObjectAttribute )
    {
        if ( $http->hasPostVariable( $base . "_data_user_login_" . $contentObjectAttribute->attribute( "id" ) ) )
        { (...) }
        return eZInputValidator::STATE_ACCEPTED;
    }

As you can see, it only validates the login part of user datatype, otherwise accepting it.

3) To answer your question - I'm not sure if it is possible to skip this part. I mean this may be possible if you modify the user account datatype or write your own, but the value might be used internally somewhere, so I would carefully test it first.

--
Company: mediaSELF Sp. z o.o., http://www.mediaself.pl
eZ references: http://ez.no/partners/worldwide_partners/mediaself
eZ certified developer: http://ez.no/certification/verify/272585
eZ blog: http://ez.ryba.eu
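
The validation pattern described in the post above, next to a stricter variant, as an added example that is not part of the original thread or of eZ Publish's code. The function names, the state constants and the POST field names are constructed stand-ins.

```php
<?php
// Added illustration. Only the names STATE_ACCEPTED / STATE_INVALID mirror
// eZInputValidator; everything else here is a hypothetical stand-in.
const STATE_ACCEPTED = 'accepted';
const STATE_INVALID  = 'invalid';

// Pattern from the post: rules run only when the field was submitted.
function validateWeak(array $post, string $field): string
{
    if (array_key_exists($field, $post)) {
        if (!is_string($post[$field]) || trim($post[$field]) === '') {
            return STATE_INVALID;
        }
    }
    return STATE_ACCEPTED; // field missing from the request: accepted unchecked
}

// Stricter form: a required field that is absent fails, whatever the template rendered.
function validateStrict(array $post, string $field, bool $required = true): string
{
    if (!array_key_exists($field, $post)) {
        return $required ? STATE_INVALID : STATE_ACCEPTED;
    }
    $value = $post[$field];
    if (!is_string($value) || trim($value) === '') {
        return STATE_INVALID; // arrays (field[]=x) and blank values are rejected
    }
    return STATE_ACCEPTED;
}

// Constructed request bodies; the field name imitates "<base>_data_user_login_<id>".
$field = 'ContentObjectAttribute_data_user_login_123';
$requests = [
    'login submitted'      => [$field => 'jacek'],
    'login blank'          => [$field => '   '],
    'input removed by tpl' => ['ContentObjectAttribute_data_user_email_123' => 'j@example.com'],
];

foreach ($requests as $label => $post) {
    printf(
        "%-22s weak=%-8s strict=%s\n",
        $label,
        validateWeak($post, $field),
        validateStrict($post, $field)
    );
}
```

Only the third request separates the two functions: the weak check accepts it because the login input never reached the server, while the strict check rejects it.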

Bruce Morrison

Tuesday 29 April 2008 4:00:13 pm

Hi Jacek

I'd think the easiest way to get around this issue is to override the ezuser.tpl edit template so that the username input is hidden. Set the value of the input to a random unique username; you might need a custom template operator for this. Also you'll want to modify all the ezuser templates as well as any others that reference the username (activation emails etc).

All a bit smoke n' mirrors but it should do the job.

cheers
Bruce

My Blog: http://www.stuffandcontent.com/
Follow me on twitter: http://twitter.com/brucemorrison
Consolidated eZ Publish Feed : http://friendfeed.com/rooms/ez-publish

Jacek S

Tuesday 06 May 2008 11:53:51 am

Thank you both for the help.
I resolved this problem in a slightly different way - my code just filters the user's email with a regexp (removing all non-alphanumeric signs) and puts it in the username.
