
User_CustomValidate()

Posted: Fri Mar 23, 2012 12:03 am
by Kam

Currently User_CustomValidate() can let you pass user validation; however, it will also skip the most important part: LOAD PERMISSION SETTING. Without loading permissions, what can you do with the system? How useful is User_CustomValidate()?
Please consider this comment, thanks.


Re: User_CustomValidate()

Posted: Fri Mar 23, 2012 8:02 am
by Webmaster

Read Server Events and Client Scripts in the help file:

If you use Advanced Security, you still need the user information such as User ID and User Level. The user table is still required to store user information, although the password field is unnecessary. And you need to return FALSE to continue with default validation.


Re: User_CustomValidate()

Posted: Fri Mar 23, 2012 10:11 am
by Kam

Thanks for the quick reply.

Yes, I am using Advanced Security, and enabled Dynamic User Levels.

I read Server Events and Client Scripts in the help file; it showed to return TRUE to skip default validation, and FALSE to continue with default validation.
Then I dug into the generated file, phpfn8.php, and found that in cAdvancedSecurity->ValidateUser() almost all the code is skipped if "Call User Custom Validate event" returns TRUE.
That code aims to:

  1. Load user profile
  2. Set up retry count from manual login
  3. Check concurrent user login
  4. Call User Validated event

Once User_CustomValidate() returns TRUE, all of it is skipped.
And because it is hard-coded in cAdvancedSecurity->ValidateUser(), I have no way to call it internally when User_CustomValidate() returns TRUE. The only way for me to do this is to copy the code from the generated file into User_CustomValidate().


Re: User_CustomValidate()

Posted: Fri Mar 23, 2012 10:24 am
by Webmaster

If the user passes your own validation and you need to use Advanced Security, don't return TRUE, try:

    if (...your validation...) {
        $this->setCurrentUserName($usr); // Set the current user name
        $_SESSION[EW_SESSION_STATUS] = "login"; // Login the user
    }
    return FALSE; // Continue with default validation after event exits


Re: User_CustomValidate()

Posted: Fri Mar 23, 2012 10:36 am
by Kam

I just tried; however, it showed me "Incorrect user ID or password".

I do believe this is caused by ew_ComparePassword() returning FALSE, because the password I submitted does not match the user's one in the database.


Re: User_CustomValidate()

Posted: Fri Mar 23, 2012 6:49 pm
by Webmaster

If you use custom validation, the password in the user table is not used and is supposed to be empty; if that is the case, you can set $pwd = "". If you do have a second password in the user table, the user does need to pass the checking to get through Advanced Security. If the password is not md5 encrypted, you can set $pwd = ew_ExecuteScalar("SELECT YourPasswordField FROM YourUserTable WHERE `YourUserNameField` = '" . ew_AdjustSql($usr) . "';"). If the password is md5 encrypted, you'll need to have some method to provide the decrypted password so the user can get through. We'll see how we can make this easier in future versions.


Re: User_CustomValidate()

Posted: Mon Apr 30, 2012 5:58 pm
by Webmaster

Addressed in v9, see Server Events and Client Scripts in help file.


Re: User_CustomValidate()

Posted: Wed Oct 23, 2013 5:44 pm
by PeterS

In both v9 and v10, both Code Repository and Help state that (after successfully authorizing the user)

    function User_CustomValidate(&$usr, &$pwd) {
        ....
        if ($ldapconn && ldap_bind($ldapconn, $usr, $pwd)) {
            $this->setCurrentUserName($usr); // Set the current user name
            return TRUE;
        }
    }

I've come to a situation where I've used different variables for the ldap_bind() call instead of $usr, like:

    $usr_domain = $usr . "@domain.addr.net";
    ldap_bind($ldapconn, $usr_domain, $pwd);
    $this->setCurrentUserName($usr_domain); // Set the current user name

and was finally surprised that the current user name was missing "@domain.addr.net".
While digging in the code of class cAdvancedSecurity, it turned out that in function ValidateUser(&$usr, ...), after return from User_CustomValidate(&$usr, ...), the current user name is immediately overwritten once again with

    $this->setCurrentUserName($usr); // Load user name

and my modified user name was lost.
Regardless of whether my code was correct or useful, I think that the

    $this->setCurrentUserName($usr); // Set the current user name

call (just after a successful ldap_bind()) should be omitted from the example and documentation, and it should be stated instead that the contents of &$usr will be used afterwards to set the authenticated username, shouldn't it?


Re: User_CustomValidate()

Posted: Thu Oct 24, 2013 9:11 am
by Webmaster

It totally depends on your case. If you need to change the user name during validation, you should use, e.g.

    $usr .= "@domain.addr.net";
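

The by-reference behaviour discussed in the last two posts, as an added example that is not part of any post and is not PHPMaker's generated code: a simplified stand-in for ValidateUser() that reapplies $usr after the event returns TRUE, as PeterS describes. DemoSecurity, validateUser(), fakeLdapBind() and the sample credentials are assumptions made up for the demonstration.

```php
<?php
// Simplified stand-in for the flow described in the thread; NOT PHPMaker's generated code.
// DemoSecurity, validateUser() and fakeLdapBind() are hypothetical names (needs PHP 7.4+).

function fakeLdapBind(string $bindName, string $pwd): bool {
    // Constructed directory: only the full user@domain form binds.
    return $bindName === 'alice@domain.addr.net' && $pwd === 'correct-horse';
}

class DemoSecurity {
    private string $currentUserName = '';

    public function setCurrentUserName(string $v): void { $this->currentUserName = $v; }
    public function currentUserName(): string { return $this->currentUserName; }

    // Models the behaviour PeterS reports: after the event returns TRUE,
    // the caller sets the current user name from $usr once again.
    public function validateUser(string &$usr, string &$pwd, callable $customValidate): bool {
        if ($customValidate($this, $usr, $pwd)) {
            $this->setCurrentUserName($usr); // overwrites whatever the event set
            return true;
        }
        return false; // default validation would continue here (omitted)
    }
}

// Variant A: bind with a local copy; $usr itself is left unchanged.
$localCopy = function (DemoSecurity $sec, string &$usr, string &$pwd): bool {
    $usrDomain = $usr . '@domain.addr.net';
    if (!fakeLdapBind($usrDomain, $pwd)) { return false; }
    $sec->setCurrentUserName($usrDomain); // lost when the caller reapplies $usr
    return true;
};

// Variant B: change the by-reference argument, as the Webmaster suggests.
$byReference = function (DemoSecurity $sec, string &$usr, string &$pwd): bool {
    $usr .= '@domain.addr.net';
    return fakeLdapBind($usr, $pwd);
};

foreach (['local copy' => $localCopy, 'by reference' => $byReference] as $label => $event) {
    $sec = new DemoSecurity();
    $usr = 'alice';          // constructed sample login name
    $pwd = 'correct-horse';  // constructed sample password
    $ok = $sec->validateUser($usr, $pwd, $event);
    printf("%-12s ok=%s session user=%s\n", $label, var_export($ok, true), $sec->currentUserName());
}
```

Both variants authenticate, but only the by-reference variant leaves the session running under the same name that was bound against the directory; with the local copy the session user falls back to the name as typed.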