Problem / Motivation:
I really don't want admins/superadmins to be able to use the functionality of this module.
Since permissions are additive, a user who has both a role that is granted the permission "login via url" and a role without that permission will have access and will be able to log in using urllogin.
So let's say a user has the superadmin role, which doesn't have the permission.
The same user also has a regular-user role, which does have the permission.
Now this superadmin can log in using urllogin.
Solution:
- Create an extra setting where you can exclude roles.
- Do an extra check to see if the user that is trying to log in has any of the excluded roles.
Comments
Comment #1
daluxz commented
Patch attached.
Comment #2
daluxz commented
I found out that the patch wasn't working as expected.
Added an array_filter() to filter out the roles that are not selected, otherwise all roles are handled as if they were excluded.
Attached a new patch.
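The check proposed in the issue summary, together with the array_filter() step from comment #2, as an added example that is not the attached patch or the module's own code. The function names, the role IDs and the saved-setting shape (role ID => role ID when ticked, role ID => 0 when not, as a checkboxes form element stores it) are assumptions.

```php
<?php
// Added example. All function names and role IDs below are hypothetical.

/**
 * Role IDs ticked in the "excluded roles" setting.
 *
 * $setting is assumed to be a saved checkboxes value:
 * role ID => role ID when ticked, role ID => 0 when not.
 */
function example_excluded_roles(array $setting, bool $filter = TRUE): array {
  // Without array_filter() the unticked entries (value 0) keep their keys,
  // so every role in the form is treated as excluded.
  return array_keys($filter ? array_filter($setting) : $setting);
}

/**
 * Decides whether an account may log in via URL.
 *
 * The permission is additive: one granting role is enough.
 * The exclusion is a deny override: one excluded role is enough to refuse.
 */
function example_may_url_login(array $account_roles, array $granting_roles, array $excluded): bool {
  $has_permission = (bool) array_intersect($account_roles, $granting_roles);
  $is_excluded = (bool) array_intersect($account_roles, $excluded);
  return $has_permission && !$is_excluded;
}

// Constructed sample data: only "superadmin" is ticked as excluded.
$setting = ['superadmin' => 'superadmin', 'editor' => 0, 'regular_user' => 0];
$granting = ['regular_user'];

$accounts = [
  'regular user only' => ['regular_user'],
  'superadmin + regular user' => ['superadmin', 'regular_user'],
];

foreach ([TRUE, FALSE] as $filter) {
  $excluded = example_excluded_roles($setting, $filter);
  echo $filter ? "with array_filter()\n" : "without array_filter()\n";
  foreach ($accounts as $label => $roles) {
    $allowed = example_may_url_login($roles, $granting, $excluded);
    echo "  $label: " . ($allowed ? 'allowed' : 'denied') . "\n";
  }
}
```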
Comment #3
daluxz commented
New version:
- Removed authenticated user role from options
- Made message translatable
- Added sanitation
Comment #4
bonrita commented