Setting up User Registration

Synopsis

Xataface optionally enables you to allow users to register for an account in your application. If your users table includes a column for email, it will also perform email validation before the account is activated. Before tackling user registration, it is good to have an understanding of Xataface's authentication and permissions faculties.

Enabling Registration

To enable registration, simply add the following to the _auth section of the conf.ini file:
For example, after adding this, your _auth section might look like:
After doing this, you'll notice a little Register link below the login form. Clicking on this link will produce a registration form for the user which is essentially a "New Record" form on your users table. Some features of this registration form include:
Setting up Permissions to Support Registration

Xataface <= 1.2.4: You must ensure that users who are not logged in have permission to add new records to the users table. This means that your getPermissions() method on the users table should, at least, provide the new permission. In addition, these users must be granted the register permission in order to be able to register to begin with.

Xataface >= 1.2.5: You no longer need to provide the new permission to allow users to register. You simply need to provide the register permission.

Sample Permissions on Users Table

In the tables/users/users.php file (assuming my users table is actually named "users"):
Note that this example is only applicable for Xataface 1.2.5 or higher. In Xataface 1.2.4 you needed to provide users with the "new" permission rather than the "register" permission, which opens up a small security hole, since users could potentially just use the "new" action if they knew the URL and bypass the registration and activation email altogether.

Some notes on this example:
Restricting Permissions on Particular Fields

You probably don't want users to be able to set their access level when they register for an account, and your "users" table will quite often contain some field like "role" which stores this information. So the previous example is not quite realistic. You will also need to restrict permissions on the "role" field (and any other fields that you want to prevent users from setting themselves).
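An added example (not this page's original sample code) of a users-table delegate class for Xataface 1.2.5 or higher that grants anonymous visitors only the register permission and locks the role field. The "role" column, its 'ADMIN' and 'USER' values, and the currentUserIsAdmin() helper are assumptions made for illustration.

```php
<?php
// tables/users/users.php: delegate class for a table assumed to be named "users".
// Assumed schema: a "role" column holding 'ADMIN' or 'USER' (constructed values).
class tables_users {

    // Hypothetical helper: true only when an administrator is logged in.
    function currentUserIsAdmin(){
        $user = Dataface_AuthenticationTool::getInstance()->getLoggedInUser();
        return $user and $user->val('role') === 'ADMIN';
    }

    // Record-level permissions on the users table.
    function getPermissions(&$record){
        if ( $this->currentUserIsAdmin() ){
            return Dataface_PermissionsTool::ALL();
        }
        $perms = Dataface_PermissionsTool::NO_ACCESS();
        $user = Dataface_AuthenticationTool::getInstance()->getLoggedInUser();
        if ( !$user ){
            // Anonymous visitors get 'register' only. Granting 'new' instead
            // would let them skip the activation email via the "new" action.
            $perms['register'] = 1;
        }
        return $perms;
    }

    // Field-level permissions for the "role" column.
    function role__permissions(&$record){
        if ( $this->currentUserIsAdmin() ){
            return null; // defer to the record-level permissions
        }
        // Everyone else, including registrants, cannot set or change role.
        return Dataface_PermissionsTool::NO_ACCESS();
    }

    // Second line of defence: force the default role on every insert that
    // is not performed by an administrator, whatever the form submitted.
    function beforeInsert(&$record){
        if ( !$this->currentUserIsAdmin() ){
            $record->setValue('role', 'USER');
        }
    }
}
```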
This will cut off the user's ability to set their own role when they register. You will likely want to set the default role value either in the MySQL table definition or in the beforeInsert trigger.

Email Validation

As mentioned above, registration works by sending an activation email to the address specified in the user's registration. This email contains a link back to the activate action of your Xataface application, which will create the user account and log the user in. This implies that your users table must store an email address for your users. If you add a field named email to the users table, Xataface will assume that you mean to use this field as the user's email address, and thus, for email validation. However, you can override this functionality and use *any* field as an email field by setting the email directive of the appropriate field in the fields.ini file for the users table.

Example: Assigning the my_addr field of the users table to be used for email validation:

In the tables/users/fields.ini file:
Disabling Email Validation

99% of the time, email validation is the preferred way of ensuring that people who register are who they say they are. You may, however, prefer to let users register directly without requiring the email activation step. You can disable email validation by overriding the register action in the actions.ini file as follows:

In your application's actions.ini file:
After setting this, the user account will automatically be created, and the user logged in, upon saving the registration form.

Triggers: Overriding Registration Workflow

Xataface provides a number of triggers in the Application Delegate Class to override and extend the behavior of the user registration and activation process. For a list of available triggers see Application Delegate Class.

Preventing Spam with CAPTCHA

One problem with enabling automatic registration is that it invites spam in the form of bots that can learn how to automatically register for user accounts and then submit unwanted input to your application. The Xataface reCAPTCHA module allows you to avoid these problems to some extent by forcing users who aren't logged in to fill in a CAPTCHA field in order to successfully submit the form. This is especially helpful for registration forms. After installing the reCAPTCHA module, the registration form will include a CAPTCHA field.