Authentication

From ISPWiki

User authentication

First, the control panel checks COOKIE authentication.

Then it calls the action authenticate. This action does not perform any work itself. All authentication methods are expected to be implemented as event handlers that are executed before that action.

authenticate can be called in one of the following cases:

  1. User authentication
  2. User internal authentication
    In this case the handler takes the username from Authen. It does not check the user's password; it only checks that the user exists. If so, it sends the XML in the same format as for common authentication.

In any case, if the user is identified, the XML with the following tag will be sent:

<ok level=«access level» name=«username» method=«authentication method name»>
  [<ext name=«name»>value</ext>]
  ...
</ok>
  • Access level — access level of the authorized user. The control panel reserves the following access levels:
    0 (lvNobody): unauthorized users
    1 (lvRegistered): all authorized users have access level 1 or higher
    29 (lvAdmin): control panel administrator
    30 (lvSuper): server administrator
    31 (lvInternal): maximum access level (it is used for internal calls)
  • Username — the control panel does not know beforehand where the username is taken from, so the event must report it.
  • Authentication method (method) — this value is used for the following actions:
    1. Action authenticate.<method> with the parameter username must return the tag <ok/> if the user is found. This action is available only to the administrator.
    2. Action authenticate.<method>.setpass with the parameter password will change the password of the current user.
    3. Action authenticate.<method>.isowner with the parameter username must return the tag <ok/> if the current user is the owner of the user username.
    If any of the above actions is not implemented, the corresponding function will not be available.
  • Tag ext — any additional information. It will be kept along with the user session and will be available to actions and events.

Once a handler has identified the user, the event handlers will be executed. The event handlers of the action authenticate that are executed after that action will also be executed.
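The `<ok>` reply described above can be validated before a session trusts its access level. The following is an added example, not code from ISPWiki or the control panel: it parses a handler's reply, maps the level to the reserved names and lists the optional per-method actions. The sample reply, the method name `ldap`, the `mail` ext field, the 0..31 range check and the refusal of DTDs are assumptions.

```python
import xml.etree.ElementTree as ET

# Reserved access levels as listed on this page.
RESERVED_LEVELS = {0: "lvNobody", 1: "lvRegistered", 29: "lvAdmin",
                   30: "lvSuper", 31: "lvInternal"}

# Constructed sample; the method name "ldap" and the ext field are hypothetical.
SAMPLE = ('<ok level="29" name="alice" method="ldap">'
          '<ext name="mail">alice@example.com</ext></ok>')


class AuthResponseError(ValueError):
    """The handler's reply is not a well-formed <ok> element."""


def parse_ok(xml_text):
    """Validate a handler's <ok> reply and return its fields as a dict."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        # Assumption: a handler reply never needs a DTD, so refuse entity tricks.
        raise AuthResponseError("DTD/entity declarations are not accepted")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise AuthResponseError(f"not well-formed XML: {exc}") from None
    if root.tag != "ok":
        raise AuthResponseError("root element is not <ok>")
    missing = [a for a in ("level", "name", "method") if not root.get(a)]
    if missing:
        raise AuthResponseError("missing attribute(s): " + ", ".join(missing))
    level_text = root.get("level")
    # Assumption: levels are integers from 0 (lvNobody) to 31 (the maximum).
    if not (level_text.isascii() and level_text.isdigit()) or int(level_text) > 31:
        raise AuthResponseError("level must be an integer in 0..31")
    level = int(level_text)
    return {
        "level": level,
        "level_name": RESERVED_LEVELS.get(level),  # None if not a reserved level
        "authorized": level >= 1,                  # level 1 and higher
        "name": root.get("name"),
        "method": root.get("method"),
        "ext": {e.get("name"): (e.text or "") for e in root.findall("ext")},
    }


def method_actions(method):
    """Optional actions the page ties to an authentication method name."""
    base = f"authenticate.{method}"
    return [base, base + ".setpass", base + ".isowner"]
```

A reply carrying level 31 parses successfully here; whether a given handler should ever be allowed to grant lvInternal is a policy decision for the caller.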