Project Description

Introduction

The One Time Token PAS allows users to log in using a special token. The token is generated and can only be used once. This allows members to log in without supplying their username and password. You can send an e-mail with the special login URL, so the member can access the portal easily.

Installation

This product is written for Plone 2.5 but can easily be used for 3.x.

  • Install through the quick installer.
  • Activate Authentication and Extraction in the OTT plugin, then move this plug-in to the top.

Usage

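  1. Generate a token and build the login URL:

    from Products.CMFCore.utils import getToolByName

    # look up the token storage tool installed by this product
    tokenTool = getToolByName(self, 'onetimetoken_storage')

    # create a one-time token for the given user id
    token = tokenTool.setToken(userId)

    # URL to send to the user
    url = 'http://myplone/@@do_some_nice_stuff?token=%s' % token

  2. Send the URL with the login code to the user.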

The user can use the token only once and it’s valid for three weeks. The expiration time can be set in the tool.

Or you can generate a temporary user and delete it later:

    from Products.CMFCore.utils import getToolByName

    tokenTool = getToolByName(self, 'onetimetoken_storage')

    # get token and create temporary user (no userId is passed)
    token = tokenTool.setToken()

    # URL the user follows to do some nice stuff
    url = 'http://myplone/@@do_some_nice_stuff?token=%s' % token

    # inside that view
    userid = self.verifyToken(token)

    # do some stuff with user (login, get some girls, etc)
    # ...

    # delete temporary user
    tokenTool.deleteTemporaryUser(userid)

Manager’s usage

Users with the Manage portal permission on the Plone site root are allowed to log in as any other user by visiting the @@login_as browser view and entering the target user name. This feature has been taken from the niteoweb.loginas package and modified.

Safety

Why not let users log in themselves instead of using this plug-in? In specific cases it's useful to auto-login the user. For example, a member participates in a program to save energy and keep track of his energy usage. Every month he receives an e-mail to auto-login and updates his usage. Another example: a portal is used for informing members of newly published newsletters, and these letters aren't public. The member gets a link with auto-login to the newsletter so he can read it.

It's all about making it easier for the user, so there's no obstacle to logging in. In the above cases the members are normal users with no elevated rights. Of course there could be cases where a one-time token is not useful and/or safe.

The login code that is included in the URL contains the login name and the token in base64. Every token is a uniquely generated md5 hash of random data and can only be used once. If the given username and token match the stored token and its username, you're authenticated.

Clearing old tokens

Old tokens can be cleared by calling clearExpired on the token storage. Using crontick and cron4plone, this job can be automated.

Add this call in cron4plone: portal/onetimetoken_storage/clearExpired
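
The scheme described under Safety and Clearing old tokens, sketched as an added example (not the product's own code): an in-memory stand-in for the token storage with single-use verification, expiry and cleanup. The "<loginname>:<token>" layout inside the base64 login code, the TokenStore class and its method names are assumptions, and secrets.token_hex is used in place of the md5 hash of random data.

```python
import base64
import hmac
import secrets
import time

THREE_WEEKS = 21 * 24 * 3600  # default validity stated on the page


class TokenStore:
    """In-memory stand-in for the token storage (hypothetical, not the Plone tool)."""

    def __init__(self, ttl=THREE_WEEKS, clock=time.time):
        self.ttl, self.clock = ttl, clock
        self._tokens = {}  # token -> (login name, expiry timestamp)

    def set_token(self, login):
        # secrets.token_hex replaces the md5-of-random-data token described above.
        token = secrets.token_hex(16)
        self._tokens[token] = (login, self.clock() + self.ttl)
        # Assumed layout of the login code: base64("<loginname>:<token>").
        raw = "%s:%s" % (login, token)
        return base64.urlsafe_b64encode(raw.encode()).decode()

    def verify(self, login_code):
        """Return the login name once; None if malformed, unknown, reused or expired."""
        try:
            raw = base64.urlsafe_b64decode(login_code.encode()).decode()
            login, token = raw.rsplit(":", 1)
        except ValueError:  # bad padding, bad UTF-8, or no separator
            return None
        # pop() consumes the token before any other check, so it cannot be replayed.
        stored_login, expires = self._tokens.pop(token, (None, 0))
        if stored_login is None or self.clock() > expires:
            return None
        # Constant-time comparison of the claimed and the stored login name.
        if not hmac.compare_digest(stored_login.encode(), login.encode()):
            return None
        return stored_login

    def clear_expired(self):
        """Drop expired tokens (the job scheduled via cron) and return the count."""
        now = self.clock()
        stale = [t for t, (_, exp) in self._tokens.items() if exp < now]
        for t in stale:
            del self._tokens[t]
        return len(stale)
```
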

Todo

  • Some doc or unit tests would be nice
  • Control panel for setting expiration time.
  • Checking a member is disabled when generating a token. This is because we had performance problems with generating large amounts of keys (> 15,000) and SQL PAS. Add this as an option in the control panel.

Changelog

0.3 - 2013-12-27

  • fixed Plone 4 install code compatibility [Radim Novotny]
  • subclass all token exceptions with Products.OneTimeTokenPAS.config.TokenError [Domen Kozar @ niteoweb]
  • added some tests coverage [Domen Kozar @ niteoweb]
  • added ability to create temporary user when issuing .setToken(). Also added .deleteTemporaryUser(userid) method [Domen Kozar @ niteoweb]
  • fixed bug where .clearExpired() would never actually do anything [Domen Kozar @ niteoweb]

0.2 - 2009-10-12

  • added @@login_as browser view which allows to login as any user. Idea and part of code taken from niteoweb.loginas. Thanks! [naro]

0.1.1 - 2009-09-02

  • re-released, added metadata.xml

0.1 - Unreleased

  • Initial release

Release History

  • 0.3 (this version)
  • 0.2
  • 0.1.1
  • 0.1
  • 0.1dev-r84263

Download Files

  • Products.OneTimeTokenPAS-0.3.zip (21.0 kB), file type: Source, upload date: Dec 27, 2013
