Correct me if I'm wrong but as of now the registration page has to be edited outside of the plugin (in my theme's form template), and the login page has to be edited inside the plugin (the plugin's form template). This makes things pretty confusing when you want them both to look the same, and want to be able to use one template for both of them.

Is there a better way for me to go about this? Maybe it's too late to get this in the next release but could we maybe have the registration be included in the plugin as it's own page+template?

In order to differentiate between users more easily and serve them more targeted content it would be a great feature to specify the page to which a user is redirected in the user's account.yaml file, which would overwrite the default route set in the login.yaml

Is there any current support or planned future support for LDAP Auth? If it's in the plans, has anything been written down about how it may function so I could potentially develop it?

If you access your site via https://www.example.com and you want to login you get the following:

The information you have entered on this page will be sent over an insecure connection and could be read by a third party.

Are you sure you want to send this information?

also plugin redirects not to https:// again after login just to http://

Even though user registration is disabled, it is still possible to access the register page.

Is there a way to move the /user/accounts directory to another location outside the webroot for security reasons? I'm not seeing a config for that and it seems like user://accounts/ is being used a number of times in the code.

redirect: /main

is set in the login.yaml file, and reflects under the 'redirect on login' section of the admin dashboard as well. Here's the login function of my LoginController.php:

public function taskLogin()
    {
        $t = $this->grav['language'];
        if ($this->authenticate($this->post)) {
            $this->setMessage($t->translate('PLUGIN_LOGIN.LOGIN_SUCCESSFUL'));
            $referrer = $this->grav['uri']->referrer('/');
            $this->setRedirect($referrer);
        } else {
            $user = $this->grav['user'];
            if ($user->username) {
                $this->setMessage($t->translate('PLUGIN_LOGIN.ACCESS_DENIED'), 'error');
            } else {
                $this->setMessage($t->translate('PLUGIN_LOGIN.LOGIN_FAILED'), 'error');
            }
        }

        return true;
    }

and everything looks kosher to me, but I'm not even sure I'm looking in the right place... and I'm level 0 in the PHP skilltree.

Do I need to be looking in the Controller.php at the redirect functions there instead? Thanks in advance.

Registration and Login are working great. But, I login and try to access a private page, I get Access denied. How can I debug this?

config/plugins/login.yaml

parent_acl: true
protect_protected_page_media: true
user_registration:
  enabled: true
  fields:
    - firstname
    - lastname
    - company
    - 'job title'
    - email
    - username
    - password
  access:
    site:
      login: 'true'

accounts/user.yaml

access:
  site:
    login: 'true'

default.md

access:
  site:
    login: true

Is there a reason why dots are not allowed in usernames?

We use a schema of firstname.lastname throughout our systems to simplify authenticating.

The password reset for the admin account was done on the public side /forgot_password. After clicking the link in the email, here is the password reset page.

Password Reset
Username: {{uri.param('user')}}

I have a page with login needed to access, is there a way to make the files in the directory also protected?
Let's have the following structure:
02.private/
├── default.md
└── protected.file.txt

I want to include the 'protected.file.txt' in default.md, but 'protected.file.txt' shouldn't be accesible for non-logged in users.

If you're setting up a protected site with subpages and enabling the dropdown menu for those subpages the drop down menu(links to subpages) is also shown when you're not logged in. It would be better if the dropdown menu is also hidden when the parent page is protected.

Would see allot of benefits with this possibility!

When updating GRAV and the following plugins on an environment (local) that uses apache the error shown above doesn't occur. GRAV version before update is v1.0.0-rc.4 after update is v1.0.0-rc.6

The plugins are...

When moving from local to production (using nginx + php-fpm) with these updates this error occurs on Chrome, Firefox, and Safari on first page load. After that this error message occurs intermittently.

I mistyped my password while trying to login to the backoffice but instead of the simple error message Login failed added to the original login page I got this full error page:

…/­system/­src/­Grav/­Common/­Twig/­Twig.php300

Whoops \ Exception \ ErrorException (E_ERROR)

Call to a member function content() on a non-object
Open: /srv/data/web/vhosts/reachcontent.com/htdocs/system/src/Grav/Common/Twig/Twig.php

     */
    public function processSite($format = null)
    {
        // set the page now its been processed
        $this->grav->fireEvent('onTwigSiteVariables');
        $pages = $this->grav['pages'];
        $page = $this->grav['page'];
        $content = $page->content();
        $config = $this->grav['config'];

GET Data empty
POST Data
username _[correct login used]_
password _[wrong password typed; displayed in clear]_
task login
admin-nonce $2y$10$fHaePQnnA37EbUSLASHMyKeUrOhfMJxcjCbiJwefZSLASHSgtMsxLzsWPDc6K
Files empty
Cookies
grav-site-360e8fa-admin na964dfl6opnql30fb8a3oc7q0
Session
user Grav\Common\User\User Object ( [gettersVariable:protected] => items [items:protected] => Array ( ) [blueprints:protected] => [storage:protected] => )
expert
messages RocketTheme\Toolbox\Session\Message Object ( [messages:protected] => Array ( > [5ab00046cc2b8a920d69eba0a5350300] => Array ( [message] => Login failed [scope] => error ) ) )
Server/Request Data
USER hosting-user
HOME /
FCGI_ROLE RESPONDER
REDIRECT_STATUS 200
etc. etc.

Clicking the activation link goes to the front page.
It should go to the login page so you can see the User activated successfully message and to login.

Under User Registration>Options, all options are checked except for Login the user after registration.

Also, I don't get the admin notification that a new user has registered.

Using develop and Antimatter theme.

E.g. In the "execute" method in Controller.php. I've changed:
$this->setMessage($e->getMessage());
to
$this->setMessage($e->getMessage(), 'error');

Also where the following error messages are used in the plugin, I've made the same change:

• PLUGIN_LOGIN.ACCESS_DENIED
• PLUGIN_LOGIN.LOGIN_FAILED
• PLUGIN_LOGIN.OAUTH_PROVIDER_NOT_SUPPORTED

Steps to reproduce:

1. Type in an incorrect password for a valid username.
2. Instead of the "login failed" message, the user is redirected back to the login page and the message "you have successfully been logged in" is displayed.
3. Type in an incorrect username and any password.
4. The login page displays the "login failed" message as expected for step 2.

Solution:

In LoginController.php, I changed the lines 214-218 to:

                // Authenticate user.
                $user->authenticated = $user->authenticate($form['password']);

                if ($user->authenticated) {
                    $this->grav['session']->user = $user;

and lines 237-238 to:

    // Authorize against user ACL
    $userAuthorized = $user->authorize('site.login');
    $user->authenticated = ($user->authenticated && $userAuthorized);

    return $user->authenticated;

to get the login form to work as expected.

With my custom registration form, I keep getting Username already exists, please pick another username even though there is currently only one user with a different username.

When the Login form has a route set, when accessing pages protected by login, the user is redirected to the login form route, and thus forgets the referral to get back to the original page.

As a result, after the login the user is still being shown the login form.

Hello, I see it is possible to lock access to frontend pages individually. However, is there a way to lock the full frontend site and ask for the password whatever the page ?

Correct working user rights on user.yaml are
access:
access:
site:
login: true

what oauth generates

access:
site.login: '1'

problem is not weather there is true or '1' but in the formatting which leads to setting rights manually.
@flaviocopes

Getting the RuntimeException Email not configured message when registering and email has not been configured.

Right now their is no gitignore for the account's config file. That mean it's very easy to commit them by mistake and publicly publish password (encrypted) and account information.

I didn't check your code but I guess you are using strong encryption that is hard to break (not like md5) so it's should not be a problem. But still, I'm not sure it's a good idea to let peoples commit those files by default. Do you feel comfortable with that?

If you feel comfortable to commit those files, I think a short comment in the file explaining it's not a risk to commit those file would be a nice helper. Otherwise adding a gitignore in the account folder to exclude account config is the way to go.

(I'm very new to grav)

I want to set a page protected, this works in the way that a "login display" is provided for the site, but there is also the content of the site shown.

theme: antimatter

the file is:

bash-4.1$ cat pages/06.private/default.md

title: Private
access:
site.private: true

admin.login: true

protected stuff

protected stuff

protected stuff

protected stuff

![2016-01-27-201629_1918x1179_scrot](https://cloud.githubusercontent.com/assets/348359/12626251/13b35432-c538-11e5-829f-1d6a3e81aab9.png

Steps to Reproduce:

1. On the Forgot Password page, enter a username that does not exist, or leave the username blank.
2. Press "Send Reset Instructions".
3. A 404 message is displayed instead of the validation error message.

Solution:

The redirect links for error messages in the taskForgot method of LoginController.php have been hardcoded to the route "/forgot".

In the taskForgot method replace all the lines:
$this->setRedirect('/forgot');
with:
$this->setRedirect($this->grav['config']->get('plugins.login.route_forgot'));

So I have found a couple of issues with the login plugin used on the front end. I don't know whether this is something to do with my setup or actually the plugin.

These happen if I try to access a page that my chosen user does not have permission for. After the login form has been completed the user does see the "Access Denied" message for the page, however I am also seeing the actual content of that page to which I am supposed to be denied.

By removing the {{ content }} token form the login-form.html.twig This can be resolved but then content of the login plugin such as its headers has to be manually inserted into the template.

Also once at the access denied screen I am still seeing the login submit button (no other form components), and there is no way to go back to a new login screen whit out doing a hard reload. Ideally I would like there to be a log out and try again button.

Dear all,

I have my website in two different languages.
Before you login you choose your language, it sets it's locale based on the url, /fr/home or en/home,
en/home is default, but when choosing fr/home and logging in, it redirect me back to en/home.
Somehow it is working on my localhost, but not on the dev server.

Any ideas?
Thanks!

Now the CLI of this plugin let you create a new user with "bin/plugin login new-user". You can modify account by simply editing the user's files in user/accounts. But it's harder to quickly edit the password.

It would be nice to have a command to change the password something like:
$ bin/plugin login passwd username
$ new password :

If the username is not in the system, the Send Reset Instructions generates an error 404 page.

It's cool that there's a setting to control whether login.css is included, but I'm wondering if it'd be possible to include the CSS file through the Twig templates instead. Maybe the setting could still be kept around, but that would automatically exclude the CSS unless the template that it concerns is deliberately included in the theme.

Steps To Reproduce:

1. Generate a reset password email using the "Forgot Password" page for a user account where you have access to the email.
2. Click the reset link in the email.
3. Enter a blank password or one that does not meet the complexity requirements, e.g. "123".
4. A 404 message is displayed instead of the validation message.

Solution:
The redirect link is not set before the validation is checked, the reset password page needs user and token params in the url to be displayed.
Add the following lines to the taskReset method before $user->validate(); is called
in LoginController.php:

                $param_sep = $this->grav['config']->get('system.param_sep', ':');
                $resetLink = $this->grav['base_url_absolute'] . $this->grav['config']->get('plugins.login.route_reset') . '/task:login.reset/token' . $param_sep . $token . '/user' . $param_sep . $username . '/nonce' . $param_sep . Utils::getNonce('reset-form');
                $this->setRedirect($resetLink);
                $user->validate();

Reset and Forgot password forms contain text strings from Admin plugin.

Since release 1.0, CHANGELOG.md is not updated and GitHub release did not contains the change

I'm attempting to restrict access to some content pages. The login screen is displayed, but attempting to login causes "Login failed..." to display and the login page continues to display.

The same login is able to access the admin dashboard.

My frontmatter:

access:
    site.login: true
    admin.login: true

I have a new installation of grav and added a redirect to the login.yaml like this:

redirect_after_login: '/profile'

But it does not work. Is this a known issue or did I oversee anything?

Thank you & cheers

Hi,

After update last update of grav, my website on server throws 500 error.
Inspecting error_log file give notice that there is something wrong with login plugin:

[22-Nov-2015 15:12:11 UTC] PHP Fatal error:  Call to a member function header() on a non-object in ***/public_html/solofront.com/user/plugins/login/login.php on line 206

Would be great to have a anonymous user/group to define rights for visitors who are not logged in.

@Sommerregen getting this error while logging in using GitHub (not sure you've already seen this before)

So if [email protected] where name is set to 'John Smith' logs in has user created john_smith.google then [email protected] who aswell has name 'John Smith' tries log in he doesn't get a user created because john_smith.google allready exists.

If a page is locked and one user try to login and he err the access, the content of page is showed even so.

Hi everybody,

I had a little problem on login, it happens sometimes only:

I type my username and password, and I get the error "Invalid security token" (or something like that). It happens 2-3 times after submit and then logs in normally.

I checked php logs and nothing, tried to empty cache and delete cookies, no success.
Obviously I have all necessary rights, login is true and admin super also.

This is definitely not a big deal but for some users could be difficult.

Hi,
I noticed that the tab key doesn't switch between the username and password field. Would be great to save time using tab to switch between input fields when entering credentials.

Currently, it is possible to bombard password reset requests. Please limit it to 1 per hour or a configurable time.

Hi,

groups defined in 'user/config/groups.yaml' are not working.

user/config/groups.yaml :

premium:
  readableName: 'Premium Members'
  description: 'The group of premium members'
  access:
    admin:
      login: true
      super: true
    site:
      login: true
      paid: true

user/accounts/user.yaml

...
groups:
  - premium

I missed something?

References: http://learn.getgrav.org/cookbook/general-recipes#use-group-based-permissions

Look into using onPageProcessed to set the page's menu visibility based on user access if logged in.

Hi,

Two bugs for Username and Password fields

• translation does not work
• attributs "for" and "id" are missing respectively for label and input

Those example are from the plugin maintenance...

Thanks ^^

Validate double entered password is disabled yet the register page has 2 password fields.

Hi all,

i get the following error while register :

Class 'Grav\Plugin\Login\Utils' not found

I think its because in /plugins/login/classes/Login.php there is

use Grav\Plugin\Login\Utils as LoginUtils;

but there is no file "Utils.php" ... maybe it should be:

use Grav\Plugin\Email\Utils as LoginUtils;

Greetings,

Chris

Bye the way: Installed everything yesterday. Current Grav and Login Plugin.
Edit: Changed

use Grav\Plugin\Login\Utils as LoginUtils;
to
use Grav\Plugin\Email\Utils as LoginUtils;

and everything seems to work.

Oauth is setup and Yaml settings are correct and everything is enabled but provider links are not showing up. @Sommerregen