Check out the LimeSurvey source code on GitHub!
Welcome, Guest
Username: Password:
  • Page:
  • 1
  • 2

TOPIC: Bypassing the authentication of Lime Survey

Bypassing the authentication of Lime Survey 3 years 9 months ago #92973

  • JVG
  • JVG's Avatar
  • Offline
  • Fresh Lemon
  • Posts: 7
  • Karma: 0
Hi,

We are developing an app based on CI and integrating it with lime survey.
The requirement is that when admin logs in into our app and clicks onto the survey link he should be redirected to the admin panel. But the problem we are facing is bypassing the limesurvey authentication.

We have tried with delegating authentication to webserver but we are unable to do so. I've gone through the instructions of optional seetings and implemented it too..But it throws an error with invalid username/password when authWebServer is set to true..i am unable to track the problem or is there something to do with enabling authentication at the web server?

So we request you to suggest a wayout for this.
The administrator has disabled public write access.

Bypassing the authentication of Lime Survey 3 years 9 months ago #92976

  • Ben_V
  • Ben_V's Avatar
  • Offline
  • Platinum Lime
  • Posts: 1897
  • Thank you received: 469
  • Karma: 118
You can copy the login form in an external file, setting user & password default values.
Use JQuery for submit button emulation.

To help you to find a way, I attach 2 html samples (depend on your LS version):
Just adapt:
YOURDOMAIN
USERNAME
PASSWORD

No need to upload; can work from your desktop if the 'action' url value is correct...

If you have to use some differents sets admin+password, just change it for php file and set variables.

File Attachment:

File Name: skip_auth.zip
File Size:3 KB
Benoît

EM Variables => bit.ly/1TKQyNu | EM Roadmap => bit.ly/1UTrOB4
All LS releases => bit.ly/1VMuTDu | 2.06lts => bit.ly/1Qv44A1
Demo surveys => goo.gl/HuR6Xe (already included in /docs/demosurveys)
The administrator has disabled public write access.
The following user(s) said Thank You: JVG

Bypassing the authentication of Lime Survey 3 years 9 months ago #92978

  • DenisChenu
  • DenisChenu's Avatar
  • Offline
  • Moderator Lime
  • Posts: 9600
  • Thank you received: 1376
  • Karma: 390
JVG wrote:
We have tried with delegating authentication to webserver but we are unable to do so. I've gone through the instructions of optional seetings and implemented it too..But it throws an error with invalid username/password when authWebServer is set to true..i am unable to track the problem or is there something to do with enabling authentication at the web server?
What is your version ?

There are some patch for authWebServer in the last version.

Denis
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand (use private message).
The administrator has disabled public write access.

Bypassing the authentication of Lime Survey 3 years 9 months ago #92980

  • JVG
  • JVG's Avatar
  • Offline
  • Fresh Lemon
  • Posts: 7
  • Karma: 0
I am using 2.0 version. Can u please attach the link for the patch. Does it bypass LimeSurvey authentication?
The administrator has disabled public write access.

Bypassing the authentication of Lime Survey 3 years 9 months ago #92981

  • DenisChenu
  • DenisChenu's Avatar
  • Offline
  • Moderator Lime
  • Posts: 9600
  • Thank you received: 1376
  • Karma: 390
JVG wrote:
I am using 2.0 version.
Buils number ?
Can u please attach the link for the patch. Does it bypass LimeSurvey authentication?
LS oficial core last build number : github.com/LimeSurvey/LimeSurvey
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand (use private message).
The administrator has disabled public write access.

Bypassing the authentication of Lime Survey 3 years 9 months ago #92983

  • JVG
  • JVG's Avatar
  • Offline
  • Fresh Lemon
  • Posts: 7
  • Karma: 0
I am using LS with build number is 130206.Will my problem be solved if i replace it with above build?
The administrator has disabled public write access.

Bypassing the authentication of Lime Survey 3 years 9 months ago #92995

  • JVG
  • JVG's Avatar
  • Offline
  • Fresh Lemon
  • Posts: 7
  • Karma: 0
I tried installing the latest build that you suggested but still there is a problem. What I need is when I login through my app and when I click on the link 'Add survey' it should bypass LimeSurvey authentication and show me the admin panel directly.

I installed the new build and reset the authWebserver variable to 'true' and edited the admin name from 'lime_users' table to the same name as is in my app login for admin. When I was done with al these changes and clicked on link 'Add survey' it redirects to this page
http://localhost/LimeSurvey-master/index.php/admin/authentication/sa/login with error Invalid username/password

Please help me through this.

Thank you
The administrator has disabled public write access.

Bypassing the authentication of Lime Survey 3 years 9 months ago #93007

  • DenisChenu
  • DenisChenu's Avatar
  • Offline
  • Moderator Lime
  • Posts: 9600
  • Thank you received: 1376
  • Karma: 390
Never used autWebServer,

Can you set debug to 2 and fill a bug report ?

Denis
www.limesurvey.org/en/community-services/bug-tracker
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand (use private message).
The administrator has disabled public write access.

Bypassing the authentication of Lime Survey 3 years 9 months ago #93009

  • JVG
  • JVG's Avatar
  • Offline
  • Fresh Lemon
  • Posts: 7
  • Karma: 0
I didnt get u? what is debug to 2?

Yes, will fill a bug report

Thank You.
The administrator has disabled public write access.

Bypassing the authentication of Lime Survey 3 years 9 months ago #93020

  • JVG
  • JVG's Avatar
  • Offline
  • Fresh Lemon
  • Posts: 7
  • Karma: 0
Ben_V Wrote:
To help you to find a way, I attach 2 html samples (depend on your LS version):
Just adapt:
YOURDOMAIN
USERNAME
PASSWORD



Thank You so much. I tried with the script and its working!!! :)
Last Edit: 3 years 9 months ago by JVG. Reason: forgot to add few lines
The administrator has disabled public write access.

Bypassing the authentication of Lime Survey 3 years 9 months ago #93024

  • Ben_V
  • Ben_V's Avatar
  • Offline
  • Platinum Lime
  • Posts: 1897
  • Thank you received: 469
  • Karma: 118
Yes it's working and could be ok with some extra (php) security settings (avoiding the direct call of the page, etc.)

This said, if LS new releases provide such kind of feature (cf. authWebserver), I think it will always be much better and secure to use it... So, it will be really helpful if you can go further this way, reporting your experience and encountered bugs; I'm pretty sure that you'll get everything working very soon ;)
Benoît

EM Variables => bit.ly/1TKQyNu | EM Roadmap => bit.ly/1UTrOB4
All LS releases => bit.ly/1VMuTDu | 2.06lts => bit.ly/1Qv44A1
Demo surveys => goo.gl/HuR6Xe (already included in /docs/demosurveys)
The administrator has disabled public write access.

Bypassing the authentication of Lime Survey 4 months 1 week ago #139830

  • carl05
  • carl05's Avatar
  • Offline
  • Fresh Lemon
  • Posts: 5
  • Thank you received: 1
  • Karma: 0
I have LS running on a secure server, 2.50 - and this solution throws a 500 server error. I wonder, Ben, if there's something else going on based upon the version? What is the best solution do you think, in this case?
The administrator has disabled public write access.

Bypassing the authentication of Lime Survey 4 months 1 week ago #139837

  • Ben_V
  • Ben_V's Avatar
  • Offline
  • Platinum Lime
  • Posts: 1897
  • Thank you received: 469
  • Karma: 118
Hi,
The workaround provided above is outdated and probably fully incompatible with new releases (including 2.06 )...

I think the only ways to go are now:
- using LimeSurvey RC2 api
- changing some standard config. in config-default.php to switch to server authentication mode:
https://github.com/LimeSurvey/LimeSurvey/blob/master/application/config/config-defaults.php#L154
Benoît

EM Variables => bit.ly/1TKQyNu | EM Roadmap => bit.ly/1UTrOB4
All LS releases => bit.ly/1VMuTDu | 2.06lts => bit.ly/1Qv44A1
Demo surveys => goo.gl/HuR6Xe (already included in /docs/demosurveys)
The administrator has disabled public write access.
The following user(s) said Thank You: carl05

Bypassing the authentication of Lime Survey 4 months 1 week ago #139858

  • carl05
  • carl05's Avatar
  • Offline
  • Fresh Lemon
  • Posts: 5
  • Thank you received: 1
  • Karma: 0
Really appreciate the advice.

I think another way might be to use AuthWPbyDB - which is pretty similar in many ways. But in trying to hack the AuthWPbyDB code to pass through HTTP headers, I've found some aspects tricky. I'm a bit stuck with this:

if($this->addWpDb()){
$this->getEvent()->getContent($this)
->addContent(CHtml::tag($tag, array(), "<label for='user'>" . gT("Username") . "</label><input name='user' id='user' type='text' size='40' maxlength='40' value='' />"))
->addContent(CHtml::tag($tag, array(), "<label for='password'>" . gT("Password") . "</label><input name='password' id='password' type='password' size='40' maxlength='40' value='' />"));
}else{// No login form if unable to access to Wp DB


I'd like value to autopopulate the fields with my HTTP header variables, so people can just click once - but I don't know how to approach this syntax to pass through a value. The other way is just to strip out the login functionality altogether, but that might be an issue for superadmins. Ben, or anyone, if you can dig me out of this, it would be amazing!
The administrator has disabled public write access.
The following user(s) said Thank You: Ben_V

Bypassing the authentication of Lime Survey 4 months 1 week ago #139864

  • carl05
  • carl05's Avatar
  • Offline
  • Fresh Lemon
  • Posts: 5
  • Thank you received: 1
  • Karma: 0
Sorry, re question above, got it fixed. thanks again
The administrator has disabled public write access.
  • Page:
  • 1
  • 2
Time to create page: 0.668 seconds
Imprint                   Privacy policy         General Terms & Conditions         Revocation information and revocation form