[ic] userdb and mv_username question

Rick Bragg lists at gmnet.net
Wed Mar 25 22:47:38 UTC 2009


On Wed, 2009-03-25 at 15:08 -0400, Mike Heins wrote:
> Quoting Davor Ocelic (docelic at spinlocksolutions.com):
> > On Wed, 25 Mar 2009 16:31:03 +0000
> > Rick Bragg <lists at gmnet.net> wrote:
> > 
> > > Hello,
> > > 
> > > I am using the affiliate database and I set up a login page that works
> > > fine. I am using the email login, so the "affiliate" column has
> > > "U0001" and the email column is unique.  Again, all that works
> > > perfect.  I can log in, create accounts, etc and everything is
> > > perfect.
> > > 
> > > However, when I use the following code, I get logged in fine, but
> > > there is nothing in [value mv_username]!
> > 
> > Hey,
> > 
> > As I understand it, mv_username is primarily a CGI variable which
> > you pass from a form to Interchange when you want to log in (and
> > when you use the default Interchange's UserDB functions which
> > expect the username in mv_username).
> > 
> > After the user is logged in, [data session username] or 
> > $Session->{username} is what you should be using, not 
> > value mv_username.
> 
> Absolutely correct. And when you realize that [value ...] is settable by
> the user, that makes sense. You don't want someone appending
> "&mv_username=admin" on their URL and changing the catalog's behavior.
> 
> Appending &fname=Fooboy is OK, because you set that stuff in the
> forms the user controls anyway.
> 
> -- 
> Mike Heins
> Perusion -- Expert Interchange Consulting    http://www.perusion.com/
> phone +1.765.328.4479  <mike at perusion.com>
> 
> The sun, with all those planets revolving around it and dependent on it,
> can still ripen a bunch of grapes as if it had nothing else in the
> universe to do. -- Galileo


Hmmm, in my case, since I am using email-based login, I have the
following in catalog.cfg:

UserDB    affiliate    indirect_login  email
UserDB    affiliate    assign_username 1

So [data session username] and [value mv_username] are always different
anyway.  (session is something like U0001, and value is always a unique
email address.)

I am giving these "affiliates" the ability to upload files, manage
tables etc...  It is basically a full blown social networking site for a
city.  I chose to use the affiliate table because I want to tightly
control who can sign in (captcha, email verification etc.) And I like
the fact that affiliates can link back to the site and we can track the
source.  At the same time, I want to let "normal" users check out carts
in userdb w/o having to sign in like this.  So is it safe to do this?
Is there anything I should watch out for here? 

Thanks!
Rick
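
The distinction discussed in this thread, as an added stand-alone Perl sketch (not part of the original messages and not Interchange code): a request-settable value versus a server-side session field, with login by email assigning a code such as U0001. The account records, role names and function names are assumptions made for the illustration.

```perl
use strict;
use warnings;

# Simplified model, not Interchange source: %$values stands in for [value ...]
# (filled from request parameters) and %$session for [data session ...]
# (written only by server-side login code). All records are constructed.
my %affiliates = (
    'rick@example.com' => { affiliate => 'U0001', role => 'member' },
    'root@example.com' => { affiliate => 'U0002', role => 'admin'  },
);
my %by_code = map { $_->{affiliate} => $_ } values %affiliates;

# Login by email (as with indirect_login email): the session gets the
# assigned code, never the string the visitor typed. Password check omitted.
sub login {
    my ($session, $email) = @_;
    my $rec = $affiliates{ lc $email } or return 0;
    @{$session}{qw(username logged_in)} = ($rec->{affiliate}, 1);
    return 1;
}

# Every request copies its parameters into the values space.
sub handle_request {
    my ($values, $query) = @_;
    for my $pair (split /&/, $query) {
        my ($k, $v) = split /=/, $pair, 2;
        $values->{$k} = $v // '';
    }
}

# Weak: trusts a request-settable value to identify the user.
sub is_admin_by_value {
    my ($values) = @_;
    my $rec = $affiliates{ $values->{mv_username} // '' } or return 0;
    return $rec->{role} eq 'admin';
}

# Correct: identity comes from the server-side session only.
sub is_admin_by_session {
    my ($session) = @_;
    return 0 unless $session->{logged_in};
    my $rec = $by_code{ $session->{username} // '' } or return 0;
    return $rec->{role} eq 'admin';
}
my (%session, %values);
login(\%session, 'rick@example.com');
handle_request(\%values, 'page=upload&mv_username=root@example.com');
printf "session=%s by_value=%d by_session=%d\n", $session{username},
    is_admin_by_value(\%values) ? 1 : 0, is_admin_by_session(\%session) ? 1 : 0;
```

In this model the parameter on the URL changes the outcome of the value-based check, while the session-based check still sees only the code assigned at login.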