As mentioned in bug 4134, we need a mechanism that can let a user log in and then track who is logged in (via a session cookie) and other bits of information (in a database, probably). For the database, we could either ask the fdo people to hook us up with one in whatever RDBMS they use, or we could go with DBD::Trini or SQLite or something along those lines, or, in a pinch, flat files. Then we can wrap a couple of easy Class::DBI classes around it and use it site-wide. Basically, what goes on, conceptually, is this: 1. Upon visiting the site initially, the user will be anonymous, 2. If the user logs in (by entering a username and password into a form that goes to a login cgi, which checks against the db), then two things happen: 2A: A record is created in the DB in a sessions table, that holds the user id, possibly some other info (such as an IP address and expiration datetime), and a pseudorandom unique session ID string. 3A: The session ID string is sent to the user in a cookie. 3. Any page that wants to know if the user is logged in can check the cookie, look up the session ID string in the database, and get the user id from the record. The user id is then also a key into the users table and possibly some other tables. 4. A cron job can periodically delete expired sessions from the sessions table; also, when the user logs in, the login script could clear out any old sessions from that user before adding the new one. 5. When a new user wants to create an account, we ask them for (among other things) an email address, and the account is created with an inactive status and a datestamp, and an email is sent to the provided address containing a magic token, which is also stored in the newly created user record. The user retrieves the email and feeds the magic token from it into the account-activation form, proving the address is valid, and the account is then activated so that the user can log in. A captcha could also be employed if we have problems with bogus accounts, but I suspect that will not be necessary, at least for now. The advantage of getting an RDBMS account is that PHP portions of the site could also access it; whereas, with something like Trini that would be rather harder to do directly. Ways this would be used on the site are many and varied, but some examples: * The upload clipart form could auto-prefill the author portions (both author name and URI); the user would still be able to edit the values before submitting. * If we offer a choice of stylesheets, we can store the user's preference and always use it when the user logs in. We could also store preferences for other things, such as which sidebar sections to show, and stuff. * When the DMS is in place, we can make it so that logged-in users can update their own clipart and/or its metadata. * Also with the DMS in place, we can make it so that users can leave feedback about specific items of clipart; anyone would be able to view this feedback, and the author can be notified next time he logs in. Private feedback for just the author is also a possibility, if that is a desired feature. * With the DMS in place, we can add an interface whereby users can help with categorization, and a given user's contributions in this regard can be tracked, so that if a vandalism problem develops they can be reverted.
this is all done by cchost now... yay!
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.