Provides username/password access to edit a Participants Database record.
Product Setup
To configure the plugin for use, start by making sure your “Participant Record Page” is correctly configured by visiting the “Record Form” tab in the main Participants Database settings. This tells the login form which page to go to when the login is accepted.
Configure the Login Form
On the Participant Login settings page, you can configure the form to show one or two fields that the user will need to fill in to access their editable record. The first field is called the “Username” field, and it is used as the primary identifier. This can be an email address, an ID number of some kind, or really anything that can be used to uniquely identify the user.
The second field is called the “Password” field, but it can also be anything you want. It is usually used to verify the user, especially if the Username field is something that would be generally known, such as an email address. It is also possible to set up the form to use only a single input field by unchecking the “Require Password” checkbox. When this is unchecked, only the Username field will be shown in the form. You might do this if your username field was something only the user would know, such as an ID number.
When selecting the field to use for the password field, it is important understand that “password” type fields store the password in encrypted form, which means an administrator cannot know what the password is. If you need to be able to tell people what their password is, use a text-line field for your password field, then you will be able to look up their password because it will be stored in plaintext.
Create Your Login Page
Once you have configured the login form, you should create a page that will be the login page. On that page, place the [pdb_login] shortcode to show the login form. It is possible to use a custom template for the login form if you need.
This shortcode will accept the following attributes to override the global settings if needed:
- template for using a custom template
- record_page to set the page (use the page name or ID) that the user goes to after successfully logging in; that page must have the
[pdb_record]shortcode. - login_button_text to set the text on the submit button for the login form
Use with the Signup Form
When using this plugin on a site with a signup form, you may want to change the default way the “Signup Thanks” email is set up: sending the user the Private Link to use to edit or complete their record. Instead, you can send new users a link to the PDb Login form, along with the credentials they should use to gain access.
Cookies and Persistent Login
The “Use Cookie” preference places a cookie on the user’s browser when they use the login form, which authorizes them to open their record for editing. When the “Extended Access” preference is checked, the user will be able to access their record without logging in for a 24 hour period. This period can be changed using a code filter.
If cookies are disabled, the login form will use the private link to take them to their record for editing. They will need to use the login form again if they want to go back edit their record after they leave the record edit page, but they can use their private link any time to access the record as usual.
Logout
To end the persistent login before it expires, you can use a logout link. You may need to use this if you have users that must have access to more than one record. The logout URL is simply the login URL with “?pdb-logout” appended to it. For example, if your Participants Database login page is at /pdb-login, your logout link would look like this:
/pdb-login?pdb-logout
If you are not using pretty permalinks, you need to do it slightly differently. For example, if your login page is on a page with an ID of 2034, your logout link would look like this:
/?p=2034&pdb-logout
It’s a good idea to put the logout link in a menu somewhere where the user can find it.
Product Settings
Login Form Settings
Username Field
Selects the field that holds the username. This could be an email address, a made-up username, or even a member ID number. If the password is not required, this will be the only field shown. This field should hold a value that uniquely identifies the record. If more than one record matches the value, the first record found will be used.
Username Not Found Feedback Message
Message to show if the username does not match any record.
Username Field Extra Attributes
This setting provides a way to add attributes to the username input element. This can be used to add client-side validation to the input, which can be helpful to users typing in the correct thing for the input. It can also be used to add simple javascript interactivity to the input.
This setting uses the same format as the “attributes” setting in the field definition: name::value,name::value etc. Because the comma is used to separate attributes, you must use the HTML entity , to represent the comma if it is in the value.
To set up a client-side validation, use the required and pattern attributes. The link provides the details on using the pattern attribute. Here is a simple example setting:
pattern::[a-z]{3,20},required,title::username must be all lowercase letters between 3 and 20 characters
That pattern will only accept lowercase letters and the length of the input must be at least 3 characters and no more than 20. You can use the “title” attribute to add a message to the pop-up that is seen when the validation fails.
Require Password
If this is checked, both the username and the password must match an existing record for the login to be accepted. If unchecked, no password will be required, and a correct entry into the username field will take the user to the record edit screen. Be careful with this, it could allow data to be changed by unauthorized persons.
Password Field
This is where you set the field that is used for your “password.” This field can be a “Text Line” type or a “Password” type field. If the field you want to use does not appear in the selector, you should either create it if it doesn’t exist or change its form element type to one that is valid for this setting.
If you select a text-line field for this, it will be stored in the database as plaintext. This will often be the case if you are using something like a customer ID for this field. If you use a “password” type field, the password will be encrypted in the database when the user saves their password.
It is important to understand that you cannot switch from or to a password field after the record data has been entered. Changing the field type cannot encrypt or decrypt passwords, so if there is data in this field, it will become incompatible with the field type. If the password field is empty, that is OK, the password will be saved in the correct format when the user enters it.
Login Button Text
This is where you can set the text that is shown on the login form submit button.
Bad Password Feedback Message
Message shown if the password doesn’t match the value in the database.
Use Cookie
If checked, a cookie is stored on the user’s browser when they successfully log in, so that when they are directed to the record edit page, the URL does not show the private ID of the record. This can also be used to allow the user to bypass the login for a while if the setting below is set. If this is unchecked, the login form will use the “private link” to take the user to their record. The private link can be used any time to access the record without using the login form which is how things normally work.
Extended Access
This sets the cookie to stay valid for 24 hours, allowing them to bypass the login for that period of time. This requires the the “Use Cookie” setting be selected as well. When a user with such a cookie visits the Participant Login page, they will be immediately redirected to their record edit screen. The 24-hour period can be changed to another value by using a code filter.
Password Recovery Settings
Show Lost Password Link
Provides a way to send the direct link to the user’s record so their password can be changed or recovered. This requires the the “Resend Private Link” functionality in Participants Database be correctly configured. This does not send the password or set a new password, it functions in the normal way for Participants Database: it provides the recipient with a private link to edit their record. They may use that link to change their password if they wish.
Lost Password Form Shortcode
This shortcode is used to generate the lost password form. This setting allows you to customize the shortcode, primarily so that a custom template may be used. the default value here is [pdb_request_link].
One-Time-Use Private Link
Password recovery works by emailing the user a “private link” which can be used to access their record edit page, bypassing the login form. When checked, this setting will change the private ID every time it is used to access the record edit page. This keeps the private link secure because it can only be used once. This feature uses a cookie on the user’s browser so they can submit changes to the record without getting logged out. Don’t use this if your users need to be able to use a static URL to access their record edit page. This plugin is often used as a way to make it easy for users to get access to their record, while other users may be using the “Private Link” to gain access to their record. Don’t use this feature if you have users using their private link to access their record.
Reset Private ID on Page Access
If the “One-Time-Use Private Link” is used, this setting determines when the private id code is changed. Unchecked, the code is only changed when the user saves the record. If checked, the code is changed when they open the record edit page, they don’t need to make any changes for the link to expire.
F.A.Q.
Is it possible to use the login form to show a list of records?
If you want to only show the list of records to people who are registered, you can set the destination of the login form to the page with the list shortcode. You can use the “record_page” attribute in the shortcode to direct the user to any page, for example:
[pdb_login record_page="show-list"]
How does the "brute-force" protection work?
Every time the form is tried, the attempt is recorded with a timestamp and and the user’s IP. If there are over 10 attempts in a hour from a single IP, that IP is not allowed any more attempts for an hour.
Can I change the number of login attempts are allowed before the IP is shut out?
Yes, it quires the use of a filter callback. The number of attempts allowed is filtered by pdb-login_max_attempts and defaults to 10. The time within which this number of attempts is allowed is filtered by pdb-login_attempt_timeframe and defaults to 1 hour in seconds, or 3600.
What if someone loses or forgets their password?
The plugin uses the “Resend Private Link” function that Participants Database uses. There is a setting to include the link in the login form. If someone doesn’t know their password, when they click the link and enter their identifying information (usually an email) a “private link” is sent to them that they can use to access their record. They can change their password at that time if they wish.
How secure is the login form?
The login form provides a reasonable amount of security for non-critical applications. While security is very important to the design and operation of Participants Database, the plugin is not recommended for storing high-value information such as credit card numbers, social security numbers, passwords, etc.
The level of security when using this plugin is largely determined by it’s configuration by the administrator. Security is always a trade-off between convenience and how hard it is to break in. If you opt for convenience, it will be at the expense of security, that’s just how it works.
This plugin is designed to be useful in low-security situations where things link single-field logins and plaintext passwords are desirable. The security can be enhanced by using encrypted strong passwords, and hard-to-guess usernames that are not publicly viewable.
How do I use encrypted passwords?
The first thing to do is to use a “Password” type field for your designated password field in the Participant Login settings.
If you want to use encrypted passwords, you will need to give the user the opportunity to create one. The way this usually works is when the record is created, either by a signup submission or in the backend, the user will receive an email (given that this is properly configured) with their “private link” that takes them to their editable record. They can enter a password at that time, then after that, they can use the PDB login form to access their record.
It is also possible to include the password field in the signup form so that the user can set their password when they sign up.
The use of encrypted passwords is not compatible with the use of plaintext passwords, so if there are records in the database that already have a value for the designated password field, changing the field type to or from a password type field can cause problems. If you do that, the data will become invalid, and cannot be used to validate a login.
If you were using plaintext passwords and decide you need to change to using encrypted passwords, you must have your users go to their record using the private link, then enter a password. After that, they can use the password in the login form.
Is there any way to find out what someone's password is?
If you are using encrypted passwords, there is no way to know what the password is. In that case, the user must set a new password. If you are using plaintext passwords, then yes, no problem, the password will be visible to an administrator. The password will also be visible to the user when they edit their record.
How can I prevent the private ID from being seen in the URL after they log in?
In the Participant Login settings enable the “Use Cookie” setting. Now, when someone uses the login form, they will be directed to the record edit form without any indication of the record ID or private ID in the URL.
Is it possible to direct the user to a different page depending on a value in their record?
Yes, there is a filter that is used to get the URL of the page the user goes to after they successfully log in. The filter is ‘pdb-login_after_validate_submission’ and it passes in the user’s record and whether it was validated or not. (This means this can also be used to change where they go if the login wasn’t valid.)
I have created a simple plugin that demonstrates how this can be done:
You can download this demo plugin and make the changes needed to work for your situation.
How can I add a CAPTCHA to the login form?
It is possible to add reCAPTCHA protection to the login form if you have the PDb reCAPTCHA add-on installed and working. You need to use a custom template, I have provided an example of the template you can use for this.
You will need to understand a bit about how custom templates are set up, ready this article for the details:
Using Participants Database Custom Templates
Once you have the template in the correct location, you can use that template in the login form with this shortcode:
[pdb_login template=recaptcha]
When a new users is added to the Participant Database the default form has a question asking if they would like to be included in the Mailing List. Now that I have some folks signed up I would like to e-mail those folks using WordPress each time a new blog post is published(using Post Status Notifier Plugin) but on order for that to work it appears they have to be assigned a WP Role for that to work. Does giving them this login page create a WP user record for them in addition to the Participant Database record so that I can email them? If not is there anyway to assign participants to a WP Role when they sign up?
People who register using Participants Database are not also WordPress users, they are separate. I am not sure how you would best do what you want to do, I’ve never looked into this. Normally, something like this would require some custom code that either adds your PDB signups as a WP user, or more simply, notifies everyone on your list when a new post is published.
This is actually a great feature idea for the Email Expansion Kit add-on, I’ll look into it.
lorielue, I just published an update to the Email Expansion Kit add-on that will email all your list members when a new blog post is published. How to set that up is explained in the “instructions” tab of the product description.
When a user creates a new account, the link takes them to the page, but it shows “no record is found”
Ive tried same page and putting the short cut on a thank you page.
If I set the password for them, they can then log in and edit their information. But this wont work. I bought about $100 worth of add on plugins hoping I could make this do what I need, but so far I’m a bit disappointed. I’ve been doing WordPress for a few years, and this is just frustrating.
thanks
Hi Chris,
Consult the “Setup Guide” in the admin menu to check your configuration and placement of shortcodes. The “Participant Record Page” is the page that is configured to be your record edit page, and the page the link provided in the email takes them to. On that page should go the [pdb_record] shortcode.
If you are using the “Pretty Permalinks” add-on, it is very important that it be configured correctly and the permalinks refreshed before testing those links. You may want to do your initial testing with that add-on deactivated.
Hi!
can we add a parameter in the shortcode [pdb login] or another, that will return on a different page according to a parameter defined and present in the Participant database ? Example: an Admin participant who would be returned on a page (PageA) and a Visitor participant returned on a page (pageB). Thanks
It’s possible, you’ll need to write some php to filter the redirect. I’ve put together an example plugin that shows how it would be done, you’ll need to modify it to your needs.
https://gist.github.com/xnau/6b9b703b719978d3fe2c9f990d8a2b3b
Hi,
I’m sorry but I think there is a problem in your php file. When I try to activate this plugin as you told me (after modification and without modification) here is the message I get:
https://user-images.githubusercontent.com/36070788/35727689-437d6a16-0809-11e8-9f31-33c205b3f7ce.png
Please can you help me ? :)
Thanks
Yes, you are correct, I shouldn’t have used the “public” keyword there. You can just remove it from the script if you want.
I have updated the gist, thank you for letting me know.
Hi!
Sorry to disturb you but when I install your redirect-PDB-login plugin, none of my shortcode [pdb_login] works and redirects me to an http error 500 page. Also, when I uninstall the redirect-PDB-login plugin all my [pdb_login] work. So does this come from my changes made during the switch / case or does it come from another problem. I specify that I only changed the $record [‘type’] and the value of $redirect in the cases.
Hi Andrew,
I’m sorry that script was so buggy! I had to make a couple of changes to get it to work. Please download the plugin from the gist page again. You will need to delete the one you have and start over…sorry for the inconvenience.
https://gist.github.com/xnau/6b9b703b719978d3fe2c9f990d8a2b3b
Hi,
i’m a new developper and i would like to know if it was possible to change the redirection page when a user connects to be redirected elsewhere than on the record_form and which files need to be modified?
Thanks :)
You can set up your redirection in the shortcode using the “action” attribute. For instance, when using the [pdb_record] shortcode, to redirect the user to a page named “update-thanks” after submitting the form, set up your shortcode like this:
Shortcode attributes are described in detail here:
Shortcodes and Their Attributes
Sorry, I didn’t understand you were referring to the Participant Login form.
For this one, you need to use the “record_page” attribute… like this (going to a page named “user-record”)
Hi Roland,
I apologize if this question has already been addressed, like many others that have posted, I am new to databases.
My question is: Each user (login) will have multiple entries. I would like to make sure that they may edit all their and only their entries.
The Participants Database Login only provides access to a single record that is associated with the user. It does not provide a persistent login that gives the user privileges. For that, your users need a WordPress registration and login.
Take a look at this article for a discussion of how to do something like what you describe: Using Participants Database with WordPress Users
I’m trying to do a multigroup signup, but all I’m getting is a “sign up” message. No name, address or anythin. This is the shortcode I’m using:
[[pdb_signup groups="contact,driver"]]
Any suggestions?
I know this might not be clear from the instructions, but when using the “groups” attribute, you also need to enable the individual fields in the “signup” column on the manage database fields page.
Hi Roland!
Thanks for an amazing plugin!
Have one question regarding this plugin, is it possible to generate a random password when the user registers?
Thanks
Ruben Salas
The plugin doesn’t have this built in, you can do something like this with javascript, if you know how to write the code.
Hi. I’m pretty new to this and I’m afraid I don’t understand how I get the log-out component working -I’ve read the instructions but I guess I’m to green to understand them. Could you please do screen shots of what the instructions mean, please.
Sorry to be such a nit-wit
All it is is a special URL that you can use to make a log out button or link. Let’s say your login page is
https://xnau.com/participant-login
well, to make a log out button just give the button (or text link) the URL
https://xnau.com/participant-login?pdb-logout
that’s it: you have to figure out where you want your log out link to be. I usually put it in as a menu item next to the “login” item.
Hi,
I am new to this plugin and quickly see how I will need to add on the Combo MultiSearch which I will if this question/problem can be solved.
I am making the database visible to all. However, I don’t want an entry added to the database if ALL the required fields have not been entered/filled.
My test allows a visitor to start an entry and then back out without providing the required fields. The entry is still added to the database without the required fields.
How do I prevent an entry from being added like this?
Other than that, this plugin is terrific!!!
Are you using a multiple-page form? With a single page form, a new record is not created unless all the validations are met. Using a multiple-page form, each page is a separate form submission, so if the first page is complete, but the second is not, the first page will still be in the database.
Hi! I’ve got Participant Database running on my website and actually my usersgoes to their page with private link.
Now I’d like to implement access to their page only if they’re logged in with username and password.
Cai I do this with this addon?
Yes, it’s possible, but you don’t need the add-on for that. If they are already logged in, you can use their user ID or username to show a Participants Database record that is linked to their WordPress account. You have to set this up by creating a field in Participants Database that holds their WP account ID or username.
This article explains how that can be done:
Using Participants Database with WordPress Users