modules/private_number/README.txt

$Id$


Description
---------------
Private Number defines a CCK field type for numbers which should be kept 
private, such as government-issued identification or account numbers. The 
module enables two of the industry standard best practices for handling 
confidential data: masking the number when viewed by users without view private 
number access permission and encrypting the number with a md5 block cipher in 
128 bit CFB mode when stored.

Private Number fields can optionally have a validation pattern, which 
will both validate input and provide a human-readable form of the pattern for 
field descriptions and error messages. The module exposes a hook for private 
number access to be integrated with contributed or custom modules.

2009-04-06: Going forward, 5.x will be supported with bug fixes only. A demo 
of Private Number can be viewed at http://demo.ossemble.com.


Dependencies
---------------
CCK Content module


Related Modules
---------------
Secure Pages (http://drupal.org/project/securepages)
  private information should also be encrypted during transmission via SSL.

GnuPG (http://drupal.org/project/gnupg)
  OpenPGP API for encrypting emails.

encrypted_text (http://drupal.org/project/encrypted_text)
  CCK widget that encrypts fields with MySQL's AES_ENCRYPT() function, but 
  does not handle access for display.


Features
---------------
* Access permissions

  Private Number introduces two access permissions, view private number and 
  view own private number. Private numbers are displayed as 'Ending in 123' for 
  users without this permission. The number of digits displayed can be changed 
  in Site Configuration, or set to 0 which would show <hidden>.

* md5 block cipher encryption

  Private Number data can optionally be stored in the database with md5 block 
  cipher encryption. This setting is recommended enabled to help thwart 
  identity theft if access to your database becomes compromised. A unique 
  site key must be set in either the $conf array of settings.php or in an 
  external file outside of docroot. See Key Management below.

* Validation patterns

  Validation patterns can optionally be added for any Private Number field. 
  In addition, validation patterns will (usually) output a human-readable form 
  for field descriptions and error messages. The human regex error messages can 
  be disabled at the field level. See Validation Patterns below.

* Third-party module integration

  Private Number can be integrated with contributed or custom modules by 
  implementing hook_private_number_access() to enable view or edit access. See
  Developers below.


Installation
---------------
1. install module: copy private_number directory and all its contents to your 
   modules directory
2. enable module: admin/build/modules
3. configure module: admin/settings/private_number
4. configure access permissions: admin/user/permissions#module-private_number
5. set a unique site key before using module: see Key Management below


Download
---------------
Download package and report bugs, feature requests, or submit a patch from the 
project page on the Drupal web site.
http://drupal.org/project/private_number


Key Management
---------------
Private Number implements md5 block cipher encryption which requires a unique 
cipher (or site) key. Note that changing the key will make previously stored 
Private Numbers unreadable! By default, a site key is set in the $conf array of 
settings.php with the $conf['private_number_key'] variable. 

For more security, use the site key path and create a text file named 
private_number.key one level above the Drupal installation (e.g. above www).
Place your key on the first line of that file. Change permissions on the 
file to 0444. The file can be moved to another location or name changed by 
altering the $conf['private_number_key_file'] variable.


Validation Patterns
-------------------
Private Number validation patterns are passed through preg_match with start and 
end of string delimiters automatically appended. It is beyond the scope of the
module to provide support for crafting your own regular expressions, but there
are numerous resources on the subject (a particularly good one is
http://www.regular-expressions.info/examples.html).

Examples of common validation patterns:

For a U.S. telephone number, the pattern would be:
$pattern='\(\d{3}\) \d{3}\-\d{4}';

which would output in human-readable form as:
(999) 999-9999

For a U.S. social security number, the pattern would be:
$pattern='\d{3}\-\d{2}\-\d{4}';

which would output in human-readable form as:
999-99-9999

We chose to use phrases for quantifiers because it provided more understandable 
output than the 9 notation, but can quickly get cumbersome when more than one
quantifier is used in an expression.

\d?     0 or 1 digit
\d+     1 or more digits
\d*     0 or more digits
\d{1,3} 1 to 3 digits

Be sure to escape meta characters in your validation pattern. For more 
information on preg_match, visit this page: 
http://us.php.net/manual/en/function.preg-match.php


Developers
---------------
Private Number can be integrated with contributed or custom modules by 
implementing hook_private_number_access() to enable view or edit access.

Examples:

// View all friend's private number fields (in pseudo code).
function example_private_number_access($op, $node, $field, $account) {
  if ($op == 'view') {
    if ($account->uid IS FRIEND OF $node->uid) return TRUE;
  }
}

// Enable users in role ID 3 to edit a private number field named field_secret.
function example_private_number_access($op, $node, $field, $account) {
  if ($op == 'edit' && $field['field_name'] == 'field_secret') {
    if (in_array(3, array_keys($account->roles))) return TRUE;
  }
}


Author
---------------
John Money
ossemble LLC.
http://ossemble.com
What can we ossemble for you? ossemble provides web application development and 
consulting for mission-critical Drupal projects.

Module development sponsored by LifeWire, a service of About.com, a part of 
The New York Times Company.
http://www.lifewire.com
1	$Id$
2
3
4	Description
5	---------------
6	Private Number defines a CCK field type for numbers which should be kept
7	private, such as government-issued identification or account numbers. The
8	module enables two of the industry standard best practices for handling
9	confidential data: masking the number when viewed by users without view private
10	number access permission and encrypting the number with a md5 block cipher in
11	128 bit CFB mode when stored.
12
13	Private Number fields can optionally have a validation pattern, which
14	will both validate input and provide a human-readable form of the pattern for
15	field descriptions and error messages. The module exposes a hook for private
16	number access to be integrated with contributed or custom modules.
17
18	2009-04-06: Going forward, 5.x will be supported with bug fixes only. A demo
19	of Private Number can be viewed at http://demo.ossemble.com.
20
21
22	Dependencies
23	---------------
24	CCK Content module
25
26
27	Related Modules
28	---------------
29	Secure Pages (http://drupal.org/project/securepages)
30	private information should also be encrypted during transmission via SSL.
31
32	GnuPG (http://drupal.org/project/gnupg)
33	OpenPGP API for encrypting emails.
34
35	encrypted_text (http://drupal.org/project/encrypted_text)
36	CCK widget that encrypts fields with MySQL's AES_ENCRYPT() function, but
37	does not handle access for display.
38
39
40	Features
41	---------------
42	* Access permissions
43
44	Private Number introduces two access permissions, view private number and
45	view own private number. Private numbers are displayed as 'Ending in 123' for
46	users without this permission. The number of digits displayed can be changed
47	in Site Configuration, or set to 0 which would show <hidden>.
48
49	* md5 block cipher encryption
50
51	Private Number data can optionally be stored in the database with md5 block
52	cipher encryption. This setting is recommended enabled to help thwart
53	identity theft if access to your database becomes compromised. A unique
54	site key must be set in either the $conf array of settings.php or in an
55	external file outside of docroot. See Key Management below.
56
57	* Validation patterns
58
59	Validation patterns can optionally be added for any Private Number field.
60	In addition, validation patterns will (usually) output a human-readable form
61	for field descriptions and error messages. The human regex error messages can
62	be disabled at the field level. See Validation Patterns below.
63
64	* Third-party module integration
65
66	Private Number can be integrated with contributed or custom modules by
67	implementing hook_private_number_access() to enable view or edit access. See
68	Developers below.
69
70
71	Installation
72	---------------
73	1. install module: copy private_number directory and all its contents to your
74	modules directory
75	2. enable module: admin/build/modules
76	3. configure module: admin/settings/private_number
77	4. configure access permissions: admin/user/permissions#module-private_number
78	5. set a unique site key before using module: see Key Management below
79
80
81
82	Download
83	---------------
84	Download package and report bugs, feature requests, or submit a patch from the
85	project page on the Drupal web site.
86	http://drupal.org/project/private_number
87
88
89	Key Management
90	---------------
91	Private Number implements md5 block cipher encryption which requires a unique
92	cipher (or site) key. Note that changing the key will make previously stored
93	Private Numbers unreadable! By default, a site key is set in the $conf array of
94	settings.php with the $conf['private_number_key'] variable.
95
96	For more security, use the site key path and create a text file named
97	private_number.key one level above the Drupal installation (e.g. above www).
98	Place your key on the first line of that file. Change permissions on the
99	file to 0444. The file can be moved to another location or name changed by
100	altering the $conf['private_number_key_file'] variable.
101
102
103	Validation Patterns
104	-------------------
105	Private Number validation patterns are passed through preg_match with start and
106	end of string delimiters automatically appended. It is beyond the scope of the
107	module to provide support for crafting your own regular expressions, but there
108	are numerous resources on the subject (a particularly good one is
109	http://www.regular-expressions.info/examples.html).
110
111	Examples of common validation patterns:
112
113	For a U.S. telephone number, the pattern would be:
114	$pattern='\(\d{3}\) \d{3}\-\d{4}';
115
116	which would output in human-readable form as:
117	(999) 999-9999
118
119	For a U.S. social security number, the pattern would be:
120	$pattern='\d{3}\-\d{2}\-\d{4}';
121
122	which would output in human-readable form as:
123	999-99-9999
124
125	We chose to use phrases for quantifiers because it provided more understandable
126	output than the 9 notation, but can quickly get cumbersome when more than one
127	quantifier is used in an expression.
128
129	\d? 0 or 1 digit
130	\d+ 1 or more digits
131	\d* 0 or more digits
132	\d{1,3} 1 to 3 digits
133
134	Be sure to escape meta characters in your validation pattern. For more
135	information on preg_match, visit this page:
136	http://us.php.net/manual/en/function.preg-match.php
137
138
139	Developers
140	---------------
141	Private Number can be integrated with contributed or custom modules by
142	implementing hook_private_number_access() to enable view or edit access.
143
144	Examples:
145
146	// View all friend's private number fields (in pseudo code).
147	function example_private_number_access($op, $node, $field, $account) {
148	if ($op == 'view') {
149	if ($account->uid IS FRIEND OF $node->uid) return TRUE;
150	}
151	}
152
153	// Enable users in role ID 3 to edit a private number field named field_secret.
154	function example_private_number_access($op, $node, $field, $account) {
155	if ($op == 'edit' && $field['field_name'] == 'field_secret') {
156	if (in_array(3, array_keys($account->roles))) return TRUE;
157	}
158	}
159
160
161	Author
162	---------------
163	John Money
164	ossemble LLC.
165	http://ossemble.com
166	What can we ossemble for you? ossemble provides web application development and
167	consulting for mission-critical Drupal projects.
168
169	Module development sponsored by LifeWire, a service of About.com, a part of
170	The New York Times Company.
171	http://www.lifewire.com