One method around this is performing the hashing manually. To do this you have to tell your users controller you want to perform your own hashing. Edit
/app/controllers/users_controller.php and add the following function:
function beforeFilter(){
parent::beforeFilter();
if($this->action == 'add' || $this->action == 'edit' || $this->action == 'password'){
$this->Auth->authenticate = $this->User;
}
}Now when you are using the add or edit actions authentication is done manually. You'll see why the action password is in there later.
Next edit the users model
/app/model/users.php and add the following functions:
function hashPasswords($data, $enforce=false) {
if($enforce && isset($this->data[$this->alias]['password'])) {
if(!empty($this->data[$this->alias]['password'])) {
$this->data[$this->alias]['password'] = Security::hash($this->data[$this->alias]['password'], null, true);
}
}
return $data;
}
function beforeSave() {
$this->hashPasswords(null, true);
return true;
}Now your users model will hash the passwords before save, allowing validation to take place first.
Another problem, however, is when editing a user, the hashed password is used in the password field of the form and becomes hashed again on save, actually changing the password! I'm surprised this issue isn't addressed in the core of CakePHP.
One way around this is to modify your edit view to clear the password field of the hashed password. Edit
/app/views/users/edit.ctp and change this
echo $this->Form->input('password'); to this
echo $this->Form->input('password', array('value' => '')); This will require you to enter a password every time you edit the user because your validation is set to require 5 characters in the password field.
So to get around that simply remove the
password field from your edit form. You can also remove the edit action from your beforeFilter function in the users controller. Now you can edit the user without worrying about the password.
Then, to edit the password create a
password function in your controller and a separate view. Edit /app/controllers/users_controller.php and add this function:
function password($id = null){
/* Only edit own account unless admin */
if(!$this->Auth->user('admin')){
$id = $this->Auth->user('id');
}
if (!$id && empty($this->data)) {
$this->Session->setFlash(__('Invalid user', true));
$this->redirect(array('action' => 'index'));
}
if (!empty($this->data)) {
if ($this->User->save($this->data, array('fieldList' => array('password')))) {
$this->Session->setFlash(__('The password has been saved', true));
$this->redirect(array('action' => 'index'));
} else {
$this->Session->setFlash(__('The password could not be saved. Please, try again.', true));
}
}
if (empty($this->data)) {
$this->data = $this->User->read(null, $id);
/* Don't display current hashed password */
$this->data['User']['password'] = '';
}
Now create /app/views/users/password.ctp
<div class="users form">
<?php echo $this->Form->create('User'); ?>
<fieldset><legend>Change Password</legend>
<?php
echo $this->Form->hidden('id');
echo $this->Form->input('password', array('label' => 'New Password'));
echo $this->Form->input('confirm_password', array('type' => 'password'));
?>
</fieldset>
<?php echo $this->Form->end('Save Password'); ?>
</div>
Then modify your users model /app/models/user.php and add the following validation rules and functions:
'password' => array(
'Your password must be at least 5 characters' => array(
'rule' => array('minlength', 5)
),
'You must enter the same password twice' => array(
'rule' => array('matchPasswords', 'confirm_password'),
'on' => 'update'
)
),
'confirm_password' => array(
'rule' => 'notEmpty'
)
function matchPasswords($data, $confirm_password){
if ($data['password'] != $this->data[$this->alias][$confirm_password]) {
$this->invalidate($confirm_password, 'You must enter the same password twice');
return false;
}
return true;
}Set appropriate authentication as desired, upload the files and you should be all set.
No comments:
Post a Comment