On 9/7/07, David <[EMAIL PROTECTED]> wrote:
> Sorry, I wasn't clear. I've never seen Auth hash the username, but it
> will hash the password if both it and a username are passed to the
> action. While this is great if we're in the login action, what if
> we're in the register action? By the time we've got to our register
> code, Auth has automatically hashed the password for us, meaning that
> we can't do things like check its length or check that it has some non-
> alphanumeric characters in it.
There's an easy way to get around that problem: when you use a second
field for verifying what the user has entered as a password, you can
use that second field to check for things like length or
non-alphanumeric characters, etc. I did a similar thing for a project
and put the code into a model's beforeSave():
function beforeSave() {
    // Only handle a password change on an existing record.
    if ($this->id) {
        if (isset($this->data['Client']['oldpsword']) &&
            isset($this->data['Client']['newpsword1']) &&
            isset($this->data['Client']['newpsword2'])) {
            // Hash the submitted old password the same way Auth does and compare it
            // with the stored hash. Strict comparison (===): with == PHP would treat
            // two numeric-looking hashes such as "0e123..." and "0e456..." as equal.
            if (Security::hash(CAKE_SESSION_STRING . $this->data['Client']['oldpsword'])
                    === $this->field('psword')) {
                // Both new password fields are still plain text at this point, so they
                // can be compared (or length/character checked) before hashing.
                if ($this->data['Client']['newpsword1'] === $this->data['Client']['newpsword2']) {
                    $this->data['Client']['psword'] =
                        Security::hash(CAKE_SESSION_STRING . $this->data['Client']['newpsword1']);
                    return true;
                } else {
                    $this->invalidate('newpsword2');
                    return false;
                }
            } else {
                $this->invalidate('oldpsword');
                return false;
            }
        }
    }
    return true;
}
The Security::hash thing is kind of ugly. I *think* you can use
$this->Auth->password() instead but I'd actually have to try it before
verifying it.
> >
> > > - In addition to setting the component's $allowedActions, you can
> > > specify which actions should always be allowed (even if not logged in)
> >
> > $allowedActions = array('foo', 'bar', 'baz');
> > $this->Auth->allowedActions = $allowedActions;
> >
> > This will allow non-authenticated users to access any of the actions
> > in the $allowedActions array.
>
> I'm not denying that this functionality exists already - I just
> dislike having to define a beforeFilter in all of my controllers to do
> it. I implemented an additional method where you could set $allow =
> array('foo', 'bar', 'baz') at the top of the controller to do the same
> thing. It's been a while since I used Rails, but I believe that's the
> way those guys do it.
Tomayto, tomahto I guess.
>
> I think that the default behaviour you're talking about is pretty
> standard, but I wasn't talking about authentication - I was talking
> about authorization, i.e. the case that a logged-in user tries to
> access a page that they're not allowed to. Since they're already
> logged in there's no point sending them to the login page: Auth's
> default behaviour is to send them back to the referring page, but I
> wanted the option of specifying a default 'you do not have adequate
> permissions' page.
Wait, I remember now. If you set $this->Auth->authorize() to
'controller', you can add in an action to your controller called
isAuthorized() where you can do some authorization checks. Here's an
example of what I've done:
function isAuthorized() {
    // Any action whose name contains 'admin_' (the admin-routing prefix)
    // is only open to users whose role is 'admin'.
    if (stristr($this->action, 'admin_')) {
        if ($this->Auth->user('role') == 'admin') {
            return true;
        }
        return false;
    }
    // Everything else is open to any logged-in user.
    return true;
}
Hope this stuff helps.
--
Chris Hartjes
Senior Developer
Cake Development Corporation
My motto for 2007: "Just build it, damnit!"
@TheBallpark - http://www.littlehart.net/attheballpark
@TheKeyboard - http://www.littlehart.net/atthekeyboard
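An added example of the approach Chris describes (not code from the thread): a CakePHP 1.2-style model that validates the still-unhashed confirmation field for length and a non-alphanumeric character, then checks it against the password Auth has already hashed. Assumed names are the User model, the fields password and password_confirm, and the CAKE_SESSION_STRING salt used in the thread's code.

```php
<?php
// Added example, not the thread's code. Auth has already hashed
// $this->data['User']['password'] by the time the register action runs,
// so all strength checks are done on the plain-text 'password_confirm'.
// Assumed: salt constant CAKE_SESSION_STRING, as in the thread; on builds
// where Auth salts with Security.salt, use Configure::read('Security.salt').
class User extends AppModel {
    var $name = 'User';

    var $validate = array(
        'password_confirm' => array(
            'strength' => array(
                'rule'    => array('passwordStrength'),
                'message' => 'Use at least 8 characters including one non-alphanumeric character.'
            ),
            'matches' => array(
                'rule'    => array('passwordMatches'),
                'message' => 'Passwords do not match.'
            )
        )
    );

    // Custom rule: $data is array('password_confirm' => value). The value is
    // plain text here, so length and character-class checks still work.
    function passwordStrength($data) {
        $plain = array_shift($data);
        if (strlen($plain) < 8) {
            return false;
        }
        return preg_match('/[^a-zA-Z0-9]/', $plain) == 1;
    }

    // Custom rule: hash the confirmation the same way Auth hashed 'password'
    // and compare strictly (== would treat two "0e..." digit strings as equal).
    function passwordMatches($data) {
        $plain = array_shift($data);
        if (empty($this->data[$this->alias]['password'])) {
            return false;
        }
        $expected = Security::hash(CAKE_SESSION_STRING . $plain);
        return $expected === $this->data[$this->alias]['password'];
    }
}
?>
```

Because both rules live on password_confirm, a plain $this->User->save($this->data) in the register action runs them before anything is written.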
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Cake
PHP" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---