Thanks for the feedback, guys.
> Well, actually, the easiest way to solve this problem is....don't put
> login in the list of allowed actions because Auth already handles
> login / logout for you. Perhaps this needs to be written down
> somewhere.
I agree with you, but I thought why not go one step further? You know
that you want to use Auth's login functionality if you're in the login
action, so why leave it up to the user to specify this (by
paradoxically not 'allowing' the login action), instead of making Auth
do it automatically? I know it would have saved me a lot of time when
I was getting to grips with Auth...
> I've never seen the username being hashed, so definitely unexpected
> behaviour. You can also very easily do validation checks on a hashed
> password because if someone gives you the password, you can use
> $this->Auth->password('stringcontaininguserenteredpassword') and
> verify it against what's been stored in your database.
Sorry, I wasn't clear. I've never seen Auth hash the username, but it
will hash the password if both it and a username are passed to the
action. While this is great if we're in the login action, what if
we're in the register action? By the time we've got to our register
code, Auth has automatically hashed the password for us, meaning that
we can't do things like check its length or check that it has some non-
alphanumeric characters in it.
> > - Login succeeds on a blank username and password
>
> Never seen that either.
Maybe it's a setup issue, but I don't seem to be the only person
that's experiencing this:
http://groups.google.com/group/cake-php/browse_thread/thread/871ff4c536bc1e00/110ba97bd8a04a23?lnk=gst&q=auth&rnum=11#110ba97bd8a04a23
>
> > - The component seems to ignore loginRedirect and always redirects
> > back to the referring page
>
> Hrm. I'm sensing a pattern here. It seems to me that getting a
> proper Auth configuration is really difficult due to the lack of
> extensive tutorials out there.
I couldn't agree more about the lack of tutorials, but I'm not sure
that this is a configuration issue. The only time loginRedirect is
used in the whole of Auth is inside the redirect() function: if
there's no redirect URL set in the session then we go to the URL
specified by loginRedirect. However, there will always be a URL set in
the session because every time we display the login page we set the
session URL to the page we've come from (line 272).
> > - You can automatically store data from models other than the
> > $userModel in the session, and access them through the user() function
>
> Well, I suppose you could load that info into the session via other
> means. I'd like to see an example of when you need to grab
> authenticated-user information from more than one model.
I have a directory of people. People can add themselves (in which case
they get a username and password) or they can be added by other people
(in which case they don't). Because of this I have had to split the
user data into a table with the login information, and a table with
their personal information (name, etc). This guy also seems to have
the same requirement:
http://groups.google.com/group/cake-php/browse_thread/thread/deb393fc04849829/7755ec7216bdf758?lnk=gst&q=auth&rnum=23#7755ec7216bdf758
>
> > - In addition to setting the component's $allowedActions, you can
> > specify which actions should always be allowed (even if not logged in)
>
> $allowedActions = array('foo', 'bar', 'baz');
> $this->Auth->allowedActions = $allowedActions;
>
> This will allow non-authenticated users to access any of the actions
> in the $allowedActions array.
I'm not denying that this functionality exists already - I just
dislike having to define a beforeFilter in all of my controllers to do
it. I implemented an additional method where you could set $allow =
array('foo', 'bar', 'baz') at the top of the controller to do the same
thing. It's been a while since I used Rails, but I believe that's the
way those guys do it.
>
> > - You can specify an action to redirect to if the authorization fails,
> > or you can choose to always redirect back to the last page
>
> Hrm. I know the default behaviour is to send you to the login page if
> you are not authenticated. Without digging deeper, I don't know if
> you can change that.
I think that the default behaviour you're talking about is pretty
standard, but I wasn't talking about authentication - I was talking
about authorization, i.e. the case that a logged-in user tries to
access a page that they're not allowed to. Since they're already
logged in there's no point sending them to the login page: Auth's
default behaviour is to send them back to the referring page, but I
wanted the option of specifying a default 'you do not have adequate
permissions' page.
> Don't see the need to make a controller available in a view, but that's just
> me.
I admit it's probably lazy of me and I should define a helper, but I
wanted to be able to check whether someone was logged in in a view.
Anyway, thanks for replying - I just wanted to reply to your comments.
I wanted to check that I hadn't fundamentally misunderstood how Auth
works in some way before I submitted any tickets :)
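
The register-action problem discussed above, as an added example that is not part of the original message or of CakePHP's code: once a submitted password has been replaced by its hash, length and character rules no longer test what the user typed, so they have to run on the plaintext before hashing. `hashPassword()` and `checkPasswordPolicy()` are hypothetical helpers, and salted SHA-1 is an assumption standing in for the framework's hashing, used only to show the shape of a digest.

```php
<?php
// Added illustration; not CakePHP code. hashPassword() is a hypothetical
// stand-in for a framework hashing the submitted password before the
// action runs. Salted SHA-1 is an assumption made for the demo only.
function hashPassword(string $plain, string $salt): string
{
    return sha1($salt . $plain);
}

// Hypothetical policy: minimum length plus one non-alphanumeric character.
function checkPasswordPolicy(string $candidate, int $minLength = 8): array
{
    $errors = [];
    if (strlen($candidate) < $minLength) {
        $errors[] = 'too short';
    }
    if (!preg_match('/[^A-Za-z0-9]/', $candidate)) {
        $errors[] = 'needs a non-alphanumeric character';
    }
    return $errors;
}

$salt = 'constructed-demo-salt';              // constructed value
$submitted = ['abc', 'correct horse!9', ''];  // constructed sample inputs

foreach ($submitted as $plain) {
    $hashed = hashPassword($plain, $salt);

    // Checking after hashing: every digest is 40 hex characters, so the
    // length rule always passes and the symbol rule always fails,
    // whatever the user typed (including an empty password).
    $afterHash = checkPasswordPolicy($hashed);

    // Checking the plaintext first gives the intended result.
    $beforeHash = checkPasswordPolicy($plain);

    printf(
        "%-18s before hashing: %-50s after hashing: %s\n",
        var_export($plain, true),
        $beforeHash ? implode(', ', $beforeHash) : 'ok',
        implode(', ', $afterHash)
    );
}
```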