Thanks for your answer Ken, but the signin action uses
sfGuardValidatorUser, which passes the user object through it.
Here is the 'doClean' method, which calls 'findOneByUsername' and not
'retrieveByUsername', so the user's status is never checked.

//plugins/sfDoctrineGuardPlugin/lib/validator/sfGuardValidatorUser.class.php
class sfGuardValidatorUser extends sfValidatorBase
  ....
  ...
  protected function doClean($values)
  {
    $username = isset($values[$this->getOption('username_field')]) ? $values[$this->getOption('username_field')] : '';
    $password = isset($values[$this->getOption('password_field')]) ? $values[$this->getOption('password_field')] : '';

    // user exists? (lookup is by username only; is_active is not consulted)
    if ($user = Doctrine::getTable('sfGuardUser')->findOneByUsername($username))
    {
      // password is ok?
      if ($user->checkPassword($password))
      {
        return array_merge($values, array('user' => $user));
      }
    }

    if ($this->getOption('throw_global_error'))
    {
      throw new sfValidatorError($this, 'invalid');
    }

    throw new sfValidatorErrorSchema($this, array($this->getOption('username_field') => new sfValidatorError($this, 'invalid')));
  }



Thanks !

On 7 May, 01:01, Ken Marfilla <[email protected]> wrote:
> It does, if you will look closely at PluginsfGuardUserTable.php
>
> class PluginsfGuardUserTable extends Doctrine_Table
> {
>   public static function retrieveByUsername($username, $isActive =
> true)
>   {
>     return Doctrine_Query::create()
>             ->from('sfGuardUser u')
>             ->where('u.username = ?', $username)
>             ->addWhere('u.is_active = ?', $isActive)
>             ->fetchOne();
>   }
>
> }
>
> On May 7, 4:09 am, Gary Rojas <[email protected]> wrote:
>
> > I was reviewing how sfDoctrineGuardPlugin controls the sign in and I
> > found that this plugin doesn't make any validation about the status of
> > the user (I think this should be with the is_active field). I realized
> > this because I have a user with is_active = 0 and this user can
> > sign in without any problems.
>
> > My doubt is whether this behavior is normal and we have to ensure it,
> > or maybe it is a security problem.
>
> > Thanks for your answers.
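To make the difference between the two lookups concrete, here is an added example (not code from sfDoctrineGuardPlugin or from anyone in this thread). It replaces the Doctrine table with an in-memory array of constructed sample users and re-implements the two lookups the thread talks about: a username-only lookup standing in for findOneByUsername(), and a username-plus-is_active lookup standing in for the retrieveByUsername() query Ken quoted. The user names, passwords and the plaintext checkPassword() stand-in are assumptions for the demo only.

```php
<?php
// Added example, not sfDoctrineGuardPlugin code: a minimal stand-in for the
// user lookup inside sfGuardValidatorUser::doClean(), showing why an inactive
// user passes when the validator looks up by username only, and is rejected
// when the lookup also filters on is_active.

// Constructed sample users (hypothetical; not from the thread).
$users = array(
    array('username' => 'alice', 'password' => 'secret', 'is_active' => true),
    array('username' => 'bob',   'password' => 'secret', 'is_active' => false),
);

// Stand-in for Doctrine::getTable('sfGuardUser')->findOneByUsername():
// matches on username only and never looks at is_active.
function findOneByUsername(array $users, $username)
{
    foreach ($users as $user) {
        if ($user['username'] === $username) {
            return $user;
        }
    }
    return null;
}

// Stand-in for PluginsfGuardUserTable::retrieveByUsername() as quoted by Ken:
// matches on username AND is_active (default true).
function retrieveByUsername(array $users, $username, $isActive = true)
{
    foreach ($users as $user) {
        if ($user['username'] === $username && $user['is_active'] === $isActive) {
            return $user;
        }
    }
    return null;
}

// Stand-in for sfGuardUser::checkPassword(); plaintext comparison for the demo only.
function checkPassword(array $user, $password)
{
    return $user['password'] === $password;
}

// The validator's decision from doClean(), parameterised by which lookup it uses:
// a user is let through only if the lookup finds them and the password matches.
function signInAllowed($lookup, array $users, $username, $password)
{
    $user = call_user_func($lookup, $users, $username);
    return $user !== null && checkPassword($user, $password);
}

foreach (array('alice', 'bob') as $name) {
    printf("%-5s via findOneByUsername: %s\n", $name,
        signInAllowed('findOneByUsername', $users, $name, 'secret') ? 'allowed' : 'denied');
    printf("%-5s via retrieveByUsername: %s\n", $name,
        signInAllowed('retrieveByUsername', $users, $name, 'secret') ? 'allowed' : 'denied');
}
```

Run with `php` on the command line: the active user is allowed by both lookups, while the user with is_active = 0 is allowed by the username-only lookup and denied by the is_active-filtered one, which is exactly the situation Gary describes. In the real validator the corresponding change is to have doClean() obtain the user through the is_active-aware query (the retrieveByUsername() Ken quoted) instead of findOneByUsername(), so that a deactivated account fails validation before checkPassword() is ever reached.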
You received this message because you are subscribed to the Google Groups "symfony users" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/symfony-users?hl=en