On 9/6/07, David <[EMAIL PROTECTED]> wrote:
>
> Hi guys,
>
> I'm quite new to Cake, so forgive me if any of this sounds stupid/
> unnecessary. I've been playing around with Cake 1.2's Auth component,
> and found that there were a few things slightly awry with it:
>
> - If you put 'login' or '*' in the allowed actions, the login code is
> never called, meaning you have to fill in the controller's login()
> function yourself (a lot of people seem to have been doing this)

Well, actually, the easiest way to solve this problem is... don't put
login in the list of allowed actions because Auth already handles
login / logout for you.  Perhaps this needs to be written down
somewhere.

> - Passwords are always hashed (in any action) if the username is also
> passed. This can mess up the registration process because you can't
> perform validation checks on a hashed password

I've never seen the username being hashed, so definitely unexpected
behaviour.  You can also very easily do validation checks on a hashed
password because if someone gives you the password, you can use
$this->Auth->password('stringcontaininguserenteredpassword') and
verify it against what's been stored in your database.

Speaking from my own personal experience in this matter, your
application should never store an unencrypted password ANYWHERE.  Have
the user prove that they know the password, not the system telling
them what it is.  If they can't remember it, let them create a new
one.  Again, just my own personal experience working with large sites
that have problems with people trying to hack away at passwords.

> - Login succeeds on a blank username and password

Never seen that either.

> - The component seems to ignore loginRedirect and always redirects
> back to the referring page
>

Hrm.  I'm sensing a pattern here.  It seems to me that getting a
proper Auth configuration is really difficult due to the lack of
extensive tutorials out there.  Here's a sample Auth configuration
from a real-world project in AppController::beforeFilter():

        $admin = Configure::read('Routing.admin');
        $this->Auth->fields = array('username' => 'email', 'password' => 'pasword');
        $this->Auth->loginAction = array('controller' => 'users', 'action' => 'login', 'prefix' => $admin, $admin => false);
        $this->Auth->loginRedirect = array('controller' => 'users', 'action' => 'index', 'prefix' => $admin, $admin => false);
        $this->Auth->logoutRedirect = '/';
        $this->Auth->loginError = __('Invalid e-mail / password combination.  Please try again', true);
        $this->Auth->autoRedirect = false;
        $this->Auth->authorize = 'controller';

I highly suggest checking out what is in the API about Auth:

http://api.cakephp.org/1.2/class_auth_component.html

As that gives a great idea of what can and cannot be set.

>
> I also added some functionality that I felt was missing:
>
> - If you add 'last_login' to the $fields array, the component will
> automatically set the last login datetime for the user when they log
> in

I like that idea.

> - You can automatically store data from models other than the
> $userModel in the session, and access them through the user() function

Well, I suppose you could load that info into the session via other
means.  I'd like to see an example of when you need to grab
authenticated-user information from more than one model.

> - In addition to setting the component's $allowedActions, you can
> specify which actions should always be allowed (even if not logged in)

$allowedActions = array('foo', 'bar', 'baz');
$this->Auth->allowedActions = $allowedActions;

This will allow non-authenticated users to access any of the actions
in the $allowedActions array.

> - You can specify an action to redirect to if the authorization fails,
> or you can choose to always redirect back to the last page

Hrm.  I know the default behaviour is to send you to the login page if
you are not authenticated.  Without digging deeper, I don't know if
you can change that.

> - You can specify messages to flash when the user logs in successfully
> and when the user needs to be logged in and is redirected to the login
> page

Interesting idea.

> - The controller is automatically made available in views via the
> $cauth variable

Don't see the need to make a controller available in a view, but that's just me.

>
> Anyway, I'm posting it here in case anyone finds it useful, and as a
> suggestion as to how the Auth component might want to evolve. I've
> tried to put in as many comments as possible, so it should be
> relatively easy to figure out. To use it, just download the file,
> rename it to cauth.php and put it in your components directory. You'll
> need to look through the global vars at the top to get an idea of how
> it works.

I'm with Grant on this one too:  you have a bunch of really good ideas
so create tickets for them over at https://trac.cakephp.org and we (I
use the "we" of the core development team since I am part of it) will
take a look at them.

-- 
Chris Hartjes
Senior Developer
Cake Development Corporation

My motto for 2007:  "Just build it, damnit!"

@TheBallpark - http://www.littlehart.net/attheballpark
@TheKeyboard - http://www.littlehart.net/atthekeyboard
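Added example (not part of Chris's reply or the CakePHP source): a minimal CakePHP 1.2 setup that puts together the points made above, an Auth configuration in AppController::beforeFilter() modelled on the one quoted, a login() action left empty so the component does the credential check itself, and a registration action that validates the password confirmation by hashing it with $this->Auth->password() and comparing hashes, so no clear-text password is ever stored or inspected. The users table columns (email, password), the password_confirm form field, the register and display action names and the flash messages are all assumptions for the example.

```php
<?php
// Added example, not code from the thread or from CakePHP itself.
// Assumes a users table with 'email' and 'password' columns and a
// registration form that posts a 'password_confirm' field.

class AppController extends Controller {
    var $components = array('Auth', 'Session');

    function beforeFilter() {
        // Which columns of the users table hold the credentials.
        $this->Auth->fields = array('username' => 'email', 'password' => 'password');
        $this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
        $this->Auth->loginRedirect = array('controller' => 'users', 'action' => 'index');
        $this->Auth->logoutRedirect = '/';
        $this->Auth->loginError = __('Invalid e-mail / password combination.  Please try again', true);
        $this->Auth->authorize = 'controller';
        // Actions reachable without logging in. 'login' is deliberately
        // NOT listed here: listing it would bypass Auth's own login code.
        $this->Auth->allowedActions = array('display');
    }

    // Required when authorize = 'controller'; any logged-in user may proceed.
    function isAuthorized() {
        return true;
    }
}

class UsersController extends AppController {
    var $name = 'Users';

    function beforeFilter() {
        parent::beforeFilter();
        // Registration must be reachable by anonymous visitors.
        $this->Auth->allow('register');
    }

    // Empty on purpose: AuthComponent::startup() reads the posted
    // e-mail / password, hashes the password, checks it against the
    // stored hash and redirects to loginRedirect on success.
    function login() {
    }

    function logout() {
        // Auth::logout() clears the session and returns logoutRedirect.
        $this->redirect($this->Auth->logout());
    }

    function register() {
        if (!empty($this->data)) {
            // Auth has already replaced $this->data['User']['password']
            // with its hash (the behaviour David noticed), so hash the
            // confirmation the same way and compare hashes rather than
            // trying to look at the clear-text value.
            $confirm = $this->Auth->password($this->data['User']['password_confirm']);
            if ($confirm !== $this->data['User']['password']) {
                $this->User->invalidate('password_confirm', 'Passwords do not match');
            } elseif ($this->User->save($this->data)) {
                // Only the hash reaches the database.
                $this->Session->setFlash('Account created.  Please log in.');
                $this->redirect(array('action' => 'login'));
            }
        }
    }
}
?>
```

The comparison in register() works because the component only hashes the configured password field; the confirmation field is posted untouched, so hashing it with the same salted routine and comparing the two hashes gives the match check without the application ever handling a stored clear-text password.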

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Cake 
PHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---
