I think this is one good example where it is necessary to have mail notification when a plugin is updated (especially for security patch)?
On Fri, Sep 11, 2009 at 10:30 AM, Sid Bachtiar <[email protected]> wrote:
> So is 1.2 branch of sfDoctrineGuardPlugin the recommended one to use
> for project?
>
> On Fri, Sep 11, 2009 at 9:13 AM, Tom Boutell <[email protected]> wrote:
>>
>> Pascal, you are right, but this is not in a released tarball version.
>> If you download sfDoctrineGuardPlugin from the symfony site today, you
>> still get version 3.0.0 which does not have this important fix.
>> Hopefully Jon Wage can take care of that. For our own projects we will
>> switch to using the 1.2 branch via svn externals at least for now
>>
>> Does anyone know whether this has been fixed in the Propel
>> sfGuardPlugin releases (svn and/or tarballs)?
>>
>> On Thu, Sep 10, 2009 at 4:46 PM, [MA]Pascal<[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> I see two places in sfDoctrineGuard where it's implemented :
>>>
>>> 1 - In
>>> http://trac.symfony-project.org/browser/plugins/sfDoctrineGuardPlugin/trunk/lib/validator/sfGuardValidatorUser.class.php#L35
>>>
>>> if ($username && $user = Doctrine::getTable('sfGuardUser')->retrieveByUsername($username))
>>>
>>> retrieveByUsername is a custom method defined in
>>> http://trac.symfony-project.org/browser/plugins/sfDoctrineGuardPlugin/trunk/lib/model/doctrine/PluginsfGuardUserTable.class.php#L7
>>> doing :
>>>
>>> public static function retrieveByUsername($username, $isActive = true)
>>> {
>>> ....
>>> ->addWhere('u.is_active = ?', $isActive)
>>> ....
>>> }
>>>
>>> 2 - In
>>> http://trac.symfony-project.org/browser/plugins/sfDoctrineGuardPlugin/trunk/lib/validator/sfGuardValidatorUser.class.php#L38
>>>
>>> if ($user->getIsActive() && $user->checkPassword($password))
>>>
>>> Looks good huh ?
>>>
>>> Cheers
>>> [MA]Pascal
>>>
>>> On Sep 10, 10:32 pm, Tom Boutell <[email protected]> wrote:
>>>> Today it was pointed out to me that sfDoctrineApplyPlugin still lets
>>>> you log in if you haven't validated your account yet.
>>>>
>>>> "Impossible," I thought. "I know for a fact that I'm setting is_active
>>>> explicitly to false when I save a new account. And I only set it to
>>>> true when you validate your account."
>>>>
>>>> As it turns out that's true. It does get saved with is_active set to
>>>> false. But it doesn't matter because sfDoctrineGuardPlugin doesn't
>>>> actually check is_active in sfGuardAuth.
>>>>
>>>> I figured I must just be missing it, so I grepped my way through the
>>>> whole thing... nope. It is not checked anywhere. Not in the form, not
>>>> in the validator, not in the action.
>>>>
>>>> And it's not checked in the old Symfony 1.0 Propel version of
>>>> sfGuardPlugin, either.
>>>>
>>>> This leaves me with questions:
>>>>
>>>> 1. Is this a bug (going wayyyy back), or did I miss something?
>>>> 2. If I did miss something, what is the real purpose of is_active?
>>>> 3. If it is a bug, will it be fixed promptly?
>>>>
>>>> I'd like to get this figured out quickly so that I can work around it
>>>> in sfDoctrineApplyPlugin and sfApplyPlugin if that is necessary.
>>>>
>>>> Thanks!
>>>>
>>>> --
>>>> Tom Boutell
>>>> P'unk Avenue
>>>> 215 755 1330
>>>> punkave.com
>>>> window.punkave.com
>>
>> --
>> Tom Boutell
>> P'unk Avenue
>> 215 755 1330
>> punkave.com
>> window.punkave.com
>
> --
> Blue Horn Ltd - System Development
> http://bluehorn.co.nz

--
Blue Horn Ltd - System Development
http://bluehorn.co.nz

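Added example, not part of the original thread and not sfDoctrineGuardPlugin code: a stand-alone PHP sketch of the login check discussed above, showing an account saved with is_active = false passing a password-only check and being rejected once the flag is enforced at lookup and at validation. All function names and the sample accounts are hypothetical, and PHP's built-in password_hash/password_verify stand in for the plugin's own checkPassword().

```php
<?php
// Constructed sample data: alice has validated her account, bob has not.
// All names here (demoUsers, findUser, loginWithoutActiveCheck,
// loginWithActiveCheck) are hypothetical and exist only in this example.
function demoUsers(): array
{
    return [
        'alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'is_active' => true],
        'bob'   => ['hash' => password_hash('battery staple', PASSWORD_DEFAULT), 'is_active' => false],
    ];
}

// Lookup modelled on the $isActive filter quoted in the thread:
// with $activeOnly = true an inactive row is treated as not found.
function findUser(array $users, string $username, bool $activeOnly = true): ?array
{
    $user = $users[$username] ?? null;
    if ($user === null || ($activeOnly && !$user['is_active'])) {
        return null;
    }
    return $user;
}

// The reported behaviour: is_active is stored but never consulted at login.
function loginWithoutActiveCheck(array $users, string $username, string $password): bool
{
    $user = findUser($users, $username, false);
    return $user !== null && password_verify($password, $user['hash']);
}

// The two checks quoted from trunk: filtered lookup plus an explicit flag test.
function loginWithActiveCheck(array $users, string $username, string $password): bool
{
    $user = findUser($users, $username);
    return $user !== null && $user['is_active'] && password_verify($password, $user['hash']);
}

// Print both outcomes for each constructed login attempt.
$users = demoUsers();
$cases = [['alice', 'correct horse'], ['bob', 'battery staple'], ['bob', 'wrong']];
foreach ($cases as [$name, $pw]) {
    printf("%-5s %-15s without check: %-3s  with check: %s\n", $name, $pw,
        loginWithoutActiveCheck($users, $name, $pw) ? 'yes' : 'no',
        loginWithActiveCheck($users, $name, $pw) ? 'yes' : 'no');
}
```

The same three cases work as a regression test against whichever plugin release a project pins: an inactive account with the correct password must be refused.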