var $name = 'Users'; var $helpers = array('Html', 'Form', 'Session'); var $components = array('Auth', 'Session');
function beforeFilter() { //actions we allow without authentication, you can also put them in the app_controller.php $this->Auth->allow('index', 'register', 'login', 'logout'); }
function login() { //user already logged in? //checking if session has been written $user_id = $this->Auth->user('id'); if (!empty($user_id) && $this->Session->valid()) { $this->Session->setFlash('You are already logged in'); $this->redirect(array('action'=>''), null, true); } else { if(!empty($this->data)) { //calling login validation validLogin() in model if($this->User->validLogin($this->data)) { if($this->Auth->login($this->User->user)) { $this->Session->setFlash('You have successfully logged in'); $this->redirect(array('action'=>''), null, true); } else { $this->set('password', null); $this->set('auth_msg', 'Please try again'); }
} } else { $this->set('auth_msg', 'Please enter your username and password'); } }
--------------------------------------------------------------------------- -------------------------- MODEL-> user.php the model has just a particular function (see below) that you must add --------------------------------------------------------------------------- -------------------------- function validLogin($data) {
I thought AuthComponent handled user login and logout on its own, validating username/password pairs and thus I saw no reason to use a validLogin function on the model as you did.
But: AuthComponent won't log me in with an invalid password for a given username, but what is freaking me out is that it logs me in with any username/password combination (even both blanks) that are not in the database... incidentally, it logs me in with a user id of '1', which means I turn into admin without even specifying a name or password.
So, I'm damn sure I'm missing some very crucial information on how AuthComponent is supposed to be used. Could anyone tell what am I doing wrong?
> var $name = 'Users'; > var $helpers = array('Html', 'Form', 'Session'); > var $components = array('Auth', 'Session');
> function beforeFilter() > { > //actions we allow without authentication, you can also put > them in the app_controller.php > $this->Auth->allow('index', 'register', 'login', 'logout'); > }
> function login() > { > //user already logged in? > //checking if session has been written > $user_id = $this->Auth->user('id'); > if (!empty($user_id) && $this->Session->valid()) > { > $this->Session->setFlash('You are already logged in'); > $this->redirect(array('action'=>''), null, true); > } > else > { > if(!empty($this->data)) > { > //calling login validation validLogin() in model > if($this->User->validLogin($this->data)) > { > if($this->Auth->login($this->User->user)) > { > $this->Session->setFlash('You have > successfully logged in'); > $this->redirect(array('action'=>''), null, > true); > } > else > { > $this->set('password', null); > $this->set('auth_msg', 'Please try again'); > }
> } > } > else > { > $this->set('auth_msg', 'Please enter your username and > password'); > } > }
> --------------------------------------------------------------------------- -------------------------- > MODEL-> user.php > the model has just a particular function (see below) that you must add > --------------------------------------------------------------------------- -------------------------- > function validLogin($data) > {
After digging quite a bit in the AuthComponent source, I think I've found the problem. There are still some things I don't understand, so please feel free to correct me where I might be wrong. For example, identify() gets called twice in a login, but I can't figure where does the second call come from and why the passed data is different in each call: first the POST data, then username/password fields as part of a User array. This second call is the one logging the user even if no username/password information was given on the login form, see code bellow. On a side note for my previous code, it is not necessary to call $this->Auth->login() passing it $this->data. It will use $_POST data if nothing is specified.
The identify() function of AuthComponent (auth.php 5437 2007-07-10 16:25:23Z gwoo) will use an empty array as a condition for a model-
>find() call if any of the login fields are empty, thus finding the
first result in the database: in my case, user with id=1: the administrator. The problematic code commented:
/* Initialize the array we are going to use as a find condition as empty */ $find = array(); /* If *both* username and password are provided as a user object */ if (isset($user[$this->fields['username']]) && !empty($user[$this-
/* If both are empty (why '='?) this should return a login failure, but the misterious (for me!) second call will ruin the login failure */ if (trim($user[$this->userModel . '.' . $this->fields['username']]) == '=' || trim($user[$this->userModel . '.' . $this-
/* At this point, if we were working with the user array and *any* but not both of the fields were empty, find = array( ) */ $model =& $this->getModel(); /* $model->find(am(array(), $this->userScope), null, null, -1) will seek: If $this->userScope == array() the first user record, unconditionally. Else, the first user record that matches filtering conditions, but ommiting the identifying information: username/password */ $data = $model->find(am($find, $this->userScope), null, null, -1);
/* If there are any users on the DB, $data won't be empty, thus login is authorized and user is acknowledged to be the first matching the prior conditions. In my case, user with id=1: administrator. */ if (empty($data) || empty($data[$this->userModel])) { return null;
}
Now the questions are:
Q1. What is this second call to identify and where does it come from? Q2. Is this a bug and should be reported to trac or am I doing something deadly wrong?
On 27 jul, 12:10, Gorka <glopezdeto...@gmail.com> wrote:
> I thought AuthComponent handled user login and logout on its own, > validating username/password pairs and thus I saw no reason to use a > validLogin function on the model as you did.
> But: AuthComponent won't log me in with an invalid password for a > given username, but what is freaking me out is that it logs me in with > any username/password combination (even both blanks) that are not in > the database... incidentally, it logs me in with a user id of '1', > which means I turn into admin without even specifying a name or > password.
> So, I'm damn sure I'm missing some very crucial information on how > AuthComponent is supposed to be used. Could anyone tell what am I > doing wrong?
> My users controller:
> <?php
> class UsuariosController extends AppController {
> > var $name = 'Users'; > > var $helpers = array('Html', 'Form', 'Session'); > > var $components = array('Auth', 'Session');
> > function beforeFilter() > > { > > //actions we allow without authentication, you can also put > > them in the app_controller.php > > $this->Auth->allow('index', 'register', 'login', 'logout'); > > }
> > --------------------------------------------------------------------------- -------------------------- > > MODEL-> user.php > > the model has just a particular function (see below) that you must add > > --------------------------------------------------------------------------- -------------------------- > > function validLogin($data) > > {
Hi Gorka - I too am having problem with this issue. I am using the excellent tutorial by Brian as a starting point, and cake 1.2.0.5146 alpha
but the second call seems to be failing a submitted & valid login for me: I get-- Undefined index: password [CORE/cake/libs/controller/ components/auth.php, line 653]
and the debug SQL output is here: SELECT `User`.`id`, `User`.`group_id`, `User`.`username`, `User`.`password`, `User`.`email`, `User`.`firstname`, `User`.`surname`, `User`.`created`, `User`.`modified` FROM `users` AS `User` WHERE `email` = 'ad...@admin.org' AND `password` = 'c54a39d2599bab5dd77e0ed90cec078e64ecf10c' LIMIT 1 0 0 1 call 1
6 SELECT `User`.`id`, `User`.`group_id`, `User`.`username`, `User`.`password`, `User`.`email`, `User`.`firstname`, `User`.`surname`, `User`.`created`, `User`.`modified` FROM `users` AS `User` WHERE `email` = 'ad...@admin.org' AND `password` IS NULL LIMIT 1
and then the password is NULL in the 2nd call as you can see. It then flashes me that no valid user was ffound.
anyone can advise on this?
regards
Luke
On Jul 27, 12:57 pm, Gorka <glopezdeto...@gmail.com> wrote:
> After digging quite a bit in the AuthComponent source, I think I've > found the problem. There are still some things I don't understand, so > please feel free to correct me where I might be wrong. For example, > identify() gets called twice in a login, but I can't figure where does > the second call come from and why the passed data is different in each > call: first the POST data, then username/password fields as part of a > User array. This second call is the one logging the user even if no > username/password information was given on the login form, see code > bellow. On a side note for my previous code, it is not necessary to > call $this->Auth->login() passing it $this->data. It will use $_POST > data if nothing is specified.
> The identify() function of AuthComponent (auth.php 5437 2007-07-10 > 16:25:23Z gwoo) will use an empty array as a condition for a model->find() call if any of the login fields are empty, thus finding the
> first result in the database: in my case, user with id=1: the > administrator. The problematic code commented:
> /* Initialize the array we are going to use as a find condition as > empty */ > $find = array(); > /* If *both* username and password are provided as a user object */ > if (isset($user[$this->fields['username']]) && !empty($user[$this-
> /* If both are empty (why '='?) this should return a > login failure, but the misterious (for me!) second call will ruin the > login failure */ > if (trim($user[$this->userModel . '.' . $this->fields['username']]) > == '=' || trim($user[$this->userModel . '.' . $this->fields['password']]) == '=') {
> /* At this point, if we were working with the user array and *any* but > not both of the fields were empty, find = array( ) */ > $model =& $this->getModel(); > /* > $model->find(am(array(), $this->userScope), null, null, -1) will > seek: > If $this->userScope == array() the first user record, > unconditionally. > Else, the first user record that matches filtering conditions, but > ommiting the identifying information: username/password > */ > $data = $model->find(am($find, $this->userScope), null, null, -1);
> /* > If there are any users on the DB, $data won't be empty, thus login > is authorized > and user is acknowledged to be the first matching the prior > conditions. In my case, user with id=1: administrator. > */ > if (empty($data) || empty($data[$this->userModel])) { > return null;
> }
> Now the questions are:
> Q1. What is this second call to identify and where does it come > from? > Q2. Is this a bug and should be reported to trac or am I doing > something deadly wrong?
> On 27 jul, 12:10, Gorka <glopezdeto...@gmail.com> wrote:
> > I thought AuthComponent handled user login and logout on its own, > > validating username/password pairs and thus I saw no reason to use a > > validLogin function on the model as you did.
> > But: AuthComponent won't log me in with an invalid password for a > > given username, but what is freaking me out is that it logs me in with > > any username/password combination (even both blanks) that are not in > > the database... incidentally, it logs me in with a user id of '1', > > which means I turn into admin without even specifying a name or > > password.
> > So, I'm damn sure I'm missing some very crucial information on how > > AuthComponent is supposed to be used. Could anyone tell what am I > > doing wrong?
> > My users controller:
> > <?php
> > class UsuariosController extends AppController {
> > > var $name = 'Users'; > > > var $helpers = array('Html', 'Form', 'Session'); > > > var $components = array('Auth', 'Session');
> > > function beforeFilter() > > > { > > > //actions we allow without authentication, you can also put > > > them in the app_controller.php > > > $this->Auth->allow('index', 'register', 'login', 'logout'); > > > }
> Hi Gorka - I too am having problem with this issue. I am using the > excellent tutorial by Brian as a starting point, and cake 1.2.0.5146 > alpha
> but the second call seems to be failing a submitted & valid login for > me: > I get-- Undefined index: password [CORE/cake/libs/controller/ > components/auth.php, line 653]
> and the debug SQL output is here: > SELECT `User`.`id`, `User`.`group_id`, `User`.`username`, > `User`.`password`, `User`.`email`, `User`.`firstname`, > `User`.`surname`, `User`.`created`, `User`.`modified` FROM `users` AS > `User` WHERE `email` = 'ad...@admin.org' AND `password` = > 'c54a39d2599bab5dd77e0ed90cec078e64ecf10c' LIMIT 1 0 0 1 call 1
> 6 SELECT `User`.`id`, `User`.`group_id`, `User`.`username`, > `User`.`password`, `User`.`email`, `User`.`firstname`, > `User`.`surname`, `User`.`created`, `User`.`modified` FROM `users` AS > `User` WHERE `email` = 'ad...@admin.org' AND `password` IS NULL LIMIT > 1
> and then the password is NULL in the 2nd call as you can see. It then > flashes me that no valid user was ffound.
> anyone can advise on this?
> regards
> Luke
> On Jul 27, 12:57 pm, Gorka <glopezdeto...@gmail.com> wrote:
> > After digging quite a bit in the AuthComponent source, I think I've > > found the problem. There are still some things I don't understand, so > > please feel free to correct me where I might be wrong. For example, > > identify() gets called twice in a login, but I can't figure where does > > the second call come from and why the passed data is different in each > > call: first the POST data, then username/password fields as part of a > > User array. This second call is the one logging the user even if no > > username/password information was given on the login form, see code > > bellow. On a side note for my previous code, it is not necessary to > > call $this->Auth->login() passing it $this->data. It will use $_POST > > data if nothing is specified.
> > The identify() function of AuthComponent (auth.php 5437 2007-07-10 > > 16:25:23Z gwoo) will use an empty array as a condition for a model->find() call if any of the login fields are empty, thus finding the
> > first result in the database: in my case, user with id=1: the > > administrator. The problematic code commented:
> > /* Initialize the array we are going to use as a find condition as > > empty */ > > $find = array(); > > /* If *both* username and password are provided as a user object */ > > if (isset($user[$this->fields['username']]) && !empty($user[$this-
> > /* If both are empty (why '='?) this should return a > > login failure, but the misterious (for me!) second call will ruin the > > login failure */ > > if (trim($user[$this->userModel . '.' . $this->fields['username']]) > > == '=' || trim($user[$this->userModel . '.' . $this->fields['password']]) == '=') {
> > /* At this point, if we were working with the user array and *any* but > > not both of the fields were empty, find = array( ) */ > > $model =& $this->getModel(); > > /* > > $model->find(am(array(), $this->userScope), null, null, -1) will > > seek: > > If $this->userScope == array() the first user record, > > unconditionally. > > Else, the first user record that matches filtering conditions, but > > ommiting the identifying information: username/password > > */ > > $data = $model->find(am($find, $this->userScope), null, null, -1);
> > /* > > If there are any users on the DB, $data won't be empty, thus login > > is authorized > > and user is acknowledged to be the first matching the prior > > conditions. In my case, user with id=1: administrator. > > */ > > if (empty($data) || empty($data[$this->userModel])) { > > return null;
> > }
> > Now the questions are:
> > Q1. What is this second call to identify and where does it come > > from? > > Q2. Is this a bug and should be reported to trac or am I doing > > something deadly wrong?
> > On 27 jul, 12:10, Gorka <glopezdeto...@gmail.com> wrote:
> > > I thought AuthComponent handled user login and logout on its own, > > > validating username/password pairs and thus I saw no reason to use a > > > validLogin function on the model as you did.
> > > But: AuthComponent won't log me in with an invalid password for a > > > given username, but what is freaking me out is that it logs me in with > > > any username/password combination (even both blanks) that are not in > > > the database... incidentally, it logs me in with a user id of '1', > > > which means I turn into admin without even specifying a name or > > > password.
> > > So, I'm damn sure I'm missing some very crucial information on how > > > AuthComponent is supposed to be used. Could anyone tell what am I > > > doing wrong?
> > > My users controller:
> > > <?php
> > > class UsuariosController extends AppController {
