Grambot

Reputation: 4524

Preventing password override on user admin page

I'm working on some admin functions for my site where a user with admin privileges is able to open a form for a given user ID. From this form they can change user permissions, alter the user's password, and so on.

However, when the form is constructed from the model, the password field pulls the hashed password from the database and populates the password field. As a result, when the admin goes to save the form, the hashed password is treated as plaintext and therefore hashed again, overwriting the original password.

What I need is some way to allow admin users to change the form but only have the password hashed and updated in the database when it has actually been changed.

My thoughts are to construct the form setting password to blank:

view/User/edit.ctp:

echo $this->Form->input('User.password', array(
    'value'        => '',
    'type'         => 'password',
    'autocomplete' => 'off'
));

And have some sort of check on the save to skip the password; but this is where I'm stuck.

controller/userscontroller.php

public function edit($id = null)
{
    $this->User->id = $id;
    if ($this->request->is('get')) {
        $this->request->data = $this->User->read();
    } else {
        //Something here????
        if ($this->User->save($this->data)) {
            $this->Session->setFlash('Your user has been updated.');
            $this->redirect(array('action' => 'index'));
        } else {
            $this->Session->setFlash('Unable to update your user.');
        }
    }

    $this->set('groups', $this->User->Group->find('list')); //, array('fields' => array('id', 'name'))));
    $this->set('sites', $this->User->Site->find('list'));   //, array('fields' => array('id', 'name'))));
}

How do I check this and prevent the password from updating when there is no change?

Decided Solution:

As per the answers provided I used a second form on the same page that re-uses the signup validation that users go through. When updating site/group privileges the users are sent through one form while passwords through another.

Upvotes: 0

Views: 175
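One way to implement the "hash only when a new password was typed" check from the question, as an added example that is not the asker's code or either answer's; it assumes CakePHP 2.x and bcrypt hashing via Security::hash:

```php
<?php
// Model/User.php (assumed CakePHP 2.x layout)
App::uses('AppModel', 'Model');
App::uses('Security', 'Utility');

class User extends AppModel {

    public $validate = array(
        'password' => array(
            'required' => array(
                'rule'    => 'notEmpty',   // 'notBlank' on CakePHP >= 2.7
                'on'      => 'create',     // sign-up must supply one; edit may leave it blank
                'message' => 'A password is required.',
            ),
            'length' => array(
                'rule'       => array('minLength', 8),
                'allowEmpty' => true,      // blank on edit means "keep the current hash"
                'message'    => 'Passwords need at least 8 characters.',
            ),
        ),
    );

    public function beforeSave($options = array()) {
        $alias = $this->alias;
        if (!isset($this->data[$alias]['password']) || $this->data[$alias]['password'] === '') {
            // Nothing was typed: drop the key so save() never touches the stored hash
            // and never re-hashes an already hashed value.
            unset($this->data[$alias]['password']);
            return true;
        }
        // A real plaintext arrived from the form: bcrypt it with a random salt.
        $this->data[$alias]['password'] = Security::hash(
            $this->data[$alias]['password'], 'blowfish', false
        );
        return true;
    }
}

// Controller/UsersController.php, inside edit() on the GET branch: read() copies the
// stored hash into the form data, so blank it before the view renders the field.
//   $this->request->data = $this->User->read();
//   unset($this->request->data['User']['password']);
```

With the view rendering the field as `'value' => ''`, a submission that leaves it empty reaches beforeSave and is discarded there, so the permission and group fields save without the password being rewritten.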

Answers (2)

Tim Joyce

Reputation: 4517

I always create a new form specifically for changing passwords. You should replace the password field with a link to change the password.

Alternatively, you could disable the input field, require a button to be clicked, and use JavaScript to remove the disabled attribute on the input element.

echo $this->Form->input('User.password', array(
    'value'        => '',
    'type'         => 'password',
    'autocomplete' => 'off',
    'disabled'     => true
));

jQuery, because it's easy:

$(function () {
    // CakePHP renders User.password with id="UsersPassword". A disabled input does
    // not receive click events, so bind to the unlock button instead (the button id
    // "enable-password" is assumed) and clear the attribute on the input.
    $('#enable-password').click(function () {
        $('#UsersPassword').removeAttr('disabled').focus();
    });
});

Upvotes: 1

Bill Rollins

Reputation: 1756

I would build two admin forms, one for changing permissions and the other for updating the password only. While you are at it, the change password form should have a second field for validating the change.

There are some CakePHP plugins to help with managing users and specifically passwords.

Upvotes: 1
