更改帐户设置时检查用户当前密码

时间:2012-07-25 22:13:00

标签: php cakephp

我正在为登录用户构建表单以更改其帐户设置(电子邮件和密码)。为此,他们需要能够确认他们当前的密码。这就是我在settings.ctp中构建表单的方式:

<div id="content-complex-image">
    <div id="sidebar">
        <ul>
            <li><a href="/account/images">Your images</a></li>
            <li><a href="/account/settings">Account settings</a></li>
        </ul>
    </div>
    <div id="content-inner">
        <p>Modify your account settings</p>
        <?php echo $this->Session->flash(); ?>
        <?php
            echo $this->Form->create('User');
            echo $this->Form->input('currentPassword', array('type' => 'password'));
            echo $this->Form->input('username', array('disabled' => 'disabled', 'value' => $username));
            echo $this->Form->input('email');
            echo $this->Form->input('password', array('type' => 'password'));
            echo $this->Form->end('Update');
        ?>
    </div>
    <div class="clear"></div>
</div>

这是我的控制器动作:

public function settings() {
    $this->set('title_for_layout', 'Account Settings');

    $this->User->id = $this->Auth->user('id');
    if ($this->request->is('post')) {
        if($this->Auth->user('password') == $this->request->data['User']['currentPassword']) {
            if ($this->User->save($this->request->data)) {
                $this->Session->setFlash('Your details have been saved');
                $this->redirect(array('action' => 'settings'));
            } else {
                $this->Session->setFlash('Your details could not be updated. Try again.');
            }
        } else {
             $this->Session->setFlash('Invalid password. Try again.');
        }            
    }
}

但是,密码检查的if()始终评估为false,并始终显示“无效密码”消息。我猜我没有正确检查密码,但我不知道正确的方法。

此外,我不希望用户能够更改其用户名。我知道我已将表单字段设置为禁用,但如果用户向我的设置操作发送发布请求,则可以更改其用户名。如何使用$this->User->save()停止更新用户名?

编辑:看起来有两个问题,一个是我在比较之前没有哈希密码和两个,$this->Auth->user('password')实际上是NULL。这提出了另一个问题,如何从数据库中获取用户哈希密码以进行比较呢?

2 个答案:

答案 0 :(得分:0)

如果密码未以明文形式存储在您的数据库中,则密码检查将失败,因为您没有对从表单传递的数据进行编码/加密。检查(仅在测试机器上)的简单方法是用{/ 1>替换$this->Session->setFlash('Invalid password. Try again.'); 

$this->Session->setFlash('The password should be ' . $this->Auth->user('password') . 'but it is actually ' . $this->request->data['User']['currentPassword']);

或类似的东西。

希望有所帮助

编辑:

如果使用sha1存储密码,您可以像这样检查

if($this->Auth->user('password') == sha1($this->request->data['User']['currentPassword']))
{
     //code for successful password here
}

答案 1 :(得分:0)

Auth组件没有在其数据中保存密码,这是正确的。试试这个代码:

public function settings() {
    $this->set('title_for_layout', 'Account Settings');

    if ($this->request->is('post')) {
        $user = $this->User->findById($this->Auth->user('id'));
        if($user['User']['password'] == AuthComponent::password($this->request->data['User']['currentPassword'])) {
            if ($this->User->save($this->request->data)) {
                $this->Session->setFlash('Your details have been saved');
                $this->redirect(array('action' => 'settings'));
            } else {
                $this->Session->setFlash('Your details could not be updated. Try again.');
            }
        } else {
             $this->Session->setFlash('Invalid password. Try again.');
        }            
    }
}

我建议阻止他们更改用户名只是放弃输入?您可以简单地为他们回显用户名,而不是禁用输入框。

相关问题
最新问题