Cakephp AuthComponent:尽管密码错误,但登录成功

时间:2013-11-10 10:42:52

标签: php cakephp login passwords

我正在运行2.2.2 CakePHP应用程序,一切都按预期工作。现在我正在为它开发一个Android应用程序,因此需要在这两个应用程序之间创建接口。这就是我需要手动登录用户的原因。所以我创建了一个全新的控制器AndroidController,以便将所有内容捆绑在一个地方。首先要做的是Login-Action。所以我设置了以下控制器:

<?php
App::uses('AppController', 'Controller');

/**
 * Android Controller
 * 
 * @package       app.Controller
 */
class AndroidController extends AppController {
    public $components = array('RequestHandler','Auth');
    public $uses = array('User');

    public function beforeFilter() {
        $this->Auth->allow();
    }

    public function login() {
        //For testing purposes
        $postarray = array('_method' => 'POST','data' => array('User' => array('email' => 'user@gmail.com', 'password' => 'THISisDEFINITELYaWRONGpassword')));

        $id = $this->tryToGetUserID($postarray['data']['User']['email']);
        if($id == 0){
            //return Error json, unknown User
            $this->set('result', array(
                'tag' => 'login',
                'success' => 0,
                'error' => 1,
                'error_msg' => 'Unknown User'           
            )); 
        }else{
        //  if ($this->request->is('post')) {
            $postarray['data']['User'] = array_merge($postarray['data']['User'], array('id' => $id));
                    $this->User->id = $id;
                if ( $this->Auth->login($postarray['data']['User'])) {
                    // Login successfull
                    $this->User->saveField('lastlogin', date(DATE_ATOM));
                    $user = $this->User->find('all', array(
                        'recursive' => 0, //int
                        'conditions' => array('User.id' => $id)
                    ));
                    $loggedInUser = array(
                        'tag' => 'login',
                        'success' => 1,
                        'error' => 0,
                        'uid' => '??',
                        'user' => array(
                            'name' => $user['0']['User']['forename'].' '.$user['0']['User']['surname'],
                            'email' => $user['0']['User']['email'],
                            'created_at' => $user['0']['User']['created'],
                            'updated_at' => $user['0']['User']['lastlogin']                 
                        )
                    );
                    $this->set('result', $loggedInUser);                
                } else {
                    // Login failed
                    $this->set('result', array(
                        'tag' => 'login',
                        'success' => 0,
                        'error' => 2,
                        'error_msg' => 'Incorrect password!'            
                    ));
                }
        //  }
        }

    }

    public function tryToGetUserID($email = null) { 
        $user = $this->User->find('list', array(
            'conditions' => array('User.email' => $email)
        ));
        if(!empty($user)){
            return array_keys($user)['0'];
        }else{
            return 0;
        }

    }
}

您需要知道此方法将被调用为POST请求,但出于测试目的,我手动创建了一个post-array。将来我将使用$ _POST数组。 那么,会发生什么:使用注册用户登录有效,但每次都有效!即使密码错误或丢失!该程序永远不会在代码中出现“登录失败”评论。

我在这里错过了什么......?

谢谢!

1 个答案:

答案 0 :(得分:0)

如果你仔细看看documentation,你会注意到AuthComponent :: login()将......

  

在2.x $ this-&gt; Auth-&gt;登录($ this-&gt; request-&gt; data)将使用所发布的数据记录用户