0

我正在为登录用户构建一个表单,以更改他们的帐户设置(电子邮件和密码)。为此,他们需要能够确认他们当前的密码。这就是我构建表单的方式settings.ctp

<div id="content-complex-image">
    <div id="sidebar">
        <ul>
            <li><a href="/account/images">Your images</a></li>
            <li><a href="/account/settings">Account settings</a></li>
        </ul>
    </div>
    <div id="content-inner">
        <p>Modify your account settings</p>
        <?php echo $this->Session->flash(); ?>
        <?php
            echo $this->Form->create('User');
            echo $this->Form->input('currentPassword', array('type' => 'password'));
            echo $this->Form->input('username', array('disabled' => 'disabled', 'value' => $username));
            echo $this->Form->input('email');
            echo $this->Form->input('password', array('type' => 'password'));
            echo $this->Form->end('Update');
        ?>
    </div>
    <div class="clear"></div>
</div>

这是我的控制器动作:

public function settings() {
    $this->set('title_for_layout', 'Account Settings');

    $this->User->id = $this->Auth->user('id');
    if ($this->request->is('post')) {
        if($this->Auth->user('password') == $this->request->data['User']['currentPassword']) {
            if ($this->User->save($this->request->data)) {
                $this->Session->setFlash('Your details have been saved');
                $this->redirect(array('action' => 'settings'));
            } else {
                $this->Session->setFlash('Your details could not be updated. Try again.');
            }
        } else {
             $this->Session->setFlash('Invalid password. Try again.');
        }            
    }
}

但是,if()密码检查始终评估为 false 并始终显示“无效密码”消息。我猜我没有正确检查密码,但我不知道正确的方法。

另外,我不希望用户能够更改他们的用户名。我知道我已将表单字段设置为禁用,但如果用户向我的设置操作发送发布请求,他们可以更改他们的用户名。如何阻止用户名被更新$this->User->save()

编辑:看起来像两个问题,一个,我没有在比较之前散列密码,两个,$this->Auth->user('password')实际上是 NULL。这就提出了另一个问题,我如何从数据库中获取用户散列密码以便进行比较?

4

2 回答 2

0

如果密码没有以明文形式存储在数据库中,则密码检查将失败,因为您没有对从表单传递的数据进行编码/加密。一种简单的检查方法(请仅在测试机器上)将替换$this->Session->setFlash('Invalid password. Try again.');

$this->Session->setFlash('The password should be ' . $this->Auth->user('password') . 'but it is actually ' . $this->request->data['User']['currentPassword']);

或类似的东西。

希望能帮助到你

编辑:

如果密码是使用sha1存储的,可以这样检查

if($this->Auth->user('password') == sha1($this->request->data['User']['currentPassword']))
{
     //code for successful password here
}
于 2012-07-25T22:30:36.457 回答
0

您对 Auth 组件没有在其数据中保存密码是正确的。试试这个代码:

public function settings() {
    $this->set('title_for_layout', 'Account Settings');

    if ($this->request->is('post')) {
        $user = $this->User->findById($this->Auth->user('id'));
        if($user['User']['password'] == AuthComponent::password($this->request->data['User']['currentPassword'])) {
            if ($this->User->save($this->request->data)) {
                $this->Session->setFlash('Your details have been saved');
                $this->redirect(array('action' => 'settings'));
            } else {
                $this->Session->setFlash('Your details could not be updated. Try again.');
            }
        } else {
             $this->Session->setFlash('Invalid password. Try again.');
        }            
    }
}

我阻止他们更改用户名的建议是完全放弃该输入?您可以简单地为他们回显他们的用户名,而不是禁用输入框。

于 2012-07-25T22:59:17.590 回答