1
votes

I have a User controller and User model. This model and associated database table is used for authentication and naturally there's a password field.

In my edit action when I call $this->data it puts the hashed password in my password field in my edit view. Naturally, I don't want a password field with a 40-character value, which will then get re-hashed upon save.

My action looks like this:

function edit($id) {
    $this->User->id = $id;
    if (empty($this->data)) {
        // GET: load the record (including the stored password hash) into the form
        $this->data = $this->User->read();
    }
    else {
        // POST: save whatever came back from the form, hash included
        if ($this->User->save($this->data)) {
            $this->Session->setFlash('User has been updated.');
            $this->redirect(array('action' => 'view', $this->User->id));
        }
    }
}

And my view looks like this:

<h2>Edit User</h2>
<?php
    echo $this->Form->create('User', array('action' => 'edit'));
    echo $this->Form->input('username');
    echo $this->Form->input('password');
    echo $this->Form->input('first_name');
    echo $this->Form->input('last_name');
    echo $this->Form->input('email');
    echo $this->Form->end('Save User');
?>

How can I have a form for users to edit their account (username etc) that doesn't update the password if left blank, but does update it if the user enters a new password into the password field?


2 Answers

2
votes

The common & most secure method is to have a separate form for changing the password where you ask the user to confirm the change by asking for the old password. This is because if you forget the site open on a public computer, the next person who comes in can't hijack the account by just giving a new password.

If you still want to go with the original plan, you can unset the variable if it's empty before saving the data:

// drop the key entirely so save() leaves the stored hash untouched
if( $this->data[ 'User' ][ 'password' ] == '' ) {
    unset( $this->data[ 'User' ][ 'password' ] );
}

The other option is to list allowed fields as a parameter to save() and leave out password if the field is empty.

In the view you can use

echo $this->Form->input('password', array( 'value' => '' ) );

to keep the hash from showing up in the field.

0
votes

Most places only allow editing passwords when they enter their original passwords. It helps protect against password changes with unauthorized access.

But if you want to do it, try

echo $this->Form->input('password', array('default'=>false));
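Putting both answers together, here is an added example (not code from the question or either answer) of a CakePHP 1.3-style controller in which profile edits can never touch the password, because save() gets a field whitelist, and a separate change_password() action requires the current password. It assumes AuthComponent and SessionComponent are loaded, that the stored hash was produced by $this->Auth->password(), and that the change-password view posts the constructed field names current_password, new_password and confirm_password.

```php
<?php
class UsersController extends AppController {
    var $components = array('Auth', 'Session');

    function edit($id) {
        $this->User->id = $id;
        if (empty($this->data)) {
            $this->data = $this->User->read();
            // never echo the stored hash back into the form
            unset($this->data['User']['password']);
            return;
        }
        // whitelist: a posted 'password' key is ignored even if present
        $fields = array('username', 'first_name', 'last_name', 'email');
        if ($this->User->save($this->data, true, $fields)) {
            $this->Session->setFlash('User has been updated.');
            $this->redirect(array('action' => 'view', $id));
        }
    }

    function change_password() {
        if (empty($this->data)) {
            return; // just render the form
        }
        // Field names (assumed) stay away from 'password' so AuthComponent's
        // automatic hashing, which fires when 'username' and 'password' are
        // posted together, cannot pre-hash the values compared below.
        $d  = $this->data['User'];
        $id = $this->Auth->user('id'); // only the logged-in user's own record
        $user = $this->User->find('first', array(
            'conditions' => array('User.id' => $id),
            'fields'     => array('User.password'),
            'recursive'  => -1,
        ));
        $current = isset($d['current_password']) ? $d['current_password'] : '';
        if (!$user || $this->Auth->password($current) !== $user['User']['password']) {
            $this->Session->setFlash('Current password is incorrect.');
        } elseif ($d['new_password'] === '' || $d['new_password'] !== $d['confirm_password']) {
            $this->Session->setFlash('New passwords are empty or do not match.');
        } else {
            $this->User->id = $id;
            // saveField() writes only this column; nothing else on the row changes
            $this->User->saveField('password', $this->Auth->password($d['new_password']));
            $this->Session->setFlash('Password changed.');
            $this->redirect(array('action' => 'view', $id));
        }
        $this->data = array(); // do not re-render the posted passwords
    }
}
```

With the password removed from edit()'s whitelist, the blank-field check from the first answer is no longer needed there, and the edit view can simply omit the password input.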