Upload record md5 cakephp

I have a site developed in cakephp, and I have a page to edit a user.
My user table has many fields and one of these is the password in md5.

The user can modify all of his fields and the password, but if he leaves this field blank I have to take the old password from the database and save it.

But it returns an error on the password field on save.

This is my action into the controller:

if ($this->request->is ('post')){
    $this->User->id = $this->request->data['User']['id'];

    if($this->request->data['User']['password'] == ''){
        $user = $this->User->find('first',array('conditions'=>array('User.id' => $this->request->data['User']['id'])));
        $this->request->data['User']['password'] = md5($user['User']['password']);
        $this->request->data['User']['password_confirm'] = md5($user['User']['password']);
    }

    if ($this->User->save($this->request->data)) {
        $this->redirect (array ('action'=>'index'));
    }
    else{
        debug($this->User->validationErrors);
        $this->Session->write('flash_element','error');
        $this->Session->setFlash ('Errore di salvataggio dello user.');
    }
}

And this is the method beforeSave into the UserModel:

public function beforeSave(){
    if (isset($this->data['User']['password'])){
        $this->data['User']['password'] = AuthComponent::password($this->data['User']['password']);
    }
}

The problem is that when I try to save, it returns an error on the password field like "is inappropriate type". If I print the password field before save I see something like: ***** but if I print the variable md5($user['User']['password']) it returns the right value of the encrypted password.

Thanks

IMO, don't have the "password" field where the user edits his profile information.

You can have 2 forms on the page, where the second one is a change password form. This way, if the user changes their "first name" (which is in the first form) for example, your code does not have to check or do anything with their password.

After seeing many different frameworks, and creating systems myself, I can't say I recall anything where I have seen in the "wild" something handled like you're doing. You are doing an extra step by getting their old password and "putting it back" just so you don't lose their password in the database when they want to change their profile details.

If it's for security, you can make them "confirm" their password so it must match before changing the profile details.

Having the "password" box on the "edit profile" form is just bad code logic.

First comment, there is nothing wrong with using md5 but I would use sha1.

Second, you can use only one form, not 2. Then, in your controller you just need to check if the user entered a new password, which you are already doing. If the field is empty then you unset that field, so cake won't update that field.

if ($this->request->is ('post')){
    $this->User->id = $this->request->data['User']['id'];

    if ($this->request->data['User']['password'] == '') {
        unset($this->request->data['User']['password'], $this->request->data['User']['password_confirm']);
    }

    if ($this->User->save($this->request->data)) {
        $this->redirect (array ('action'=>'index'));
    }
    else{
        debug($this->User->validationErrors);
        $this->Session->write('flash_element','error');
        $this->Session->setFlash ('Errore di salvataggio dello user.');
    }
}

By the way, I would change this

$this->User->id = $this->request->data['User']['id'];

For something like

$this->request->data['User']['id'] = $this->Session->read('Auth.id');

in order to prevent data tampering, but since I don't know if you are keeping the user id in a session, I didn't write it in the example code.
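
Added example, not part of the question or of either answer: a plain-PHP simulation (no CakePHP) of the two flows discussed above. It shows that putting the stored hash back through a hashing save hook leaves the user unable to log in, while unsetting the blank field and taking the id from the session keeps the password and ignores a tampered id. The `$users` array, `saveUser()`, `editProfile()` and the `user_id` session key are hypothetical stand-ins, and `password_hash()` stands in for the hashing done in `beforeSave`.

```php
<?php
// Constructed in-memory "users" table (id => row); passwords are stored hashed.
$users = array(
    7 => array('name' => 'alice', 'password' => password_hash('old-secret', PASSWORD_DEFAULT)),
    8 => array('name' => 'bob',   'password' => password_hash('bobs-secret', PASSWORD_DEFAULT)),
);

// Hypothetical stand-in for Model::save() plus the beforeSave() hook:
// whatever arrives in 'password' is treated as plaintext and hashed.
function saveUser(array &$users, array $data) {
    if (isset($data['password'])) {
        $data['password'] = password_hash($data['password'], PASSWORD_DEFAULT);
    }
    $id = $data['id'];
    unset($data['id'], $data['password_confirm']); // not stored columns
    $users[$id] = array_merge($users[$id], $data);
}

// Edit action in the style of the last answer.
function editProfile(array &$users, array $session, array $post) {
    $post['id'] = $session['user_id'];   // never trust the id sent by the client
    if (!isset($post['password']) || $post['password'] === '') {
        // Blank means "no change": drop the field so it is not updated.
        unset($post['password'], $post['password_confirm']);
    }
    saveUser($users, $post);
}

// 1) Flow from the question: put md5(stored hash) back, then save.
$broken = $users; // work on a copy
saveUser($broken, array('id' => 7, 'name' => 'alice',
    'password' => md5($broken[7]['password'])));
var_dump(password_verify('old-secret', $broken[7]['password'])); // login check after save

// 2) Blank password and a tampered id (8) posted by the user logged in as 7.
editProfile($users, array('user_id' => 7),
    array('id' => 8, 'name' => 'alice2', 'password' => '', 'password_confirm' => ''));
var_dump($users[7]['name'], $users[8]['name']);                  // which row changed
var_dump(password_verify('old-secret', $users[7]['password']));  // login check after save
```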