system
(system)
March 13, 2009, 3:02pm
1
Hi, this is my code:
public function actionUpdate()
{
    // Non-admins may only edit their own profile: the ID is taken from the session.
    if(Yii::app()->user->getState("EMAIL") != Yii::app()->params['AdminEmail']){
        $user_id = Yii::app()->user->getState("USER_ID");
    }
    // The admin may edit any profile: an optional ?id= overrides the session ID.
    else{
        $user_id = Yii::app()->user->getState("USER_ID");
        if(isset($_GET['id'])){
            $user_id = (int)$_GET['id'];
        }
    }
    $userpersons = $this->loaduserPersons($user_id);
    $users = users::model()->findByPk($user_id);
    $StringFunctions = new StringFunctions();
    if(isset($_POST['users']) && isset($_POST['userPersons'])){
        //$users->attributes = $_POST['users'];
        // Only EMAIL is taken from the form; no password field is posted or assigned here.
        $users->EMAIL = $_POST['users']['EMAIL'];
        $userpersons->attributes = $_POST['userPersons'];
        $result1 = $users->validate("update");
        $result2 = $userpersons->validate();
        if($result1 && $result2)
        {
            // Validation already ran above, so save(false) skips a second pass.
            $users->save(false);
            $userpersons->save(false);
            $this->redirect(array('show','id'=>$user_id));
        }
    }
    $this->render('update',array('userpersons'=>$userpersons, 'users'=>$users));
}
As you see, I don't have an explicit update of the password, and actually I don't have a password field in my update view either.
What could be the reason for the user's password being changed, making it impossible to log in afterwards?
jonah
(Poppitypop)
March 13, 2009, 5:42pm
2
This is redundant:
<?php
if(Yii::app()->user->getState("EMAIL") != Yii::app()->params['AdminEmail']){
    $user_id = Yii::app()->user->getState("USER_ID");
}
else{
    $user_id = Yii::app()->user->getState("USER_ID");
    //...
Do you have any processes in your model's events that do anything to the password field (such as hashing it in beforeSave)?
system
(system)
March 13, 2009, 6:23pm
3
Jonah, you got it right about the processes. I actually have a beforeSave event. But, to be honest, you didn't get the first line. Where your dots begin is the actual part. I confess that I have doubled the code, but it's not important. Actually, my implementation checks whether the current user is the admin and, if so, it accepts GET arguments. Otherwise, regardless of any transferred GET params, the application just doesn't care about them and uses only the ID from the session. Thus, the admin can edit everybody's profile and users can update only their own profiles.
Actually, what can you say about the problematic code in beforeSave?
system
(system)
March 13, 2009, 7:06pm
4
Thanks,
I resolved it myself after getting your basic idea. The final code is like this:
public function beforeSave(){
    // Hash only when the record is new or the caller explicitly flagged a
    // password change (UPDATE_PASS). Otherwise the hash already stored in
    // PASSWORD would be hashed again on every profile update, and the user
    // could no longer log in.
    if($this->isNewRecord || $this->UPDATE_PASS == true){
        $this->PASSWORD = md5(md5($this->PASSWORD).Yii::app()->params["salt"]);
    }
    return parent::beforeSave();
}
system
(system)
March 13, 2009, 8:33pm
5
md5'ing twice is of no use, and people more knowledgeable on hashing than me actually say it makes the hash easier to crack.
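As an added example that is not code from this thread or from Yii, the lockout described in posts 4 and 5 reproduced without the framework, next to a fixed version. The class names BrokenUser and FixedUser, the save() stand-ins, and the use of password_hash()/password_verify() in place of the md5-with-salt construction are my assumptions; the fix tracks whether PASSWORD differs from the value loaded from the database instead of relying on a separate UPDATE_PASS flag, which goes slightly beyond the thread's own solution.

```php
<?php
// Added example (not from the thread): a Yii-free stand-in for the model
// that reproduces the "password changes on every update" lockout and shows
// the fix. PasswordHashing, BrokenUser and FixedUser are hypothetical names.

final class PasswordHashing
{
    // Replacement for md5(md5($pass).$salt): password_hash() chooses a
    // per-user salt and a slow algorithm (bcrypt for PASSWORD_DEFAULT).
    public static function hash(string $plain): string
    {
        return password_hash($plain, PASSWORD_DEFAULT);
    }

    public static function verify(string $plain, string $stored): bool
    {
        return password_verify($plain, $stored);
    }
}

// The original pattern: every save() rehashes whatever PASSWORD holds,
// even when it is already the hash loaded from the database.
class BrokenUser
{
    public string $PASSWORD = '';

    public function beforeSave(): bool
    {
        $this->PASSWORD = PasswordHashing::hash($this->PASSWORD);
        return true;
    }

    public function save(): void
    {
        $this->beforeSave();
        // the real model would persist the row here
    }
}

// The fix: remember the hash as loaded and hash only when PASSWORD now
// holds something different, i.e. a freshly set plaintext.
class FixedUser
{
    public string $PASSWORD = '';
    private ?string $storedHash = null;   // value as loaded from the DB

    public static function load(string $hashFromDb): self
    {
        $u = new self();
        $u->PASSWORD = $hashFromDb;
        $u->storedHash = $hashFromDb;
        return $u;
    }

    private function passwordChanged(): bool
    {
        // new record (nothing stored yet) or the attribute was overwritten
        return $this->storedHash === null || $this->PASSWORD !== $this->storedHash;
    }

    public function beforeSave(): bool
    {
        if ($this->passwordChanged()) {
            $this->PASSWORD = PasswordHashing::hash($this->PASSWORD);
        }
        return true;
    }

    public function save(): void
    {
        $this->beforeSave();
        $this->storedHash = $this->PASSWORD;   // what the DB now holds
    }
}

// Walk both models through "register, then edit the profile" and report
// whether the original password still verifies afterwards.
function demo(): array
{
    $plain = 'correct horse';   // constructed sample password

    $broken = new BrokenUser();
    $broken->PASSWORD = $plain;
    $broken->save();                      // registration: plaintext -> hash
    $broken->save();                      // profile edit: hash -> hash(hash)

    $fixed = new FixedUser();
    $fixed->PASSWORD = $plain;
    $fixed->save();                       // registration
    $reloaded = FixedUser::load($fixed->PASSWORD);
    $reloaded->save();                    // profile edit, PASSWORD untouched

    return [
        'broken_still_logs_in' => PasswordHashing::verify($plain, $broken->PASSWORD),
        'fixed_still_logs_in'  => PasswordHashing::verify($plain, $reloaded->PASSWORD),
    ];
}

var_dump(demo());
```

Run it with `php` from the command line: the broken model fails verification after the second save because the stored value is now a hash of a hash, while the fixed model still verifies. The same dirty-tracking idea applies to the Yii model in the thread by comparing PASSWORD against the value the record was found with, which avoids depending on a flag that a caller can forget to set.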
jonah
(Poppitypop)
March 13, 2009, 8:52pm
6
Glad you figured that out, but I'm 90% sure that
<?php
if(Yii::app()->user->getState("EMAIL") != Yii::app()->params['AdminEmail']){
    $user_id = Yii::app()->user->getState("USER_ID");
}
else{
    $user_id = Yii::app()->user->getState("USER_ID");
    if(isset($_GET['id'])){
        $user_id = (int)$_GET['id'];
    }
}
would be better as
<?php
$user_id = Yii::app()->user->getState("USER_ID");
if(Yii::app()->user->getState("EMAIL") == Yii::app()->params['AdminEmail']){
    if(isset($_GET['id'])){
        $user_id = (int)$_GET['id'];
    }
}
No matter though.