Update problem -> overwriting my password without this being necessary

Hi, this is my code:



public function actionUpdate()
	{
		$user_id = $userpersons->USER_ID;

		if(Yii::app()->user->getState("EMAIL") != Yii::app()->params['AdminEmail']){
			$user_id = Yii::app()->user->getState("USER_ID");
		}
		else{
			$user_id = Yii::app()->user->getState("USER_ID");

			if(isset($_GET['id'])){
				$user_id = (int)$_GET['id'];
			}
		}

		$userpersons = $this->loaduserPersons($user_id);

		$users = users::model()->findByPk($user_id);
		$StringFunctions = new StringFunctions();

		if(isset($_POST['users']) && isset($_POST['userPersons'])){

			//$users->attributes = $_POST['users'];
			$users->EMAIL = $_POST['users']['EMAIL'];

			$userpersons->attributes = $_POST['userPersons'];

			$result1 = $users->validate("update");
			$result2 = $userpersons->validate();

			if($result1 && $result2)
			{
				$users->save(false);
				$userpersons->save(false);

				$this->redirect(array('show','id'=>$user_id));
			}

		}

		$this->render('update',array('userpersons'=>$userpersons, 'users'=>$users));
	}


As you see, I don't have an explicit update of the password and actually I don't have a password field in my update view either.

What's the reason the user's password gets changed, making further login impossible?

This is redundant:

<?php
      if(Yii::app()->user->getState("EMAIL") != Yii::app()->params['AdminEmail']){
         $user_id = Yii::app()->user->getState("USER_ID");
      }
      else{
         $user_id = Yii::app()->user->getState("USER_ID");
//...


Do you have any processes in your model's events that do anything to the password field (such as hash it in beforeSave?)

Jonah, you got it right about the processes. I actually have a beforeSave event. But, to be honest, you didn't get about the first line. Where your dots begin is the actual part. I confess that I have doubled the code, but it's not important. Actually, my implementation checks whether the current user is the admin and if so, it accepts GET arguments. Otherwise, despite transferred GET params, the application just doesn't care about them and uses only the ID from the session. Thus, the admin can edit everybody's profile and users can update only their own profiles.

Actually, what can you say about the problematic code, in beforeSave?

Thanks,

I resolved it myself after getting your basic idea. The final code is like this:



	public function beforeSave(){

		if($this->isNewRecord || $this->UPDATE_PASS == true){
			$pass = $this->PASSWORD;
			$pass = md5(md5($this->PASSWORD).Yii::app()->params["salt"]);
			$this->PASSWORD = $pass;

		}

		return true;
	}


md5'ing twice is of no use and people more knowledgeable on hashing than me actually say it makes the hash easier to crack.

Glad you figured that out, but I'm 90% sure that

<?php
      if(Yii::app()->user->getState("EMAIL") != Yii::app()->params['AdminEmail']){
         $user_id = Yii::app()->user->getState("USER_ID");
      }
      else{
         $user_id = Yii::app()->user->getState("USER_ID");

         if(isset($_GET['id'])){
            $user_id = (int)$_GET['id'];
         }
      }

would be better as

<?php
       $user_id = Yii::app()->user->getState("USER_ID");

       if(Yii::app()->user->getState("EMAIL") == Yii::app()->params['AdminEmail']){
         if(isset($_GET['id'])){
            $user_id = (int)$_GET['id'];
         }
      }

No matter though.
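
An added example, not code from the thread or from Yii: a stand-alone sketch of the guarded beforeSave() idea discussed above, where the password is hashed only when a new plaintext was supplied, so a profile-only save leaves the stored hash alone. The class name UserRecord and the newPassword property are hypothetical, and password_hash() is swapped in for the md5-plus-salt scheme shown in the thread.

```php
<?php
// Stand-alone stand-in for a Yii 1.x CActiveRecord; UserRecord and newPassword are hypothetical names.
class UserRecord
{
    public $EMAIL;
    public $PASSWORD;           // stored hash once the record is saved
    public $newPassword = null; // plaintext from a form; null when no change is requested

    // Hash only when a new plaintext password was supplied, so a profile-only
    // update never re-hashes the value already stored in PASSWORD.
    protected function beforeSave()
    {
        if ($this->newPassword !== null && $this->newPassword !== '') {
            // password_hash() salts per user and is deliberately slow; this replaces
            // the thread's md5() + application-wide salt (assumption: PHP >= 5.5).
            $this->PASSWORD = password_hash($this->newPassword, PASSWORD_DEFAULT);
            $this->newPassword = null;
        }
        return true;
    }

    public function save()
    {
        if (!$this->beforeSave()) {
            return false;
        }
        return true; // a real model would write the row here
    }

    public function checkPassword($plain)
    {
        return password_verify($plain, $this->PASSWORD);
    }
}

// Constructed sample data.
$user = new UserRecord();
$user->EMAIL = 'alice@example.com';
$user->newPassword = 'correct horse battery staple';
$user->save();
$hashAfterCreate = $user->PASSWORD;

// Profile update that changes only the e-mail, as actionUpdate() does.
$user->EMAIL = 'alice@example.org';
$user->save();

// The stored hash is unchanged and the original password still verifies.
var_dump($user->PASSWORD === $hashAfterCreate);
var_dump($user->checkPassword('correct horse battery staple'));
```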