Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

Improved 'Hashing passwords' example. #1142

Merged
merged 1 commit into from Mar 10, 2014

Conversation

Projects
None yet
3 participants
Contributor

ojtibi commented Mar 10, 2014

The previous example checked if an id was set in the model, and therefore may save passwords in plaintext if an id was set and a password field was submitted with form data. My change simply checks if there's a password field from the form data and hashes it.

@ojtibi ojtibi Improved 'Hashing passwords' example.
The previous example checked if an id was set in the model, and therefore may save passwords in plaintext if an id was set and a password field was submitted with form data. My change simply checks if there's a password field from the form data and hashes it.
bd1f6e1

@dereuromark dereuromark commented on the diff Mar 10, 2014

en/core-libraries/components/authentication.rst
@@ -373,7 +373,7 @@ callback of your model using appropriate password hasher class::
class User extends AppModel {
public function beforeSave($options = array()) {
- if (!$this->id) {
+ if (!empty($this->data['User']['password'])) {
@dereuromark

dereuromark Mar 10, 2014

Member

Usually we try to use $this->alias instead of the hardcoded model alias.
Maybe you also want to correct the other occurrences.

Member

dereuromark commented Mar 10, 2014

if (!empty($this->data[$this->alias]['password'])) {} can get you in trouble, as well - when using the outdated read() method for example.

That is why I always preach to use an alias for password fields.. :)
One day we might want to just add that to the docs.

Anyway, if one knows not to provide the password on edit forms (to avoid accidental rehashing) again the changes make sense 👍

@lorenzo lorenzo added a commit that referenced this pull request Mar 10, 2014

@lorenzo lorenzo Merge pull request #1142 from ojtibi/patch-1
Improved 'Hashing passwords' example.
4aa5f8f

@lorenzo lorenzo merged commit 4aa5f8f into cakephp:master Mar 10, 2014

@ojtibi ojtibi deleted the ojtibi:patch-1 branch Mar 11, 2014

@cake17 cake17 added a commit that referenced this pull request Mar 11, 2014

@cake17 cake17 [fr] Follow #1142 & more
Improved 'Hashing passwords' example.
fcb1e80
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment