
[User Module] Check the email exists? #430

Closed
ghost opened this Issue · 18 comments

3 participants

@ghost

$user = $this->user_model->find_by('email', $_POST['email']);
// find_by() returns FALSE when no row matches; count(FALSE) is 1 on PHP 5/7,
// so this test passes for an unknown email as well
if (count($user) == 1) {}

I think it should be :

// compare against the value the model actually returns on no match
if ($user !== false) {}
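The type-juggling problem behind the report, as an added example that is not part of the original issue or of Bonfire's code. The find_by() below is a stand-in for the model method (it returns a row object on a match and FALSE otherwise, as the report assumes); the user table is constructed and the function names are illustrative:

```php
<?php
// Added example, not Bonfire's code. find_by() stands in for the model method
// in the report above: a row object on a match, FALSE otherwise. The table
// contents are constructed.
function find_by(array $table, string $column, string $value)
{
    foreach ($table as $row) {
        if ($row[$column] === $value) {
            return (object) $row;
        }
    }
    return false;
}

// The original check. count() is defined for arrays and Countable objects only:
// on PHP 5.x/7.x a plain object or FALSE counts as 1 (NULL counts as 0), with an
// E_WARNING from 7.2 on, so a missing row and a found row look identical.
// PHP 8 throws a TypeError instead.
function email_exists_loose($user): bool
{
    return count($user) == 1;
}

// The suggested check: compare against the sentinel the model actually returns.
function email_exists_strict($user): bool
{
    return $user !== false;
}

$users = [
    ['id' => 1, 'email' => 'alice@example.com'],
];

$known   = find_by($users, 'email', 'alice@example.com');
$unknown = find_by($users, 'email', 'nobody@example.com');

assert(email_exists_strict($known) === true);
assert(email_exists_strict($unknown) === false);

if (PHP_MAJOR_VERSION < 8) {
    // Both calls return TRUE: the unknown address passes the existence check.
    assert(@email_exists_loose($known) === true);
    assert(@email_exists_loose($unknown) === true);
}
```

Run it with `php -d zend.assertions=1 -d assert.exception=1 file.php`; the strict comparison is the only one of the two that distinguishes the two outcomes, and it keeps working on PHP 8, where the loose version stops with a TypeError.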

@seandowney
Owner

@ylfighter Thanks for that I will push that now.

@ghost

@seandowney
And another one: on the login page, if I give the wrong email/username, it won't refill the value.

I checked the function set_value() and found out that it only works when you execute the "set_rules" and "run" functions of the "form_validation" class.

So I gave the email/username field some rules to make it take the value back.
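A cut-down model of the set_value()/set_rules() dependency described in the comment above, as an added example that is not part of the original issue and not CodeIgniter's or Bonfire's own code. The class below imitates the CodeIgniter 2.x behaviour (a field that never had set_rules() called on it falls back to the default); the class name, field names and POST body are assumptions for illustration:

```php
<?php
// Added example, not Bonfire's or CodeIgniter's code: a cut-down model of the
// CodeIgniter 2.x Form_validation / set_value() interaction described in the
// comment above. Class and field names are assumptions for illustration.
class MiniFormValidation
{
    private $fieldData = [];

    // Like set_rules(): registers the field so run() will record its value.
    public function setRules(string $field, string $rules): void
    {
        $this->fieldData[$field] = ['rules' => $rules, 'postdata' => null];
    }

    // Like run(): copies submitted values, but only for fields with rules.
    public function run(array $post): bool
    {
        $ok = true;
        foreach ($this->fieldData as $name => &$data) {
            $data['postdata'] = isset($post[$name]) ? (string) $post[$name] : null;
            if (strpos($data['rules'], 'required') !== false && ($data['postdata'] ?? '') === '') {
                $ok = false;
            }
        }
        unset($data);
        return $ok;
    }

    // Like Form_validation::set_value(): a field that never had rules falls
    // back to the default, which is why an unruled login field comes back empty.
    public function setValue(string $field, string $default = ''): string
    {
        if (!isset($this->fieldData[$field]['postdata'])) {
            return $default;
        }
        return $this->fieldData[$field]['postdata'];
    }
}

// The form helper's set_value(): ask the validator, then escape for an HTML
// attribute (form_prep() in CI) so a submitted value cannot close value="...".
function set_value(MiniFormValidation $fv, string $field, string $default = ''): string
{
    return htmlspecialchars($fv->setValue($field, $default), ENT_QUOTES, 'UTF-8');
}

// Constructed POST body for a login attempt with a wrong password; the login
// value carries a quote to show that the echoed value is escaped.
$post = ['login' => 'alice@example.com" onfocus="alert(1)', 'password' => 'wrong-pass'];

// 1. No rules for 'login': the field is not repopulated at all.
$fv = new MiniFormValidation();
$fv->run($post);
assert(set_value($fv, 'login') === '');

// 2. Rules for 'login' only: the login is echoed back (escaped), the password never is.
$fv = new MiniFormValidation();
$fv->setRules('login', 'required|trim');
$fv->run($post);
assert(set_value($fv, 'login') === 'alice@example.com&quot; onfocus=&quot;alert(1)');
assert(set_value($fv, 'password') === '');

echo '<input type="text" name="login" value="' . set_value($fv, 'login') . '" />', PHP_EOL;
echo '<input type="password" name="password" value="' . set_value($fv, 'password') . '" />', PHP_EOL;
```

Run with `php -d zend.assertions=1 -d assert.exception=1 file.php`. Whichever way the vote on repopulating the login field goes, the two things to keep are visible here: never register the password field for repopulation, and always pass the echoed value through attribute escaping.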

@seandowney
Owner

@ylfighter Thanks but a lot of sites do this for security reasons to make sure that the person attempting to login is using the correct information. I don't think we should add the rule for that.

//cc @lonnieezell //cc @svizion What do ye think on this one?

@ghost

@seandowney Actually, I just want to take the "username/email" back. You know, sometimes I just enter the wrong password, and I don't want to reenter the email again.

Oh, maybe you should put it in a cookie... just a thought.

@lonnieezell
Owner

I don't have a problem filling in the email/username, but definitely not the password.

@ghost

@lonnieezell Really?
file: core_modules / users / views / users / login.php
line 42:

 <input class="span6" type="text" name="login" id="login_value" value="<?php echo set_value('login'); ?>" tabindex="1" placeholder="<?php echo $this->settings_lib->item('auth.login_type') == 'both' ? lang('bf_username') .'/'. lang('bf_email') : ucwords($this->settings_lib->item('auth.login_type')) ?>" />

code :

<?php echo set_value('login'); ?>

You sure ?

@lonnieezell
Owner

I'm open to discussion on this one, anyway. It seems to me that the only time that's going to come into play is at the moment someone is trying to log in. The form will refresh and fill their info back in. The two primary security concerns that I can think of at the moment are:

  • A user gets up and walks away from their computer in the middle of doing this because of a phone call, doorbell, screaming kid, etc. In this case their login information is there for anyone else in the office/house to see... but if it's asking for email, the other people probably already know that. They still have to get their password, which I think we do a pretty good job of masking/securing. Plus, many people have their browsers set to remember that info for them, anyway. :)
  • Someone is trying to capture their data as it is submitted to the server... in which case, they already have it. The only way to secure against this is to run your site on HTTPS as far as I'm aware.

I would still like to hear @svizion's and @seandowney's opinions on this, so we can come to a general vote.

@seandowney
Owner

I don't mind but my vote would be to leave the email field blank as it is now just as a deterrent. If someone is just trying email addresses and passwords then they have more work to do.

I agree with you that if it's a workplace or home then they would know the email address already, but those people "should" be less likely to try to hack in. But if someone finds the login page for a public site then we don't know who they are, but they might try to guess the login addresses (info@madeuphost.com etc.), and not saving the email address in the login field will give them more work to do.

If people want to allow the remember me etc then that is their call.

That is my thinking on it.

@svizion

Personally I don't want my username auto-filling when I'm away from a CPU; if they want to auto-login they can click the box or get a password manager that auto-fills the form fields. That's just my personal thoughts on the matter. Plus you have the option of your browser saving the information; you can even transfer it around with Chrome mobile.

@ghost

I just thought a lot of websites will refill the fields, like Google.
I guess it depends on what kind of website you are building.
Of course, security is very important, but I also care about the "user experience".
Just my opinion.

@lonnieezell
Owner

Absolutely. They are both critical elements that have to be balanced. @svizion I didn't mean autofill based on the user, but only when you're actually filling out the form itself and have an error. Then using the form helper's set_value() for the login (NOT password!) seems viable and fairly safe.

@seandowney
Owner

I'm still of the opinion that we don't use set_value.

If someone knows their login details they won't have a problem; if they get it wrong or forgot them, then they will have to enter it again a couple of times before heading to the forgot-password functionality. No biggie to do that imo.

If someone is trying to hack in then it won't stop them but it will make it a bit more awkward for them.

@lonnieezell
Owner

Sounds like I'm out-voted. :) And in this case, it's a very simple thing for someone to customize for their own website. All it needs is a single tiny chunk of code inserted in the template.

@ghost

Right... It's not a big deal, actually. People who use Bonfire can make their own decision; you guys don't need to worry about it. Thanks. :)

@lonnieezell
Owner

@ylfighter Thanks for your understanding on this one.

@ghost

@lonnieezell I have learned a lot of things from this project. Thank you, guys! I'll keep following.

@svizion

@lonnieezell I misunderstood the issue apparently. It's a minor thing, like @ylfighter says, so I'm not that worried about it either way. My password manager auto-fills my values after I enter the master password for that session, so I never worried about it, but from a UX point of view I could see it as useful.

@seandowney
Owner