
security concern #9

Closed
challet opened this issue Jan 5, 2011 · 1 comment

Comments

challet commented Jan 5, 2011

Are you sure setting a default password value is a good idea? https://github.com/webtechnick/CakePHP-Facebook-Plugin/blob/master/controllers/components/connect.php#L108

Let's study the following case:

  • I log in with Facebook. My account password now has the value "disabled" (it is not actually disabled, it just has this value).
  • Sometimes on the website, I can change/add my email address.
  • This website has kept the CakePHP Auth login system enabled (because not everyone wants to log in with Facebook).
  • Someone (for instance a Facebook "friend") knows my email address and that I logged on to the website.
  • He just has to go to the website and enter my email address as the login and "disabled" as the password.
  • He gets my identity on the website.

I haven't tested it yet; I'll keep you posted when this is done.

webtechnick (Owner) commented

Indeed you are correct. The idea originally behind it was that if you're letting the user log in as a Facebook user, you shouldn't allow the user to log in as a normal user. This wasn't made clear in the documentation; I've made the appropriate changes. A randomly generated password is now used instead.
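The flaw described in the report above, and the random-password fix the owner describes, side by side as an added example. This is not the plugin's code and uses no CakePHP API: plain PHP 7+, with an in-memory array standing in for the users table and a hypothetical `password_login_enabled` column that goes one step beyond the owner's fix by refusing the password login path for Facebook-linked accounts altogether (the behaviour the owner says was intended).

```php
<?php
// Added example (not the CakePHP-Facebook-Plugin's own code).
// $users is a constructed in-memory stand-in for the users table.

// Vulnerable pattern from the issue: every Facebook-linked account is
// stored with the same, publicly documented password value. Whether the
// value is stored raw or hashed does not matter; it is a shared secret
// that anyone who knows a linked user's email address can present.
function vulnerable_link_facebook(array &$users, string $email): void
{
    $users[$email] = [
        'password'        => password_hash('disabled', PASSWORD_DEFAULT),
        'facebook_linked' => true,
    ];
}

// Hardened pattern: an unguessable per-account secret (as in the owner's
// fix), plus an explicit flag so the password login path can refuse these
// accounts even if the stored value were somehow learned.
function hardened_link_facebook(array &$users, string $email): void
{
    $random = bin2hex(random_bytes(32)); // 256 bits of CSPRNG output, never shown to anyone
    $users[$email] = [
        'password'               => password_hash($random, PASSWORD_DEFAULT),
        'facebook_linked'        => true,
        'password_login_enabled' => false, // assumption: a column added for this purpose
    ];
}

// The ordinary email + password login path (stands in for CakePHP Auth).
function password_login(array $users, string $email, string $password): bool
{
    if (!isset($users[$email])) {
        return false;
    }
    $u = $users[$email];

    // Accounts created through Facebook must authenticate through Facebook.
    if (isset($u['password_login_enabled']) && $u['password_login_enabled'] === false) {
        return false;
    }
    return password_verify($password, $u['password']);
}

// Constructed demo: the same email address linked under each scheme.
$vulnerable = [];
vulnerable_link_facebook($vulnerable, 'alice@example.com');

$hardened = [];
hardened_link_facebook($hardened, 'alice@example.com');

// With the vulnerable scheme, the documented default value is accepted as a
// valid password for any linked account; with the hardened scheme the
// password path is refused before the hash is even checked.
var_dump(password_login($vulnerable, 'alice@example.com', 'disabled'));
var_dump(password_login($hardened,   'alice@example.com', 'disabled'));
```

The random value is only a fallback: since the hardened record also disables the password path, the site never has to keep a usable password for a social-login account at all, and a later change of email address (the second bullet in the report) no longer turns a guessable default into an account takeover.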

This issue was closed.