ZF-1680: Zend_Auth_Adapter_DbTable authenticate active users only

Description

In most cases, when a user signs up to a website, he becomes active only after confirmation (for example after providing a code that has been sent via email). Before confirmation, there is a field "status" in the users table set to "off" or "inactive". As soon as the user confirms his account, the "status" field is set to "on" or "active".

The problem with the authenticate() method is that it only checks the identity and credential and applies an optional treatment. So in the case described above, an inactive user would be authenticated successfully.

I think there should be a 5th optional parameter, some kind of "where" statement. Example:

$statusValue = 'on';

// setCondition() is the proposed 5th option, not an existing method
$authAdapter = new Zend_Auth_Adapter_DbTable($db);
$authAdapter->setTableName('doby')
    ->setIdentityColumn('username')
    ->setCredentialColumn('password')
    ->setCondition('status = ?', $statusValue);

As the framework works at the moment, to have the authenticate method work as expected, I need to have 2 tables: one with the unconfirmed users and one with the confirmed ones, and then search the confirmed table for authentication. This is not very practical.

I hope you find this proposal interesting and useful.

Loris Candylaftis

Comments

Assigning to [~ralph].

My first impression leads me to suggest to simply extend the existing functionality with the custom functionality described above. Is this not workable for some reason?

Another possible solution would be to use the DbSelect adapter, currently available in the incubator:

http://framework.zend.com/svn/framework/…

Finally, there is another possible solution: if you consider whether or not an authenticated user account is "active" as access control, and not part of authentication, then you can move this logic to where other access control rules may be implemented (e.g., within a controller or controller plugin). That is, change the one-step process of authentication into two steps:

1. authenticate as normal

2. upon authentication success, apply additional access control logic (e.g., whether or not the account is "active")

Changing the priority to minor, since easy workarounds seem to be viable at this point.

What about this:


// create an adapter that will work on a database table;
// the credential treatment is placed inside the SQL comparison, so the
// extra "AND active = 1" condition becomes part of the credential check
$adapter = new Zend_Auth_Adapter_DbTable($db, 'users', 'username', 'password', 'MD5(?) AND active = 1');

Yes, Ralph! Your suggestion works perfectly!

// $authAdapter is a Zend_Auth_Adapter_DbTable already configured with
// the table, identity column and credential column
// Set the input credential values (from the login form)
$authAdapter->setIdentity($this->_request->getPost('username'))
        ->setCredential($this->_request->getPost('password'))
        ->setCredentialTreatment('md5(?) AND active = 1');

Thank you very much.
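The two-step approach Ralph describes above (authenticate first, then treat "active" as an access-control decision), written out as an added example that is not code from the ticket or from Zend Framework itself. It assumes a configured Zend_Db adapter `$db`, a `users` table with `username`, `password` (MD5 hash, as in the ticket) and `status` columns, and the ZF1 `Zend_Auth_Adapter_DbTable::getResultRowObject()` method:

```php
<?php
// Added example: authenticate with Zend_Auth_Adapter_DbTable, then check the
// account status on the matched row instead of folding it into the SQL.
require_once 'Zend/Auth.php';
require_once 'Zend/Auth/Adapter/DbTable.php';
require_once 'Zend/Auth/Result.php';

function authenticateActiveUser(Zend_Db_Adapter_Abstract $db, $username, $password)
{
    // Step 1: identity + credential only (MD5 treatment as used in the ticket)
    $adapter = new Zend_Auth_Adapter_DbTable($db, 'users', 'username', 'password', 'MD5(?)');
    $adapter->setIdentity($username)
            ->setCredential($password);

    $auth   = Zend_Auth::getInstance();
    $result = $auth->authenticate($adapter);

    if (!$result->isValid()) {
        // Wrong username or password: Zend_Auth stored nothing, pass it through
        return $result;
    }

    // Step 2: access control on the matched row. Only the status column is
    // requested so the password hash never leaves the adapter.
    $row = $adapter->getResultRowObject(array('status'));
    if ($row === false || $row->status !== 'on') {
        // Zend_Auth::authenticate() already persisted the identity in storage;
        // clear it so an inactive (unconfirmed) account is never left logged in.
        $auth->clearIdentity();
        return new Zend_Auth_Result(
            Zend_Auth_Result::FAILURE,
            $username,
            array('Account is not active.')
        );
    }

    return $result;
}
```

With the in-SQL treatment from the thread ('MD5(?) AND active = 1') an inactive account fails with the same message as a wrong password; this version keeps the two outcomes apart on the server side so the application can decide what, if anything, to tell the user.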

Resolving as not an issue.

Updating Fix Version to follow issue tracker conventions.