ZF-1680: Zend_Auth_Adapter_DbTable authenticate active users only

Issue Type:

Improvement

Created:

2007-07-04T17:50:15.000+0000

Last Updated:

2008-01-23T18:32:36.000+0000

Status:

Resolved

Fix version(s):

1.0.1 (30/Jul/07)

Reporter:

Loris Candylaftis (loloziberlo)

Assignee:

Ralph Schindler (ralph)

Tags:

Zend_Auth

Related issues:

Attachments:

Description

In most cases, when a user signs-up to a website, he becomes active only after confirmation (for example after providing a code that has been sent via email). Before confirmation, there is a field "status" in the users table set to "off" or "inactive". As soon as the user confirms his account, the "status" field is set to "on" or "active".

The problem with the authenticate() method is that it only checks the identity, credential and applies an optional treatment. So in the case described above, an unactive user would be authenticated successfully.

I think there should be a 5th optional parameter, some kind of "where" statement. Example:


$authAdapter->setTableName('doby')
    ->setIdentityColumn('username')
    ->setCredentialColumn('password')
    ->setCondition('status = ?', $statusValue); // $statusValue = 'on'

As the framework works actually, to have the authenticate method work as expected, I need to have 2 tables: one with the unconfirmed users, and one with the confirmed, and then searching the confirmed table for authentication. This is not very practical.

I hope you find this proposal interesting and useful.

Loris Candylaftis

Comments

Posted by Darby Felton (darby) on 2007-07-05T14:37:24.000+0000

Assigning to [~ralph].

Posted by Darby Felton (darby) on 2007-07-05T14:44:28.000+0000

My first impression leads me to suggest to simply extend the existing functionality with the custom functionality described above. Is this not workable for some reason?

Another possible solution would be to use the DbSelect adapter, currently available in the incubator:

http://framework.zend.com/svn/framework/…

Finally, there is another possible solution: if you consider whether or not an authenticated user account is "active" as access control, and not part of authentication, then you can move this logic to where other access control rules may be implemented (e.g., within a controller or controller plugin). That is, change the one-step process of authentication into two steps:

authenticate as normal

upon authentication success, apply additional access control logic (e.g., whether or not the account is "active")

Changing the priority to minor, since easy workarounds seem to be viable at this point.

Posted by Ralph Schindler (ralph) on 2007-07-18T14:58:44.000+0000

what about this:



// create an adapter that will work on a database table
$adapter = new Zend_Auth_Adapter_DbTable($db, 'users', 'username', 'password', 'MD5(?) AND active = 1');

Posted by Loris Candylaftis (loloziberlo) on 2007-07-18T17:47:05.000+0000

Yes Ralph! your suggestion works perfect!


// Set the input credential values (from the login form)
$authAdapter->setIdentity($this->_request->getPost('username'))
        ->setCredential($this->_request->getPost('password'))
        ->setCredentialTreatment('md5(?) AND active = 1');

Thank you very much.

Posted by Darby Felton (darby) on 2007-07-19T07:49:07.000+0000

Resolving as not an issue.

Posted by Wil Sinclair (wil) on 2008-01-23T18:32:36.000+0000

Updating Fix Version to follow issue tracker conventions.