Issue Type: Improvement Created: 2007-07-04T17:50:15.000+0000 Last Updated: 2008-01-23T18:32:36.000+0000 Status: Resolved Fix version(s): - 1.0.1 (30/Jul/07)
Reporter: Loris Candylaftis (loloziberlo) Assignee: Ralph Schindler (ralph) Tags: - Zend_Auth
Related issues: - ZF-2405
In most cases, when a user signs-up to a website, he becomes active only after confirmation (for example after providing a code that has been sent via email). Before confirmation, there is a field "status" in the users table set to "off" or "inactive". As soon as the user confirms his account, the "status" field is set to "on" or "active".
The problem with the authenticate() method is that it only checks the identity, credential and applies an optional treatment. So in the case described above, an unactive user would be authenticated successfully.
I think there should be a 5th optional parameter, some kind of "where" statement. Example:
<pre class="highlight"> $authAdapter->setTableName('doby') ->setIdentityColumn('username') ->setCredentialColumn('password') ->setCondition('status = ?', $statusValue); // $statusValue = 'on'
As the framework works actually, to have the authenticate method work as expected, I need to have 2 tables: one with the unconfirmed users, and one with the confirmed, and then searching the confirmed table for authentication. This is not very practical.
I hope you find this proposal interesting and useful.
Posted by Darby Felton (darby) on 2007-07-05T14:37:24.000+0000
Assigning to [~ralph].
Posted by Darby Felton (darby) on 2007-07-05T14:44:28.000+0000
My first impression leads me to suggest to simply extend the existing functionality with the custom functionality described above. Is this not workable for some reason?
Another possible solution would be to use the DbSelect adapter, currently available in the incubator:
Finally, there is another possible solution: if you consider whether or not an authenticated user account is "active" as access control, and not part of authentication, then you can move this logic to where other access control rules may be implemented (e.g., within a controller or controller plugin). That is, change the one-step process of authentication into two steps:
Changing the priority to minor, since easy workarounds seem to be viable at this point.
Posted by Ralph Schindler (ralph) on 2007-07-18T14:58:44.000+0000
what about this:
<pre class="highlight"> // create an adapter that will work on a database table $adapter = new Zend_Auth_Adapter_DbTable($db, 'users', 'username', 'password', 'MD5(?) AND active = 1');
Posted by Loris Candylaftis (loloziberlo) on 2007-07-18T17:47:05.000+0000
Yes Ralph! your suggestion works perfect!
<pre class="highlight"> // Set the input credential values (from the login form) $authAdapter->setIdentity($this->_request->getPost('username')) ->setCredential($this->_request->getPost('password')) ->setCredentialTreatment('md5(?) AND active = 1');
Thank you very much.
Posted by Darby Felton (darby) on 2007-07-19T07:49:07.000+0000
Resolving as not an issue.
Posted by Wil Sinclair (wil) on 2008-01-23T18:32:36.000+0000
Updating Fix Version to follow issue tracker conventions.
Have you found an issue?
See the Overview section for more details.