ChangePassword to Passwordable

Model/Behavior/PasswordableBehavior.php

@@ -0,0 +1,296 @@
+<?php
+App::uses('ModelBehavior', 'Model');
+App::uses('CakeResponse', 'Network');
+App::uses('Security', 'Utility');
+
+if (!defined('PWD_MIN_LENGTH')) {
+	define('PWD_MIN_LENGTH', 3);
+}
+if (!defined('PWD_MAX_LENGTH')) {
+	define('PWD_MAX_LENGTH', 20);
+}
+
+/**
+ * A cakephp2 behavior to work with passwords the easy way
+ * - complete validation
+ * - hashing of password
+ * - requires fields (no tempering even without security component)
+ * - usable for edit forms (allowEmpty=>true for optional password update)
+ *
+ * usage: do NOT add it via $actAs = array()
+ * attach it dynamically in only those actions where you actually change the password like so:
+ * $this->User->Behaviors->attach('Tools.Passwordable', array(SETTINGSARRAY));
+ * as first line in any action where you want to allow the user to change his password
+ * also add the two form fields in the form (pwd, pwd_confirm)
+ * the rest is cake automagic :)
+ *
+ * now also is capable of:
+ * - require current password prior to altering it (current=>true)
+ * - don't allow the same password it was before (allowSame=>false)
+ *
+ * TODO: allowEmpty and nonEmptyToEmpty - maybe with checkbox "set_new_pwd"
+ * feel free to help me out
+ *
+ * @version 1.6 (renamed from ChangePassword to Passwordable)
+ * @author Mark Scherer
+ * @link http://www.dereuromark.de/2011/08/25/working-with-passwords-in-cakephp
+ * @license MIT
+ * 2011-08-24 ms
+ */
+class PasswordableBehavior extends ModelBehavior {
+
+	public $settings = array();
+
+	/**
+	 * @access protected
+	 */
+	public $_defaultSettings = array(
+		'field' => 'password',
+		'confirm' => true, # set to false if in admin view and no confirmation (pwd_repeat) is required
+		'allowEmpty' => false, # if password must be provided or be changed (set to true for update sites)
+		'current' => false, # expect the current password for security purposes
+		'formField' => 'pwd',
+		'formFieldRepeat' => 'pwd_repeat',
+		'formFieldCurrent' => 'pwd_current',
+		'hashType' => null,
+		'hashSalt' => true,
+		'auth' => 'Auth', # which component,
+		'allowSame' => true, # dont allow the old password on change
+	);
+
+	public $_validationRules = array(
+		'formField' => array(
+			'between' => array(
+				'rule' => array('between', PWD_MIN_LENGTH, PWD_MAX_LENGTH),
+				'message' => array('valErrBetweenCharacters %s %s', PWD_MIN_LENGTH, PWD_MAX_LENGTH),
+				'allowEmpty' => null,
+				'last' => true,
+			)
+		),
+		'formFieldRepeat' => array(
+			'between' => array(
+				'rule' => array('between', PWD_MIN_LENGTH, PWD_MAX_LENGTH),
+				'message' => array('valErrBetweenCharacters %s %s', PWD_MIN_LENGTH, PWD_MAX_LENGTH),
+				'allowEmpty' => null,
+				'last' => true,
+			),
+			'validateIdentical' => array(
+				'rule' => array('validateIdentical', 'formField'),
+				'message' => 'valErrPwdNotMatch',
+				'allowEmpty' => null,
+				'last' => true,
+			),
+		),
+		'formFieldCurrent' => array(
+			'notEmpty' => array(
+				'rule' => array('notEmpty'),
+				'message' => 'valErrProvideCurrentPwd',
+				'allowEmpty' => null,
+				'last' => true,
+			),
+			'validateCurrentPwd' => array(
+				'rule' => 'validateCurrentPwd',
+				'message' => 'valErrCurrentPwdIncorrect',
+				'allowEmpty' => null,
+				'last' => true,
+			)
+		),
+	);
+
+	/**
+	 * if not implemented in AppModel
+	 * @throws CakeException
+	 * @return bool $success
+	 * 2011-07-22 ms
+	 */
+	public function validateCurrentPwd(Model $Model, $data) {
+		if (is_array($data)) {
+			$pwd = array_shift($data);
+		} else {
+			$pwd = $data;
+		}
+
+		$uid = null;
+		if ($Model->id) {
+			$uid = $Model->id;
+		} elseif (!empty($Model->data[$Model->alias]['id'])) {
+			$uid = $Model->data[$Model->alias]['id'];
+		} else {
+			trigger_error('No user id given');
+			return false;
+		}
+		if (class_exists('AuthExtComponent')) {
+			$this->Auth = new AuthExtComponent(new ComponentCollection());
+		} elseif (class_exists($this->settings[$Model->alias]['auth'].'Component')) {
+			$auth = $this->settings[$Model->alias]['auth'].'Component';
+			$this->Auth = new $auth(new ComponentCollection());
+		} else {
+			throw new CakeException('No validation class found');
+		}
+		# easiest authenticate method via form and (id + pwd)
+		$this->Auth->authenticate = array('Form'=>array('fields'=>array('username' => 'id', 'password'=>$this->settings[$Model->alias]['field'])));
+
+		$request = new CakeRequest(null, false);
+		$request->data['User'] = array('id'=>$uid, 'password'=>$pwd);
+		$response = new CakeResponse();
+		return $this->Auth->identify($request, $response);
+	}
+
+	/**
+	 * if not implemented in AppModel
+	 * @return bool $success
+	 * 2011-07-22 ms
+	 */
+	public function validateIdentical(Model $Model, $data, $compareWith = null) {
+		if (is_array($data)) {
+			$value = array_shift($data);
+		} else {
+			$value = $data;
+		}
+		$compareValue = $Model->data[$Model->alias][$compareWith];
+		return ($compareValue == $value);
+	}
+
+	/**
+	 * if not implemented in AppModel
+	 * @return bool $success
+	 * 2011-11-10 ms
+	 */
+	public function validateNotSame(Model $Model, $data, $field1, $field2) {
+		$value1 = $Model->data[$Model->alias][$field1];
+		$value2 = $Model->data[$Model->alias][$field2];
+		return ($value1 != $value2);
+	}
+
+	/**
+	 * adding validation rules
+	 * also adds and merges config settings (direct + configure)
+	 * 2011-08-24 ms
+	 */
+	public function setup(Model $Model, $config = array()) {
+		$defaults = $this->_defaultSettings;
+		if ($configureDefaults = Configure::read('ChangePassword')) {
+			$defaults = Set::merge($defaults, $configureDefaults);
+		}
+		$this->settings[$Model->alias] = Set::merge($defaults, $config);
+
+		$formField = $this->settings[$Model->alias]['formField'];
+		$formFieldRepeat = $this->settings[$Model->alias]['formFieldRepeat'];
+		$formFieldCurrent = $this->settings[$Model->alias]['formFieldCurrent'];
+
+		$rules = $this->_validationRules;
+
+		# add the validation rules if not already attached
+		if (!isset($Model->validate[$formField])) {
+			$Model->validate[$formField] = $rules['formField'];
+		}
+		if (!isset($Model->validate[$formFieldRepeat])) {
+			$Model->validate[$formFieldRepeat] = $rules['formFieldRepeat'];
+			$Model->validate[$formFieldRepeat]['validateIdentical']['rule'][1] = $formField;
+		}
+		
+
+		if ($this->settings[$Model->alias]['current'] && !isset($Model->validate[$formFieldCurrent])) {
+			$Model->validate[$formFieldCurrent] = $rules['formFieldCurrent'];
+
+			if (!$this->settings[$Model->alias]['allowSame']) {
+				$Model->validate[$formField]['validateNotSame'] = array(
+					'rule' => array('validateNotSame', $formField, $formFieldCurrent),
+					'message' => 'valErrPwdSameAsBefore',
+					'allowEmpty' => $this->settings[$Model->alias]['allowEmpty'],
+					'last' => true,
+				);
+			}
+		}
+	}
+
+	/**
+	 * whitelisting
+	 * 
+	 * @todo currently there is a cake core bug that can break functionality here
+	 * (see http://cakephp.lighthouseapp.com/projects/42648/tickets/3071-behavior-validation-methods-broken for details)
+	 * 2011-07-22 ms
+	 */
+	public function beforeValidate(Model $Model) {
+		$formField = $this->settings[$Model->alias]['formField'];
+		$formFieldRepeat = $this->settings[$Model->alias]['formFieldRepeat'];
+		$formFieldCurrent = $this->settings[$Model->alias]['formFieldCurrent'];
+
+		# make sure fields are set and validation rules are triggered - prevents tempering of form data
+		if (!isset($Model->data[$Model->alias][$formField])) {
+			$Model->data[$Model->alias][$formField] = '';
+		}
+		if ($this->settings[$Model->alias]['confirm'] && !isset($Model->data[$Model->alias][$formFieldRepeat])) {
+			$Model->data[$Model->alias][$formFieldRepeat] = '';
+		}
+		if ($this->settings[$Model->alias]['current'] && !isset($Model->data[$Model->alias][$formFieldCurrent])) {
+			$Model->data[$Model->alias][$formFieldCurrent] = '';
+		}
+		
+		# check if we need to trigger any validation rules
+		if ($this->settings[$Model->alias]['allowEmpty']) {
+			$current = !empty($Model->data[$Model->alias][$formFieldCurrent]);
+			$new = !empty($Model->data[$Model->alias][$formField]) || !empty($Model->data[$Model->alias][$formFieldRepeat]);
+			if (!$new && !$current) {
+				//$Model->validator()->remove($formField); // tmp only!
+				//unset($Model->validate[$formField]);
+				unset($Model->data[$Model->alias][$formField]);
+				if ($this->settings[$Model->alias]['confirm']) {
+					//$Model->validator()->remove($formFieldRepeat); // tmp only!
+					//unset($Model->validate[$formFieldRepeat]);
+					unset($Model->data[$Model->alias][$formFieldRepeat]);
+				}
+				if ($this->settings[$Model->alias]['current']) {
+					//$Model->validator()->remove($formFieldCurrent); // tmp only!
+					//unset($Model->validate[$formFieldCurrent]);
+					unset($Model->data[$Model->alias][$formFieldCurrent]);
+				}
+				return true;
+			}
+		}
+		
+		# add fields to whitelist!
+		$whitelist = array($this->settings[$Model->alias]['formField'], $this->settings[$Model->alias]['formFieldRepeat']);
+		if ($this->settings[$Model->alias]['current']) {
+			$whitelist[] = $this->settings[$Model->alias]['formFieldCurrent'];
+		}
+		if (!empty($Model->whitelist)) {
+			$Model->whitelist = array_merge($Model->whitelist, $whitelist);
+		}
+
+		return true;
+	}
+
+
+	/**
+	 * hashing the password now
+	 * 2011-07-22 ms
+	 */
+	public function beforeSave(Model $Model) {
+		//debug($Model->data);
+		$formField = $this->settings[$Model->alias]['formField'];
+		$field = $this->settings[$Model->alias]['field'];
+		$type = $this->settings[$Model->alias]['hashType'];
+		$salt = $this->settings[$Model->alias]['hashSalt'];
+
+		if (isset($Model->data[$Model->alias][$formField])) {
+			$Model->data[$Model->alias][$field] = Security::hash($Model->data[$Model->alias][$formField], $type, $salt);
+			unset($Model->data[$Model->alias][$formField]);
+			if ($this->settings[$Model->alias]['confirm']) {
+				$formFieldRepeat = $this->settings[$Model->alias]['formFieldRepeat'];
+				unset($Model->data[$Model->alias][$formFieldRepeat]);
+			}
+			if ($this->settings[$Model->alias]['current']) {
+				$formFieldCurrent = $this->settings[$Model->alias]['formFieldCurrent'];
+				unset($Model->data[$Model->alias][$formFieldCurrent]);
+			}
+			# update whitelist
+			if (!empty($Model->whitelist)) {
+				$Model->whitelist = array_merge($Model->whitelist, array($field));
+			}
+		}
+
+		return true;
+	}
+
+}

Test/Case/Model/Behavior/PasswordableBehaviorTest.php

@@ -0,0 +1,281 @@
+<?php
+
+App::uses('Model', 'Model');
+App::uses('AppModel', 'Model');
+
+App::uses('ComponentCollection', 'Controller');
+
+class PasswordableBehaviorTest extends CakeTestCase {
+
+	public $fixtures = array(
+		'core.user',
+	);
+
+	/**
+	 * setUp method
+	 */
+	public function setUp() {
+		parent::setUp();
+		
+		$this->User = ClassRegistry::init('User');
+	}
+
+	/**
+	 * Tear-down method.  Resets environment state.
+	 */
+	public function tearDown() {
+		unset($this->User);
+		parent::tearDown();
+		
+		ClassRegistry::flush();
+	}
+
+
+	public function testObject() {
+		$this->User->Behaviors->attach('Tools.Passwordable', array());
+		$this->assertIsA($this->User->Behaviors->Passwordable, 'PasswordableBehavior');
+		$res = $this->User->Behaviors->attached('Passwordable');
+		$this->assertTrue($res);
+	}
+
+	/**
+	 * make sure validation is triggered correctly
+	 */
+	public function testValidate() {
+		$this->User->Behaviors->attach('Tools.Passwordable', array());
+
+		$this->User->create();
+		$data = array(
+			'pwd' => '1234',
+		);
+		$this->User->set($data);
+		$is = $this->User->save();
+		//debug($this->User->validationErrors); ob_flush();
+		$this->assertFalse($is);
+		$this->assertEquals(array('pwd_repeat'), array_keys($this->User->validationErrors));
+
+
+		$this->User->create();
+		$data = array(
+			'pwd' => '1234',
+			'pwd_repeat' => '123456'
+		);
+		$this->User->set($data);
+		$is = $this->User->save();
+		//debug($this->User->validationErrors); ob_flush();
+		$this->assertFalse($is);
+		$this->assertEquals(array(__('valErrPwdNotMatch')), $this->User->validationErrors['pwd_repeat']);
+
+		$this->User->create();
+		$data = array(
+			'pwd' => '123456',
+			'pwd_repeat' => '123456'
+		);
+		$this->User->set($data);
+		//debug($this->User->validate);
+		$is = $this->User->validates();
+		$this->assertTrue(!empty($is));
+
+	}
+
+	/**
+	 * test that confirm false does not require confirmation
+	 */
+	public function testValidateNoConfirm() {
+		$this->User->Behaviors->attach('Tools.Passwordable', array('confirm'=>false));
+		$this->User->create();
+		$data = array(
+			'pwd' => '123456',
+		);
+		$this->User->set($data);
+		$is = $this->User->save();
+		debug($is); ob_flush();
+		$this->assertTrue(!empty($is));
+	}
+
+	/**
+	 * validation and update process gets skipped if no values are entered
+	 */
+	public function testValidateEmpty() {
+		$this->User->Behaviors->attach('Tools.Passwordable');
+		$this->User->create();
+		$data = array(
+			'pwd' => '',
+			'pwd_repeat' => ''
+		);
+		$this->User->set($data);
+		$is = $this->User->save();
+		debug($this->User->validationErrors); ob_flush();
+		$this->assertFalse($is);
+		$this->assertEquals(array('pwd', 'pwd_repeat'), array_keys($this->User->validationErrors));
+
+
+		$this->User->Behaviors->detach('Passwordable');
+		$this->User->validate = array();
+		
+		$this->User->Behaviors->attach('Tools.Passwordable', array('current'=>true));
+		$this->User->create();
+		$data = array(
+			'id' => 123,
+			'pwd' => '',
+			'pwd_repeat' => '',
+			'pwd_current' => '123',
+		);
+		$this->User->set($data);
+		$is = $this->User->save();
+		//debug($this->User->validationErrors); ob_flush();
+		$this->assertFalse($is);
+		$this->assertEquals(array('pwd', 'pwd_repeat', 'pwd_current'), array_keys($this->User->validationErrors));
+
+		$this->tearDown();
+		$this->setUp();
+		
+		$this->User->Behaviors->attach('Tools.Passwordable', array('allowEmpty'=>true, 'current'=>true));
+		$this->User->create();
+		$data = array(
+			'user' => 'foo',
+			'pwd' => '',
+			'pwd_repeat' => '',
+			'pwd_current' => '',
+		);
+		$is = $this->User->save($data);
+		
+		debug($this->User->data);
+		debug($this->User->validate);
+		debug($this->User->validationErrors); ob_flush();
+		
+		$this->assertTrue(!empty($is));
+	}
+
+	/**
+	 * test aliases for field names
+	 */
+	public function testDifferentFieldNames() {
+		$this->User->Behaviors->attach('Tools.Passwordable', array(
+			'formField' => 'passw',
+			'formFieldRepeat' => 'passw_repeat',
+			'formFieldCurrent' => 'passw_current',
+		));
+		$this->User->create();
+		$data = array(
+			'passw' => '123456',
+			'passw_repeat' => '123456'
+		);
+		$this->User->set($data);
+		//debug($this->User->data);
+		$is = $this->User->save();
+		$this->assertTrue(!empty($is));
+
+	}
+
+	/**
+	 * assert that allowSame false does not allow storing the same password as previously entered
+	 */
+	public function testNotSame() {
+		$this->User->Behaviors->attach('Tools.Passwordable', array(
+			'formField' => 'passw',
+			'formFieldRepeat' => 'passw_repeat',
+			'formFieldCurrent' => 'passw_current',
+			'allowSame' => false,
+			'current' => true
+		));
+		$this->User->create();
+		$data = array(
+			'id' => 5,
+			'passw_current' => 'some',
+			'passw' => 'some',
+			'passw_repeat' => 'some'
+		);
+		$this->User->set($data);
+		$is = $this->User->save();
+		debug($this->User->validationErrors);
+		$this->assertFalse($is);
+
+		$this->User->create();
+		$data = array(
+			'id' => 5,
+			'passw_current' => 'some',
+			'passw' => 'new',
+			'passw_repeat' => 'new'
+		);
+		$this->User->set($data);
+		debug($this->User->data);
+		$is = $this->User->save();
+		$this->assertTrue(!empty($is));
+	}
+
+	/**
+	 * needs faking of pwd check...
+	 */
+	public function testValidateCurrent() {
+		$this->assertFalse($this->User->Behaviors->attached('Passwordable'));
+		$this->User->create();
+		$data = array('user'=>'xyz', 'password'=>Security::hash('some', null, true));
+		$res = $this->User->save($data);
+		$this->assertTrue(!empty($res));
+		$uid = $this->User->id;
+		
+		# cake bug => attached behavior validation rules cannot be triggered
+		//$this->tearDown();
+		//$this->setUp();
+
+		$this->User->Behaviors->attach('Tools.Passwordable', array('current'=>true));
+		$this->User->create();
+		$data = array(
+			'id' => $uid,
+			'pwd' => '1234',
+			'pwd_repeat' => '123456',
+			//'pwd_current' => '',
+		);
+		$this->User->set($data);
+		$this->assertTrue($this->User->Behaviors->attached('Passwordable'));
+		debug($this->User->validate); ob_flush();
+		$is = $this->User->save();
+		//debug($this->User->validationErrors); ob_flush();
+		$this->assertFalse($is);
+
+		$this->User->create();
+		$data = array(
+			'id' => $uid,
+			'pwd_current' => 'somex',
+			'pwd' => '123456',
+			'pwd_repeat' => '123456'
+		);
+		$this->User->set($data);
+		//debug($this->User->validationErrors); ob_flush();
+		$is = $this->User->save();
+		$this->assertFalse($is);
+
+		$this->User->create();
+		$data = array(
+			'id' => $uid,
+			'pwd_current' => 'some',
+			'pwd' => '123456',
+			'pwd_repeat' => '123456'
+		);
+		$this->User->set($data);
+		//debug($this->User->validationErrors); ob_flush();
+		$is = $this->User->save();
+		$this->assertTrue(!empty($is));
+	}
+
+}
+
+
+/**
+ * FAKER!
+ * 2011-11-03 ms
+ */
+class AuthComponent {
+
+	public function identify($request, $response) {
+		$user = $request->data['User'];
+		if ($user['id'] == '5' && $user['password'] == 'some') {
+			return true;
+		}
+		return false;
+	}
+
+}
+
+