I am trying to build a user-module that can be used in most of the web applications I am using zend-framework to build it and so far I have done following work:
User and Access Control Related Tables
user
user_id (int 11 auto increment PK)
username (varchar 50 unique)
password (varchar 25)
email (varchar 50)
created_on (datetime)
updated-on (datetime)
lastvisit (datetime)
status (boolean default 1)
role
role_id (int 11 auto increment PK)
role_name (varchar 25 unique)
description (varchar 100)
user_role
user_id (int 11 foreign key to user table)
role_id (int 11 foreign key to role table)
user_reset
reset_id (int 11 auto increment PK)
user_email (varchar 50)
uniqid(varchar 20)
reset_flag (tinyint 1)
Controllers and Actions
UserControllers
- registerAction
user_status is set to zero
- enableUserAction
enable user uri will be sent via email, user_status to one
-
forgotPasswordAction
-
loginAction
-
resetPasswordAction
-
editInfoAction
-
changePasswordAction
-
accountInfoAction
-
disableAccountAction
-
logoutAction
Models, Logic and DbInteraction Layers
Class UserTable()
Methods
- save ($data)
- update ($data, $condition, $value)
- fetch ($fields, $condition, $value)
- delete ($condition, $value)
- getUserById($uid)
- getUserByEmail($email)
Class User()
- validation (most of the validation are done using zend library)
- email validation
- username validation (duplication, no. of characters)
- password validation etc…
Methods:
- user_emailNotification
@params toEmail String
{email settings, email templates, send mail}
- user_authentication
@params username | emalilAddress String, String
returns Boolean
- user_checkUniqueEmail
@params email String
returns Boolean
- user_checkResetFlag
@params email String
returns Boolean
I am trying to make this module as reusable as possible so I would love to recieve any of ur suggestions regarding the class structure, database/table structure or anything regarding the module to make it more modular. So If you have any suggestions do post it.
I think your model is fine, the only thing I would change is your USerTable Class and split it into 2 separate classes :
With this system, your UserTable doe not need to be rewritten if you change the way you store users data, and each class has only a single responsability.
But as far as I can guess, you store your passwords in plain text (25 chars are not enough for md5 nor sha*). You should really not do that : in your db, edit your password column to be at least 64 chars long.
Then use a strong hash with salt for storing passwords (like sha256, here is a sample) :
This is the very minimum. You can perform multiple hash loops on the password to make them stronger, or use some frameworks for managing password security, like phpass.
that’s a bit off-topic, but there are too many hacked websites’dumps with plaintext passwords out there
Hope that helps !
Benjamin
Edit : Here are some precisions for UserTable separation :
The main objective is to have a business class that contains the business model and operations, not matter what system is used for storing and fetching the data. This class will use a specific “storage” adapter for each data persistence service.
This class could look like this :
This class performs all necessary operations for managing an user, but it needs an adapter that will be responsible for the real data manipulation, and will depend on the underlying data storage service. Let’s create an interface first, for being able to manage multiple data storage services :
This interface allows us to ensure that the adapter will contain the required methods for working with our UserManager, whenever we use a RDBMS, a NoSQL or a webservice for data storage.
Then, we can implement a specific class for our current RDBMS :
We can now implement another class for a Soap webservice :
This architecture adds a small level of complexity, but gives you several benefices :
IS that more clear for you ? If not, tell me 🙂