I have a User controller and User model. This model and associated database table is used for authentication and naturally there’s a password field.
In my edit action when I call $this->data is puts the hashed password in my password field in my edit view. Naturally, I don’t want a password field with a 40-character value, which will then get re-hashed upon save.
My action looks like this:
function edit($id) {
$this->User->id = $id;
if (empty($this->data)) {
$this->data = $this->User->read();
}
else {
if ($this->User->save($this->data)) {
$this->Session->setFlash('User has been updated.');
$this->redirect(array('action' => 'view', $this->User->id));
}
}
}
And my view looks like this:
<h2>Edit User</h2>
<?php
echo $this->Form->create('User', array('action' => 'edit'));
echo $this->Form->input('username');
echo $this->Form->input('password');
echo $this->Form->input('first_name');
echo $this->Form->input('last_name');
echo $this->Form->input('email');
echo $this->Form->end('Save User');
?>
How can I have a form for users to edit their account (username etc) that doesn’t update the password if left blank, but does update it if the user enters a new password into the password field?
The common & most secure method is to have a separate form for changing the password where you ask the user to confirm the change by asking the old password. This is because if you forget the site open on a public computer, the next person who comes in can’t just hijack the account by just giving a new password.
If you still want to go with the original plan, you can unset the variable if it’s empty before saving the data:
The other option is to list allowed fields as a parameter to
save()and leave outpasswordif the field is empty.In the view you can use
to keep the hash from showing up in the field.