So I’ve been working on an application that has woeful access control up till now, and needs a proper solution ASAP. I’ve added in the CakePHP Auth and Acl components as per the tutorial in the Cookbook, and it all works pretty well, insofar as if I add a user manually, it creates an entry in the aros table appropriately, SHA1-hashes the password appropriately, all the good stuff.
Now for the bit that’s proving a little beyond my skill level. We have 1000+ names in a database that need to become Users under the new system. I tried dumping them into the Users table with a MySQL query, but there are two issues:
(1) Doing things this way is not creating entries in the aros table. I’m pretty sure I can rig this up to work given time, but are there any shortcuts I might want to know about?
(2) This is the one that’s causing me to scratch my head. When I add a user manually, their password is automagically SHA1-hashed. When I log in from the users/login page, the password I enter is correctly matched to the hashed password in the db, and I get access. However, no matter what I do to the passwords I dumped directly into the database, I can’t get the log in page to grant access to them. Initially I hashed them with the MySQL SHA1 function; I understand this may not be a good idea, because Cake sprinkles in extra salt. I tried hashing them through Cake’s Security::hash function. I tried letting Cake save each password into the Users table itself, letting it do whatever hashing it wanted behind the scenes without interference from me.
In none of these cases am I able to log in using one of these username/password combos. The passwords look good and hashed, and they match the passwords I’m entering after I apply Security::hash to them. What am I missing that will enable me to get this working?
If I were in your position I’d build a Shell to handle doing this for you; that way you can utilize all of the stuff Cake has through that, such as automatically adding a new ARO record and using Security::hash to handle the hashing prior to saving the record.
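Sketch of such a shell, added here as an example; it is not code from the answer above or from the Cookbook. It assumes the tutorial's User model (the Acl behaviour as `requester`, a `parentNode()` method and a `group_id` column pointing at an existing Group, so that every `User::save()` also creates the ARO node), a hypothetical `legacy_people` table of usernames and plaintext passwords reached through a `LegacyPerson` model, and Cake 1.2/1.3, where `AuthComponent::password()` is `Security::hash($password, null, true)`. That third argument prepends `Configure::read('Security.salt')`, which is the part MySQL's `SHA1()` and `Security::hash($password)` with no salt argument both leave out. If your User model already hashes in `beforeSave()`, pass the plaintext through instead so it is not hashed twice.

```php
<?php
// app/vendors/shells/import_users.php   (run from app/:  cake import_users)
// Added example, not code from the answer or the Cookbook. Assumes the tutorial's
// User model: $actsAs = array('Acl' => array('type' => 'requester')) plus
// parentNode(), so User::save() also creates the ARO, and a group_id column.
// The 1000+ names are read from a hypothetical legacy_people table
// (columns username, password in plaintext) via a LegacyPerson model;
// change the model and field names to match your schema.
App::import('Core', 'Security');

class ImportUsersShell extends Shell {
    var $uses = array('User', 'LegacyPerson');
    var $defaultGroupId = 2;   // assumed id of the Group new users belong to

    // Hash exactly the way AuthComponent::password() does in Cake 1.2/1.3:
    // Security::hash() with $salt = true prepends Configure::read('Security.salt').
    // MySQL's SHA1() and Security::hash($password) with no salt skip the salt,
    // which is why rows hashed that way never match at login.
    function _hash($plain) {
        return Security::hash($plain, null, true);
    }

    function main() {
        $rows = $this->LegacyPerson->find('all', array('recursive' => -1));
        $created = 0;
        $failed = array();

        foreach ($rows as $row) {
            $person = $row['LegacyPerson'];
            $this->User->create();
            $saved = $this->User->save(array('User' => array(
                'username' => $person['username'],
                'password' => $this->_hash($person['password']),
                'group_id' => $this->defaultGroupId,
            )));
            if ($saved) {
                $created++;
            } else {
                // keep validation errors (duplicate username, etc.) for the report
                $failed[$person['username']] = $this->User->validationErrors;
            }
        }

        $this->out("Imported {$created} users, " . count($failed) . " failed");
        foreach ($failed as $username => $errors) {
            $this->out(" - {$username}: " . implode(', ', $errors));
        }
    }

    // Sanity check mirroring what Auth does at login: look the user up by
    // username AND the salted hash, then confirm the ARO node exists.
    // Usage:  cake import_users verify <username> <password>
    function verify() {
        if (count($this->args) < 2) {
            $this->err('usage: cake import_users verify <username> <password>');
            return;
        }
        list($username, $plain) = $this->args;
        $match = $this->User->find('first', array(
            'conditions' => array(
                'User.username' => $username,
                'User.password' => $this->_hash($plain),
            ),
            'recursive' => -1,
        ));
        if (!$match) {
            $this->out("FAIL: no user/password match for {$username}");
            return;
        }
        // node() is added to the model by the Acl behaviour and resolves the ARO
        $aro = $this->User->node(array(
            'model' => 'User',
            'foreign_key' => $match['User']['id'],
        ));
        $this->out($aro
            ? "OK: {$username} would authenticate and has an ARO"
            : "WARN: {$username} authenticates but has no ARO node");
    }
}
```

Run it from the app directory with `cake import_users`, then `cake import_users verify someuser theirpassword` for a couple of accounts to confirm the row passes the same lookup Auth performs at login and has its ARO. Once the import checks out, drop the plaintext password column from the legacy table rather than leaving it around.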