Tickets :: Comment on [#4685] missing credentials passed to backend on user update

* Your Email Address
* Spam protection	Enter the letters below: ._.. ..__ . ,. . \| \|_/ \| \ \./ \| \| _\|_\| \\|__/ \| \|__\|
Comment	>> Your addition of the do/while block obscures what else is changing > >> here, and I don't see the point of it. Right now, the code _does_ > >> update name/email fields if either the password update succeeds, or > >> if a new password isn't entered. So I don't see the bug. Can you > >> please elaborate, and perhaps post a smaller diff? Thanks. > > > > Ok let me explain more clearly. > > I'm speaking about information passed to the auth backend which is an > ldap backend in my case. I also use the _horde_hook_authldap() hook > to format my ldap entry properly. > > > > The problem I had is my hook was never called on an update if I only > change the user name or user email for example. The clue is in the > user.php code. > > > > If you look at the present code : > > > > if ($auth->hasCapability('update')) { > > $user_pass_1 = Util::getPost('user_pass_1'); > > $user_pass_2 = Util::getPost('user_pass_2'); > > > > if (empty($user_name_1)) { > > $notification->push(_("You must specify the username to > update."), 'horde.error'); > > } elseif (empty($user_pass_1) \|\| empty($user_pass_2)) { > > // Don't update, but don't complain. > > } elseif ($user_pass_1 != $user_pass_2) { > > $notification->push(_("Passwords must match."), 'horde.error'); > > } else { > > $result = $auth->updateUser($user_name_1, > > $user_name_2, > > array('password' => $user_pass_1)); > > } > > } > > > > you see : > > > > 1. the only passed information to the auth backend is : > > - $user_name1 > > - $user_name2 > > - an array with only the password > > > > 2. $auth->updateUser() will be called ONLY if these is a valid > password change in the UI. Look at the serie of if/elseif/elseif/else > to check. > > > > So I changed that to > > 1. keep the password fields validation check > > 2. allow people to change other fields but not the password > > 3. insert new fields to the $creds array passed to the auth backend : > user_fullname and user_email that were missing previously > > > > The do ... while(false) is only a container that allows code to > escape this block in case of error with a simple break without > having to deal with multiple if/then/else (see this block as a try > catch block) > > > > I did that because there are code to execute unconditionnaly before > leaving the 'update' case : > > > > $vars->remove('user_name'); presently. > > > > I hope I have been better understood.
Attachment
Watch this ticket

Saved Queries