CakePHP’s Auth Component – add new users, drop-down menu for ENUM

In the Football Stars application, every unauthenticated visitor can register and create an account. Unauthenticated users have access to the add users view:
[image: add view]

During registration, an unauthenticated user must fill in the ‘Name’, ‘Username’, ‘Password’ and ‘Password Confirmation’ inputs but cannot choose a role. The default role for each new user created by an unauthenticated visitor is ‘user’.
The add view as seen by a non-logged-in user:
[image: add view2]

The admin can also create new users, and the admin can set the new user’s role (‘user’ or ‘admin’):
[image: add view3]

The public function that checks whether the logged-in user’s role is ‘admin’:
[image: add view4]

The admin’s add (register new users) view:
[image: add view5]
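As an added example (not the Football Stars project’s own code), here is a CakePHP 2.x UsersController::add() that forces the ‘user’ role on the server and only lets a logged-in admin pick from the ENUM values; the `_isAdmin()` helper, the `$isAdmin`/`$roles` view variables and the column name `role` are assumptions:

```php
<?php
// Added example, not the Football Stars project's code. Assumes a CakePHP 2.x
// app with a users.role ENUM('user','admin') column and AuthComponent loaded
// in AppController.
App::uses('AppController', 'Controller');

class UsersController extends AppController {

    public function beforeFilter() {
        parent::beforeFilter();
        // Registration is open to visitors; every other action needs a login.
        $this->Auth->allow('add');
    }

    // Leading underscore: CakePHP does not route this as an action.
    public function _isAdmin() {
        return $this->Auth->user('role') === 'admin';
    }

    public function add() {
        // Options for the role drop-down (the ENUM values).
        $roles = array('user' => 'User', 'admin' => 'Admin');
        if ($this->request->is('post')) {
            $this->User->create();
            $role = isset($this->request->data['User']['role'])
                ? $this->request->data['User']['role'] : 'user';
            // Only an admin may pick a role, and only a known one. A visitor
            // who adds a 'role' field to the POST body still ends up as 'user'.
            if (!$this->_isAdmin() || !array_key_exists($role, $roles)) {
                $role = 'user';
            }
            $this->request->data['User']['role'] = $role;
            if ($this->User->save($this->request->data)) {
                $this->Session->setFlash(__('The user has been saved.'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('The user could not be saved.'));
        }
        // add.ctp renders the role select only when $isAdmin is true.
        $this->set('isAdmin', $this->_isAdmin());
        $this->set('roles', $roles);
    }
}
```

Hiding the select in add.ctp is only cosmetic; the assignment inside add() is what stops a visitor from registering as ‘admin’.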

CakePHP’s Auth Component – user’s navigation panel

To create the user’s navigation panel at the top of each page, the default.ctp layout file has been changed: a conditional statement has been added inside the ‘user-nav’ div.
If the user is logged in, the ‘Welcome’ message, the user’s username and a ‘Logout’ link are displayed. If the user is logged out, two links are displayed: ‘Register’ and ‘Login’.
[image: default_codes]

The function _loggedIn() checks whether the user is logged in: it returns true if so and false otherwise.
[image: loggedin_codes]

If the user is logged in, the user’s username is displayed alongside the ‘Welcome’ message. The function _usersUsername() checks whether the user is logged in and, if so, returns the user’s username.
[image: usersusername_codes]

The logged-in user’s navigation panel at the top of the page, with the ‘Welcome’ message, the user’s username and the ‘Logout’ link:
[image: loggedin]

The non-logged-in user’s navigation panel at the top of the page, with the ‘Register’ and ‘Login’ links:
[image: nonloggedin]

CakePHP’s Auth Component – edit/delete user’s profile

Users can edit or delete only their own profile; the admin can edit/delete other users’ profiles. The public function isAuthorized compares the logged-in user’s id with the user id taken from the URL. If the ids match, the edit and delete buttons work; otherwise they do not. It also checks whether the user’s role is ‘admin’.
[image: user_edit_code1]

Moreover, the edit/delete buttons associated with other users in the users view are hidden:
[image: user_edit_code2]

The users view with the edit/delete buttons hidden:
[image: user_edit1]

If a user tries to bypass the isAuthorized function and the hidden edit/delete buttons by typing the edit-user URL with someone else’s id, e.g.:
http://pict.uws.ac.uk/~sss04/cakephp/users/edit/13 (user fred, id=14, is typing wilma’s id=13)
the error message ‘You can’t access that page’ appears:
[image: user_edit2]

CakePHP’s Auth Component – edit/delete user’s comments

Users can edit or delete only their own comments; the admin can edit/delete other users’ comments. If a user tries to edit/delete someone else’s comment, by clicking the edit/delete button or by typing the edit/delete comment URL with someone else’s comment id, e.g.:
http://pict.uws.ac.uk/~sss04/cakephp/comments/edit/12 (fred is typing admin’s comment id=12)
the error message ‘You are not authorized’ appears:
[image: comments1]

There is no point in displaying edit/delete buttons for other users’ comments in the comments view. To hide those buttons, the comments index.ctp file should be updated. It compares the logged-in user’s id with the comment’s user id: if the ids match, the edit and delete buttons are displayed; otherwise they are not. It also checks whether the user’s role is ‘admin’; if so, the edit/delete buttons for other users’ comments are displayed.
[image: comments2]

User ‘fred’ can only use the edit/delete buttons associated with his own comments:
[image: comments3]

CakePHP’s Auth Component – edit/delete user’s posts

Logged-in users can edit/delete only their own posts; the admin can edit/delete other users’ posts. If a user tries to edit/delete someone else’s post, by clicking the edit/delete button or by typing the edit/delete post URL with someone else’s post id, e.g.:
http://pict.uws.ac.uk/~sss04/cakephp/posts/edit/43 (fred is typing admin’s post id=43)
the error message ‘You are not authorized’ appears:
[image: post3]

Hiding an option from a view does not add an authorization restriction to the controller functionality. The authorization restriction is added to PostsController.
The edit function in PostsController.php compares the id of the user who made the post with the id of the user who wants to edit it. If those ids match or the user’s role is ‘admin’, the post is updated. If the ids do not match, the error message ‘You are not authorized’ appears.
[image: post4]

The delete function in PostsController.php works like the edit function. It compares the id of the user who made the post with the id of the user who wants to delete it. If those ids match or the user’s role is ‘admin’, the post is deleted. If the ids do not match, the error message ‘You are not authorized’ appears.
[image: post5]
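The controller-side check described for the users, comments and posts controllers above, written out as an added example (not the project’s own PostsController); it assumes CakePHP 2.x with AuthComponent set to `'authorize' => array('Controller')`, an AppController that defines isAuthorized(), a `posts.user_id` column and a `_ownsPost()` helper name of my choosing:

```php
<?php
// Added example, not the project's code: a CakePHP 2.x PostsController that
// enforces post ownership in the controller, so the rule holds even when a
// user types /posts/edit/<id> by hand. Assumes 'authorize' => array('Controller').
App::uses('AppController', 'Controller');

class PostsController extends AppController {

    // AuthComponent calls this for every action of a logged-in user.
    public function isAuthorized($user) {
        if (in_array($this->action, array('edit', 'delete'), true)) {
            $postId = isset($this->request->params['pass'][0])
                ? (int)$this->request->params['pass'][0] : 0;
            return $this->_ownsPost($postId, $user);
        }
        return parent::isAuthorized($user);
    }

    // True when the post belongs to $user or $user has the 'admin' role.
    protected function _ownsPost($postId, $user) {
        if (isset($user['role']) && $user['role'] === 'admin') {
            return true;
        }
        $ownerId = $this->Post->field('user_id', array('Post.id' => $postId));
        return $ownerId !== false && (int)$ownerId === (int)$user['id'];
    }

    public function edit($id = null) {
        if (!$this->Post->exists($id)) {
            throw new NotFoundException(__('Invalid post'));
        }
        // Same check again inside the action, in case isAuthorized() is bypassed.
        if (!$this->_ownsPost($id, $this->Auth->user())) {
            $this->Session->setFlash(__('You are not authorized'));
            return $this->redirect(array('action' => 'index'));
        }
        if ($this->request->is('post') || $this->request->is('put')) {
            $this->Post->id = $id;
            // The owner is fixed at creation; never accept user_id from the form.
            unset($this->request->data['Post']['user_id']);
            if ($this->Post->save($this->request->data)) {
                $this->Session->setFlash(__('Your post has been updated.'));
                return $this->redirect(array('action' => 'index'));
            }
        } else {
            $this->request->data = $this->Post->findById($id);
        }
    }
}
```

delete() needs no extra code of its own because isAuthorized() already covers the ‘delete’ action with the same `_ownsPost()` test.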

The edit/delete buttons associated with other users’ posts in the posts view are hidden. To hide those buttons, the posts index.ctp file should be updated. It compares the logged-in user’s id with the post’s user id: if the ids match, the edit and delete buttons are displayed; otherwise they are not. It also checks whether the user’s role is ‘admin’; if so, the edit/delete buttons for other users’ posts are displayed.
[image: post6]

User ‘fred’ can only use the edit/delete buttons associated with his own posts:
[image: post7]

Remove Visible Hashed Password

The application was set up so that all users could see other users’ hashed passwords. This isn’t a safe solution, since hashed passwords offer clues for password cracking: if somebody has the same password hash as another user, he/she knows their password is the same. There is no point in showing hashed passwords. Right now the user index shows users’ password hashes:
[image: hash1]

To remove the password column from the users view, two lines of code in index.ctp were commented out:
[image: hash2]

The user index without users’ passwords:
[image: hash3]

The user view also displays the user’s hashed password:
[image: hash4]

To hide the user’s password in the user view, two lines of code in view.ctp were commented out:
[image: hash5]

The user view without the user’s password:
[image: hash6]

The edit user view also displays the user’s hashed password:
[image: hash7]

To remove the hashed password from the password field in the edit user view, array('value' => '') has been added to the password field:
[image: hash8]

Right now the password field displays the correct password length:
[image: hash9]
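One side effect of a blank password field that the screenshots above do not show: if the user saves the edit form without typing a new password, the form posts an empty string, and a model that hashes whatever arrives would overwrite the real hash. The following is an added example (not the project’s own code) of a CakePHP 2.x edit() and beforeSave() that handle this; the field name `password_confirmation` and the hashing call are assumptions:

```php
<?php
// Added example, not the Football Stars project's code. Two assumed files are
// shown together: app/Model/User.php and app/Controller/UsersController.php.
App::uses('AppModel', 'Model');
App::uses('AppController', 'Controller');
App::uses('AuthComponent', 'Controller/Component');

// app/Model/User.php: hash only when a password was actually supplied.
class User extends AppModel {
    public function beforeSave($options = array()) {
        if (!empty($this->data[$this->alias]['password'])) {
            $this->data[$this->alias]['password'] =
                AuthComponent::password($this->data[$this->alias]['password']);
        }
        return true;
    }
}

// app/Controller/UsersController.php
class UsersController extends AppController {

    public function edit($id = null) {
        $this->User->id = $id;
        if (!$this->User->exists()) {
            throw new NotFoundException(__('Invalid user'));
        }
        if ($this->request->is('post') || $this->request->is('put')) {
            // An empty password field means "keep the current password":
            // drop it so beforeSave() never hashes '' over the stored hash.
            if (empty($this->request->data['User']['password'])) {
                unset($this->request->data['User']['password']);
                unset($this->request->data['User']['password_confirmation']);
            }
            if ($this->User->save($this->request->data)) {
                $this->Session->setFlash(__('The user has been saved.'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('The user could not be saved.'));
        } else {
            $this->request->data = $this->User->findById($id);
            // Do not send the stored hash to the browser at all, not even as
            // the form's default value; this complements 'value' => '' in edit.ctp.
            unset($this->request->data['User']['password']);
        }
    }
}
```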

Commenting out these lines or removing them completely removes the password hashes from the users pages and makes the application much safer from any kind of password guessing or hacking.

Found Bug – CakePHP’s Auth Component – edit/delete user’s comments

When browsing the application pages, I found a bug. Logged-in users can see edit/delete buttons associated with other users’ comments in the posts view. Clicking on those buttons returns an error message, so there is no point in displaying them:
[image: bug1]

To hide the edit/delete buttons associated with other users’ comments, the posts index.ctp file should be updated. It compares the logged-in user’s id with the comment’s user id: if the ids match, the edit and delete buttons are displayed; otherwise they are not. It also checks whether the user’s role is ‘admin’; if so, the edit/delete buttons for other users’ comments are displayed:
[image: bug2]
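The index.ctp conditional described here and in the users, comments and posts sections above, as one added example (not the project’s own view file); it assumes a CakePHP 2.x view receiving `$posts` with a `Post.user_id` column, and the same pattern applies to a comments loop by swapping the model alias:

```php
<?php
// Added example, not the Football Stars project's code: the row loop of a
// CakePHP 2.x index.ctp that only renders edit/delete buttons for rows the
// logged-in user owns, or for every row when that user is an admin.
// The view merely hides the buttons; the controller's isAuthorized() is what
// actually refuses a hand-typed /posts/edit/<id> request.
$currentUserId = (int)AuthComponent::user('id');
$isAdmin = AuthComponent::user('role') === 'admin';
?>
<table>
<?php foreach ($posts as $post): ?>
  <?php $canManage = $isAdmin || (int)$post['Post']['user_id'] === $currentUserId; ?>
  <tr>
    <td><?php echo h($post['Post']['title']); ?></td>
    <td>
      <?php if ($canManage): ?>
        <?php echo $this->Html->link(__('Edit'),
            array('action' => 'edit', $post['Post']['id'])); ?>
        <?php echo $this->Form->postLink(__('Delete'),
            array('action' => 'delete', $post['Post']['id']),
            null,
            __('Are you sure you want to delete # %s?', $post['Post']['id'])); ?>
      <?php endif; ?>
    </td>
  </tr>
<?php endforeach; ?>
</table>
```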

Right now user fred can see only his own edit/delete buttons:
[image: bug3]