Validation should always happen in the model so I created a new function that would check for the current password for the logged in user. The Auth component automatically hashes the password with SHA1 and uses the Security Salt as part of the password string to create the hash, so I needed to hash the “current_password” field from the form to check for a match. This is where I ran into the problem. I tried using the following:

function checkCurrentPassword($data) {
    $id = $this->data[$this->alias]['id']; // passed the user ID from the form as a hidden field
    $pwd = $this->field('password', array('id' => $id)); // get the current password from the database
    if(Security::hash($data['current_password']) != $pwd) {
        return false;
    }
    return true;
}

You can see that $id is passed from the form and $pwd is a variable for the current password in the database. Auth will automatically hash an input with the name “password”, but my form is using “current_password”, so it is sent in cleartext. This needs to be hashed first. I attempted to use the Security::hash function but my validated kept failing.

As it turns out the Security::hash function is only using SHA1 without the Security Salt added. What I was able to do is use the AuthComponent::password function instead which does use the Security Salt configured in core.php. New code looks like:

function checkCurrentPassword($data) {
    $id = $this->data[$this->alias]['id'];
    $pwd = $this->field('password', array('id' => $id));
    if(AuthComponent::password($data['current_password']) != $pwd) {
        return false;
    }
    return true;
}

The validate array would look like this:

var $validate = array(
'current_password' => array(
    'rule' => 'checkCurrentPassword',
    'message' => 'Current password was not entered correctly'
    )
);

Update: Security::hash actually takes a third parameter documented in the API to use the Security.salt value

Create a hash from string using given method. Fallback on next available method.

Parameters:

string $string required

String to hash
string $type optional NULL

Method to use (sha1/sha256/md5)
boolean $salt optional false

If true, automatically appends the application’s salt value to $string (Security.salt)

I recently had to build a list on distinct dates, but prefer to user $this->Form->input, rather than $this->Form->select. I first built an indexed array containing my date fields.

array(
[xxxx-xx-xx] => xxxx-xx-xx
[yyyy-yy-yy] => yyyy-yy-yy
)

We’ll call this array $options. You can then build the input using something like

$this->form->input('Input Name', array(
  'type' => 'select',
  'options' => 'options',
  'label' => 'label',
  'empty' => 'No data selected'
);

My example uses an Employee model.

class Employee extends AppModel {
	var $name = 'Employee';
        var $virtualFields = array('full_name' => 'CONCAT(Employee.firstname, " ", Employee.lastname)');
        var $displayField = 'full_name';
}

I’ve been using CakePHP for my last few projects and recently ran into a problem that was driving me nuts. I have a few pages that don’t require any authentication. You can allow pages to be viewed by calling $this->Auth->allow(‘function_name’) in your beforeFilter() method. So, I set up my app_controller class with a before filter that looks something like this.

<?php

class AppController extends Controller {

    var $helpers = array('Html', 'Form', 'Javascript');
    var $components = array('Auth');

    function beforeFilter() {
        $this->Auth->autoRedirect = false;
        $this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
        $this->Auth->allow('display');
    }

}

?>

‘Display’ is a method in the pages controller, so all static pages can be shown without authentication. This works fine, on to my contact controller which is also allowed to be accessed without authentication. I set up my contact controller and wanted to allow the index method to be displayed. In the contact controller you call the parent beforeFilter() and then allow any additional methods like so:

function beforeFilter() {
        parent::beforeFilter();
        $this->Auth->allow('index');
}

But for some reason, this kept sending me to the login form to authenticate. After banging my head on the wall I soon remembered my view was calling an element that used a method from another controller. Long story short, Auth was not allowing this method without authentication. Unfortunately, even with debug mode turned on, there was no clue to lead me in the right direction.

So, if you run into a similar problem, make sure you allow any related controller functions to run without authentication if you are using elements and requestActions.