Creating NewUser Page
The NewUser page lets the administrator user create a new user account. It needs to display a form that collects the information about the new user account. According to our database definition, we will need to collect the following information:
- username - string, required and unique
- email - string, required and unique
- password - string, required
- role - integer, required (either 0 or 1)
- first_name - string, optional
- last_name - string, optional
We create two files protected/pages/users/NewUser.page and protected/pages/users/NewUser.php to save the page template and page class, respectively.
Creating Page Template
Based on the above analysis, we write the page template as follows:
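<%@ Title="My Blog - New User" %>
<h1>Create New User</h1>
<com:TRequiredFieldValidator ControlToValidate="Username"
    ErrorMessage="Please provide a username." />
<com:TCustomValidator ControlToValidate="Username" OnServerValidate="checkUsername"
    ErrorMessage="Sorry, your username is taken by someone else. Please choose another username." />
<com:TTextBox ID="Username" />
<com:TRequiredFieldValidator ControlToValidate="Password"
    ErrorMessage="Please provide a password." />
<com:TTextBox ID="Password" TextMode="Password" />
<com:TCompareValidator ControlToValidate="Password" ControlToCompare="Password2"
    ErrorMessage="Your password entries did not match." />
<com:TTextBox ID="Password2" TextMode="Password" />
<com:TRequiredFieldValidator ControlToValidate="Email"
    ErrorMessage="Please provide your email address." />
<com:TEmailAddressValidator ControlToValidate="Email"
    ErrorMessage="You entered an invalid email address." />
<com:TTextBox ID="Email" />
<com:TDropDownList ID="Role">
    <com:TListItem Text="Normal User" Value="0" />
    <com:TListItem Text="Administrator" Value="1" />
</com:TDropDownList>
<com:TTextBox ID="FirstName" />
<com:TTextBox ID="LastName" />
<com:TButton Text="Create" OnClick="createButtonClicked" />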
The template is not much different from the Contact template and the LoginUser page. It mainly consists of text boxes and validators. Some text boxes, such as username, are associated with two validators because of the multiple validation rules involved.
Creating Page Class
From the above page template, we see that we need to write a page class that implements the two event handlers: checkUsername() (attached to the first custom validator's OnServerValidate event) and createButtonClicked() (attached to the "create" button's OnClick event). Therefore, we write the page class as follows:
class NewUser extends TPage
public function checkUsername($sender,$param)
public function createButtonClicked($sender,$param)
In the above, calling save() will insert a new row in the users table. This intuitive feature is enabled by Active Record.
For simplicity, usernames in our blog system are case-sensitive! In many practical systems, usernames may be required to be case-insensitive, so special handling is needed both when creating a new user account and when performing authentication. Also, the surrounding blanks in a username may need to be trimmed when creating a new account with it.
To test the NewUser page, visit the URL http://hostname/blog/index.php?page=users.NewUser. We shall see the new-user form. Try entering different information into the form and see how the inputs are validated. If all validation rules are satisfied, the user account is created and the browser is redirected to the homepage.
Adding Permission Check
During testing, you may have asked: shouldn't the NewUser page be accessible only by the administrator user? Yes, this is called authorization. We now describe how to add this permission check to the NewUser page.
A straightforward way of performing the permission check is to do it in the page class: we check whether $this->User->IsAdmin is true and, if not, redirect the browser to the LoginUser page.
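The in-class check described above, combined with the username handling from the earlier note on case and surrounding blanks, as an added example that is not the tutorial's own code. The names AdminUserPage, requireAdmin(), canonicalUsername() and isUsernameFree(), and UserRecord as the Active Record class for the users table, are assumptions; the page path users.LoginUser follows the users.NewUser form used in the test URL.

```php
<?php
// Added example, not the tutorial's code. Assumed names: AdminUserPage,
// requireAdmin(), canonicalUsername(), isUsernameFree(), and UserRecord as
// the Active Record class mapped to the users table.
abstract class AdminUserPage extends TPage
{
    // onInit runs before validators and control event handlers, so the
    // check precedes checkUsername() and createButtonClicked().
    public function onInit($param)
    {
        parent::onInit($param);
        $this->requireAdmin();
    }

    // Also callable at the top of an event handler as a second check.
    protected function requireAdmin()
    {
        if (!$this->User->IsAdmin) {
            $url = $this->Service->constructUrl('users.LoginUser');
            $this->Response->redirect($url);
        }
    }

    // Trim surrounding blanks and fold case, so " Alice" and "alice" name
    // the same account. Apply the same function when authenticating.
    protected function canonicalUsername($raw)
    {
        return mb_strtolower(trim($raw), 'UTF-8'); // needs the mbstring extension
    }

    // True when the canonical form is non-empty and not yet stored. The
    // unique constraint on the username column remains the final guard
    // against two concurrent requests that both pass this check.
    protected function isUsernameFree($raw)
    {
        $name = $this->canonicalUsername($raw);
        if ($name === '') {
            return false;
        }
        return UserRecord::finder()->find('username = ?', $name) === null;
    }
}
```

With this base class, NewUser would extend AdminUserPage, set $param->IsValid to isUsernameFree($this->Username->Text) in checkUsername(), and store canonicalUsername() of the input in createButtonClicked().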
PRADO offers a more systematic way of checking page access permissions. To do so, we need to use page configuration. Create a file protected/pages/users/config.xml with the content as follows:
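<?xml version="1.0" encoding="utf-8"?>
<configuration><authorization><allow roles="admin" /><deny users="*" /></authorization></configuration>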
The page configuration contains authorization rules that apply to the pages under the directory protected/pages/users. The above configuration reads that users in the role admin can access all pages (see BlogUser.createUser() for why the word "admin"). For now all other users (users="*") are denied access to pages in this directory, except for the LoginUser page, which by convention can always be accessed.
Now if we visit the NewUser page as a guest, we will be redirected to the LoginUser page first. If our login as admin is successful, we will be redirected back to the NewUser page.
Page configuration can contain more than authorization rules. For example, it can include modules like we did in the application configuration. For a PRADO application, each page directory can have a page configuration which applies to the pages in the same directory and all its subdirectories.