Simplified Database Authentication Tutorial
From PRADO Wiki
This tutorial is a simplified version of the "Database authentication tutorial" by Arturas Šlajus. We utilize the default implementation provided by the framework as much as possible, and only make minimal customization where absolutely necessary. While Arturas' original tutorial is much more advanced and provides more flexibility, this tutorial might be useful for beginners to get started.
Intro
Three classes are involved in user authentication: TUserManager, TUser and TAuthManager. All of them can be modified for customized behaviour. In this tutorial we only modify the TUserManager class and keep the default behaviour of TUser and TAuthManager. The authorization rules are specified in config.xml rather than in a permissions table in the database.
SQL
For simplicity we use a single users table, which also holds the role information as a comma-delimited string. In a real application it makes sense to have a separate roles table and a many-to-many relationship between users and roles.
CREATE TABLE `users` (
  `id` smallint(5) UNSIGNED NOT NULL AUTO_INCREMENT,
  `username` varchar(32) collate utf8_unicode_ci NOT NULL,
  `password` varchar(64) collate utf8_unicode_ci DEFAULT NULL,
  `roles` varchar(100) collate utf8_unicode_ci DEFAULT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `username` (`username`)   -- getUser() looks users up by name, so names must be unique
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
MyUserManager
To keep the focus on the user manager, we use the PHP built-in mysql functions here to access the database. Again, in a real application a database abstraction layer such as the PRADO DAO should be used instead.
<?php
Prado::using('System.Security.TUserManager');
Prado::using('System.Security.TUser');

class MyUserManager extends TUserManager
{
    // Opens the connection used by both methods; host, user, password and
    // database name are placeholders to be replaced with your own values.
    private function connect()
    {
        $dbh = mysql_connect("localhost", "mysql_user", "mysql_password");
        mysql_select_db('foo', $dbh);
        return $dbh;
    }

    public function validateUser($name, $password)
    {
        $dbh = $this->connect();
        // Escape both values before interpolating them into the query,
        // otherwise user-supplied input could change the SQL (SQL injection).
        $name = mysql_real_escape_string($name, $dbh);
        $password = mysql_real_escape_string($password, $dbh);
        $sql = "select 'x' from users where username = '{$name}' and password = sha1('{$password}')";
        $res = mysql_query($sql, $dbh);
        return mysql_fetch_row($res) ? true : false;
    }

    public function getUser($name = null)
    {
        $user = new TUser($this);
        if (is_null($name)) {
            $user->IsGuest = true;
        } else {
            $dbh = $this->connect();
            $name = mysql_real_escape_string($name, $dbh);
            $sql = "select username, roles from users where username = '{$name}'";
            $res = mysql_query($sql, $dbh);
            if ($row = mysql_fetch_row($res)) {
                $user->IsGuest = false;
                $user->Name = $row[0];
                // roles are stored as a comma-delimited string; explode() replaces
                // the deprecated split(), and empty entries (e.g. NULL roles) are dropped
                $roles = array_map('trim', explode(',', (string) $row[1]));
                $user->Roles = array_values(array_filter($roles, 'strlen'));
            } else {
                $user->IsGuest = true;
            }
        }
        return $user;
    }
}
?>
Application Configuration
In application.xml:
<application>
  <modules>
    <module id="auth" class="System.Security.TAuthManager" UserManager="users" LoginPage="Login" />
    <module id="users" class="Application.common.MyUserManager" />
  </modules>
</application>
In config.xml:
<authorization>
  <allow pages="PageID1,PageID2" roles="user,admin,poweruser" />
  <allow pages="PageID3" roles="admin,poweruser" />
  <allow pages="PageID4" roles="admin" />
  <deny pages="*" users="?" />
</authorization>
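To check what the rules above actually grant, here is an added example (not part of this page or of the PRADO framework) that re-implements PRADO's rule evaluation in Python: rules are tried in document order, the first rule whose pages, users and roles all match decides, and when no rule matches the request is allowed. It models only those three attributes (the verb and ips attributes of TAuthorizationRule are left out), and the sample users are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str = ""
    roles: set = field(default_factory=set)
    is_guest: bool = True

def _csv(value):
    # "a, B" -> ["a", "b"]; an empty attribute means "*" in PRADO
    items = [v.strip().lower() for v in value.split(",") if v.strip()]
    return items or ["*"]

@dataclass
class Rule:
    action: str        # "allow" or "deny"
    pages: str = "*"   # page names the rule applies to; "*" = every page
    users: str = "*"   # "*" everyone, "?" guests, "@" authenticated, or names
    roles: str = "*"   # "*" = any role

    def matches(self, page, user):
        pages, users, roles = _csv(self.pages), _csv(self.users), _csv(self.roles)
        page_ok = "*" in pages or page.lower() in pages
        user_ok = ("*" in users or ("?" in users and user.is_guest)
                   or ("@" in users and not user.is_guest)
                   or user.name.lower() in users)
        role_ok = "*" in roles or any(r.lower() in roles for r in user.roles)
        return page_ok and user_ok and role_ok

def is_allowed(rules, page, user):
    """First matching rule decides; with no match PRADO allows the request."""
    for rule in rules:
        if rule.matches(page, user):
            return rule.action == "allow"
    return True

# The four rules from config.xml above, in document order.
CONFIG_RULES = [
    Rule("allow", "PageID1,PageID2", roles="user,admin,poweruser"),
    Rule("allow", "PageID3", roles="admin,poweruser"),
    Rule("allow", "PageID4", roles="admin"),
    Rule("deny", "*", users="?"),
]
# Same rules plus a closing catch-all deny for everyone not explicitly allowed.
HARDENED_RULES = CONFIG_RULES + [Rule("deny", "*", users="*")]

# Constructed sample users (not from the page).
GUEST = User()
PLAIN_USER = User("alice", {"user"}, is_guest=False)
ADMIN = User("root", {"admin"}, is_guest=False)
```

With the four rules as written, a logged-in user whose only role is user matches no rule on PageID3 or PageID4, because the final deny covers guests only (users="?"), and is therefore allowed; HARDENED_RULES appends a catch-all deny so that only the explicit allow rules grant access.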
Credits
Written by Hongliang Qiang. Based on the original work by Arturas Šlajus.

