Simple database authentication tutorial with Prado 3.1.1
From PRADO Wiki
Overview
This is a short tutorial on building a database-backed authentication system with PRADO 3.1.1 and later. Since 3.1.1 PRADO ships TDbUserManager and TDbUser, so there is no need to write a user manager from scratch: all we have to do is extend TDbUser so that it validates users against our own users table. This tutorial uses Active Record, but any other database abstraction layer works as well, as long as the queries in the TDbUser subclass are adapted to it.
We will create only four files:
- Application.xml, the application configuration file that holds all configuration parameters.
- RTUser.php, a class extended from TDbUser. It decides how a user is validated and which information is kept in the authenticated user object.
- login.page, the template of our login page. It is configured as the login page in the application configuration, so an unauthenticated user who requests a restricted page is redirected to it automatically.
- login.php, the page class behind login.page. It handles the login button event and contains the actual login logic.
That is all. Ready to code? Let's start.
Application Configuration
In your application configuration file, Application.xml, put the configuration below in the modules section:

    <modules>
      <module id="db" class="System.Data.TDataSourceConfig">
        <database ConnectionString="mysql:host=localhost;dbname=yourdb"
                  Username="root" Password="dbpass" />
      </module>
      <module class="System.Data.ActiveRecord.TActiveRecordConfig" ConnectionID="db" />
      <module id="users" class="System.Security.TDbUserManager"
              UserClass="Application.modules.RTUser" ConnectionID="db" />
      <module id="auth" class="System.Security.TAuthManager"
              UserManager="users" LoginPage="login" />
    </modules>

The db module defines the data source, TActiveRecordConfig binds Active Record to it, the users module is the user manager that instantiates our RTUser class (the path Application.modules.RTUser resolves to protected/modules/RTUser.php), and the auth module wires that user manager to the login page, which is the page named login in the pages directory. The root account is used here only to keep the example short; in a real deployment connect with a dedicated database account that has only the privileges the application needs on yourdb.
Create RTUser class as our TDbUser extension
The only class file to create is RTUser.php, which extends TDbUser. Two methods are abstract in TDbUser and therefore must be implemented in our class:
- validateUser, which takes a username and a password and returns a boolean telling whether that pair matches a user in our users table.
- createUser, which builds the user instance once validation has succeeded. Here we put whatever information we need into the user object, for example the user's role, which is what the authorization rules later check. Its single parameter is the username that was accepted by validateUser, or null when the user manager needs a guest user.
Here is the RTUser class. It assumes an Active Record class named userRecord mapped to the users table with the columns username, password and role; that class is not shown in this tutorial.

    <?php
    Prado::using('System.Security.TDbUserManager');

    class RTUser extends TDbUser
    {
        // Called by TAuthManager::login(); must return true only when the
        // username/password pair matches a row in the users table.
        public function validateUser($username, $password)
        {
            if (is_null($password) || $password === '')
                return false;
            $password = sha1($password);
            // userRecord is the Active Record class for the users table
            $record = userRecord::finder()->find(
                'username = ? AND password = ?', array($username, $password));
            if ($record === null)    // unknown user or wrong password
                return false;
            // Strict comparison so that a case-insensitive column collation
            // cannot turn "Admin" into "admin"
            return ($record->username === $username && $record->password === $password);
        }

        // Called by the user manager to build the user object, both for the
        // guest (null username) and after a successful validateUser().
        public function createUser($username)
        {
            if ($username === null) {
                $user = new RTUser($this->getManager());
                $user->IsGuest = true;
                return $user;
            }
            $record = userRecord::finder()->find('username = ?', $username);
            if ($record === null)
                return null;
            $user = new RTUser($this->getManager());
            $user->IsGuest = false;
            $user->Name = $username;
            $user->Roles = array($record->role);   // checked by the authorization rules
            return $user;
        }
    }

Note that the original version of validateUser returned nothing (null) when no row was found; it now returns false explicitly, which is what TAuthManager expects. Also note that the password column holds an unsalted SHA-1 digest. That is enough to make the tutorial work, but it is not an acceptable password store: identical passwords produce identical digests and a leaked table can be cracked offline with precomputed tables. Use a salted, slow hash instead.
Put the RTUser class in the protected/modules directory, as written in the UserClass path of the configuration file. If you want to put it in another directory, change the configuration file accordingly.
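The tutorial refers to a userRecord class and stores sha1() digests without ever showing the record class or a safer hashing scheme. The block below is an added example, not code from the original tutorial: it defines the assumed userRecord Active Record class for an assumed users table (DDL in the comment), and a variant of the TDbUser subclass, named RTUserHashed here, that stores and checks passwords with PHP's password_hash()/password_verify() (PHP 5.5 and later) instead of unsalted SHA-1. The lookup is by username only, because a salted hash cannot be used in the WHERE clause.

```php
<?php
// Added example (not part of the original tutorial). Assumed table, MySQL:
//   CREATE TABLE users (
//     username VARCHAR(64)  NOT NULL PRIMARY KEY,
//     password VARCHAR(255) NOT NULL,   -- password_hash() output, not sha1()
//     role     VARCHAR(32)  NOT NULL
//   );
Prado::using('System.Data.ActiveRecord.TActiveRecord');
Prado::using('System.Security.TDbUserManager');

// Active Record class the tutorial's RTUser relies on (assumed name/columns).
class userRecord extends TActiveRecord
{
    const TABLE = 'users';

    public $username;
    public $password;
    public $role;

    // Each TActiveRecord subclass re-declares finder() so __CLASS__ is its own.
    public static function finder($className = __CLASS__)
    {
        return parent::finder($className);
    }
}

// Same contract as the tutorial's RTUser, but with salted, slow password hashes.
class RTUserHashed extends TDbUser
{
    public function validateUser($username, $password)
    {
        if ($password === null || $password === '')
            return false;
        // Fetch by username only; the hash is verified in PHP, not in SQL.
        $record = userRecord::finder()->find('username = ?', $username);
        if ($record === null || $record->username !== $username)
            return false;   // unknown user (strict compare defeats collation folding)
        if (!password_verify($password, $record->password))
            return false;   // wrong password
        // Transparently upgrade old hashes when the default cost/algorithm changes.
        if (password_needs_rehash($record->password, PASSWORD_DEFAULT)) {
            $record->password = password_hash($password, PASSWORD_DEFAULT);
            $record->save();
        }
        return true;
    }

    public function createUser($username)
    {
        $user = new RTUserHashed($this->getManager());
        if ($username === null) {
            $user->IsGuest = true;
            return $user;
        }
        $record = userRecord::finder()->find('username = ?', $username);
        if ($record === null)
            return null;
        $user->IsGuest = false;
        $user->Name = $record->username;
        $user->Roles = array($record->role);
        return $user;
    }

    // Helper for an account-creation page: only the hash is ever written.
    public static function register($username, $password, $role)
    {
        $record = new userRecord();
        $record->username = $username;
        $record->password = password_hash($password, PASSWORD_DEFAULT);
        $record->role = $role;
        $record->save();
        return $record;
    }
}
```

To use this variant instead of the sha1() one, point UserClass in Application.xml at it (for example Application.modules.RTUserHashed) and make sure the password column is wide enough for password_hash() output. Returning the same false for "unknown user" and "wrong password" keeps the login page from telling an attacker which usernames exist.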
Create authorization rules
The simplest approach is to put all pages that only a specific role may access into one directory. For example, create an admin directory inside your pages directory and put every page that only the admin role may use in it. Your pages directory would then look like this:

    pages/
      admin/        <- restricted to the admin role
        adduser
        edituser
        news
        blog

In the admin directory create a file called config.xml with the content below:

    <configuration>
      <authorization>
        <allow pages="*" users="@" roles="admin" />
        <deny  pages="*" users="*" />
      </authorization>
    </configuration>

This means that in the admin directory only authenticated users (the @ character means authenticated user) who have the admin role may access any page, and everybody else is denied (the * character means any user, including guests, which the ? character denotes). Rules are evaluated top to bottom and the first matching rule decides; if no rule matches, PRADO allows access. That is why the final rule must deny everybody: a configuration that only denies users="?" stops guests, but lets any logged-in user without the admin role straight through.
Create login page
The last piece of work is the login page that handles the user login. Every user who requests a restricted page without being authorized is redirected to this page; it is the page we configured as LoginPage in Application.xml. Here is our login page template:

    <com:TContent ID="content">
      <h2>Login</h2>
      <p><com:TLiteral ID="txtLog"/></p>
      Username <com:TTextBox ID="txtUserName"/>
      Password <com:TTextBox ID="txtPassword" TextMode="Password"/>
      <com:TButton ID="btnLogin" Text="Login" OnCommand="loginUser"/>
    </com:TContent>

Save the code above as login.page in your pages directory. The template uses a master class (the page's MasterClass) that contains a TContentPlaceHolder with the ID content, so make sure your master class has a tag like

    <com:TContentPlaceHolder ID="content"/>
The last file is the PHP page class that handles our login method:

    <?php
    class login extends TPage
    {
        // Handler for the OnCommand event of btnLogin
        public function loginUser($sender, $param)
        {
            $auth = $this->Application->getModule('auth');
            // The last parameter means the login expires after 3600 seconds
            if ($auth->login($this->txtUserName->Text, $this->txtPassword->Text, 3600)) {
                // Login succeeded: return to the page the user originally requested,
                // or to the service's default page if there is none
                if ($auth->ReturnUrl !== null)
                    $this->Response->redirect($auth->ReturnUrl);
                else
                    $this->Response->redirect(
                        $this->Service->constructUrl($this->Service->DefaultPage));
            } else {
                // Login failed: one message for both unknown user and wrong password
                $this->txtLog->Text = 'Login failed, verify your username or password';
            }
        }
    }

Write the code above into login.php, next to login.page, and your application is ready to run. Two details differ from the original listing: the failure message is written to the txtLog literal that actually exists in the template, and the fallback redirect builds a URL from the page service's DefaultPage instead of passing the bare page name to redirect().
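An authentication system also needs a way out. The following logout page is an added example that is not part of the original tutorial; it assumes the auth module ID from the Application.xml above, a logout.page template that only contains the master's TContent (the page never renders anything, it redirects), and the same login page name.

```php
<?php
// Added example: logout.php, placed in the pages directory next to login.php.
// Assumes the TAuthManager module is registered with id="auth" as in this
// tutorial's Application.xml, and that the login page is named "login".
class logout extends TPage
{
    public function onLoad($param)
    {
        parent::onLoad($param);
        $auth = $this->Application->getModule('auth');
        // TAuthManager::logout() drops the session identity and the
        // remember-me cookie created by login(..., 3600), so the user
        // becomes a guest again for every subsequent request.
        $auth->logout();
        // Send the user to the login page; any ReturnUrl from before the
        // logout is gone with the session, so a fresh login starts clean.
        $this->Response->redirect($this->Service->constructUrl('login'));
    }
}
```

Link to this page from the master template for authenticated users only, for example by checking $this->User->IsGuest before rendering the logout link; the authorization rules already keep guests out of the admin pages, so the link is a convenience, not a control.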
This login tutorial only works with PRADO 3.1.1 and later. This tutorial is copied from my application with a little modification to make it simpler. I haven't tried this modified version, but I think everything will work if there are no typos. Please contact me if this modification does not work for you, or you can help me edit this tutorial to make it work if something is wrong.

