Dealing with FOSUserBundle PlainPassword field - symfony

I've created a User custom class in my Bundle. It inherits from the BaseUser class of FOSUserBundle.
In my class, I've defined several attributes which are entities of my Bundle, like Adress, Avis etc.
I have defined the formType of all my forms with data_class User.
It allows me to retrieve interesting user information like username (!) and displaying it in my forms.
BUT when I validate my forms it asks me to fill the plainPassword field of User class as it is a mandatory attribute.
First I wanted to retrieve the password from database to fill it in the form before displaying it but it seems impossible as a security measure.
So I've tried to stock it in the session (ugly I know) after registration but it seems not possible to force the form data with a value (surely because it is a password type field)...
So question is : what would you do ?

But what is the purpose of retrieving it?
You want to modify any of user's data like username or email?
Remember you can have /profile 'module' in FOSUser Bundle, which is used for modifing for example username and email.
For changing password you have separate 'module' change password (I don't remember path). Maybe that's what you are looking for? Of course that way user can edit only his own data. These modules are ready to use by deafault (you have to provide routing for them).
If you want for example, that admin modifies the other user's data that can be interesting for you:
In case of password, take a look at column in db called 'salt', which is used for encoding password in db. If you try to save password in db without salting it won't work - so I think if you want to change the password in db by some custom action - you have to set plain password and the it will be automatically encoded.
If you want to fill some form's fields by default read something about forms in Symfony, Fields types and something about their additional features and remember that password field require individuall approach.

I would not store the users plain password anywhere, let alone display it in the browser.
Playing with plain text passwords like you are doing is major security threat to your application, and any and all users using it.
The default User class in FOSUserBundle has two fields for the password, password and plainPassword. That plain password is filled in by the form, then, in the controller, the password field is generated by whatever encryption method you have configured for the firewall. The new user is then added to the database and the plain password field is cleared and never used again.
If you are trying to set up a forgot password solution, I would recommend emailing the user with some kind of unique key (as a URL parameter), ask them to confirm then give them the opportunity to update their password.

Related

Password required when editing

I'm trying to create/edit users and I'm having a slight problem with the password field.
When creating a user, it is fair to assume that the password field is required, however, I don't want it required when editing a user
Is there an easy way to do this?
I'm using the SonataAdminBundle to manage the User Form (NOT SonataUserBundle)
I think you can do it in two ways:
Use inheritance. Create a base FormType and then inherit it to create CreateUserType and EditUserType that add custom password settings
Use same form and leave password as not required, then in the "create user" controller check if password field has been filled and throw an exception if it is empty
Maybe there are more approaches to your problem. I usually use the second one but choose the one fits best to you.

FOSUserBundle: Update entity after registration

In order to register, users have to select a their account name created by my moderators. That means that a moderators have to create an account name before the user registers.
To do so, I made a first entity, let's call it "Member", that has a field "account". Then I added to this entity the boolean field "bound" that is set to false by default.
What I want to do is to set this field "bound" to true when someone registers after he selected his account name and fill the FOSUserBundle required fields (username, passwords, email...).
I tried to follow the documentation of "overriding controllers", but I'm getting an error (You have requested a non-existent service "fos_user.registration.form".) and this is where I'm stucked.
Using controller events can maybe help me, but I do not know which is the best solution.
If anyone has a solution to my problem, I'll be really grateful.
You should used the controller event to hook after the registration process, and more specifically the
REGISTRATION_COMPLETED event (if I remember correctly).

avoid sql inject by query string in asp.net

I programed an application with asp.net and use "respons.redirect" in some pages, like this:
Response.Redirect(string.Format("~/*****/****.aspx?ID={0}", ID));
as user execute this cod he will redirect to correct page and every thing is fine .he can see this redirect link in his browser address :
http://localhost:1852/Jornal/Editor/ReviewerEmail.aspx?ID=1030
Now if he changes the ID manually and the ID is correct he can access the other data without any permission. how can i avoid this problem?(I wont use session)
please help me
If the ID needs to be public and no access control can solve the problem.
then i would suggest that you add a second parameter that is a hash of that Id.
Tampering with the ID parameter will cause a missmatch between ID and hash
http://msdn.microsoft.com/en-us/library/system.security.cryptography.sha256.aspx
you cold also change your ID parameter to a less 'guessable' id, like a GUID
You need to use access control.
Whenever you display any data, you need to check whether the currently-logged-in user has access to that data.
Obviously, you also need to track the currently-logged-in user, in a way that will prevent attackers from being able to claim they are someone else..
To do that, use ASP.Net's built-in membership system.

asp.net mvc 3 reset password by admin and force user to change it

I'm using asp.net Membership, I develop an admin page who can regenerate a temp password to send to the user, then when the user log on for first time, the password must be changed, but I cant figure out who to know if the password was reseted.
I tried something like in a base controller:
if (user.LastPasswordChangedDate >= user.LastLoginDate)
{
filterContext.Result = RedirectToAction("ChangePassword", "Account");
}
But, I already have updated the LastLoginDate because the ChangePassword Action need to be with a autenticated user.
I was thinking when reseting the password to lock/unlock the user to get updated the "LastLockoutDate" and do:
if (user.LastPasswordChangedDate >= user.LastLockoutDate)
{
filterContext.Result = RedirectToAction("ChangePassword", "Account");
}
But, I can't find a method to do manual lockout
Thanks!!!
There's a lot of things you could do, some would depend on how your system works. For instance, you could store a specific piece of data in the Comment field, if you're not using comments.
Or, if you don't use the "Approved" bit (that is, when you create new users you do not require them to validate an email or something, but instead create them with IsApproved set to true) then you can set IsApproved to False and force a password change if it's false.
There is no method to access much of this data in the Membership API, you just have to access it from you database.
You could also store this in the Personalization provider.
Another option is to simply avoid storing this in the Membership database, and instead just add a table or a field in your apps data to deal with this.

Pass additional parameter to Custom Membership provider's ValidateUser()

I have a class "User" that is inherited by two other classes(LocalUser and Donor). I have created a custom membership provider for ASP.net forms authentication and overridden the ValidateUser() method. In the ValidateUser() method of my custom membership provider, I need to pass in a parameter to know whether the "User" to validate is "LocalUser" or "Donor" and accordingly validate the user against the database. The problem is that ValidateUser() takes only two parameters (username and password). So there is no scope for me to push in another one. One thing that came to my mind was to set a session variable but then I was looking for a cleaner approach. Any suggestions?
Just create an overridden version of your Validate method, taking 3 parameters and call it directly like:
((MyCustomMembershipProvider)Membership.Provider).Validate( username, pass, anything );
The only drawback of such approach is that you can no longer rely on the automatic invocation of the two-parameter version of the Validate method, if and only if it is automatically called from somewhere (for example from the asp:Login control)
You could send both username and usertype in username field and then parse it in ValidateUser method? Like this: username|userType. Of course, you should forbid entering delimiter in username field.

Resources