I am using FOSUserBundle and I am trying to create a page that allows a user to update their user profile. The problem I am facing is that my form does not require that the user reenter their password if they don't want to change/update their password. So when a user submits the form with an empty password the database will be updated with an empty string, and the user will not be able to log in.
How can I get my form to ignore updating the password field if it is not set? Below is the code I am using.
$user = $this->get('security.context')->getToken()->getUser();
//user form has email and repeating password fields
$userForm = $this->createForm(new UserFormType(), $user);
if ($request->getMethod() == 'POST') {
$userForm->bindRequest($request);
if($userForm->isValid()){
//this will be be empty string in the database if the user does not enter a password
$user->setPlainPassword($userForm->getData()->getPassword());
$em->flush();
}
}
I have tried a few things such as the following, but this is still empty because the bindRequest sets the empty password to the user
if($userForm->getData()->getPassword())
$user->setPlainPassword($userForm->getData()->getPassword());
I have also tried, but this results in a similar situation and causes an unneeded query
if($userForm->getData()->getPassword())
$user->setPlainPassword($userForm->getData()->getPassword());
else
$user->setPlainPassword($user->getPlainPassword());
Are there any elegant ways to handle this use case?
The problem is that you bind a form to a User Object before controls upon password.
Let's analyze your snippet of code.
Do the following
$user = $this->get('security.context')->getToken()->getUser();
will load an existing user into a User Object. Now you "build" a form with that data and if receive a post, you'll take the posted data into the previous object
$userForm = $this->createForm(new UserFormType(), $user);
if ($request->getMethod() == 'POST') {
$userForm->bindRequest($request);
So, onto bindRequest you have alredy lost previous password into the object (obviously not into database yet) if that was leave empty. Every control from now on is useless.
A solution in that case is to manually verify value of form's field directly into $request object before binding it to the underlying object.
You can do this with this simple snippet of code
$postedValues = $request->request->get('formName');
Now you have to verify that password value is filled
if($postedValues['plainPassword']) { ... }
where plainPassword I suppose to be the name of the field we're interesting in.
If you find that this field contain a value (else branch) you haven't to do anything.
Otherwise you have to retrieve original password from User Object and set it into $request corrisponding value.
(update) Otherwise you may retrieve password from User Object but since that password is stored with an hased valued, you can't put it into the $request object because it will suffer from hashing again.
What you could do - i suppose - is an array_pop directly into $request object and put away the field that messes all the things up (plainPassword)
Now that you had done those things, you can bind posted data to underlying object.
Another solution (maybe better because you move some business logic away from controller) is to use prePersist hook, but is more conceptually advanced. If you want to explore that solution, you can read this about form events
I think you should reconsider if this is in fact a good use case. Should users be able to edit other users passwords? At our institution we do not allow even the highest level admin to perform this task.
If a user needs their password changed we let them handle that themselves. If they have forgotten their password we allow them to retrieve it via email. If they need assistance with adjusting their email we allow our admins to assist users then. But all password updating and creation is done soley by the user.
I think it is great that FOSUserBundle makes it so difficult to do otherwise but if you must DonCallisto seems to have a good solution.
<?php
class User
{
public function setPassword($password)
{
if (false == empty($password)) {
$this->password = $password;
}
}
}
This will only update the password on the user if it isn't empty.
I have found a simple hack to get rid of the "Enter a password" form error.
Manualy set a dummy plainPassword in the user entity. After form validation just reset it before you flush the entity.
<?php
public function updateAction(Request $request, $id)
{
$em = $this->getDoctrine()->getManager();
$entity = $em->getRepository('AppBundle:User')->find($id);
if (!$entity) {
throw $this->createNotFoundException('Unable to find Customer entity.');
}
$deleteForm = $this->createDeleteForm($id);
$editForm = $this->createEditForm($entity);
$postedValues = $request->request->get('appbundle_user');
/* HERE */ $entity->setPlainPassword('dummy'); // hack to avoid the "enter password" error
$editForm->handleRequest($request);
if ($editForm->isValid()) {
/* AND HERE */ $entity->setPlainPassword(''); // hack to avoid the "enter password" error
$em->flush();
return $this->redirect($this->generateUrl('customer_edit', array('id' => $id)));
}
return array(
'entity' => $entity,
'edit_form' => $editForm->createView(),
'delete_form' => $deleteForm->createView(),
);
}
Related
On my platform, the administrator create a user where the password is randomly generated and this automatically sends an email to this new user. The email contains a link that leads to the reset-password page (which will be a password creation page for the user because he does not know that he already has a password generated).
The problem is that when the user clicks on the email link and arrives on the change password page, he is logged in as admin and therefore has permissions that he should not have.
In fact, I want the email link to connect the new user to his account, I don't want him to be logged in as admin. I'm not sure how to do this.
I don't know much about tokens. I believe the Token is generated based on the session used (?).
Thank you in advance for your help.
Here is the code for creating a user :
/**
* #Route("/new", name="user_new", methods={"GET", "POST"})
* #throws TransportExceptionInterface
*/
public function new(Request $request, MailSender $mailSender,UserPasswordHasherInterface $passwordHasher): Response
{
// TODO CHECK IF USER ALREADY EXISTS BY EMAIL
$user = new User();
$form = $this
->createForm(UserType::class, $user)
->handleRequest($request);
if ($form->isSubmitted() && $form->isValid()) {
// TODO GENERATE RANDOM PASSWORD
//$passwordHasher->hashPassword($user, $user->getPassword()));
$user->setPassword($passwordHasher->hashPassword($user, "password"));
$this->entityManager->persist($user);
$this->entityManager->flush();
try {
$resetToken = $mailSender->makeToken($user);
} catch (ResetPasswordExceptionInterface $e) {
return $this->redirectToRoute('user_new');
}
$mailInfos = array('template'=>"reset_password/email_activate.html.twig", 'subject'=>"Activer votre compte", 'email'=>$user->getEmail());
$mailSender->sendMail($resetToken, $mailInfos);
$mailSender->storeToken($resetToken);
return $this->redirectToRoute('user_index', [], Response::HTTP_SEE_OTHER);
}
return $this->renderForm('user/new.html.twig', [
'user' => $user,
'form' => $form,
]);
}
This is expected behaviour because:
multiple tabs/instances of the same browser will usually share the
same server-side session when interacting with the same domain.
means that you can´t be logged in with different users in different tabs per default.
And I don´t think that you would want this, just think of the downsides, do you really want to login again for every tab? This is very uncommon practice. Imagine you would open a stack-overflow question in a new tab and you would not be logged in there.
There are ways to achieve this though, but really re-think if thats your actual usecase, i don´t think so, you are just developing your feature and testing it, and in production a new user will not be already logged in as admin is my assumption.
So for testing your feature just use a private tab (that does usually not share the same server-side session )
if you want to learn more i found this pretty cool so-thread where users try to explain as best as possible
What are sessions? How do they work?
I have a form that I use both for registration and edition of the user informations. This form contains a profile picture property on which I put #Assert\Image.
I succeed in creating a new user through my registration form but when I try to edit the user informations (with a PATCH method, just to update what need to be updated) I encounter an error with a 'File could not be found' message.
I suppose it's because the path stored in the database is a string and my #Assert\Image want an image.
I'm not sure about how I should manage this kind of update.
When I dd() the $user right after the submission, I see that the profilePicture property still contains the path saved in the database.
Here is my function regarding the form handling:
public function myProfile(Request $request)
{
$user = $this->getUser();
$form = $this->createForm(UserFormType::class, $user, ['method' => 'PATCH']);
if ($request->isMethod('PATCH')){
$form->submit($request->request->get($form->getName()), false);
if ($form->isSubmitted() && $form->isValid()) {
//...
}
}
//if no request just display the page
return $this->render('connected/myProfile.html.twig', [
'user' => $user,
'userProfileForm' => $form->createView()
]);
}
The Validator will check if your object contains a image and that seems not the case when you’re updating your object.
A workaround is to use group validation you define a specific group to the property that have the assert Image and in the method getGroupSequence you return the group if you’re in creation (id == null) or if the property is setted.
I am implementing a logical erase for my Symfony 3 entities.
On my entities, I added a $deleted field, and I created some delete-controllers with this code:
$entity->setDeleted(true);
$em->persist($entity);
$em->flush();
Then, I modified also my queries to avoid select 'deleted' entities. And works great.
The problem:
I have some entities with Unique Constraint (for example, email field on user table), so when I delete an user, and then try to add the same user with the same email, symfony shows a validation form error due to 'duplicated email'.
I tried to control this on controller in the following way:
$user = new User();
$em = $this->getDoctrine()->getManager();
if ($request->getMethod() == 'POST') {
$form->handleRequest($request);
//Check for deleted duplication:
$duplicatedUser = $em->getRepository('AppBundle:User')
->getDuplicatedAndDeletedUser($user);
if($duplicatedUser != null){
$em->remove($duplicatedUser);
$em->flush();
}
if ($form->isValid()) {
$em->persist($user);
$em->flush();
}
}
But this code doesn't avoid the form validation error. First time when I try to create, Stymfony shows an error, and then, if I resubmit the form, it works because of the duplicated entity was removed from db.
How can I solve this issue?
Note: I know this: http://atlantic18.github.io/DoctrineExtensions/doc/softdeleteable.html but, I have already developed all the logic described, so I prefer go in my way with this.
Finally I find the sollution.
As you can see here http://symfony.com/doc/current/forms.html#handling-form-submissions handleRequest() method validate the form, so delete the entity after that don't solve the problem at all.
I do that to get form data:
$userName = $request->request->get('user')['email'];
And then check if this $userName is already used. If so, I delete the user before handleRequest() call.
Hope this help others.
Something strange in your code, I can see a user getting created but it doesn't get injected in the form so it can be used to store data in it and I also don't see the form anywhere, was it created in the controller or is it pure html, if so, you would need to fill in the user with the data from the form with $formName->getData() function or if you so wish, fill in only individual fields with the $formName['fieldname']->getData(). Try this code:
$user = new User();
$form = $this->createForm(UserType::class, $user);
$form->handleRequest($request);
if ($form->isSubmitted() && $form->isValid())
{
$em = $this->getDoctrine()->getManager();
//Check for deleted duplication:
$duplicatedUser = $em->getRepository('AppBundle:User')
->getDuplicatedAndDeletedUser($user);
if($duplicatedUser != null){
$em->remove($duplicatedUser);
$em->flush();
}
$em->persist($user);
$em->flush();
}
I use the FOS User bundle and LdapBundle for my users to connect to the website.
I created a form, and I want to keep a track on who added an entry. So I want to save to the database the user that added/modified that thing.
What is the best way to do this ? Since it's going to be a form, my first thought was to create an hidden field on my FormType with the current user id, but I think it's safe.
Any suggestion would be appreciated.
Thanks !
I dont know ldapBundle but when i want to save for example a photo i do in my controller
$user=$this->security_context->getToken()->getUser();
$form = $this->createForm(new PhotoType(), $photo )
$request = $this->get('request');
if ($request->getMethod() == 'POST') {
$form->handleRequest($request);
if ($form->isValid()) {
$photo->setUser($user);
$em = $this->getDoctrine()->getManager();
$em->persist($photo);
$em->flush();
....
Its a basic code, you also have to check if the user exist beofre doing the persistance : if($user) ...
I would suggest against the hidden field as it could be easily manipulated.
The better way would be to inject SecurityContext into your form and bind the logged in user to that object via POST_SUBMIT event.
I'm working on a form that enabled the user to change his username. However, I want the user to enter his current password in order to change the username.
The modification works well and when the current password is wrong, it gives an error. However, the username of the user given to the template is the wrong one and so my text saying "Logged as XXX" in the header bar is wrong.
I mean that if the user enters "YYY" for the username, and the current username is "XXX", the message in the header bar will be "Logged as YYY" instead of "Logged as XXX".
I'm using app.user.username to display the name in my TWIG template.
Here is my controller code:
public function profileAction()
{
$request = $this->getRequest();
$user = $this->get('security.context')->getToken()->getUser();
$form = $this->createForm(new UserType(), $user);
$form->handleRequest($request);
if ($form->isValid())
{
if($user->getPlainPassword() != "")
{
$encoder = $this->get('security.encoder_factory')->getEncoder($user);
$password = $encoder->encodePassword($user->getPlainPassword(), $user->getSalt());
$user->setPassword($password);
$user->setPlainPassword("");
}
$user->setPlainPassword("");
$em = $this->getDoctrine()->getManager();
$em->persist($user);
$em->flush();
return $this->redirect($this->generateUrl('user_profile'));
}
return $this->render('CafauSecurityBundle:Security:profile.html.twig', array(
'form' => $form->createView(),
));
}
Basically, in my form, the user can change his username and/or his password. Every time, he needs to provide the current password.
The problem is that when the form is not valid, the username given to the template is the one edited in the form and not the original one.
There are two ways to solve the problem:
Using a separate field for the new username, and
Using a form model.
Separate Field
You could create a separate field in your User class to hold the new username and copy it to the actual username after validation and before persisting — the same way you're currently doing with passwords.
Form Model
Basically, a form model is an object that embeds the actual model and those extra fields like newUsername or plainPassword. You would go this route if you don't want to clutter the actual model class with these extra fields.