5

I am using the latest Ion Auth files along with the latest version of CodeIgniter 2.

There is a function called edit_user within the auth.php Controller file. This function is restricted to use only by members within the "Admin" group, and any Admin member can edit any other member using the function via this URL...

/auth/edit_user/id

The problem is that I don't see any Controller function or View that allows a regular (non-Admin) user to edit their own account details.

Would this be a new Controller function I'd need to write (modify edit_user function?) or is this something that Ion Auth should already do? If so, how?

Here is the stock Ion Auth edit_user function contained within the auth.php Controller...

function edit_user($id)
{
    $this->data['title'] = "Edit User";

    if (!$this->ion_auth->logged_in() || !$this->ion_auth->is_admin())
    {
        redirect('auth', 'refresh');
    }

    $user = $this->ion_auth->user($id)->row();

    //process the phone number
    if (isset($user->phone) && !empty($user->phone))
    {
        $user->phone = explode('-', $user->phone);
    }

    //validate form input
    $this->form_validation->set_rules('first_name', 'First Name', 'required|xss_clean');
    $this->form_validation->set_rules('last_name', 'Last Name', 'required|xss_clean');
    $this->form_validation->set_rules('phone1', 'First Part of Phone', 'required|xss_clean|min_length[3]|max_length[3]');
    $this->form_validation->set_rules('phone2', 'Second Part of Phone', 'required|xss_clean|min_length[3]|max_length[3]');
    $this->form_validation->set_rules('phone3', 'Third Part of Phone', 'required|xss_clean|min_length[4]|max_length[4]');
    $this->form_validation->set_rules('company', 'Company Name', 'required|xss_clean');

    if (isset($_POST) && !empty($_POST))
    {
        // do we have a valid request?
        if ($this->_valid_csrf_nonce() === FALSE || $id != $this->input->post('id'))
        {
            show_error('This form post did not pass our security checks.');
        }

        $data = array(
            'first_name' => $this->input->post('first_name'),
            'last_name'  => $this->input->post('last_name'),
            'company'    => $this->input->post('company'),
            'phone'      => $this->input->post('phone1') . '-' . $this->input->post('phone2') . '-' . $this->input->post('phone3'),
        );

        //update the password if it was posted
        if ($this->input->post('password'))
        {
            $this->form_validation->set_rules('password', 'Password', 'required|min_length[' . $this->config->item('min_password_length', 'ion_auth') . ']|max_length[' . $this->config->item('max_password_length', 'ion_auth') . ']|matches[password_confirm]');
            $this->form_validation->set_rules('password_confirm', 'Password Confirmation', 'required');

            $data['password'] = $this->input->post('password');
        }

        if ($this->form_validation->run() === TRUE)
        {
            $this->ion_auth->update($user->id, $data);

            //check to see if we are creating the user
            //redirect them back to the admin page
            $this->session->set_flashdata('message', "User Saved");
            redirect("auth", 'refresh');
        }
    }

    //display the edit user form
    $this->data['csrf'] = $this->_get_csrf_nonce();

    //set the flash data error message if there is one
    $this->data['message'] = (validation_errors() ? validation_errors() : ($this->ion_auth->errors() ? $this->ion_auth->errors() : $this->session->flashdata('message')));

    //pass the user to the view
    $this->data['user'] = $user;

    $this->data['first_name'] = array(
        'name'  => 'first_name',
        'id'    => 'first_name',
        'type'  => 'text',
        'value' => $this->form_validation->set_value('first_name', $user->first_name),
    );
    $this->data['last_name'] = array(
        'name'  => 'last_name',
        'id'    => 'last_name',
        'type'  => 'text',
        'value' => $this->form_validation->set_value('last_name', $user->last_name),
    );
    $this->data['company'] = array(
        'name'  => 'company',
        'id'    => 'company',
        'type'  => 'text',
        'value' => $this->form_validation->set_value('company', $user->company),
    );
    $this->data['phone1'] = array(
        'name'  => 'phone1',
        'id'    => 'phone1',
        'type'  => 'text',
        'value' => $this->form_validation->set_value('phone1', $user->phone[0]),
    );
    $this->data['phone2'] = array(
        'name'  => 'phone2',
        'id'    => 'phone2',
        'type'  => 'text',
        'value' => $this->form_validation->set_value('phone2', $user->phone[1]),
    );
    $this->data['phone3'] = array(
        'name'  => 'phone3',
        'id'    => 'phone3',
        'type'  => 'text',
        'value' => $this->form_validation->set_value('phone3', $user->phone[2]),
    );
    $this->data['password'] = array(
        'name' => 'password',
        'id'   => 'password',
        'type' => 'password'
    );
    $this->data['password_confirm'] = array(
        'name' => 'password_confirm',
        'id'   => 'password_confirm',
        'type' => 'password'
    );

    $this->load->view('auth/edit_user', $this->data);       
}
Sparky
  • 98,165
  • 25
  • 199
  • 285

2 Answers2

5

Unless I'm missing something, I ended up modifying the edit_user function within the auth.php Controller as follows.

I changed this line which checks to see that the user is "not logged in" OR "not an admin" before dumping them out...

if (!$this->ion_auth->logged_in() || !$this->ion_auth->is_admin())
{
    redirect('auth', 'refresh');
}

...into this, which check to see that the user is "not logged in" OR ("not an admin" AND "not the user") before dumping them out...

if (!$this->ion_auth->logged_in() || (!$this->ion_auth->is_admin() && !($this->ion_auth->user()->row()->id == $id)))

This seems to be working...

  • Admin can edit all accounts
  • User can only edit his own account
  • and somebody not logged in, can't edit any account.

Edit: However, the user also has access to the "groups" setting and could simply put themself into the "admin" group. Not good.

Ion Auth's developer refers to the files he provides as working "examples". Therefore, it's up to the end-developer to edit Ion Auth to suit the needs of the project.

To prevent the user from being able to make himself an "admin" requires a simple change to the edit_user.php view file.

Verifies the user is already an "admin" before creating the checkboxes...

<?php if ($this->ion_auth->is_admin()): ?>

    // code that generates Groups checkboxes

<?php endif ?>

Then you'll also need to thoroughly test and adjust as needed. For example, after editing a user profile, you're redirected to the auth view. Since the user doesn't have permission to see the auth view, there is a "must be an admin" error. In the controller file, you'll have to add the appropriate logic to properly redirect the user when they're not an "admin".

Sparky
  • 98,165
  • 25
  • 199
  • 285
  • 1
    Thanks for answering this yourself and posting the code. I posted it as a pull request and it's now been merged into the Ion Auth repository. – tagawa Feb 16 '14 at 13:29
1

No Ion Auth doesn't do this as is - it's pretty light weight. But it's not hard to do and your on the right track, just grab that edit_user method and take out the admin checks and make it so the user can only edit their own account, just alter it so that it only updates user details for the currently logged in user.

Check the ion auth docs, have a crack at it and come back with some code if you have any problems.

SwiftD
  • 5,769
  • 6
  • 43
  • 67
  • No problems... just looking for a conclusive answer. I successfully modified it and posted my answer. Thank-you. – Sparky Dec 11 '12 at 00:28