flexi auth - A user authentication library for CodeIgniter
#40

Klausch
Hi Hasey,

I am still very enthusiastic about the lib and we surely are going to use it for our website. There are nevertheless a couple of new issues:

1.
When testing some custom dummy data with a bunch of users and custom tables, I encountered that the first user was not able to log in, the login screen just returned with an error message ('Your submitted login details are incorrect.') and empty fields.
The other users, with the same password, however could log in without any problem.

This first user had a userid of 0, which is legal in terms of a DB primary key. But indeed it was the culprit!
The call to flexi_auth_model->login(...) finally delegates to the function insert_database_login_session().
And this function starts with a test which fails:
Code:
if (!$user_id)
{
   return FALSE;
}

When a value of 0 is passed in, a legal primary key value so a legal $user_id value, it is interpreted as FALSE and therefore the function exits with FALSE and the login fails.

I think the test is not right. If you just want to test whether a valid int value is passed in, a better test would be:
Code:
if (! is_int($user_id)) {
  return FALSE;
}

For now I choose to work with PK values starting with 1, but I think you get my point :)

2.
We noticed some strange behaviour when changing the login credential (in our case the email address). It is not necessarily a bug but I just want to share it.
We are testing on different machines which makes the session management a bit unclear. Though it should be possible, especially in this time of mobile internet, to be logged in from different sources.
This appeared not to be a problem unless we changed the email address and clicked on the confirmation mail on the new address. The activation went fine but some data was lost.

The culprit was the call of the following function, which we copied from the demo application:
Code:
$this->data['user'] = $this->flexi_auth->get_user_by_identity_row_array();

Where this function normally returns the user data, it now returns an empty array.
I have not dug very far in the code yet, but I think it just tries to look up the user data by the old email address. It appears that after changing the call to

Code:
$this->data['user'] = $this->flexi_auth->get_user_by_id_row_array();

the right user data is returned, even after changing the email address and access from a still-alive session from some other machine.
I am just thinking about this, maybe I post more insights later.

I probably still miss something here but for now I wonder when the function get_user_by_identity() should be used, I think that this should merely be called by an administrator to access a given account.
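
The user id 0 problem from point 1 of the post above, as an added example that is not part of the original post or of the flexi auth code: it runs the quoted guard, the proposed `is_int()` guard, and a stricter alternative over the same inputs. The function names are hypothetical and the sample values are constructed.

```php
<?php
// Added illustration; the function names are hypothetical, not flexi auth's API.

// The guard quoted in the post: any falsy value, including id 0, is rejected.
function guard_falsy($user_id): bool
{
    return (bool) $user_id;
}

// The is_int() guard proposed in the post: accepts 0, but rejects numeric
// strings, which is how PHP database drivers commonly return integer columns.
function guard_is_int($user_id): bool
{
    return is_int($user_id);
}

// Stricter alternative: accept a non-negative integer or its decimal string form.
function guard_valid_id($user_id): bool
{
    if (is_bool($user_id) || $user_id === null) {
        return false; // filter_var() would otherwise coerce TRUE to 1
    }
    // Compare with !== false: a valid id of 0 is itself falsy.
    return filter_var($user_id, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]) !== false;
}

// Constructed sample inputs: ints, driver-style strings, and junk values.
$samples = [0, '0', 1, '17', '', null, false, true, '12abc', -5, '0x1A', 3.7];

foreach ($samples as $value) {
    printf("%-8s falsy-check=%-5s is_int=%-5s valid_id=%s\n",
        var_export($value, true),
        var_export(guard_falsy($value), true),
        var_export(guard_is_int($value), true),
        var_export(guard_valid_id($value), true));
}
```

Only the third guard accepts both `0` and `'0'` while still rejecting the empty string, `null`, booleans, negative numbers and malformed strings.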


