[html-formfu] Constraint for salted hash password
Carl Franks
fireartist at gmail.com
Fri Feb 27 14:07:13 GMT 2009
2009/2/27 Christian Lackas <christian at lackas.net>:
> * Carl Franks <fireartist at gmail.com> [090227 13:25]:
>
> Hi Carl,
>
>> You're adding a 2nd validator, so it doesn't have the message set on the 1st.
>> That should really be:
>> $field->get_validator({ type => 'Callback' })->callback( sub {
>>     return Crypt::SaltedHash->validate($user->password, shift);
>> });
>
> Makes perfect sense, did not see that when I copied and pasted my code
> from your example in the docs.
>
> One last (loosely related) question: Besides the field with the current
> password (used to verify the commit), I also have two fields to set a
> new password:
>
>   - type: Password
>     name: password
>     label: Password
>     constraint:
>       - type: MinLength
>         min: 6
>       - type: Regex
>         regex: '\W'
>         message: Must contain one non-letter/digit
>     transformers:
>       - type: Callback
>         callback: MyApp::Utils::hashpassword
>   - type: Password
>     name: password_confirm
>     label: Password (confirm)
>     constraint:
>       - type: Equal
>         others: password
>
> Everything works great (e.g. both have to be the same, length and at
> least one \W character), however, if I don't type in anything (for both)
> I get a valid empty $form->param('password') (before transformers). Why
> is that (since I set MinLength to 6)?

Generally in all constraints, etc, you first need to check if the
value is empty.
In constraints it's:

    return 1 if !defined $value || $value eq '';

In transformers, this would probably make more sense:

    return if !defined $value || $value eq '';

> It is actually half-way what I want: If no password is given, the
> password should not be changed. However, currently it sets the password
> to '' rather than preserving the old value.
> As a workaround, I check for empty string in password and then re-add
> the value from the database:
>
> $form->add_valid(password => $user->password);
>
> I assume the password gets lost in the process since it is never used
> as a default value (due to the 'Password' type), right?

Is this from using $form->model->update()?
Because the field doesn't have a Required constraint, an empty string
is a valid value.
Model-DBIC's update() isn't smart enough to know you don't want the
column updated, so you need some logic somewhere, either so you don't
call update() if the password isn't being changed

    if ( $form->param_value('password') ) {
        $form->model->update( $user );
    }

or by adding an option to Model-DBIC along the lines of 'no_update_if_empty'.

Carl
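
The empty-value guards and the skip-update decision from the reply above, as an added example that is not part of the original thread or HTML::FormFu's own code. It is a plain-Perl model with no HTML::FormFu calls: the function names, the fixed salt and the sample inputs are constructed assumptions, and `hash_password` is a hypothetical stand-in for `MyApp::Utils::hashpassword`.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Constraint-style checks: an empty value passes, as in the reply above.
# Rejecting empty input is left to a separate Required constraint.
sub min_length_ok {
    my ($value, $min) = @_;
    return 1 if !defined $value || $value eq '';
    return length($value) >= $min ? 1 : 0;
}

sub has_non_word_ok {
    my ($value) = @_;
    return 1 if !defined $value || $value eq '';
    return $value =~ /\W/ ? 1 : 0;
}

# Transformer-style step; hypothetical stand-in for MyApp::Utils::hashpassword.
# Without the guard, '' would become a non-empty hash string and get stored.
sub hash_password {
    my ($value, $salt) = @_;
    return if !defined $value || $value eq '';
    return $salt . '$' . sha256_hex($salt . $value);
}

# Run constraints, then the transformer, then decide which columns to write.
sub process_password {
    my ($submitted, $salt) = @_;
    return { ok => 0 }
        unless min_length_ok($submitted, 6) && has_non_word_ok($submitted);
    my $hashed = hash_password($submitted, $salt);
    # No new password submitted: leave the stored hash untouched.
    return { ok => 1, update => defined $hashed ? { password => $hashed } : {} };
}

# Constructed inputs and a fixed, constructed salt (use a random salt per user).
for my $input ('', 'abc', 'abcdefg', 'abc-defg') {
    my $r = process_password($input, 'constructed-salt');
    my $cols = $r->{ok} ? join(',', sort keys %{ $r->{update} }) || '(none)' : '-';
    printf "%-12s valid=%d columns_written=%s\n", "'$input'", $r->{ok}, $cols;
}
```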