Question about Salted Hash Login Generator

Hi,

I am using salted hash login generator to create my login page. In the
user_environment.rb file, I saw that there is a comment saying you should
NOT include the email field in the changeable user fields array. Does
anyone know why?

    Add all changeable user fields to this array. They will then be able
    to be edited from the edit action. You should NOT include the email
    field in this array.

I would like to make the email field updateable and use email to
logon.
Thanks.

Arnold.

Arnold Ng wrote:

> Hi,
>
> I am using salted hash login generator to create my login page. In the
> user_environment.rb file, I saw that there is a comment saying you should
> NOT include the email field in the changeable user fields array. Does
> anyone know why?
>
>     Add all changeable user fields to this array. They will then be able
>     to be edited from the edit action. You should NOT include the email
>     field in this array.
>
> I would like to make the email field updateable and use email to
> logon.
> Thanks.
>
> Arnold.

I would strongly advise you not to use salted hash login generator.
It’s a real pain, with all its excessive syntactic sugar and
localisation stuff. Acts_as authenticated is much cleaner, and there
are several big acl/rbac things you can run on top of it - check out the
rails wiki. I’m in the middle of cleaning all the s-h-l-g stuff out of
my application.

To answer your question, I think that allowing a user to change their
email address would mean that they could put something invalid in it.
If they then forget their password, they’re stuffed!

Robert J.

Robert J. wrote:

> If they then forget their password, they’re stuffed!
>
> Robert J.

Hi Robert,

The Agile Web D. book explains how to set up a salted hash
password scheme for user access. It seemed like a simple and elegant
enough solution for basic access control management. The main
restriction (imho) was that a user cannot request his/ her password to
be mailed to him/ her - the password must always be reset to a new
password.

Other than that, what would be your reason to move away from it? To be
honest, I haven’t used the s-h-l-g itself, so I don’t know what else it
brings to the party. Also, I haven’t had the time to look at
acts_as_authenticated, but plan to do so soon…

Cheers
Mohit.
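
As an added example (not SHLG's code, nor the Agile book's), the following plain-Ruby model keeps the salted hash scheme Mohit describes and handles Arnold's request the way Robert's objection suggests: an e-mail change is held as pending and only becomes the login address once a confirmation token sent to the new mailbox comes back, and a password reset is always mailed to the confirmed address. The User class, its fields, the token and the e-mail regex are all constructed for this example.

```ruby
require 'digest'
require 'securerandom'

# Plain-Ruby stand-in for the user model (constructed for this example).
class User
  attr_reader :email, :pending_email, :salt, :hashed_password

  def initialize(email, password)
    @email = email
    @pending_email = nil
    @confirm_token = nil
    @salt = SecureRandom.hex(16)
    @hashed_password = User.hash_password(password, @salt)
  end

  # Salted hash: the per-user salt is stored beside the digest, so two users
  # with the same password still get different digests.
  def self.hash_password(password, salt)
    Digest::SHA256.hexdigest("#{salt}--#{password}")
  end

  def authenticate(password)
    User.hash_password(password, salt) == hashed_password
  end

  # Step 1 of an e-mail change: record the new address but keep the old one
  # live. Returns the token the confirmation mail would carry.
  def request_email_change(new_email)
    raise ArgumentError, 'invalid e-mail' unless new_email =~ /\A[^@\s]+@[^@\s]+\z/
    @pending_email = new_email
    @confirm_token = SecureRandom.hex(16)
  end

  # Step 2: only a token that reached the new mailbox can switch the address.
  def confirm_email_change(token)
    return false unless @pending_email && @confirm_token && token == @confirm_token
    @email = @pending_email
    @pending_email = @confirm_token = nil
    true
  end

  # A reset always goes to the confirmed address, never the pending one, so a
  # mistyped new address cannot strand the account (the thread's objection).
  def reset_password!
    new_password = SecureRandom.hex(8)
    @hashed_password = User.hash_password(new_password, salt)
    [email, new_password]
  end
end
```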

Mohit S. wrote:

> Robert J. wrote:
>
> > If they then forget their password, they’re stuffed!
> >
> > Robert J.
>
> Hi Robert,
>
> The Agile Web D. book explains how to set up a salted hash
> password scheme for user access. It seemed like a simple and elegant
> enough solution for basic access control management. The main
> restriction (imho) was that a user cannot request his/ her password to
> be mailed to him/ her - the password must always be reset to a new
> password.
>
> Other than that, what would be your reason to move away from it? To be
> honest, I haven’t used the s-h-l-g itself, so I don’t know what else it
> brings to the party. Also, I haven’t had the time to look at
> acts_as_authenticated, but plan to do so soon…
>
> Cheers
> Mohi

What else it brings to the party is a load of (IMHO) pretty pointless
helper functions that make the .rhtml files hard to read and
localisation stuff that most people aren’t going to use. Don’t get me
wrong - I’m very grateful that shlg existed, but I think acts_as
authenticated is a nicer solution which builds on the great work that
Tobias L. did initially. Essentially acts_as authenticated is a
stripped down version of shlg [no doubt someone will put me right
otherwise!].

Cheers,

Robert

On Tue, Jul 04, 2006, Robert J. wrote:

> What else it brings to the party is a load of (IMHO) pretty pointless
> helper functions that make the .rhtml files hard to read and
> localisation stuff that most people aren’t going to use. Don’t get me
> wrong - I’m very grateful that shlg existed, but I think acts_as
> authenticated is a nicer solution which builds on the great work that
> Tobias L. did initially. Essentially acts_as authenticated is a
> stripped down version of shlg [no doubt someone will put me right
> otherwise!].

You’re exactly right. The Login Generator came first and was pretty
decent, then the SHLG, which was a good idea but the execution was
lacking. Aside from the localization stuff that you mentioned (who
knows who thought it would be a good idea to make that mandatory!)
there were problems with the tests and other things.

Then came acts_as_authenticated, and for the most part everyone
converted and never looked back.

The SHLG has some merits and is worth a look for learning purposes, but
it’s also pretty old (I believe I used it in 0.12 days?) and I don’t
think it’s being updated anymore.

Ben