Improve Password EAV Attribute Backend model #1455
1. In method beforeSave, $object->getPassword() can return a non-string value, so it would be great to convert the value to a string to avoid converting it to a string in all places; as a result we may not have unexpected behavior in the future, when the code is changed. Also, it would be great to replace the == operator with ===, because there we will have two strings, no type conversion needed.

2. In method validate, $object->getPassword() and $object->getPasswordConfirm() may not be strings. As an example, password is the string 'myPasswordConfirm', password confirm is true. 'myPasswordConfirm' == true. Result will be true. So those params were converted to string and compared with ===.

3. It would be great to define which object type will be received in the beforeSave and validate methods, to be sure that we got \Magento\Framework\Object and this method contains getPassword and getPasswordConfirm (or a __call method, which will process them correctly). I didn't change those methods because they are defined in the parent class w/o type declaration.
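
The comparison behaviour described in point 2, as an added example that is not part of the pull request or of Magento's code. `DemoObject` and the three `confirm*` functions are hypothetical names, and the input values are constructed; the third function follows the review position that a non-string return value is a broken contract.

```php
<?php
// Hypothetical stand-in for the object passed to validate(); not Magento's class.
final class DemoObject
{
    private $data;
    public function __construct(array $data) { $this->data = $data; }
    public function getPassword() { return $this->data['password'] ?? null; }
    public function getPasswordConfirm() { return $this->data['password_confirm'] ?? null; }
}

// "Before": loose comparison, PHP type juggling decides the result.
function confirmLoose(DemoObject $o): bool
{
    return $o->getPassword() == $o->getPasswordConfirm();
}

// Cast both values to string, then compare strictly.
function confirmCastStrict(DemoObject $o): bool
{
    return (string) $o->getPassword() === (string) $o->getPasswordConfirm();
}

// Enforce the contract: anything that is not a string is rejected outright.
function confirmContract(DemoObject $o): bool
{
    $password = $o->getPassword();
    $confirm = $o->getPasswordConfirm();
    if (!is_string($password) || !is_string($confirm)) {
        throw new InvalidArgumentException('password and confirmation must be strings');
    }
    return $password === $confirm;
}

// Constructed inputs for the demonstration.
$cases = [
    'matching strings'     => ['password' => 'myPasswordConfirm', 'password_confirm' => 'myPasswordConfirm'],
    'confirmation is true' => ['password' => 'myPasswordConfirm', 'password_confirm' => true],
    'password "1" vs true' => ['password' => '1', 'password_confirm' => true],
    'confirmation missing' => ['password' => 'myPasswordConfirm'],
];
foreach ($cases as $label => $data) {
    $o = new DemoObject($data);
    try {
        $contract = var_export(confirmContract($o), true);
    } catch (InvalidArgumentException $e) {
        $contract = 'rejected';
    }
    printf("%-22s loose=%-5s cast+strict=%-5s contract=%s\n", $label,
        var_export(confirmLoose($o), true), var_export(confirmCastStrict($o), true), $contract);
}
```

Casting `true` to string yields `'1'`, so the cast-then-`===` form still treats a boolean confirmation as equal when the password is the string `'1'`; only the contract check rejects every non-string input.
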
=== operator is an improvement but string conversion looks like an adaptation for poor API. We should make sure getPassword() and getPasswordConfirm() always return string
@antonkril so you mean that we should add checking that getPassword() and getPasswordConfirm are strings? Which behavior should it be if it's not a string?
I mean that signature (and PHPDoc) of getPassword and getPasswordConfirm should be received as a contract. Such checks are not required. Otherwise we will have to do checks for every method call. And the fact that these methods break the contract is the problem that should be fixed. They should always return strings.
@antonkril feel free to improve retrieving password and password confirmation 👍
We have automated a Magento Contributor License Agreement verifier for contributions sent to our GitHub projects.
@magento-cicd I have signed the CLA agreement, but it doesn't look like it is signed.
@ihor-sviziev, thank you for contributing to Magento 2. Please ensure that all changed code is covered with unit tests and Travis build is passing (https://travis-ci.org/magento/magento2/builds/91828729)
Hello @ihor-sviziev, are you still interested in this pull request? If yes, could you update the code and cover it by automated tests?
Closing since author didn't cover the code by tests and similar PR is merged #4355
@slavvka @nevvermind thank you for finishing my request. I hope Magento 2 will be more secure with this fix.