Hi,

I am using salted hash login generator to create my login page. In the user_environment.rb file, I saw that there is a comment saying should NOT include the email field in the changeable user fields array. Does anyone know why?

> # Add all changeable user fields to this array.
> # They will then be able to be edited from the edit action. You
> # should NOT include the email field in this array.

I would like to make the email field to be updateable and use email to logon.

Thanks.

Arnold.

--
Posted via http://www.ruby-forum.com/.
Arnold Ng wrote:
> Hi,
>
> I am using salted hash login generator to create my login page. In the
> user_environment.rb file, I saw that there is a comment saying should
> NOT include the email field in the changeable user fields array. Does
> anyone know why?
>
>> # Add all changeable user fields to this array.
>> # They will then be able to be edited from the edit action. You
>> # should NOT include the email field in this array.
>
> I would like to make the email field to be updateable and use email to
> logon.
> Thanks.
>
> Arnold.

I would strongly advise you not to use salted hash login generator. It's a real pain, with all its excessive syntactic sugar and localisation stuff. Acts_as authenticated is much cleaner, and there are several big acl/rbac things you can run on top of it - check out the rails wiki. I'm in the middle of cleaning all the s-h-l-g stuff out of my application.

To answer your question, I think that allowing a user to change their email address would mean that they could put something invalid in it. If they then forget their password, they're stuffed!

Robert Jones

--
Posted via http://www.ruby-forum.com/.
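One way to make the email field editable without losing the password-reset path described in the reply above, as an added example that is not part of the original thread or of the Salted Hash Login Generator: the new address is held as pending and only becomes the login email after a token mailed to it is presented. The `User` struct, the method names, the one-hour lifetime and the format check are assumptions made for illustration.

```ruby
require "securerandom"
require "digest"
require "openssl"

# Hypothetical in-memory user record; a Rails model would hold the same fields.
User = Struct.new(:email, :pending_email, :token_digest, :token_expires_at)

TOKEN_TTL = 3600 # seconds a confirmation link stays valid (assumed value)
EMAIL_SHAPE = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/ # coarse shape check only

# Step 1: record the requested address without touching the login email.
# Returns the raw token that would be mailed to the NEW address, or nil.
def request_email_change(user, new_email, now: Time.now)
  candidate = new_email.to_s.strip.downcase
  return nil unless candidate.match?(EMAIL_SHAPE)
  return nil if candidate == user.email

  token = SecureRandom.urlsafe_base64(32)
  user.pending_email = candidate
  user.token_digest = Digest::SHA256.hexdigest(token) # store only the digest
  user.token_expires_at = now + TOKEN_TTL
  token
end

# Step 2: switch the login email only when the mailed token comes back in time.
def confirm_email_change(user, token, now: Time.now)
  return false if user.pending_email.nil? || now > user.token_expires_at

  presented = Digest::SHA256.hexdigest(token.to_s)
  # Both values are 64-character hex digests, so the lengths always match.
  return false unless OpenSSL.fixed_length_secure_compare(presented, user.token_digest)

  user.email = user.pending_email
  user.pending_email = user.token_digest = user.token_expires_at = nil
  true
end

# Password-reset mail always goes to the last confirmed address.
def reset_recipient(user)
  user.email
end
```

A mistyped or unreachable address never receives the token, so it never replaces the address that reset mail is sent to.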
Mohit Sindhwani
2006-Jul-04 17:10 UTC
[Rails] Re: Question about Salted Hash Login Generator
Robert Jones wrote:
> *snip*
> I would strongly advise you not to use salted hash login generator.
> It's a real pain, with all it's excessive syntactic sugar and
> localisation stuff. Acts_as authenticated is much cleaner, and there
> are several big acl/rbac things you can run on top of it - check out the
> rails wiki. I'm in the middle of cleaning all the s-h-l-g stuff out of
> my application.
>
> To answer your question, I think that allowing a use to change their
> email address would mean that they could put something invalid in it.
> If they then forget their password, they're stuffed!
>
> Robert Jones
>

Hi Robert,

The Agile Web Development book explains how to set up a salted hash password scheme for user access. It seemed like a simple and elegant enough solution for basic access control management. The main restriction (imho) was that a user cannot request his/her password to be mailed to him/her - the password must always be reset to a new password.

Other than that, what would be your reason to move away from it? To be honest, I haven't used the s-h-l-g itself, so I don't know what else it brings to the party. Also, I haven't had the time to look at acts_as_authenticated, but plan to do so soon..

Cheers
Mohit.
Robert Jones
2006-Jul-04 18:47 UTC
[Rails] Re: Re: Question about Salted Hash Login Generator
Mohit Sindhwani wrote:
> Robert Jones wrote:
>> If they then forget their password, they're stuffed!
>>
>> Robert Jones
>>
> Hi Robert,
>
> The Agile Web Development book explains how to set up a salted hash
> password scheme for user access. It seemed like a simple and elegant
> enough solution for basic access control management. The main
> restriction (imho) was that a user cannot request his/ her password to
> be mailed to him/ her - the password must always be reset to a new
> password.
>
> Other than that, what would be your reason to move away from it? To be
> honest, I haven't used the s-h-l-g itself, so I don't know what else it
> brings to the party. Also, I haven't had the time to look at
> acts_as_authenticated, but plan to do so soon..
>
> Cheers
> Mohit

What else it brings to the party is a load of (IMHO) pretty pointless helper functions that make the .rhtml files hard to read and localisation stuff that most people aren't going to use. Don't get me wrong - I'm very grateful that shlg existed, but I think acts_as authenticated is a nicer solution which builds on the great work that Tobias Luetke did initially. Essentially acts_as authenticated is a stripped down version of shlg [no doubt someone will put me right otherwise!].

Cheers,
Robert

--
Posted via http://www.ruby-forum.com/.
Ben Bleything
2006-Jul-04 20:21 UTC
[Rails] Re: Re: Question about Salted Hash Login Generator
On Tue, Jul 04, 2006, Robert Jones wrote:
> What else it brings to the party is a load of (IMHO) pretty pointless
> helper functions that make the .rhtml files hard to read and
> localisation stuff that most people aren't going to use. Don't get me
> wrong - I'm very grateful that shlg existed, but I think acts_as
> authenticated is a nicer solution which builds on the great work that
> Tobias Luetke did initially. Essentially acts_as authenticated is a
> stripped down version of shlg [no doubt someone will put me right
> otherwise!].

You're exactly right. The Login Generator came first and was pretty decent, then the SHLG, which was a good idea but the execution was lacking. Aside from the localization stuff that you mentioned (who knows who thought it would be a good idea to make *that* mandatory!) there were problems with the tests and other things.

Then came acts_as_authenticated, and for the most part everyone converted and never looked back.

The SHLG has some merits and is worth a look for learning purposes, but it's also pretty old (I believe I used it in 0.12 days?) and I don't think it's being updated anymore.

Ben