
[SOLVED] how to $_POST back to an object created by an object?


xtopolis


I am new to OOP:

 

Subject info:

I have 1 class that extends another (Client extends User), which handles user login/authentication (I will also have another class, Admin extends User).  Upon trying to log in, Client checks a database to see if their username exists; from there, if found, it checks if there is a column set requiring the user to change their password (before being allowed in).  If this is set, they will be presented with a form requiring their current password, new password, and confirm new password input(s).  [This form can only be accessed from trying to log in (checks a session var being set).]

Anyway, I can create this separately, but I want to make this "change password process" a class (so that I can use it for Client or Admin, which use different database tables).

 

Question:

My first inclination is to create a class called RCPW, and call it from inside Client, at the step where it determines the user needs to change their password.  And I would want to pass it an instance of User (either Client or Admin), such as:

<?php
$client = new Client();
...
//inside class User
if ($row['rcpw'] == 1){
$rcpw = new RCPW($client);
}
?>

 

And so from there, RCPW would take the User object's $this->username and hardset the form for trying to change the password, then output the form for the user to fill in...  But where/how would I post it back, so that RCPW could validate it (such as, curpass is correct, new pws match, not too many failed attempts have been tried on the form)?

 

Or am I going about this in the wrong way?  Please let me know if I need to clarify/post code/be clearer.

Link to comment
Share on other sites

Here is some code:

a form is posted from index.php -> login.php

(config.php holds a database object, $db)

 

login.php

<?php
  require 'engine/config.php';

  //if logout is set, set logout parameter
  if(isset($_GET['do']) && $_GET['do'] == 'logout'){
    $client = new Client($db,'USERS',SECRET,DOCROOT,true);
  }

    $client = new Client($db,'USERS',SECRET,DOCROOT);
?>

 

client.php

<?php
//Client class
class Client extends User {
  protected $table;
  protected $secret;
  public $redirect;
  public $db;

  function __construct($db,$table,$secret,$redirect,$logout=false)
  {
    parent::__construct($db,$secret);
      
      if($logout) { parent::logout(); die('Logging out.');}

    $this->table = $table;
    $this->redirect = $redirect;
    
    $this->login();
  }//__construct
}
?>

 

shortened user.php (relevant functions)

<?php
class User {
  protected $ip;//users ip
  protected $useragent;//browser info (for session integrity)
  public $session;//session instance
  protected $fails;//attempts on this page
  private $un;
  private $pw;
  public $db;
  private $secret;
  
  function __construct($db=false,$secret=false)
  {
    if($db) { $this->db = $db;}
    if($secret) { $this->secret = $secret;}
    $this->ip = $_SERVER['REMOTE_ADDR'];
    $this->useragent = $_SERVER['HTTP_USER_AGENT'];
    $this->session = new Session();//"&new" is deprecated in PHP 5 and a parse error in PHP 7+
  }

  //login() pulls user information from a database and eventually gets to
  // the change password? section, if it is set that the user must change their pw

  //check if account needs to change password
  private function checkRCPW($row)
  {
    switch($row['RCPW'])
    {
      case '1'://Require password change
          $rcpw = new RCPW($this);
        break;

      case '0'://password does not need to be changed, process login
          $this->validate();
        break;

      default://default, process login
        $this->validate();
        break;
    }
  }//checkRCPW
}//class User (shortened)
?>

 

I have not written the RCPW object yet because I'm not sure that this is going to work how I want it to:

From the case '1', the next step must be a form with fields similar to this... (locked to a username, current password check, new password, confirm new password)

<p>username: <?php echo htmlspecialchars($client->username, ENT_QUOTES, 'UTF-8'); ?></p>
<form action="??" method="post">
  Current pass<input type="password" name="curpw" /><br />
  New pw<input type="password" name="newpw1" /><br />
  confirm new pw<input type="password" name="newpw2" /><br />
</form>

 

So if I follow through and RCPW class outputs a form just like that on instantiation... what is my next step?  Do I PHP_SELF with the form (which would = login.php), and if so, how do I get back into the RCPW object for validation (cur pw is correct, new pws match, not too many failed attempts, etc)?  Or should I go about this in a different manner?  Hope that makes it a little clearer..

Link to comment
Share on other sites

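<?php

class RCPW {

    private $user;

    public function __construct($user) {
        $this->user = $user;
        $showForm = true; //stays true until a POST has been accepted
        if (!empty($_POST)) {
            //check input and what not, then either do or don't do your magic
            //(set $showForm = false once the password has been changed)
        }
        if ($showForm) {
            //show form
        }
    }

}
?>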

 

 

 

By the way, I wouldn't have stored each group in different tables.  Also, the RCPW constructor could very well be static if you wanted it to be.

Link to comment
Share on other sites
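Added example (not from any poster in this thread): one way to handle the post-back is to submit the form to login.php again and let a handler rebuild its state from the session on every request, so the username is never taken from the form. The function name `rcpw_handle`, the session keys, the `pwhash` column and `MAX_FAILS` are assumptions; the field names and the RCPW column are the thread's.

```php
<?php
// Added example: rcpw_handle, the session keys, 'pwhash' and MAX_FAILS are hypothetical names.
const MAX_FAILS = 5;

/**
 * Process one POST of the forced password change form.
 * $session stands in for $_SESSION, $row for the user's USERS row.
 * Returns 'changed', 'locked', or 'form' (redisplay the form).
 */
function rcpw_handle(array $post, array &$session, array &$row): string
{
    // Only reachable after the login step has set this session marker.
    if (empty($session['rcpw_user']) || $session['rcpw_user'] !== $row['username']) {
        return 'locked';
    }
    if (($session['rcpw_fails'] ?? 0) >= MAX_FAILS) {
        return 'locked';
    }
    // The post must carry the token that was issued with the form (CSRF check).
    $tokenOk = isset($post['token'], $session['rcpw_token'])
        && is_string($post['token'])
        && hash_equals($session['rcpw_token'], $post['token']);
    $cur  = $post['curpw']  ?? '';
    $new1 = $post['newpw1'] ?? '';
    $new2 = $post['newpw2'] ?? '';
    $ok = $tokenOk
        && is_string($cur) && is_string($new1) && is_string($new2)
        && password_verify($cur, $row['pwhash'])
        && $new1 !== '' && $new1 === $new2 && $new1 !== $cur;
    if (!$ok) {
        // Any failure counts as an attempt, whichever check failed.
        $session['rcpw_fails'] = ($session['rcpw_fails'] ?? 0) + 1;
        return 'form';
    }
    $row['pwhash'] = password_hash($new1, PASSWORD_DEFAULT);
    $row['RCPW'] = '0'; // flag cleared; the next login follows the normal path
    unset($session['rcpw_user'], $session['rcpw_token'], $session['rcpw_fails']);
    return 'changed';
}

// Constructed sample data standing in for the session and the database row.
$row = ['username' => 'alice', 'pwhash' => password_hash('old-secret', PASSWORD_DEFAULT), 'RCPW' => '1'];
$session = ['rcpw_user' => 'alice', 'rcpw_token' => bin2hex(random_bytes(16))];
$bad  = ['token' => 'x', 'curpw' => 'guess', 'newpw1' => 'a', 'newpw2' => 'a'];
$good = ['token' => $session['rcpw_token'], 'curpw' => 'old-secret',
         'newpw1' => 'n3w-secret', 'newpw2' => 'n3w-secret'];

var_dump(rcpw_handle($bad, $session, $row));
var_dump(rcpw_handle($good, $session, $row));
```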

Regarding my RCPW class, I think I see what you mean, and I think you're right, it'd be best to use it statically.  .. header to a different page or same page (login.php) with a $_GET set to run the RCPW object, etc.

---

 

Why would you not have stored them in different tables?

 

My logic was to keep the administrators separate from the users, but they will still share similar attributes (hence each being derived from the User class).  Are you suggesting rather I have a column set for 'admin' status, and proceed from there?  The way it was being run now, I could use the Client/Admin classes to authenticate similarly but use different hashes(SECRET constant is different) to keep the clients out of the admin section, and vice versa.  ..

 

My app in a nutshell:

->Client logs in, taken to domain.com/theirfolder/ where 'theirfolder' is unique, but accessible by different usernames [any users in the 'theirfolder' group].

->Admin logs in, taken to maybe /admin/ and is shown file/user management options.

 

Using one class previously (User), allowed users to be authenticated on admin pages... obviously not what I intended... so I extended User to two classes (Client,Admin), and they have their own login.php page instantiate either a Client or Admin, so they no longer share the same hash, nor object...

 

So, if I login through the same front end, with the admins and users in the same table, should I add a secondary permissions object that checks where they should be taken to/what they can be shown?

 

I'm now kinda confused.. Was I not seeing a big enough picture..., or is there a better way of doing things?

Link to comment
Share on other sites

You could do it as basic as a binary yes or no switch as to whether the user is an admin or not.  Or you could get complex with it and make an ACL-style system.

 

 

In the end, isn't an admin [in this context] just a user with different privs?  Just the way I would do it though.  I guess your way works just as well ;p.

Link to comment
Share on other sites
