fix: UserModel::save() can't update User's email/password

[kenjis]

Fixes #254
Fixes #253

• UserModel::save(), update() and insert() save Email Identity with Model Events
• fix UserModel::findByCredentials()
• fix RegisterController::registerAction()
• fix User::saveEmailIdentity()
• add ValidationException
• update docs/quickstart.md

[MGatner]

If this works then let's go with it but I still have plans to add the original method parameters to the event data in the framework, which would make this much easier.

[MGatner]

Sorry, I didn't mean to hit "approve" - I'm good with the approach but obviously will need to pass tests 😂

[datamweb]

Sorry, I didn't mean to hit "approve" - I'm good with the approach but obviously will need to pass tests 😂

@MGatner this PR is in position Draft. But you are in a hurry to improve Shield. This is great.

[kenjis]

I removed the approval.

[kenjis]

If this works then let's go with it but I still have plans to add the original method parameters to the event data in the framework, which would make this much easier.

The enhancement is good, but we need to wait for v4.3. So I think this PR is needed.

[kenjis]

Okay, I think this is ready for reviews.

[kenjis]

I think UserModel::save() should be renamed.

1. It is confusing only save() is overridden and can save email/password. insert()/update() does not work.
2. Can't change the method signature.

[MGatner]

@kenjis I agree. I think the ultimate solution is to modify CodeIgniter\BaseModel::update() (and probably insert()) to preserve the original $data parameter and pass that as an additional key into the beforeInsert and afterInsert methods. That would give Shield access to the User Entity without needing a separate database query and it wouldn't need to override any model methods.
Since that will require a new framework release I like your solution for the meantime... something like UserModel::saveWithIdentities(User $user) right?

[kenjis]

something like UserModel::saveWithIdentities(User $user) right?

Yes. I added a commit: 39aaf14

[lonnieezell]

Did we need to rename this for a specific reason? If so, or the team majority says we should then ok, but I'm in favor of keeping it as an override of Model::save.

I understand this is a more specific naming, but the whole purpose of the override was to make it as seamless as possible for the developer so they didn't have to think too much about it. This forces them to remember a new method for that single model, which is inconvenient and, as far as I can tell, unnecessary.

[lonnieezell]

Reading back through I see the discussion between you two so I'm overruled here. Just going on the record to say I disagree :)

[MGatner]

👹 Contention noted!

I think this does two good things for us:

1. It lets us still use save() without messing with identities.
2. It allows us to force the User type parameter which makes this method much easier to handle.

Also just to say it again: this should just be a temporary measure until we get better Model event parameters in place.

[kenjis]

I overrode save() again.

After all, if save() is going to be used in the future, it is better for users to use save() now.

It is confusing only save() can save Email Identity, but users do not need to use insert() or update().

[MGatner]

Alternative idea...

The whole reason we override this method is that afterInsert and afterUpdate receive the data as an array, not the original User entity, and that array is filtered by $allowedFields so the credentials are stripped. What if we override insert() and update() to store credentials in a new private property before calling parent::method() and then still use the after____ methods to handle the identities, just using the stored versions instead?

[kenjis]

Added UserModel::saveEmailIdentity() and the Model Events call it when afterInsert and afterUpdate.

[MGatner]

LGTM!

[manukieli]

I try de update the password to existent user and it not working, when the user try to login with new password he get this error message: "Please check your password."
I can update the username, the email, but the password not working to update.

[datamweb]

hi @manukieli,
Please see #280.

[kenjis]

I rewrote UserModel::save() (and update(), insert()) with the Model Events.
Review please.

[MGatner]

Thanks for taking a pass at this @kenjis! It didn't end up being quite as clean as I hoped but I still think it is a big improvement. I wish we had the allowEmpty() method, but what can you do 🤷‍♂️

One of the strengths to this approach is that we can support "normal" model operations instead of relying on special use cases with save(). To that end I think that we should still support array parameters, and just have the callback events skip identity updates whenever there is no $tempUser. I'm happy to hear an alternate opinion but I think that improves the transparency of these methods, which I believe was @lonnieezell's original intent.

[MGatner]

I think we should still support arrays, and the callback events would just ignore them.

[kenjis]

Frankly, I am not sure why it is necessary to accept arrays, but I implemented it that way to try it out.

[MGatner]

I know $tempUser is reset on each call but I would feel better if it were also reset after the identity update, unless there is some logical reason to keep it around.

Suggested change

	$user->saveEmailIdentity();
	return $data;
	}
	// Update
	$this->tempUser->saveEmailIdentity();
	$this->tempUser = $user;
	}
	// Update and reset
	$this->tempUser->saveEmailIdentity();
	$this->tempUser = null;

[kenjis]

Added $this->tempUser = null.

[MGatner]

This one has been a long road! Thanks for all your work on it @kenjis. I believe it's ready!

[kenjis]

@MGatner Thank you for the review!