Tags: laravel, laravel-5.1, cartalyst-sentinel

Query regarding using Sentinel with Laravel and the $fillable array


I'm using Cartalyst Sentinel for the user authentication within Laravel. I've created my form to add a new user. For some strange reason the password does not come through Sentinel::register() unless I put the password field into the $fillable array in the User class model. This is a potential security issue. How can I get around this? There must be something I am missing when creating a new user with Sentinel (and the Sentinel documents are very light on useful info).

Just a quick rundown of what I'm doing code-wise. I have my array filled with the fields that are required to create a user. This array is passed into Sentinel::register(). It all seems to go through fine, but when I go to look in the database, the password field is blank.

$newUser = array(
    '_token' => Input::get('_token'),
    'email' => Input::get('email'),
    'password' => Input::get('password'),
    'first_name' => Input::get('first_name'),
    'middle_name' => Input::get('middle_name'),
    'last_name' => Input::get('last_name'),
);

$user = Sentinel::register($newUser);

Just a side note: unfortunately I cannot switch the authentication system. I need to use Sentinel.


Solution

  • Just another way of doing almost the same as Jeff's answer. This should work based on the Sentinel code, though I have not used Sentinel. Test before deploying.

    $newUser = array(
        '_token' => Input::get('_token'),
        'email' => Input::get('email'),
        'password' => Input::get('password'),
        'first_name' => Input::get('first_name'),
        'middle_name' => Input::get('middle_name'),
        'last_name' => Input::get('last_name'),
    );
    
    // The callback receives the user model after Sentinel has filled it.
    // Assigning the attribute directly does not go through Eloquent's
    // $fillable check, so the hashed password survives even when
    // 'password' is not in $fillable.
    Sentinel::register($newUser, function($user) use ($newUser) {
        try {
            return $user->password = \Hash::make($newUser['password']);
        } catch(\RuntimeException $e) {
            // Fully qualified: inside a namespaced controller an unqualified
            // RuntimeException would resolve to the wrong namespace and never match.
            return false;
        }
    });
    

    The callback runs after the fill method, so it should bypass the $fillable restriction, and you can remove password from $fillable if your design requires that.
    If false is returned in the callback, then the user will not be created.
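The mechanism behind the question and the answer, as an added example that is not code from the original post or from Cartalyst Sentinel: a small stand-in class mimics Eloquent's $fillable guard (keep whitelisted keys, silently drop the rest) and a registerLike() function stands in for Sentinel::register(), which hashes the password, fills the model, runs the optional callback and aborts on false. GuardedUser, registerLike and the posted form data are all constructed here; Sentinel and Laravel are not loaded, and password_hash() replaces Sentinel's hasher. The constructed input also carries an is_admin key that a signup form would never send but an attacker can add to the POST body, which is what $fillable actually protects against when an array is built from Input::all() rather than from an explicit key list as in the question.

```php
<?php
// Added example: models Eloquent's mass-assignment guard and Sentinel's
// register() flow with stand-in code so it runs offline without Laravel.

class GuardedUser
{
    // Assumption: password is deliberately NOT whitelisted, as the question wants.
    protected $fillable = ['email', 'first_name', 'middle_name', 'last_name'];
    public $attributes = [];

    // Mass assignment: only whitelisted keys survive; everything else is dropped
    // silently, exactly like Eloquent's fill() when $fillable is non-empty.
    public function fill(array $input)
    {
        foreach ($input as $key => $value) {
            if (in_array($key, $this->fillable, true)) {
                $this->attributes[$key] = $value;
            }
        }
        return $this;
    }

    // Direct property assignment bypasses the whitelist; this is what the
    // register() callback in the answer relies on.
    public function __set($key, $value)
    {
        $this->attributes[$key] = $value;
    }
}

// Stand-in for Sentinel::register($credentials, $callback): hash the password,
// fill the model, run the callback, abort if it returns false, else "save".
function registerLike(array $credentials, callable $callback = null)
{
    $user = new GuardedUser();

    if (isset($credentials['password'])) {
        // Sentinel hashes before filling, so the hash itself goes through fill()
        // and is dropped when 'password' is not in $fillable.
        $credentials['password'] = password_hash($credentials['password'], PASSWORD_BCRYPT);
    }
    $user->fill($credentials);

    if ($callback !== null && $callback($user) === false) {
        return null; // user not created
    }
    return $user; // a real repository would now call $user->save()
}

// Constructed request data: the signup fields plus an attacker-added key.
$posted = [
    '_token'      => 'csrf-token-value',
    'email'       => 'alice@example.com',
    'password'    => 'correct horse battery staple',
    'first_name'  => 'Alice',
    'middle_name' => '',
    'last_name'   => 'Smith',
    'is_admin'    => 1,
];

// 1. No callback: the password hash is dropped by the whitelist (the blank
//    column from the question); the smuggled is_admin key is dropped as well.
$u1 = registerLike($posted);
printf("without callback, password stored: %s\n", var_export(isset($u1->attributes['password']), true));
printf("without callback, is_admin stored:  %s\n", var_export(isset($u1->attributes['is_admin']), true));

// 2. The answer's callback: set the hash directly so it survives while
//    'password' stays out of $fillable.
$u2 = registerLike($posted, function ($user) use ($posted) {
    return $user->password = password_hash($posted['password'], PASSWORD_BCRYPT);
});
printf("with callback, hash verifies:       %s\n",
    var_export(password_verify($posted['password'], $u2->attributes['password']), true));

// 3. Returning false from the callback aborts creation.
$u3 = registerLike($posted, function ($user) { return false; });
printf("callback returned false, user created: %s\n", var_export($u3 !== null, true));
```

Run it with `php example.php`. The first case reproduces the blank password, the second shows the answer's fix working without widening $fillable, and the third shows the abort path. The is_admin line is the part worth keeping in mind: with an explicit key list as in the question, nothing user-controlled reaches fill() except the listed fields, so listing password in $fillable is not itself the exposure; passing Input::all() would be.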