Application Security: Model Object

The AppUserFactory model object plays a simple but crucial role in application security: the ApplicationSecurityDelegate passes credentials from the Login form to the AppUserFactory to retrieve the associated user record. If such retrieval is impossible, then the AppUserFactory returns nothing. If successful, an AppUser object is returned.

Listing: rsrc/model/application/AppUserFactory.php

class AppUserFactory extends DefaultAppUserFactory
   static function authenticatedUser($data = null)
      // If no credentials provided, authentication fails
      if (! $data) return false;

      // If no password provided, authentication fails
      if (! isset($data['password']) or ! $data['password']) return false;

      // Retrieve an AppUser object using the credentials
      $email = strtolower($data['email']);
      $login = AppUserFactory::retrieveAppUser($email, 'lower(email)');

      // If no AppUser object could be created, authentication fails
      if (! $login) return false;

      // If the password does not match, authentication fails
      if ($login->password != md5($data['password'])) return false;

      // Return the authenticated user
      return $login;