protected method

After an authentication query against the configured model class has occurred, this method iterates over the configured validators and checks each one by passing the submitted form value as the first parameter, and the corresponding database value as the second. The validator then returns a boolean to indicate success. If the validator fails, it will cause the entire authentication operation to fail. Note that any filters applied to a form field will affect the data passed to the validator.


  • object $user

    The user object returned from the database. This object must support a data() method, which returns the object's array representation, and also returns individual field values by name.

  • array $data

    The form data submitted in the request and passed to Form::check().



Returns an array of authenticated user data on success, otherwise false if any of the configured validators fails. See 'validators' in the $config parameter of __construct().


	protected function _validate($user, array $data) {
		foreach ($this->_validators as $field => $validator) {
			if (!isset($this->_fields[$field]) || $field === 0) {

			if (!is_callable($validator)) {
				$message = "Authentication validator for `{$field}` is not callable.";
				throw new UnexpectedValueException($message);

			$field = $this->_fields[$field];
			$value = isset($data[$field]) ? $data[$field] : null;

			if (!call_user_func($validator, $value, $user->data($field))) {
				return false;
		$user = $user->data();

		if (!isset($this->_validators[0])) {
			return $user;
		if (!is_callable($this->_validators[0])) {
			throw new UnexpectedValueException("Authentication validator is not callable.");
		return call_user_func($this->_validators[0], $data, $user) ? $user : false;