Page 2 of 4

Re: [DEV] Failed logins

Posted: Sun Jan 04, 2015 10:02 pm
by Webwatcher_eu
tas2580 wrote:Yes as admin you can login as a user, but you can't see his password. Maybe some users use the same password on different websites and then it would be not good if you see there password in the log.
Yes, your are right this is a securtiy issue - i did not think about this because i never use same password for different sites :shock:

Re: [DEV] Failed logins

Posted: Sun Jan 04, 2015 10:05 pm
by Webwatcher_eu
david63 wrote:How can an admin log in as a user?
Select User and click on [ Test out user’s permissions ]

Re: [DEV] Failed logins

Posted: Sun Jan 04, 2015 10:08 pm
by david63
Webwatcher_eu wrote:
david63 wrote:How can an admin log in as a user?
Select User and click on [ Test out user’s permissions ]
That is not the same as logging in as a user as you do not have access to things such as the user's PMs

Re: [DEV] Failed logins

Posted: Mon Jan 05, 2015 7:41 am
by draky
Admin can change user's password in user admin in ACP I think.

Re: [DEV] Failed logins

Posted: Mon Jan 05, 2015 7:47 am
by david63
draky wrote:Admin can change user's password in user admin in ACP I think.
Yes they can, but unless you knew the old one you would not be able to change it back and if you did know the old one then there would be no need to change it.

The point I am making is that an Admin cannot just sin in as a another user and behave as that user - by assigning permissions all you are doing is being able to see what the user can/cannot do/see, but with some limitations.

Re: [DEV] Failed logins

Posted: Mon Jan 05, 2015 10:47 am
by Holger
Great extension! Thank you!

Swedish translation

Re: [DEV] Failed logins

Posted: Tue Jan 06, 2015 4:48 am
by tas2580
As Admin you can do nearly everything with a user. You can change his settings, you can write posts and change the author to any user and you can read his PM in the database. That's all no problem, ok maybe the think with the PM is a little problem. But you can never see his password in clean form because phpBB never store the password in clean form.
And that is the important point, you can do what you want with your users in your forum. But if you would know the password of an user, you could use it in other websites. So I think its a bad idea to store the passwords in this extension. Even if you will get wrong passwords because you will only get passwords from failed logins you can guess or try what is the right password.

@Holger
Thanks, I will add it with the next update.

Re: [DEV] Failed logins

Posted: Thu Jan 15, 2015 10:42 pm
by kasimi
Thanks for the ext, nice idea! Can I suggest to slightly improve the logging?

I changed the language constant to 'TRY_TO_LOGIN_FAIL' => '<strong>Failed login</strong><br />» Username: %s',

This is how a log message is added:

Code: Select all

$phpbb_log->add('user', ANONYMOUS, $user_ip, 'TRY_TO_LOGIN_FAIL', time(), array(
	'reportee_id'	=> ANONYMOUS,
	'username'		=> $username,
));
This also has the advantage that the username is searchable.

Another idea would be to link the log message to the actual user instead of ANONYMOUS, provided an existing username was entered.

Re: [DEV] Failed logins

Posted: Thu Jan 15, 2015 11:29 pm
by tas2580
Thanks kasimi,
I think I will add this in the next version :D

Re: [DEV] Failed logins

Posted: Mon Jan 19, 2015 6:45 am
by 2600
Will wait for the next version to try this ext out.

Re: [DEV] Failed logins

Posted: Wed Jan 21, 2015 6:53 pm
by tas2580
Updated to 0.1.2

Re: [DEV] Failed logins

Posted: Wed Feb 04, 2015 6:06 pm
by tas2580
Adaptation to phpBB 3.1.3

Re: [DEV] Failed logins

Posted: Sun Jun 07, 2015 4:08 pm
by 2600
How do you only allow an administrator to see the red message on the index saying there has been a failed login?

Re: [DEV] Failed logins

Posted: Tue Jun 09, 2015 1:18 am
by tas2580
In styles/all/template/event/overall_header_content_before.html replace with

Code: Select all

<!-- IF U_ACP -->
<!-- IF FAILED_LOGINS -->
<div id="information" class="rules">
	<div class="inner">{FAILED_LOGINS}</div>
</div>
<!-- ENDIF -->
<!-- ENDIF -->

Re: [DEV] Failed logins

Posted: Tue Jun 09, 2015 6:47 am
by 2600
Will try this thanks!