BUG: Changing Auth type breaks UCP change email or username

Magimedia
Registered User
Posts: 52
Joined: Tue Jul 19, 2005 8:46 pm


Post by Magimedia » Wed May 02, 2012 9:47 pm

I've written my own AUTH plugin to connect to our bespoke database system - all seems fine logging in etc.

In the UCP there's an option to change email address, and the username, which users may want to do. In order to do this, they have to enter their current password, however this does not call anything in the Auth plugin selected, and instead acts on the phpBB database, regardless of whether the auth is set to use an external system. As a result, it always fails, saying the current password was incorrect. If the auth type is set to use an external database, this check should surely require a function in the auth plugin to validate the password?

How should I proceed to ensure any changes I make will not revoke my ability to update to 3.0.11 etc. when released?


I've identified this section which I believe to be the cause within the file includes\ucp\ucp_profile.php

					if (!phpbb_check_hash($data['cur_password'], $user->data['user_password']))
					{
						$error[] = ($data['cur_password']) ? 'CUR_PASSWORD_ERROR' : 'CUR_PASSWORD_EMPTY';
					}

I am of the opinion it should be more along the lines of (please excuse pseudocode)...

					if (AUTHORISATION TYPE == PHP DATABASE) {
						if (!phpbb_check_hash($data['cur_password'], $user->data['user_password']))
						{
							$error[] = ($data['cur_password']) ? 'CUR_PASSWORD_ERROR' : 'CUR_PASSWORD_EMPTY';
						}
					} else {
						if (! EXTERNAL AUTH auth_checkpassword($cur_password))
						{
							$error[] = ($data['cur_password']) ? 'CUR_PASSWORD_ERROR' : 'CUR_PASSWORD_EMPTY';
						}
					}

I'm unsure what variables I need to pop into my pseudocode in order to make the required change.

Can anybody offer some guidance? Thanks

AmigoJack
Registered User
Posts: 5616
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: BUG: Changing Auth type breaks UCP change email or usern

Post by AmigoJack » Fri May 04, 2012 5:12 pm

The auth files were never meant to cover password changes (wiki). I created an improvement suggestion ticket.
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.


Re: BUG: Changing Auth type breaks UCP change email or usern

Post by Magimedia » Fri May 04, 2012 7:12 pm

Thanks, but it's not a password change that is the issue. The issue is if you use an external auth plugin, you can't change your email or username, because to do that you have to enter your current password, and that ignores the fact you're using an auth plugin.


Re: BUG: Changing Auth type breaks UCP change email or usern

Post by AmigoJack » Fri May 04, 2012 7:41 pm

As far as I know, you can only use one authentication method (not multiple ones in parallel). What keeps you from updating the user password table's value with the result of phpbb_hash( 'password' ) so no problem arises anywhere?


Re: BUG: Changing Auth type breaks UCP change email or usern

Post by Magimedia » Sat May 05, 2012 5:08 pm

A lot of things do.

Firstly, the originating application is not a PHP script, but an executable, run natively on the server. That deals with the web application to which the phpBB board sits alongside.

I've written a PHP script that interfaces between phpBB's AUTH plugin methods, and the executable, to verify passwords, but there is no facility within the executable to call outside functions when passwords are changed. The passwords in the executable's database are also one-way hash values themselves, and there are over 200 users who currently have passwords. Surely the point of the AUTH plugin is that you don't need to then run two authorisation systems side-by-side.

The executable does not use email addresses in its own database, and phpBB does not seem to have any facility to tie in two databases in that way, so the email addresses have to stay within phpBB's users table.

Users of the phpBB system need to be able to change their email address. When they go into the UCP to do this, they must enter their password, but phpBB does not then use the AUTH plugin. If you are using a separate AUTH plugin, your authentication should always be referred to that AUTH plugin from any point in the system, not sometimes by reverting back to phpBB's own internal DB method, which by its very nature, will be out of date and not used when you log in.

What the current version of phpBB is doing is claiming you can use a separate AUTH plugin, but only using it during login and not when AUTH is required in other parts of the system, effectively disabling them.

You end up with this:
LOGIN ---> Referred to the AUTH plugin you selected
LOGOUT ---> Referred to the AUTH plugin you selected
CHANGE USERNAME ---> Fixed to phpBB DB method
CHANGE EMAIL ---> Fixed to phpBB DB method
CHANGE PASSWORD ---> Fixed to phpBB DB method

If you're using an AUTH plugin, then this is what SHOULD happen:
LOGIN ---> Referred to the AUTH plugin you selected
LOGOUT ---> Referred to the AUTH plugin you selected
CHANGE USERNAME ---> Referred to the AUTH plugin you selected for password verification, change username in phpBB and also notify auth plugin
CHANGE EMAIL ---> Referred to the AUTH plugin you selected for password verification, change email in phpBB and also notify auth plugin
CHANGE PASSWORD ---> Referred to the AUTH plugin you selected for password verification, change password also sent to auth plugin


AmigoJack wrote: As far as I know, you can only use one authentication method (not multiple ones in parallel).
Unfortunately you can't use just one authentication method, because when you select anything other than phpDB, you're actually forced to use two, and of course that then ceases to work properly.
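
The routing described in the post above (and sketched in pseudocode in the first post), as an added example that is not part of the original thread and is not phpBB code: the current-password check before an email or username change is sent to whichever backend handles login, and it fails closed instead of falling back to the stale local hash. All function names, the `'db'` / `'external'` method keys and the sample data are hypothetical; `password_hash()` / `password_verify()` stand in for phpBB's own hashing.

```php
<?php
// Added example: every name here is hypothetical, not a phpBB function.

// Stand-in for the local check the UCP performs (phpbb_check_hash on user_password).
function check_local_db(string $username, string $password, array $user): bool
{
    return password_verify($password, $user['user_password']);
}

// Stand-in for a custom plugin that asks the external system.
function check_external(string $username, string $password, array $user): bool
{
    // Constructed sample store; a real plugin would query the external application.
    $external = ['alice' => password_hash('ext-secret', PASSWORD_DEFAULT)];
    return isset($external[$username])
        && password_verify($password, $external[$username]);
}

// Re-authenticate against the same backend that handles login.
// Returns null on success, otherwise the error key used by the UCP form.
function reauth_error(string $authMethod, array $user, string $curPassword): ?string
{
    if ($curPassword === '') {
        return 'CUR_PASSWORD_EMPTY';
    }
    $verifiers = ['db' => 'check_local_db', 'external' => 'check_external'];
    // Fail closed: an unknown method must not fall back to the local hash,
    // which goes stale once logins are handled elsewhere.
    if (!isset($verifiers[$authMethod])) {
        return 'CUR_PASSWORD_ERROR';
    }
    $ok = $verifiers[$authMethod]($user['username'], $curPassword, $user);
    return $ok ? null : 'CUR_PASSWORD_ERROR';
}

// Constructed user row: the local hash still holds an old password.
$user = [
    'username'      => 'alice',
    'user_password' => password_hash('old-local', PASSWORD_DEFAULT),
];

var_dump(reauth_error('external', $user, 'ext-secret')); // external method, external password
var_dump(reauth_error('external', $user, 'old-local'));  // external method, stale local password
var_dump(reauth_error('db', $user, 'ext-secret'));       // local method, external password
var_dump(reauth_error('ldap', $user, 'ext-secret'));     // method with no registered verifier
```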


Re: BUG: Changing Auth type breaks UCP change email or usern

Post by AmigoJack » Sat May 05, 2012 6:17 pm

Very detailed. Unfortunately I never had those problems, otherwise I could help you more here. However, I highly encourage you to comment on the ticket I've created - your account credentials for the tracker are the same as for this board. The more details (and solutions) you provide, the higher the chances are that others see the problems as well and extend phpBB's functionality.
