[CDB] Failed logins

A place for Extension Authors to post and receive feedback on Extensions still in development. No Extensions within this forum should be used within a live environment!

Webwatcher_eu
Registered User
Posts: 102
Joined: Tue Nov 25, 2014 10:59 am

Re: [DEV] Failed logins

Post by Webwatcher_eu »

tas2580 wrote: Yes as admin you can log in as a user, but you can't see his password. Maybe some users use the same password on different websites and then it would be not good if you see their password in the log.
Yes, you are right, this is a security issue - I did not think about this because I never use the same password for different sites :shock:
Webwatcher_eu
Registered User
Posts: 102
Joined: Tue Nov 25, 2014 10:59 am

Re: [DEV] Failed logins

Post by Webwatcher_eu »

david63 wrote:How can an admin log in as a user?
Select User and click on [ Test out user’s permissions ]
david63
Registered User
Posts: 18437
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK

Re: [DEV] Failed logins

Post by david63 »

Webwatcher_eu wrote:
david63 wrote:How can an admin log in as a user?
Select User and click on [ Test out user’s permissions ]
That is not the same as logging in as a user as you do not have access to things such as the user's PMs
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored
draky
Registered User
Posts: 250
Joined: Tue Dec 10, 2002 2:04 pm
Location: France
Name: Gilles W.

Re: [DEV] Failed logins

Post by draky »

Admin can change user's password in user admin in ACP I think.
david63
Registered User
Posts: 18437
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK

Re: [DEV] Failed logins

Post by david63 »

draky wrote:Admin can change user's password in user admin in ACP I think.
Yes they can, but unless you knew the old one you would not be able to change it back and if you did know the old one then there would be no need to change it.

The point I am making is that an Admin cannot just sign in as another user and behave as that user - by assigning permissions all you are doing is being able to see what the user can/cannot do/see, but with some limitations.
Holger
Registered User
Posts: 1838
Joined: Tue Mar 12, 2002 3:54 pm
Location: Hannover

Re: [DEV] Failed logins

Post by Holger »

Great extension! Thank you!

Swedish translation
tas2580
Registered User
Posts: 295
Joined: Wed May 30, 2007 1:56 am
Location: Stuttgart, Germany

Re: [DEV] Failed logins

Post by tas2580 »

As Admin you can do nearly everything with a user. You can change his settings, you can write posts and change the author to any user and you can read his PM in the database. That's all no problem, ok maybe the thing with the PM is a little problem. But you can never see his password in clean form because phpBB never stores the password in clean form.
And that is the important point, you can do what you want with your users in your forum. But if you would know the password of a user, you could use it in other websites. So I think it's a bad idea to store the passwords in this extension. Even if you will get wrong passwords because you will only get passwords from failed logins you can guess or try what is the right password.

@Holger
Thanks, I will add it with the next update.
kasimi
Extension Customisations
Posts: 4577
Joined: Sat Sep 10, 2011 7:12 pm
Location: Germany

Re: [DEV] Failed logins

Post by kasimi »

Thanks for the ext, nice idea! Can I suggest to slightly improve the logging?

I changed the language constant to 'TRY_TO_LOGIN_FAIL' => '<strong>Failed login</strong><br />» Username: %s',

This is how a log message is added:

Code:

$phpbb_log->add('user', ANONYMOUS, $user_ip, 'TRY_TO_LOGIN_FAIL', time(), array(
	'reportee_id'	=> ANONYMOUS,
	'username'		=> $username,
));
This also has the advantage that the username is searchable.

Another idea would be to link the log message to the actual user instead of ANONYMOUS, provided an existing username was entered.
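
The two suggestions in this thread, as an added example that is not part of any post, the extension or phpBB: the failed-login record copies fields by name so the submitted password is never stored, and it is linked to the real account when the entered username exists. Assumptions: the function names, the `$users` lookup array, `ANON_ID` and the sample values are hypothetical, and the username is taken to arrive unescaped; only the language string comes from kasimi's post.

```php
<?php
// Added example, not phpBB or extension code; all names are hypothetical.

const ANON_ID = 1; // stand-in for the guest account id (assumption)

/**
 * Build the log record for one failed login from the submitted form.
 * Fields are copied by name, so the password is never read, and the
 * entry is tied to the real account when the username exists.
 */
function failed_login_entry(array $form, string $ip, array $users, int $now): array
{
    $username = trim((string) ($form['username'] ?? ''));
    // Drop control characters so the value cannot break the log layout.
    $username = preg_replace('/[\x00-\x1F\x7F]/', '', $username);
    $username = substr($username, 0, 255);

    return [
        'operation'   => 'TRY_TO_LOGIN_FAIL',
        'time'        => $now,
        'ip'          => $ip,
        'reportee_id' => $users[strtolower($username)] ?? ANON_ID,
        'username'    => $username,
    ];
}

/** Render the entry with the language string quoted in the post above. */
function render_entry(array $entry): string
{
    $format = '<strong>Failed login</strong><br />» Username: %s';
    // The format is HTML, so the stored username is escaped on output.
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return sprintf($format, htmlspecialchars($entry['username'], $flags, 'UTF-8'));
}

// Constructed sample: one known account and a login with a wrong password.
$users = ['alice' => 42];
$form  = ['username' => 'Alice', 'password' => 'Summer2014', 'autologin' => 'on'];
$entry = failed_login_entry($form, '192.0.2.10', $users, 1417000000);

// The submitted password must not appear anywhere in the stored record.
if (in_array($form['password'], $entry, true)) {
    throw new RuntimeException('password leaked into the log entry');
}
echo json_encode($entry), "\n", render_entry($entry), "\n";
```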
tas2580
Registered User
Posts: 295
Joined: Wed May 30, 2007 1:56 am
Location: Stuttgart, Germany

Re: [DEV] Failed logins

Post by tas2580 »

Thanks kasimi,
I think I will add this in the next version :D
2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Re: [DEV] Failed logins

Post by 2600 »

Will wait for the next version to try this ext out.
Morpheus: Unfortunately, no one can be told what The Matrix is. You'll have to see it for yourself.
Hack me.
Consider a canary token.
The nature of my chosen username
:ugeek:
tas2580
Registered User
Posts: 295
Joined: Wed May 30, 2007 1:56 am
Location: Stuttgart, Germany

Re: [DEV] Failed logins

Post by tas2580 »

Updated to 0.1.2
tas2580
Registered User
Posts: 295
Joined: Wed May 30, 2007 1:56 am
Location: Stuttgart, Germany

Re: [DEV] Failed logins

Post by tas2580 »

Adaptation to phpBB 3.1.3
2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Re: [DEV] Failed logins

Post by 2600 »

How do you only allow an administrator to see the red message on the index saying there has been a failed login?
tas2580
Registered User
Posts: 295
Joined: Wed May 30, 2007 1:56 am
Location: Stuttgart, Germany

Re: [DEV] Failed logins

Post by tas2580 »

In styles/all/template/event/overall_header_content_before.html replace with

Code:

<!-- IF U_ACP -->
<!-- IF FAILED_LOGINS -->
<div id="information" class="rules">
	<div class="inner">{FAILED_LOGINS}</div>
</div>
<!-- ENDIF -->
<!-- ENDIF -->
2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Re: [DEV] Failed logins

Post by 2600 »

Will try this thanks!