Lost Password Recovery WITHOUT username

Wingnut
Joomla! Apprentice
Posts: 5
Joined: Thu Nov 03, 2005 9:00 pm

Re: Lost Password Recovery WITHOUT username

Post by Wingnut » Wed Aug 09, 2006 2:22 pm

I'll apologise for this simple question in advance, but I'm pretty new to this....
I have managed to remove the Username box using the hack (thanks japh). However, the text still says "Please enter your Username and e-mail address...". How do I edit this text? Which file is this text in? I've tried to search for it but it can't find it.

Any help would be appreciated.

gypsydogg
Joomla! Apprentice
Posts: 21
Joined: Fri Jun 16, 2006 12:12 am

Re: Lost Password Recovery WITHOUT username

Post by gypsydogg » Wed Aug 09, 2006 4:38 pm

Are you using community builder?
Signature rules: Literal URLs only - http://forum.joomla.org/viewtopic.php?f=8&t=65

Wingnut
Joomla! Apprentice
Posts: 5
Joined: Thu Nov 03, 2005 9:00 pm

Re: Lost Password Recovery WITHOUT username

Post by Wingnut » Wed Aug 09, 2006 5:38 pm

Yes, although with a little bit more digging I realised that all the text is held in 'english.php' (you learn something new every day!) so I edited it from there. Thanks.

Alfredo Tester
Joomla! Enthusiast
Posts: 103
Joined: Thu Jun 29, 2006 7:31 pm

Re: Lost Password Recovery WITHOUT username

Post by Alfredo Tester » Thu Aug 10, 2006 2:09 am

Thanks for this great hack.  It is great.  We have a bunch of people on our site that aren't very computer savvy.  I'm thinking this will help alleviate some of the efforts required in dealing with people that can't remember their username.  Thank you so much.

Wingnut, no need to apologize.  Your simple little question made me realize that the instructions still mentioned that they had to enter their username.  Thanks.

HulaQueen
Joomla! Apprentice
Posts: 17
Joined: Tue Jun 20, 2006 9:02 am

Re: Lost Password Recovery WITHOUT username

Post by HulaQueen » Tue Sep 12, 2006 3:23 am

Is this fix still working with the new versions of Joomla, SMF and the bridge? Would love to know!

Thanks

ordep zerep
Joomla! Intern
Posts: 66
Joined: Mon Feb 06, 2006 4:24 pm

Re: Lost Password Recovery WITHOUT username

Post by ordep zerep » Mon Nov 27, 2006 5:41 pm

Hi, this is a great hack, I've been looking for it since a couple of weeks ago.

Since I'm a newbie to programming with PHP, I'd like to specifically ask what part of the registration.php code needs to be removed so I don't get the "Sorry, no corresponding user was found" message. I already tried some things without any success. Someone said before something about removing the SQL query for username in registration.php. Can someone highlight that piece of code please?

Thank you

Asphyx
Joomla! Hero
Posts: 2454
Joined: Sun Aug 28, 2005 5:03 pm

Re: Lost Password Recovery WITHOUT username

Post by Asphyx » Mon Nov 27, 2006 7:30 pm

How could this be wrong.
Well it is generally bad practice to send a username AND a password in the same email...But then again it is also generally a bad practice to send any security information via email since it is unencrypted and can be intercepted by a packet sniffer. Which is why a partial send of info is preferred...Even if they have the password unless they know the username that goes with it the password is useless...
By the same token by requiring the username it thwarts any hack attempts from an exposed computer...

IE: In an open environment, someone goes to your computer, looks up your email account (or knows it already), and makes a lost PW request...They have the password but still have to hack the username out before it does any good...

By sending them every bit of info they need you are giving them the keys to the entire account...now they can get any saved CC info or other personal data enough for an identity theft! Delete the incoming email and the owner may never know!
A reset with code that does not allow you to reset to the old password would be one way of allowing the sending of data as it would at least alert the owner that something happened to their account!

RE: the question of why hasn't this been done yet?
My best guess is that they are planning to redesign the entire ACL system to allow multi level and fine grained user control. It may have been determined "lets not try to add to the old code that will soon be discarded" and instead work on the more expansive system and registration routines it will require and replace the old legacy user system in one shot...

J! 1.5's focus was redesigning the framework these subsystems work in. So the subsystems themselves were in some cases put on the shelf and only tweaked to work in the new framework for backward compatibility purposes. Once the Beta is final I would expect a lot of changes to the nagging problems people have wanted fixed in the subsystems and in some cases entirely new functionality and improvement in those areas!

They basically cleaned house on the framework code...Once that job is complete they can get back to how they decorate it with improved features!


I applaud the user who decided to make their own solution to the problem though...
That is the true spirit of Open Source! It is initiative like that which helps open source projects grow!
Last edited by Asphyx on Mon Nov 27, 2006 7:32 pm, edited 1 time in total.

Alfredo Tester
Joomla! Enthusiast
Posts: 103
Joined: Thu Jun 29, 2006 7:31 pm

Re: Lost Password Recovery WITHOUT username

Post by Alfredo Tester » Wed Dec 20, 2006 1:13 am

I had this working on our site before.  It was such a nice hack.  We have community builder and I modified the comprofiler.html file and such as described in this thread.  Have upgraded to 1.02 community builder and the hack is no longer working.  I have noticed that the files are showing registration.php and it seems like 1.02 got rid of the comprofiler files.  Has anyone gotten this to work?  1.0.11 joomla and 1.02 community builder.

After looking at this some more I found the comprofiler files in another folder.  Tried to hack those like I did before but I get this error message once I try it out.

Parse error: syntax error, unexpected T_STRING in /home/inwardtr/public_html/testingshs/components/com_comprofiler/comprofiler.html.php on line 1

so still stuck and wondering what I'm missing.  Any help is greatly appreciated. 
Last edited by Alfredo Tester on Wed Dec 20, 2006 1:42 am, edited 1 time in total.

Alfredo Tester
Joomla! Enthusiast
Posts: 103
Joined: Thu Jun 29, 2006 7:31 pm

Re: Lost Password Recovery WITHOUT username

Post by Alfredo Tester » Wed Dec 20, 2006 2:25 am

Never mind.  Seems like I was commenting out some lines wrong.  It's working great again.  This is such a nice hack.  Thanks so much.

guilliam
Joomla! Virtuoso
Posts: 4181
Joined: Thu Aug 18, 2005 10:27 am
Location: Sunny City Cebu, Philippines!

Re: Lost Password Recovery WITHOUT username

Post by guilliam » Sat Jan 13, 2007 5:58 am

This is a good one, should be included as a feature to turn on or off in the core Joomla. Keep it up!

- g
"I was one of those who wondered why people would pay so much $$$$ to do something that was so much fun!" -R. Harkrider, Fortran Code Engr.

http://www.joomlaconsultancy.net

costa man
Joomla! Apprentice
Posts: 42
Joined: Tue Aug 23, 2005 4:24 pm
Location: Spain

Re: Lost Password Recovery WITHOUT username

Post by costa man » Wed Jan 31, 2007 8:29 pm

Nice hack -  I had exactly the same situation with an e.commerce store using virtuemart.  BTW the virtuemart login has a redirect to the login component and so these changes are also reflected in the virtuemart lost password routine.

I wonder however about the security issues that this presents - you go to someone else's computer in your office, ask for the password and bingo you get the user name and the password all in one go.

Obviously you then need to go to PayPal or some other payment gateway and they will ask for a password/user name/email but we all know that many people don't change their password / user name. Thus the seasoned thief has an easier way forward for social engineering.

Anyone have any solutions to this?  Should we post an additional warning telling people to eat their email on sites with this hack?  Or am I just being paranoid? :-\

GarlicBred
Joomla! Intern
Posts: 86
Joined: Fri Dec 22, 2006 2:56 am
Location: Adelaide, Australia

Re: Lost Password Recovery WITHOUT username

Post by GarlicBred » Sun Feb 25, 2007 1:14 am

Hi I tried the solution by japh, but I got a windows pop-up error:
"JSMF CB Plugin error:: Failed to update password to SMF:: Table 'buddh_joom1.members' doesnt exits SQL=UPDATE members SET passwd = '89e9a36.... etc

I'm using:
Joom  1.0.12
SMF 1.1.1
Joomla-SMF version: 2.0.2  (joomlahacks version)
CB 1.0.2
CiviCRM 1.6.8124


My original comprofiler.php code does not match that posted by japh. I've tried commenting out some of the newer code, but not surprisingly that doesn't help.

Here's my code if someone wants to have a bash at it. I have no idea beyond basic echo statements & trial & error & I'm sure many would benefit from an update.

Code: Select all

function sendNewPass( $option ) {
	global $database, $Itemid;
	global $ueConfig,$_PLUGINS;
	// for _NEWPASS_MSG and _NEWPASS_SUB :
	global $mosConfig_live_site, $mosConfig_sitename;
	
	// simple spoof check security
	cbSpoofCheck();

	// ensure no malicious sql gets past
	$checkusername = trim( mosGetParam( $_POST, 'checkusername', '') );
	$confirmEmail = trim( mosGetParam( $_POST, 'confirmEmail', '') );

	// these two are used by _NEWPASS_SUB message below:
	$_live_site = $mosConfig_live_site;
	$_sitename = "";	// sitename already added in subject by cbNotification class. was = $mosConfig_sitename;

	$database->setQuery( "SELECT id FROM #__users"
	. "\nWHERE username='$checkusername' AND email='$confirmEmail'"
	);

	if (!($user_id = $database->loadResult()) || !$checkusername || !$confirmEmail) {
		mosRedirect(sefRelToAbs("index.php?option=$option&task=lostPassword".($Itemid ? "&Itemid=".$Itemid : "")),_ERROR_PASS );
	}
Thanks, ant
The greater our command over language, the sharper are the tools with which we dissect reality.

Alfredo Tester
Joomla! Enthusiast
Posts: 103
Joined: Thu Jun 29, 2006 7:31 pm

Re: Lost Password Recovery WITHOUT username

Post by Alfredo Tester » Sun Feb 25, 2007 3:42 am

Hey Garlicbred.

I have the same setup as you and it is working.  I believe I ran into the same problem as you at one point when I upgraded to the new community builder 1.02.

Here is what I was doing wrong.  Don't modify the main comprofiler.php if you are using the community builder login.  You need to go in and modify the community builder login.  I wish I could remember what it was called and the file.  Maybe the same thing but in a different directory. 

I think that might fix your problem. I will try to figure out where it was that I did this and get back to you if I find something out.    But maybe that is something to check into and it will give you a lead. 

GarlicBred
Joomla! Intern
Posts: 86
Joined: Fri Dec 22, 2006 2:56 am
Location: Adelaide, Australia

Re: Lost Password Recovery WITHOUT username

Post by GarlicBred » Sun Feb 25, 2007 5:57 am

Thank you .. I searched around & found com_registration/registration.php which has almost identical code.
I applied the hack, leaving the extra original code in as before. It returned a
"Sorry, no corresponding User was found" message, so I would probably guess that the original comprofiler.php is the right file to edit? At least it gives an ugly error...

Alfredo Tester
Joomla! Enthusiast
Posts: 103
Joined: Thu Jun 29, 2006 7:31 pm

Re: Lost Password Recovery WITHOUT username

Post by Alfredo Tester » Sun Feb 25, 2007 7:27 am

Hi Garlicbred.  Sorry about that.  I think that was with CB before 1.02.  I looked at my files and I did indeed edit the comprofiler.  I have a question for you.  Did you edit both the comprofiler.php and comprofiler.html.php?  You have to do both files.

I also looked at my joomla-smf bridge.  I have 2.0 going on one site and 2.0 rC 3 on my testing.  I took a look at joomla hacks and saw a thread on 2.0.2 not passing on passwords correctly.  Maybe you are editing the files correctly and it resides with the newest bridge.  That might be something to check in to.  That might be a good starting point. 


My comprofiler.php looks like this

Code: Select all

function sendNewPass( $option ) {
        global $database, $Itemid;
        global $ueConfig,$_PLUGINS;

        // ensure no malicious sql gets past
        // $checkusername = trim( mosGetParam( $_POST, 'checkusername', '') );
        $confirmEmail = trim( mosGetParam( $_POST, 'confirmEmail', '') );

        //$database->setQuery( "SELECT id FROM #__users"
        //. "\nWHERE username='$checkusername' AND email='$confirmEmail'"
        //);
        $database->setQuery( "SELECT id FROM #__users
                              WHERE email='$confirmEmail'");
        $user_id = $database->loadResult();
        $database->setQuery( "SELECT username FROM #__users
                              WHERE email='$confirmEmail'");
        $checkusername = $database->loadResult();


        //if (!($user_id = $database->loadResult()) || !$checkusername || !$confirmEmail) {
        //      mosRedirect(sefRelToAbs("index.php?option=$option&task=lostPassword"),_ERROR_PASS );
        //}

        if (!$user_id  || !$confirmEmail) {
                mosRedirect(sefRelToAbs("index.php?option=$option&task=lostPassword"),_ERROR_PASS );
        }

 
Sorry I couldn't be more help.  I know I was banging my head over this for a while and then got it to go.
Last edited by Alfredo Tester on Sun Feb 25, 2007 7:31 am, edited 1 time in total.

GarlicBred
Joomla! Intern
Posts: 86
Joined: Fri Dec 22, 2006 2:56 am
Location: Adelaide, Australia

Re: Lost Password Recovery WITHOUT username

Post by GarlicBred » Sun Feb 25, 2007 11:28 am

Thanks for your effort Alfredo. I had not changed the html.php file. I did so, then I pasted your code in comprofiler.php

Result is the same pop-up error message as before;
"JSMF CB Plugin error:: Failed to update password to SMF:: Table 'buddh_joom1.members' doesnt exits SQL=UPDATE members SET passwd = '89e9a36.... etc"

I should probably leave a message at the joomlahacks forum coz it's their bridge that's in the error message, so probably more likely to find the right specialist there.

I presume you are using the joomlahacks bridge - not the one from SMF?

king.lui
Joomla! Apprentice
Posts: 11
Joined: Wed Jan 24, 2007 9:36 am

Re: Lost Password Recovery WITHOUT username

Post by king.lui » Wed Mar 07, 2007 11:15 am

GarlicBred wrote: Result is the same pop-up error message as before;
"JSMF CB Plugin error:: Failed to update password to SMF:: Table 'buddh_joom1.members' doesnt exits SQL=UPDATE members SET passwd = '89e9a36.... etc"
Edit administrator/components/com_smf/admin.smf.class.php in function updatePass FROM

Code: Select all

$query =
"UPDATE {$jsmfConfig->smf_prefix}members " .
"SET passwd = '".sha1(strtolower($username).$pass)."' " .
"WHERE id = '$smf_id' ";
TO

Code: Select all

$query =
"UPDATE smf_members " .
"SET passwd = '".sha1(strtolower($username).$pass)."' " .
"WHERE ID_MEMBER = '$smf_id' ";
id => ID_MEMBER
{$jsmfConfig->smf_prefix} => your prefix like jos, smf

king.lui
Joomla! Apprentice
Posts: 11
Joined: Wed Jan 24, 2007 9:36 am

Re: Lost Password Recovery WITHOUT username

Post by king.lui » Wed Mar 07, 2007 11:35 am

O.K. that's working. Fine. Thanks a lot for this patch!

But now all funny people can reset all passwords by posting all email addresses they know. The reset users are wondering, because they didn't reset their password. Then they must log in with the new password and change it. They're thinking "what a stupid community, where anybody can reset other passwords". That's not the best way. Better would be a 2-stage reset with Request -> Email -> Confirm -> Reset. This 2-stage reset is standard on most (bigger) websites.

- Like now the user can post his email.
- No new password will be generated. Only a uuid and an email with a link with the uuid.
- If the user wants to reset his password, he will click on the link; if not, not.
- Now, if the uuid is right, the password will be reset and mailed to the user

I think that's a way:

1. The DB needs a new field. We can use the comprofiler table. Example: cb_pwdreset_uuid
2. Changing the function, so the password will only be reset if a uuid is posted.
  a) without uuid (like now): generate a uuid, save it to the DB and send an email with the reset link.
      The reset link will be our reset form. With the uuid we can load email/userid from the DB.
  b) with $_GET['uuid']: generate a new password, send the email, delete the uuid in the DB

What do you mean? I can make it. Or any other ideas?

king.lui
Joomla! Apprentice
Posts: 11
Joined: Wed Jan 24, 2007 9:36 am

Re: Lost Password Recovery WITHOUT username

Post by king.lui » Wed Mar 07, 2007 2:19 pm

I am talking with myself  ;)

O.K. - here is the solution for the 2-stage-reset with Request -> Email -> Confirm -> Reset.

1. First you need a new text-field in your #_comprofiler table with name cb_pwdresetuuid
2. You need text-entries in your language.php:

Code: Select all

DEFINE('_RESETPASS_SUB','$_sitename :: You have requested a new password?');
DEFINE('_RESETPASS_SENT','Check your email!');
DEFINE('_RESETPASS_ERR','Error! Please contact the support!');
DEFINE('_RESETPASS_MSG','The User account $checkusername has this e-mail associated with it.\n\n'
.'You have requested a new password?\n\n'
.'If so click here:\n$mosConfig_live_site/index.php?option=com_comprofiler&task=sendNewPass&id=$uuid \n\n'
.'If this was an error just ignore this email');
4. Comment out the username-field in comprofiler.html.php:

Code: Select all

<? /* <tr>
      <td>< ?php echo _PROMPT_UNAME; ? ></td>
      <td><input type="text" name="checkusername" class="inputbox" size="40" maxlength="25" /></td>
    </tr> */ ?>
5. You must replace your function sendNewPass in your comprofiler.php:

Code: Select all

function sendNewPass( $option ) {
	global $database, $Itemid, $ueConfig,$_PLUGINS;
	global $mosConfig_live_site, $mosConfig_sitename;
	global $mosConfig_mailfrom, $mosConfig_fromname;
	
	$_live_site = $mosConfig_live_site;
	$_sitename = "";
	
 	$uuid = trim( mosGetParam( $_GET, 'id', 0) );
	if ($uuid) {
		$sql = "SELECT users.username, users.email, users.id 
				FROM #__users AS users 
				Inner Join #__comprofiler AS cb ON cb.user_id = users.id 
				WHERE cb.cb_pwdresetuuid = '$uuid'";
		
		$database->setQuery($sql);
		$rows = $database->loadObjectList();
		if(count($rows)) {
			$userrow = $rows[0];
			$checkusername=$userrow->username;
			$user_id=$userrow->id;
			$confirmEmail=$userrow->email;
			
			$newpass = makePass();
			
			$message = _NEWPASS_MSG;
			eval ("\$message = \"$message\";");
			$subject = _NEWPASS_SUB;
			eval ("\$subject = \"$subject\";");
		
			$_PLUGINS->loadPluginGroup('user');
			$_PLUGINS->trigger( 'onBeforeNewPassword', array( $user_id, &$newpass, &$subject, &$message ));
			if ($_PLUGINS->is_errors()) {
				echo "<script type=\"text/javascript\">alert(\"".$_PLUGINS->getErrorMSG()."\"); window.history.go(-1); </script>\n";
				exit();
			}
		
			$cbNotification = new cbNotification();
			$res=$cbNotification->sendFromSystem($user_id,$subject,$message);
			
			if ($res) {
				$_PLUGINS->trigger( 'onNewPassword', array($user_id,$newpass));
		
				$newpass = md5( $newpass );
				$sql = "UPDATE #__users SET password='$newpass' WHERE id = " . (int) $user_id;
				$database->setQuery( $sql );
				if (!$database->query()) { die("SQL error" . $database->stderr(true)); }
				
				$sql = "UPDATE #__comprofiler SET cb_pwdresetuuid='' WHERE user_id = " . (int) $user_id;
				$database->setQuery( $sql );
				if (!$database->query()) { die("SQL error" . $database->stderr(true)); }

				echo '<div class="message">'._NEWPASS_SENT.'</div>';
			 } else { 
 				echo '<div class="message">'._UE_NEWPASS_FAILED.'</div>';
			}
			
		}else{ // no count(rows)
			mosRedirect(sefRelToAbs("index.php?option=$option&task=lostPassword"),_RESETPASS_ERR );
		}
	} else { // no uuid
	
		// simple spoof check security
		cbSpoofCheck();
	
		$confirmEmail = trim( mosGetParam( $_POST, 'confirmEmail', '') );
		$database->setQuery( "SELECT id FROM #__users WHERE email='$confirmEmail'");
		$user_id = $database->loadResult();
		$database->setQuery( "SELECT username FROM #__users WHERE email='$confirmEmail'");
		$checkusername = $database->loadResult();

		if (!$user_id  || !$confirmEmail) {
			mosRedirect(sefRelToAbs("index.php?option=$option&task=lostPassword"),_ERROR_PASS );
		}
		
		// generate uuid and save it into the db
		$uuid = $user_id.uniqid("");
		$sql="UPDATE #__comprofiler SET cb_pwdresetuuid='$uuid' WHERE user_id=".(int) $user_id;
		$database->SetQuery($sql);
		$database->query();

		
		// email
		$message = _RESETPASS_MSG;
		eval ("\$message = \"$message\";");
		$subject = _RESETPASS_SUB;
		eval ("\$subject = \"$subject\";");
	
		$_PLUGINS->loadPluginGroup('user');
		$_PLUGINS->trigger( 'onBeforeNewPassword', array( $user_id, &$newpass, &$subject, &$message ));
		if ($_PLUGINS->is_errors()) {
			echo "<script type=\"text/javascript\">alert(\"".$_PLUGINS->getErrorMSG()."\"); window.history.go(-1); </script>\n";
			exit();
		}
	
		$cbNotification = new cbNotification();
		$res=$cbNotification->sendFromSystem($user_id,$subject,$message);
		
		mosRedirect(sefRelToAbs("index.php?option=$option&task=done".($Itemid ? "&Itemid=".$Itemid : "")),_RESETPASS_SENT );
		
	}
	
	if (!$user_id  || !$confirmEmail) {
		mosRedirect(sefRelToAbs("index.php?option=$option&task=lostPassword"),_ERROR_PASS );
	}

}
That's all. Good luck  :)

[Edit-1] Don't forget: make Backups before changing your files!
[Edit-2] Changing $uuid = uniqid(); to $uuid = $user_id.uniqid("");
[Edit-3] Add "if (!$user_id  || !$confirmEmail)..." before "// generate uuid and save it into the db" after // no uuid
[Edit-4] At this moment it is not working with the cb-captcha-plugin!
Last edited by king.lui on Thu Mar 08, 2007 10:36 am, edited 1 time in total.
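
The Request -> Email -> Confirm -> Reset flow described in the post above, as an added example that is not part of the thread and is not Joomla or Community Builder code. It differs from the posted function in these ways: the token comes from random_bytes() rather than the time-derived uniqid(), only its SHA-256 hash is stored, the token expires and is single-use, queries are parameterized, and the user chooses the new password at confirmation so no password is mailed. The table and column names, RESET_TTL, and the site.example link are assumptions, and in-memory SQLite stands in for the site database.

```php
<?php
// Added example, not Joomla or Community Builder code. Table and column names
// are hypothetical; in-memory SQLite stands in for the site database.

const RESET_TTL = 3600; // assumed policy: a reset link is valid for one hour

function demoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
               email TEXT UNIQUE, password TEXT)');
    $db->exec('CREATE TABLE pw_reset (user_id INTEGER PRIMARY KEY,
               token_hash TEXT, expires INTEGER)');
    // Constructed sample account.
    $db->prepare('INSERT INTO users (username, email, password) VALUES (?, ?, ?)')
       ->execute(['alice', 'alice@example.test',
                  password_hash('old-secret', PASSWORD_DEFAULT)]);
    return $db;
}

// Stage 1 (Request -> Email). Returns the mail to send, or null when the
// address is unknown; the caller shows the same "check your email" page in
// both cases so the form does not reveal which addresses have accounts.
function requestReset(PDO $db, string $email, int $now): ?array
{
    $q = $db->prepare('SELECT id FROM users WHERE email = ?');
    $q->execute([$email]);
    $userId = $q->fetchColumn();
    if ($userId === false) {
        return null;
    }
    // 256 bits from the CSPRNG; only the SHA-256 of the token is stored.
    $token = bin2hex(random_bytes(32));
    $db->prepare('REPLACE INTO pw_reset (user_id, token_hash, expires) VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', $token), $now + RESET_TTL]);
    return ['to' => $email, 'link' => 'https://site.example/reset?id=' . $token];
}

// Stage 2 (Confirm -> Reset). The password changes only for a well-formed,
// known, unexpired token, and the token is deleted on first use.
function confirmReset(PDO $db, string $token, string $newPassword, int $now): bool
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return false;
    }
    $q = $db->prepare('SELECT user_id, expires FROM pw_reset WHERE token_hash = ?');
    $q->execute([hash('sha256', $token)]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $db->prepare('DELETE FROM pw_reset WHERE user_id = ?')->execute([$row['user_id']]);
    if ((int) $row['expires'] < $now) {
        return false;
    }
    $db->prepare('UPDATE users SET password = ? WHERE id = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $row['user_id']]);
    return true;
}

// Pulls the id parameter back out of a mailed link (demo helper).
function tokenFromLink(string $link): string
{
    parse_str((string) parse_url($link, PHP_URL_QUERY), $params);
    return $params['id'] ?? '';
}

// Demo with a fixed clock so the run is repeatable.
$db  = demoDb();
$now = 1700000000;

$unknown = requestReset($db, 'nobody@example.test', $now);
$token   = tokenFromLink(requestReset($db, 'alice@example.test', $now)['link']);
$first   = confirmReset($db, $token, 'new-secret', $now + 60);
$replay  = confirmReset($db, $token, 'other-secret', $now + 120);
$stale   = tokenFromLink(requestReset($db, 'alice@example.test', $now)['link']);
$expired = confirmReset($db, $stale, 'late-secret', $now + RESET_TTL + 1);
$stored  = $db->query("SELECT password FROM users WHERE username = 'alice'")->fetchColumn();

var_dump([
    'unknown address yields no mail' => $unknown === null,
    'first use of link accepted'     => $first,
    'replayed link accepted'         => $replay,
    'expired link accepted'          => $expired,
    'password is the confirmed one'  => password_verify('new-secret', $stored),
]);
```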

GarlicBred
Joomla! Intern
Posts: 86
Joined: Fri Dec 22, 2006 2:56 am
Location: Adelaide, Australia

Re: Lost Password Recovery WITHOUT username

Post by GarlicBred » Wed Mar 07, 2007 2:36 pm

WOW thanks king!
I haven't tried it yet, battling a deadline.. trying to resist the temptation to stray, but those nice clear instructions are just too tempting. Might take me a little while though..
I had given up on the idea after carefully considering the inevitable problems with pestilence resetting passwords, but this makes it possible again. Don't understand why this isn't standard for Joomla. Having to remember username makes the stock password reset totally unusable for most. Ok, let's see how we go ...

GarlicBred
Joomla! Intern
Posts: 86
Joined: Fri Dec 22, 2006 2:56 am
Location: Adelaide, Australia

Re: Lost Password Recovery WITHOUT username

Post by GarlicBred » Wed Mar 07, 2007 9:08 pm

I get errors - different ones!

a Windows pop-up error: "Invalid Security Code" (no other text on that message)

and in the content of the page I get:
"Warning: uniqueid() expects at least 1 parameter, 0 given in /home/.../comprofiler.php line 836

I have some questions:
When adding the
1. First you need a new text-field in your #_comprofiler table with name cb_pwdresetuuid
I just did exactly that -  (but I've not done manual edit to msql db before - total newbie there) I messed with the null & default values a bit to see if that helped - just trial & error.
Another question - several posts above, where you edit the code in admin.smf.class.php there appears a little bit of code that I don't know what to do with.
id => ID_MEMBER
{$jsmfConfig->smf_prefix} => your prefix like jos, smf
- does it go somewhere or is it an explanation? What does it mean?
Thanks.

king.lui
Joomla! Apprentice
Posts: 11
Joined: Wed Jan 24, 2007 9:36 am

Re: Lost Password Recovery WITHOUT username

Post by king.lui » Wed Mar 07, 2007 9:54 pm

GarlicBred wrote: I get errors - different ones!
a Windows pop-up error: "Invalid Security Code" (no other text on that message)
Hmm .. I don't know what it means. Try first the next change.
GarlicBred wrote: and in the content of the page I get:
"Warning: uniqueid() expects at least 1 parameter, 0 given in /home/.../comprofiler.php line 836
O.K - change this line from $uuid = uniqid(); to: $uuid = $user_id.uniqid("");
GarlicBred wrote: I have some questions:
When adding the
1. First you need a new text-field in your #_comprofiler table with name cb_pwdresetuuid
I just did exactly that -  (but I've not done manual edit to msql db before - total newbie there) I messed with the null & default values a bit to see if that helped - just trial & error.
You can do it in the backend with community builder -> field management
GarlicBred wrote: Another question - several posts above, where you edit the code in admin.smf.class.php there appears a little bit of code that I don't know what to do with.
id => ID_MEMBER
{$jsmfConfig->smf_prefix} => your prefix like jos, smf - does it go somewhere or is it an explanation? What does it mean?
Thanks.
It's a description for the code change. In the code snippet (SQL query) you must change id to ID_MEMBER and {$jsmfConfig->smf_prefix} to your smf_prefix.

GarlicBred
Joomla! Intern
Posts: 86
Joined: Fri Dec 22, 2006 2:56 am
Location: Adelaide, Australia

Re: Lost Password Recovery WITHOUT username

Post by GarlicBred » Wed Mar 07, 2007 11:05 pm

Thanks (& sorry I fell asleep on couch).
Now when testing the lost password, the error in the content of the page is gone - it returns to forgot password page.
I still get the "Invalid Security Code" pop-up message.

Thanks for the explanation of the ID_MEMBER and {$jsmfConfig->smf_prefix} bit. I guessed that was what you meant, but wasn't certain.

When I first created the text field, I did it in PHPMyAdmin. I've deleted that field & set it up using CB field management as you suggested.
CB required a title - I set that same as cb_pwdresetuuid
CB requires tab position - figured anything is fine.
Set to be non-visible & non-required.

So just the invalid security code issue is holding this up for me now. Wonder if anyone else is testing this?

king.lui
Joomla! Apprentice
Posts: 11
Joined: Wed Jan 24, 2007 9:36 am

Re: Lost Password Recovery WITHOUT username

Post by king.lui » Thu Mar 08, 2007 8:52 am

GarlicBred wrote: Thanks (& sorry I fell asleep on couch).
Now when testing the lost password, the error in the content of the page is gone - it returns to forgot password page.
I still get the "Invalid Security Code" pop-up message.
You're using the cb-captcha-plugin? I've installed it and now I have the same error.
I'm looking today for a solution.
GarlicBred wrote: When I first created the text field, I did it in PHPMyAdmin. I've deleted that field & set it up using CB field management as you suggested.
CB required a title - I set that same as cb_pwdresetuuid
CB requires tab position - figured anything is fine.
Set to be non-visible & non-required.
Yes, that's right.

king.lui
Joomla! Apprentice
Posts: 11
Joined: Wed Jan 24, 2007 9:36 am

Re: Lost Password Recovery WITHOUT username

Post by king.lui » Thu Mar 08, 2007 10:38 am

Hmm .. at this moment it is not working with the cb-captcha-plugin. I don't know, what's the problem.
If you're searching the Joomlapolis-Forum you can see that other people also have this problem.

GarlicBred
Joomla! Intern
Posts: 86
Joined: Fri Dec 22, 2006 2:56 am
Location: Adelaide, Australia

Re: Lost Password Recovery WITHOUT username

Post by GarlicBred » Thu Mar 08, 2007 10:50 pm

I just unpublished the captcha and now the hack is working wonderfully!!
Yes, I should have mentioned - I use the captcha plugin - I had previously disabled it for the password request and user email, then since it was out of sight I completely forgot it was still installed.
Was hard to find anything solid at Joomlapolis Forum. I really thought that this functionality must be too hard, otherwise every1 would do it.

Note for anyone looking for a quick low-tech solution - just edit the welcome emails that new users get on registration to say very clearly that they will need both user & email to reset pass, so they better store the email carefully. Messages can be found in Admin > components > cb > config > registration, and in Languages > english.php about line 345ish.

Thank you King, for your help. I hope we can get the captcha working, but I'm more than happy for the moment. I figure joomla is probably reasonably secure from bots, so probably don't need the captcha ... anyone want to contradict this? I don't have any sites out there long enough to know from my own experience.

king.lui
Joomla! Apprentice
Posts: 11
Joined: Wed Jan 24, 2007 9:36 am

Re: Lost Password Recovery WITHOUT username

Post by king.lui » Thu Mar 08, 2007 11:28 pm

I think you can use the captcha for register if you comment out some lines at the top of components/com_comprofiler/plugin/user/plug_captcha/cb.captcha.php:

Code: Select all

// $_PLUGINS->registerFunction( 'onLostPassForm', 'onLostPassForm', 'getcaptchaTab' );
// $_PLUGINS->registerFunction( 'onLostPassForm', 'onLostPassFormB', 'getcaptchaTab' );
// $_PLUGINS->registerFunction( 'onBeforeNewPassword', 'onBeforeNewPassword', 'getcaptchaTab' );
I think you can then use "Include Captcha in Registration Process" in your Captcha Placement Parameters.
I hope so - I haven't tried it.

If you still have problems, you can also try to comment out the next two lines:

Code: Select all

// $_PLUGINS->registerFunction( 'onAfterEmailUserForm', 'onAfterEmailUserForm', 'getcaptchaTab' );
// $_PLUGINS->registerFunction( 'onBeforeEmailUser', 'onBeforeEmailUser', 'getcaptchaTab' );

king.lui
Joomla! Apprentice
Posts: 11
Joined: Wed Jan 24, 2007 9:36 am

Re: Lost Password Recovery WITHOUT username

Post by king.lui » Thu Mar 08, 2007 11:33 pm

@GarlicBred:
Adelaide, Australia ... WOW!
And I idiot sit here in cold Germany.  :'(

GarlicBred
Joomla! Intern
Posts: 86
Joined: Fri Dec 22, 2006 2:56 am
Location: Adelaide, Australia

Re: Lost Password Recovery WITHOUT username

Post by GarlicBred » Fri Mar 09, 2007 10:24 pm

Yep, that works too. I commented the 1st 3 lines as above.
Then in CB Captcha plugin enable "Include Captcha in Registration Process:" and "Include Captcha in User Emailing Process:" also works without error.

Was hoping that 2nd one would do it for my contact form, but it doesn't. Must be used for some other function ... Oh I see, it's not meant to work with com_contact.

So that's all done for me. I now have the perfect lost password system. Amazing & THANKS.

I'll get back to the pool (in my dreams) in sunny Adelaide - gonna bake at 100+ today they say. Been the hottest summer in a few hundred years (again).

king.lui
Joomla! Apprentice
Posts: 11
Joined: Wed Jan 24, 2007 9:36 am

Re: Lost Password Recovery WITHOUT username

Post by king.lui » Fri Mar 09, 2007 11:43 pm

oh yeah .. and here it's snowing  :'(
i must emigrate  8)

