Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Forum Module /

Discuss the Forum Module.

Moderators: martimiz, Sean, biapar, Willr, Ingo, swaiba, simon_w

Password troubles - Profile and lost password


Go to End
Reply


9 Posts   2560 Views

Avatar
freakout

Community Member, 49 Posts

5 July 2010 at 8:08pm

When a Forum User maintains data in his profile and does not fill the two password fields, the password is set to NULL in the database. This leads to outlock this user from the forum.

This is especially annoying because lost Password Form is also not working!

The user does receive the email reset password, but after clicking it, he is asked to login, which requires to input the password, but this password has been lost or resetted by the malicious profile settings form!

Any help would be appreciated.

Avatar
Willr

Forum Moderator, 5513 Posts

5 July 2010 at 10:13pm

What version of Forum are you using?

Avatar
freakout

Community Member, 49 Posts

5 July 2010 at 10:18pm

Using: silverstripe-2.4.0 with forum-0.3-r106922

Avatar
freakout

Community Member, 49 Posts

14 July 2010 at 3:39am

Willr - no idea to fix this?

Avatar
Willr

Forum Moderator, 5513 Posts

14 July 2010 at 10:35pm

Hmm I am unable to reproduce the issue (of setting the password to null). Heres what I tried -

* Registering a user with password 'test' - this was added to the db
* Editing the users profile (with not setting anything in the password field)
* Editing the users profile in the cms (with not setting anything in the password).

Looking at the code also has empty() checks to ensure that passwords could not be set to nothing. Saying that I think this area needs some unit tests to ensure I'm not missing something or an edge case. It is the edit profile form on the front end which is setting the password to null correct?

Avatar
freakout

Community Member, 49 Posts

14 July 2010 at 11:07pm

Yes - the Front-End profile editor - i just tested the behaviour again - i only changed the signature and left the password fields empty - after submit the Password is NULL in the database. i could reset the password with the profile form within the same session by filling the two password fields. You can just test it on http://icybolt.de/larp-forum/ - just create an account - log in and change your signature - when you log out you can no more login because your password is NULL in the database.

Avatar
draft

Community Member, 57 Posts

26 July 2010 at 6:59pm

hi, this also happened to me..

I think it's because the 2.4 version, when u do this $member = DataObject::get_by_id('Member', $data['ID']); , it return NULL on the password data, if i print out the dataobject, there are two password displayed, one is null, the other is the current password, the problem is, it get the first one so on $form->dataFieldByName("Password")->setValue($member->Password);, it set a null value.

the PasswordEncryption also set to null..

Anyone has idea on this?

Avatar
draft

Community Member, 57 Posts

26 July 2010 at 7:36pm

It turn out if i changed the get_by_id to get_one , it worked,
so the member query would be $member = DataObject::get_one('Member', 'ID='.$data['ID']);

Hope this could help someone...

Go to Top