972 Posts in 316 Topics by 302 members
Page: 1 2
|Go to End||Next >|
5 July 2010 at 8:08pm
When a Forum User maintains data in his profile and does not fill the two password fields, the password is set to NULL in the database. This leads to outlock this user from the forum.
This is especially annoying because lost Password Form is also not working!
The user does receive the email reset password, but after clicking it, he is asked to login, which requires to input the password, but this password has been lost or resetted by the malicious profile settings form!
Any help would be appreciated.
5 July 2010 at 10:13pm
What version of Forum are you using?
5 July 2010 at 10:18pm
Using: silverstripe-2.4.0 with forum-0.3-r106922
14 July 2010 at 3:39am
Willr - no idea to fix this?
14 July 2010 at 10:35pm
Hmm I am unable to reproduce the issue (of setting the password to null). Heres what I tried -
* Registering a user with password 'test' - this was added to the db
* Editing the users profile (with not setting anything in the password field)
* Editing the users profile in the cms (with not setting anything in the password).
Looking at the code also has empty() checks to ensure that passwords could not be set to nothing. Saying that I think this area needs some unit tests to ensure I'm not missing something or an edge case. It is the edit profile form on the front end which is setting the password to null correct?
14 July 2010 at 11:07pm
Yes - the Front-End profile editor - i just tested the behaviour again - i only changed the signature and left the password fields empty - after submit the Password is NULL in the database. i could reset the password with the profile form within the same session by filling the two password fields. You can just test it on http://icybolt.de/larp-forum/ - just create an account - log in and change your signature - when you log out you can no more login because your password is NULL in the database.
26 July 2010 at 6:59pm
hi, this also happened to me..
I think it's because the 2.4 version, when u do this $member = DataObject::get_by_id('Member', $data['ID']); , it return NULL on the password data, if i print out the dataobject, there are two password displayed, one is null, the other is the current password, the problem is, it get the first one so on $form->dataFieldByName("Password")->setValue($member->Password);, it set a null value.
the PasswordEncryption also set to null..
Anyone has idea on this?
26 July 2010 at 7:36pm
It turn out if i changed the get_by_id to get_one , it worked,
so the member query would be $member = DataObject::get_one('Member', 'ID='.$data['ID']);
Hope this could help someone...
Page: 1 2
|Go to Top||Next >|