Features / Usability

First login

posts: 75 Denmark

I am using Tikiwiki 1.9.8.3 and I have configured that users can register. When users have clicked the link in the validation mail, they get the message that they have been successfully validated. If they then try to log in, they are told that it was an illegal user name or password. Despite that they are actually logged in.

I suspect it is because the page is still the user validation page, to which it is apparently not possible to access twice.

Does anybody know what to do about that?

Best regards
Christian

posts: 1633 Canada

Did you upgrade from 1.9.7 or was this a clean install? If it's an upgrade, please make sure to run the upgrade script.

Are you using admin must validate? If so, try turning it off.

Let me know,

M ;-)

posts: 75 Denmark

Hmm, my first answer seems to have disappeared.

I messed up my upgrade from 1.9.8.2 to 1.9.8.3, so it is a clean install.

I tried admin validate. Then it works fine.

/Clausen

> Did you upgrade from 1.9.7 or was this a clean install? If it's an upgrade, please make sure to run the upgrade script.
>
> Are you using admin must validate? If so, try turning it off.
>
> Let me know,
>
> M ;-)


posts: 7

I've just been browsing through forums and trawling through Google with this. I've been having more or less the same problem, so I thought I'd register here and put in my little bit on it.

I'm using tiki 1.9.9, a fresh install, well more or less, I had it all running in a local sandbox before putting it live. So the current version's sql database was moved and the folders copied to a webserver. To reset the sql database connection I simply enabled the install script and clicked proceed to wiki, I read to do that somewhere. So that's my history, the user registration wasn't tested in my sandbox due to lack of a local smtp server to send the emails.

Now the details of the problem. When a new user arrives at the first login page, it confirms that they have been validated. Then when you log in it claims the password or user is invalid (but it logs you in anyway). If you log out, you can't log back in again with that password. If you don't log out but try to change your password it won't let you.

I thought there might be a problem with encryption so I enabled store plain text passwords. Then to see was there a password stored I clicked the "I forgot my password" button. This sends an email all right, but there is no password. Switching off plaintext passwords allows a workaround in the mean time, the user's password is reset and then they can change it to whatever they like if they click the "I forgot my password" thing. I can also fix a user entry by manually changing their password in users admin. This suggests to me the password is somehow not stored, or corrupted on registration, it's even possible there is a bug with expiry and passwords are expiring instantly.

But it makes user registration very clunky and non-intuitive. If you want you can check out the site at www.skynet.ie/~cu .


posts: 7

Okay, so I played around with this a bit myself, and I've developed a hack to fix the issue, included in the attachment are "tiki-register.php" and "tiki-login_validate" from version 1.9.9.

So the problem is definitely that the password isn't stored in provpass var in users_users table. This might be due to the table being incorrectly initialised or some bug in the code somewhere. Anyway in the mean-time I have a workaround.

In tiki-register:
- A new temporary user is created using the temporary password hash as username
- Global var for storing plaintext passwords set to yes temporarily
- Actual password is stored in plaintext in temporary user
- Global var for storing password is returned to original value

In tiki-login_validate:
- Gets plaintext password from temporary user
- Using $userlib->change_user_password sets the real user's password
- Remove temporary user.

It's a hack certainly, but if you think about it it's not much less secure than the way that it should work. The password is always in plaintext temporarily. As far as I'm concerned though, this is a silly way to make users valid/invalid. There should be another variable activated/deactivated, this way the admin could manually enable or disable accounts easily. Also the password would never have to be stored in plain text.


posts: 43 United States

I think this may be an interaction between "admin must validate" and "validate users by email". I experienced the exact same problem described above after a recent upgrade from v1.9.8.3 to v1.9.9 by the contractors handling the back-end of our site. (I don't know if they did a clean install or an upgrade script.)

When I turned off admin must validate, the problem went away. Not only that, but "validate users by email" started working, and it hadn't been previously. I had been trying to use both validation methods, as each can be circumvented:

  • With just admin validation, a user could enter a fake email address using one of our company's domain names. He wouldn't receive notification that his account was validated, but he could just wait and keep trying to log in.

  • With just email validation, a user from any given domain could register and gain access before any admin was aware of it.


To test the interaction hypothesis, I disabled "validate by email" and enabled "admin must validate", and was successfully able to register a test account and login without the password having to be reset from my admin account. So for now, it looks like TW will allow one method or the other, but not both.

- MacLeod

posts: 3665 United States

>
>account. So for now, it looks like TW will allow one method or the other, but not both.

I'm not sure about this. On my 1.9.9 site I have both validate by email and admin must validate and it works as expected:

  1. User registers.
  2. Admin receives an email with click-to-validate-user link.
  3. Admin clicks the link. User receives an email indicating they can now login.
  4. User logs in.



HTH,

-Rick
Need more help? Try TikiWiki for Dummies Smarties, a beginner's guide to using TikiWiki.

posts: 43 United States

>On my 1.9.9 site I have both validate by email and admin must validate and it works as expected:

>User registers.
>Admin receives an email with click-to-validate-user link.
>Admin clicks the link. User receives an email indicating they can now login.
>User logs in.

That's exactly how it works for me with "admin must validate" enabled and "validate users by email" disabled. The sequence that I had intended was:

  1. User registers.
  2. User receives an email with a click-to-validate-email-address link.
  3. After user clicks, Admin receives an email with a click-to-validate-user link.
  4. After admin clicks, user receives an email indicating that they can now log in.
  5. User logs in.


- MacLeod

posts: 7

Hmm, it seems likely that this is the source of the problem. I take it ticking the admin must validate and validate by email together may be what causes the issue. I haven't tested that specifically. I'm fairly sure I tried both separately though, and it still wasn't working, maybe enabling it once was enough to corrupt something? I did want to have a system by which I could vet my users first, and also validate their email addresses.

I had envisaged it somewhat like this though;
1. User registers
2. Admin is notified of registration request.
3. Admin confirms - then the account is created. (no ->declined request email is sent to user)
4. Validation and login email is sent to user.
5. User is validated and logs in.

The only difficulty is finding somewhere to store the username/password hash temporarily - which I've already done using a temporary user account. I think I might actually be able to code this up sensibly - except for the weirdo storage of the password hash. I'd have to learn how to do mysql entry for that. A separate new table for accounts pending validation.
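
Added example, not part of the thread and not TikiWiki code: a sketch of the combined flow discussed above (the user confirms the e-mail address, then an admin approves), using a separate status field so that the chosen password is only ever stored as a hash. The class, method and field names are hypothetical, and an in-memory array stands in for the proposed table of accounts pending validation.

```php
<?php
// Added example, not TikiWiki code. All names are hypothetical; the array stands in for a table.
final class Registrations
{
    private array $rows = [];
    // Step 1: store a password hash and a hash of the e-mail token, never plaintext.
    public function register(string $user, string $password): string
    {
        if (isset($this->rows[$user])) { throw new RuntimeException('user exists'); }
        $token = bin2hex(random_bytes(16));
        $this->rows[$user] = [
            'hash'   => password_hash($password, PASSWORD_DEFAULT),
            'token'  => hash('sha256', $token),
            'status' => 'pending_email',
        ];
        return $token; // would be mailed to the user inside the validation link
    }
    // Step 2: the e-mail link. Single use: a reload returns false and changes nothing.
    public function confirmEmail(string $user, string $token): bool
    {
        $row = $this->rows[$user] ?? null;
        if ($row === null || $row['status'] !== 'pending_email'
            || !hash_equals($row['token'], hash('sha256', $token))) {
            return false;
        }
        $this->rows[$user]['status'] = 'pending_admin';
        $this->rows[$user]['token'] = '';
        return true;
    }
    // Step 3: the admin's click. Only an e-mail-confirmed account can become active.
    public function adminApprove(string $user): bool
    {
        if (($this->rows[$user]['status'] ?? '') !== 'pending_admin') { return false; }
        $this->rows[$user]['status'] = 'active';
        return true;
    }
    // Login requires the 'active' status and the password the user chose.
    public function login(string $user, string $password): bool
    {
        $row = $this->rows[$user] ?? null;
        return $row !== null && $row['status'] === 'active'
            && password_verify($password, $row['hash']);
    }
}
// Constructed sample values: one registration walked through all three steps.
$r = new Registrations();
$t = $r->register('alice', 'correct horse');
var_dump($r->confirmEmail('alice', $t), $r->confirmEmail('alice', $t)); // same link clicked twice
var_dump($r->adminApprove('alice'), $r->login('alice', 'alice'), $r->login('alice', 'correct horse'));
```

Because validation only changes the status field, neither validation step reads or rewrites the stored password hash, and an admin can disable an account again by changing the status alone.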


posts: 75 Denmark

I have been examining this a little further. There seems to be a suite of problems.

When the user validates, he is logged in automatically. This is not reflected in the login box, because the login box is apparently built before the login.

If he tries to reload it fails, because the login validation page does not support that.

It seems like the password of the new user is not the password the user specified but the user name.

Possibly the two last problems are in fact the same.

posts: 43 United States

Clausen is correct. I just confirmed on our 1.9.9 install that TW erroneously records the username as the password when a user self-registers and "admin must validate" is turned on, but this failure does not occur if "admin must validate" is turned off. When it was turned on, I was able to successfully log in with a test account if and only if I entered the username in both the username and password fields in the login module. The password that I had created in the registration page did not work.

Since we're probably not going to upgrade until 1.10 is fully released and stable, can anyone recommend a workaround that will allow us to keep "admin must validate" on, and won't require each user to employ the "forgot my password" feature? Will Zeladin's hack from a few posts up work?

Thx,
MacLeod