pw reset overrides pw control plugin settings?

8 years 3 months ago #1 by murales
Hi, first of all thanks for this useful plugin!
I wanted to give my small contribution and I translated it to Italian on Transifex :-)

Now to the issue: I run a Joomla 2.5 site, the plugin works perfectly and every new user, upon first login, is correctly required to choose a new pw which meets the requirements I set up. However, the password the user picks upon registration is not checked for these requirements... should it be?

Also, if a user asks for a pw reset, he gets a verification code emailed, and then he can choose a new password, which isn't checked for the set requirements, completely bypassing the pw control functionality!

Maybe I set up something wrong, hope you can help....

Fabrizio


8 years 3 months ago - 8 years 3 months ago #2 by geoffc
Thank you for reporting the problem.

Taking the last problem first. Yes this is a bug since the code is not specifically checking for the com_users.reset_complete form. I have a fix for this but I wish to test it out a little more to ensure it is solid before I release the fix.

The first one makes me ask whether this is version 0.1.5 of the plugin? We couldn't specifically test 0.1.5 against Joomla 2.5 since we no longer have an instance to test against hence we announced it only for Joomla 3.4. If you could confirm the version it would enable me to isolate the problem.


Regards
Geoff


8 years 3 months ago - 8 years 3 months ago #3 by geoffc
I have just created a Joomla 2.5 instance and carried out my tests and release 0.1.5 works fine, although my tests are not as extensive as those I performed for Joomla 3.4.5.

I am a little puzzled when you say that 'the password the user picks up upon registration is not checked for these requirements'. If a user is created in the back end where the password generator may/may not be used, the password criteria are not specifically checked, mainly because the user can be forced to change their password when they first log in. Arguably if one sets a strong password in the back end then if the password is going to be changed anyway, an argument could be made that it is only temporary and therefore slightly overkill? (There were several discussions/posts on this topic if I recall. Hence the decision to let the admin decide whether they wish to use a 'strong' password when they create a user.)

In the front end the user enters their own password which is checked. I think therefore you must be referring to the back end creation.

If this does not answer the question could you please elaborate and I will try and answer more specifically.

Re the password reset, the change that is required is as follows.

In the file plugins/system/passwordcontrol/passwordcontrol.php

Change line 76 from:
if (!($fname == 'com_users.profile') && !($fname == 'com_users.registration') && !($fname== 'com_users.user') ) {

To
if (!($fname == 'com_users.profile')
            && !($fname == 'com_users.registration')
            && !($fname== 'com_users.user')
            && !($fname == 'com_users.reset_complete') ) {

Also change line 80 from:
if (!($fname == 'com_users.profile' && $input->get('layout') == 'edit') && !($fname == 'com_users.registration') && !($fname== 'com_users.user') ) {

To
if (!($fname == 'com_users.profile' && $input->get('layout') == 'edit')
            && !($fname == 'com_users.registration') && !($fname== 'com_users.user')
            && !($fname == 'com_users.reset_complete') ) {

Tested on Joomla 3.4.5 and 2.5.28,

Regards
Geoff
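The fix above adds one more form name to a chain of negated comparisons; a missed form name is exactly how the reset flow escaped the policy. The following is an added example, not the Password Control plugin's own code, that expresses the same rule as an explicit allow-list of the Joomla form contexts on which a password is set, so that a new context has to be added deliberately. The helper name passwordFormRequiresCheck() and the sample cases are my own.

```php
<?php
// Added example (not the plugin's code): allow-list version of the
// form-name test from the fix above. $fname is the Joomla form/context
// name (option.view), $layout the request's layout parameter, if any.
function passwordFormRequiresCheck(string $fname, ?string $layout): bool
{
    // Forms on which a user chooses a new password and the policy must run.
    $checkedForms = [
        'com_users.profile',        // front-end profile edit (layout=edit only)
        'com_users.registration',   // front-end self-registration
        'com_users.user',           // back-end user edit
        'com_users.reset_complete', // final step of the password-reset flow
    ];
    if (!in_array($fname, $checkedForms, true)) {
        return false;
    }
    // com_users.profile only carries a password field in its edit layout.
    if ($fname === 'com_users.profile' && $layout !== 'edit') {
        return false;
    }
    return true;
}

// Constructed sample cases; the reset_complete row is the context the
// original condition omitted, which let a reset password bypass the policy.
$cases = [
    ['com_users.reset_complete', null,   true],
    ['com_users.registration',   null,   true],
    ['com_users.user',           null,   true],
    ['com_users.profile',        'edit', true],
    ['com_users.profile',        null,   false],
    ['com_users.login',          null,   false],
];
foreach ($cases as [$fname, $layout, $expected]) {
    $got = passwordFormRequiresCheck($fname, $layout);
    printf("%-26s layout=%-5s check=%-3s %s\n", $fname, $layout ?? '-',
        $got ? 'yes' : 'no', $got === $expected ? 'ok' : 'MISMATCH');
}
```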

8 years 3 months ago - 8 years 3 months ago #4 by murales
Hi, thanks for answering so quickly and for taking time to set up a specific joomla installation to test!
Sorry if my English isn't so good and my explanation wasn't clear...

I'm using plugin version 0.1.2 , but I'm going to update asap

About the password check upon registration, I was referring to the front end ...here is the website
indiosca.altervista.org/
and the registration form
indiosca.altervista.org/joomla/il-tuo-profilo?view=registration

Password generator link is not shown, even if it's enabled (I read that probably I should modify my template, but it doesn't matter for now), but the password user sets here can be as simple as 4 identical characters, overriding pw control settings! :ohmy:


8 years 3 months ago #5 by geoffc
Release 0.1.2 is a little old. Over twelve months old, in fact; I can't really remember the changes since then. I would suggest you try 0.1.4 until I release 0.1.6 with the reset fix. (Release 0.1.5 should work as well, but I have only done limited testing against Joomla 2.5.28).

Looking at the registration form you probably will not need to create a template override as the field names (labels) look fine. I suspect that for some currently unknown reason the checking code is not being loaded, but I couldn't see any JavaScript error. This would be why a user can enter anything, bypassing the password checks.

Certainly the generator button should show in the front end, and off hand without a lot of delving I wouldn't like to suggest what is wrong. If 0.1.4 isn't working then I would need back end admin and FTP access to debug/resolve the problem.

Regards
Geoff

8 years 3 months ago - 8 years 3 months ago #6 by murales
Hi Geoff,
I tried updating to 0.1.4, still no password strength check upon registration. I edited the PHP file as suggested, but I was still able to set any password after reset. No password generator button, either.

I updated to 0.1.5, I tried disabling and re-enabling the plugin, but nothing changed. :(

Maybe I did something wrong, I'm no Joomla expert at all...

I can give you admin access if you want to try some debug, you are very kind offering to do so. Which type of access level would you need...administrator?

Thanks
