UserSpice Forum Archive
This forum is archived. Posts are preserved for historical reference. For current help, join us on Discord.

verify.php bug and possible solution.

In UserSpice 4.3 and Below · Started by anphung on 2016-09-03 3:52 pm · 29692 views · 14 replies

Posted 2016-09-03 3:52 pm
Hi, I would like to say a big thank you for such a wonderful project! Very nicely thought out and saves me months if not weeks of work.
I've installed the latest version 4.1.4b and initial testing worked extremely well.
However when I changed the admin email address, the system breaks down and sends me to a not found page with the
message:
The requested URL /userManagement/users/users/verify.php was not found on this server.
(where userManagement is the userSpice installation.)

I can't even log in!

I searched the forum and notice others are having similar (if not the same) problem.

Anyway, after much digging around, I found the bug in the verify.php:

verify.php
if($user->isLoggedIn()){
$user->logout();
Redirect::to('users/verify.php');
}

Simply change it to:

if($user->isLoggedIn()){
$user->logout();
Redirect::to('verify.php');
}

and you should be good to go. Note that if error still exist, close browser and log in again.
Not sure if this is the proper fix, please advice.
Posted 2016-09-06 1:51 pm
Fantastic! Thanks for the compliments and thanks for offering a fix. That makes perfect sense. I obviously never would have come across that situation in my testing... but it makes perfect sense! Thanks again!

Sorry for the slow reply. I went to the Arctic Ocean and got stuck there longer than expected. I'm playing catch up.
Posted 2016-09-07 4:14 am
hey mudmin, great having you back. Hope you had a good time in the Arctic, the word itself sounds extremely cold!
I will try debugging the code if I find any bugs and obviously the userspice community cannot just expects you to do all the hard work!

Keep up the good work!
Posted 2016-09-07 10:28 pm
Thanks for all your help. I know that GlacierView Alaska is not exactly considered "modern" civilization, but it feels great to be back to where I have internet and heat. haha.

Posted 2016-09-08 5:04 am
This change to Redirect.php will solve this problem:

http://userspice.org/forums/topic/banned-user-cant-log-out/

(you have to look several replies down)

Ultimately it would be better (as mentioned there) if each call to Redirect::to() used the $us_url_root.'full/path/to/script.php' - that definitely needs to be gradually implemented for the long-term as this (what I did in redirect.php) is just a hack-job to make it work.
Posted 2016-09-08 5:56 am
Basically the problem is that when you have a relative path (users/verify.php or just verify.php) then it is relative to your current directory. If you are on a page in the users/ directory then you need to redirect to verify.php but if you are on a page in the root directory (or some other application directory that your developer-who-is-using-US has created for their app) then you need to redirect to users/verify.php (or ../users/verify.php or ../../users/verify.php or etc.).

The right solution is to change the relative redirect into an absolute redirect:
Redirect::to($us_url_root.'users/verify.php');

but until that can be done across the board in all US scripts (and probably in applications that other people have developed and have used the Redirect::to() call and used relative paths as an argument) then a change/hack such as I have suggested in the link above will get past most of the pain.
Posted 2016-09-09 2:22 am
yeah, absolute path would definitely work lol. However, what if I have a customized verify.php in the usersc/ directory? It wont get accessed! Correct me if I am wrong, my understanding of the design of the system is to allow all files under users/ to be customizable. I am sure the author used relative path for a good reason hence I stuck with the original design.
I wouldn't call the above a hack either but a minor fix for the system, i.e. a fix for version 4.1.5 perhaps?
Posted 2016-09-09 6:44 am
Looking at the code starting at line 25 on 
header.php
(included in every US page) we have this:
//check for a custom page
$currentPage = currentPage();
if(file_exists($abs_us_root.$us_url_root.'usersc/'.$currentPage)){
if(currentFolder()!= 'usersc'){
Redirect::to($us_url_root.'usersc/'.$currentPage);
}
}

Here is the definition, roughly, of 
currentPage()
(I've simplified it for brevity):
return(basename($_SERVER['PHP_SELF']));

So if there is a page existing in 
usersc/
then this redirection will happen automatically and it will happen to an absolute path so that there is no ambiguity about that. Choosing a consistent way to specify Redirect:too() arguments will not harm the ability to override pages with 
usersc/
.

Where I sometimes have questions is with the scripts that are require_once'd (i.e., not a "page" per-se). It appears that these are require_once'd from init.php with an absolute path and no use of include_path or anything. I *think* this means that 
usersc/
cannot be used to "override" scripts which are include'd or require'd. But that's a totally different question, unrelated to the Redirect.php class.
Posted 2016-09-09 12:37 pm
I'm surprised the absolute and relative variables are working as well as they are. That was an afternoon well spent I guess!

We are in the process of going through all the code for a far in the future release, and you have reminded us that we need to think about a few more scenarios. In my case, I've used UserSpice for one or two things, and that definitely helped flush out some bugs, but the more people use it and report back, the more we can fix.

You are absolutely right about the "currentPage()" functions and the other files that are require'd or require_once'd into the scripts. I think the idea there (and how we are trying to handle the next Major release) is that there would be one, or maybe two lines required to "secure" the page, while another 3-4 lines would be required to make use of the rest of the navigation, admin pages, footers, etc. In this respect, we are trying to "bundle" things together to minimize the number of lines required to get the full UserSpice environment versus just the page securing functionality.

@mudmin is working hard to keep up the patches on the 4.1.x release, while I'm working to try to make the next major release be something even more flexible.
Posted 2016-09-09 12:40 pm
One of our ultimate goals is to have a "UserSpice Core" set of files that users don't need to, and shouldn't ever need to touch, with all customization being done to files either in the root or in usersc/ or some other custom folder. This involves moving some things to the database so that updates and upgrades will be as easy as extracting and overwriting any files in the update/upgrade package.

in a way, the usersc/ customization was our first crack at this approach, but we realize there are a lot of shortcomings of this approach.

Posted 2016-09-09 4:18 pm
I think I have run up to the same issue with my testing where paths aren't right or something like that. On a previously activated account, I set the email_verified flag to 0 and tried logging in, resulting in a redirect loop, and then eventually a 404 when I tried going back to the root of the US install.

At least the issues are somewhat known now.

***Edit***

I have resolved my issue with the redirect loop. But I'm not sure if your issue is the same as mine was. If you could summarize any issue you still have with verify.php I can double check that use case.
Posted 2016-09-11 9:22 am
It would be nice to know where this is going, long-term, so that current development apart from US (but using US helpers and classes) doesn't have to be re-worked.

Are you aiming for a relative path in Redirect::to() which will then be prepended by various paths (perhaps in Config)?

Or are you aiming for an absolute path in Redirect::to() which would go directly to the desired page?
Posted 2016-09-11 12:46 pm
UserSpice 4 is going to be supported indefinitely even if things change in future development, so there shouldn't be an issue. Anything new added to the database is being designed to not conflict with old stuff.

As always, if you're going to modify core files (which will be less and less necessary moving forward) you're definitely encouraged to use the usersc folder. If you need to modify functions, as often as possible it would be great to include your own custom scripts and functions in a different file and then include them somewhere like in your own init...something we're definitely not ever going to change in US4.

I'm going to make a roadmap forum where we can start talking about direction on this stuff.
Posted 2016-09-11 3:36 pm
I was wondering about the Redirect::to() function specifically - as I develop should I use 
Redirect::to('script.php');

or
Redirect::to('my/app/script.php');

or
Redirect::to($us_root_url.'my/app/script.php');

It depends how you are going to move forward with the development of Classes/Redirect.php
Posted 2016-09-11 6:31 pm
Basically all 3 of those will work. Originally UserSpice was all in one folder, so it wasn't really an issue. In general I side towards going with the most complete path unless you have a reason you want your links to be relative. I'd lean towards number 3 personally.