This forum is read only. As of July 23, 2019, the UserSpice forums have been closed. To receive support, please join our Discord by clicking here. Thank you!

Status Update 004
#1
Many thanks to Brandon and Firestorm for these mods. This build requires dropping/reimporting the db (or at least the settings table).

This includes the new backup features that are in 4.2.10, latest messaging system, admin.php, admin_page, and related files. Much is untested at this point.

Like they say...move fast and break things.

Also, just FYI...for those of you who are new, I tend to do new builds on Mondays unless I get unexpected time off.
  Reply
#2
Looks like we forgot msg_notification in the users table int 1 default 1 - sorry if I forgot to put that!

We are also missing protected from users table, int 1 default 0

And dev_user int 1 default 0 lol I'm sorry

I also forked your admin_user.php lol oopsies, remove line 40, the fetchSys function

Scratch that, you need more than that:
http://pasted.co/95bed121

That is your new admin_user.php lol
  Reply
#3
Okay - as a followup to above, I smasher tested everything and only have issues in two sections:
-As above, you need to add 2 columns to users, protected and dev_user, int 1 def 0
-Replace your admin_user.php as above

With the auto-assign username option you need to do the join stuff I pasted here:
https://userspice.com/forums/topic/user-...#post-5301

And adminverify.php was missing from the pages DB
  Reply
#4
Mudmin,

What's the purpose of Force Password Reset? What was your vision of it? If you let me know I'll code it so we can have it - just wasn't sure your purpose. Was it to enable and you can check a box on the user form to force them to reset on login and in custom login we have it check this value?

Thanks.
  Reply
#5
Yeah. It was just a button that was going to force everyone to change their passwords. Primarily for either a DB breach or for users upgrading from UserCake. Two thoughts on it.

1. It probably needs to be in the users table. It needs to foreach through the users and put a 1 in the reset column.
2. Then, my thought is that there needs to be 2 ways to use it.
a. Generic password reset where people need to use their old password but upon login, they're redirected to reset their password.
b. (Such as the case with UserCake). It foreaches through the database and encrypts a random hash for their password so the only way they can log in again is through the "forgot password" link. This would be useful if we change encryption algorithms etc.
  Reply
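The two modes described in the post above, as an added example that is not part of the thread or UserSpice's own code. The in-memory rows, the function names and the `loginOutcome` helper are assumptions; only the `force_pr` column name comes from the thread.

```php
<?php
declare(strict_types=1);

// Constructed rows standing in for the users table.
function sampleUsers(): array {
    $rows = [];
    foreach (['alice' => 'correct horse', 'bob' => 'hunter2hunter2'] as $name => $pw) {
        $rows[] = ['username' => $name, 'password' => password_hash($pw, PASSWORD_DEFAULT), 'force_pr' => 0];
    }
    return $rows;
}

// Mode (a): only set the flag. The old password still authenticates, and the
// login handler sends flagged users to the reset form.
function flagAllForReset(array $users): array {
    foreach ($users as $i => $u) {
        $users[$i]['force_pr'] = 1;
    }
    return $users;
}

// Mode (b): overwrite every stored hash with the hash of a random secret that
// is never kept, so no known password verifies and only "forgot password" works.
function invalidateAllPasswords(array $users): array {
    foreach ($users as $i => $u) {
        $users[$i]['password'] = password_hash(bin2hex(random_bytes(32)), PASSWORD_DEFAULT);
        $users[$i]['force_pr'] = 1;
    }
    return $users;
}

// Hypothetical login decision: 'deny', 'reset' or 'ok'.
function loginOutcome(array $user, string $submitted): string {
    if (!password_verify($submitted, $user['password'])) {
        return 'deny';
    }
    return $user['force_pr'] === 1 ? 'reset' : 'ok';
}

$users = sampleUsers();
$modes = ['before' => $users, 'mode a' => flagAllForReset($users), 'mode b' => invalidateAllPasswords($users)];
foreach ($modes as $label => $rows) {
    echo $label, ': ', loginOutcome($rows[0], 'correct horse'), "\n";
}
```

In mode (a) the old hash remains valid until the user completes the reset, so after a database breach mode (b) is the one that actually retires the exposed hashes.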
#6
Good thing about putting it in the users table is we can also allow what I was talking about above, forcing a specific user to do a password reset on next login...

Your 2B case I am not sure how exactly I am going to do.......so I will work on the first part, and you might just have to handle the hashing part...sorry!
  Reply
#7
Ok. Sounds good.
  Reply
#8
I implemented this when I added in a password strength check. From the admin page you can force all users to reset their password, which takes effect on next page load mid-session. This is useful for db breaches or changes to your strength logic. From admin_user.php you can set a single person to the same effect, and creating a new user through the admin page also uses this.

I also have a check that looks at anyone who doesn't pass the strength check and requires a new password on their next login (this only affects users with accounts made prior to password strength enforcement and that also have weak passwords).

Lastly I added in the ability to auto-force a reset every x months, depending on the value you set in admin.php, and remembers the last x passwords so you cannot reuse them (also set in admin.php).

Each reset type has a code in the users db table (1= everyone, 2= weak password, 3= expired, 4= single user) that the forgot password form uses to give the correct text to the user.

I'd share the code with you but I've had to heavily modify US to work with our existing site and even have a custom Permissions class, so it'd be faster to write it from scratch than extract what I have and convert it back to traditional US code. I'm more than happy to help with the planning though.

I am currently using the PHP zxcvbn-php library for password strength, in case anyone is curious, with an Ajax call to test the strength and return a result before submitting the form. This lets me use a colorful meter so people know their weak password is red and BAD! I tried the jQuery library first but the word dictionaries are different and it allows much weaker passwords to pass when they shouldn't.
  Reply
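A sketch of the reset-code selection and password-history check described in the post above, added here as an example; it is not the poster's code, which was not shared. The field names `changed` and `history`, the settings keys, the order in which the checks run, and code 0 for "no reset pending" are assumptions.

```php
<?php
declare(strict_types=1);

// Reset codes as listed in the post; 0 (no reset pending) is assumed here.
const RESET_EVERYONE = 1;
const RESET_WEAK = 2;
const RESET_EXPIRED = 3;
const RESET_SINGLE = 4;

// Decide at login which code to store. $passesStrength is the strength
// checker's verdict on the password just submitted (checker not shown).
function resetReason(array $user, array $cfg, bool $passesStrength, DateTimeImmutable $now): int {
    if ($user['force_pr'] !== 0) {
        return $user['force_pr'];            // an admin already set 1 or 4
    }
    if (!$passesStrength) {
        return RESET_WEAK;
    }
    $due = (new DateTimeImmutable($user['changed']))->modify("+{$cfg['expire_months']} months");
    return ($cfg['expire_months'] > 0 && $due <= $now) ? RESET_EXPIRED : 0;
}

// True when $new matches one of the last $remember hashes. The guard matters:
// array_slice($h, -0) would return the whole history instead of nothing.
function isReused(string $new, array $hashes, int $remember): bool {
    if ($remember <= 0) {
        return false;
    }
    foreach (array_slice($hashes, -$remember) as $hash) {
        if (password_verify($new, $hash)) {
            return true;
        }
    }
    return false;
}

// Constructed sample user and settings, not UserSpice's real schema.
$cfg  = ['expire_months' => 6, 'remember' => 3];
$old  = password_hash('Spring2018!', PASSWORD_DEFAULT);
$user = ['force_pr' => 0, 'changed' => '2018-01-15', 'history' => [$old]];
$now  = new DateTimeImmutable('2018-09-01');

echo 'reset code: ', resetReason($user, $cfg, true, $now), "\n";
echo 'reuse blocked: ', var_export(isReused('Spring2018!', $user['history'], $cfg['remember']), true), "\n";
```

Because the history holds salted hashes, reuse can only be detected by running `password_verify` against each remembered hash; comparing a fresh hash of the new password to the stored ones would never match.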
#9
That's awesome! I would love to see how you did this sometime. Thanks for all your work.
  Reply
#10
While coding this I also noticed we should add successes and errors to the admin form. No need for validation in my opinion, but we should be displaying success codes on this page.

Also, there is an issue with the Redirect:: call on after_logout or whatever. It does the redirect, but it quickly flashes an error and then obviously I can't see it because it redirects you. I couldn't figure out what it was or replicate it without the redirect occurring...It only shows up when the redirect happens on logout.

This script repurposes force_pr in settings to be the force_pr definition when creating a new user from admin_users.php.

I'm not posting the whole files (yet) because you have some changes above to make :)
-Add errors and successes to admin.php, you need the PHP and the HTML portion
On admin.php:
-Replace the force_pr PHP in POST to this:
http://pasted.co/9e8ea755
-Replace the force_pr HTML to this:
http://pasted.co/6cd0c8b4

On admin_user.php:
Replace the block user PHP with this:
http://pasted.co/ec0382a4
Add this HTML under the block user:
http://pasted.co/04264c09

At the bottom of the PHP on header.php (under the track_guest) add:
http://pasted.co/cdf7ad3b

And add this to your add user fields whenever you have this (if you use my new user management stuff, or on the old page)
Code:
'force_pr' => $settings->force_pr,

I put it under the vericode.

SQL:
http://pasted.co/fb982bda

Let me know if you have any issues!

...update....5 hours later because I knew I'd forget something. You need to reset force_pr when you change the password! Duh! lol

Replace the update on line 195 of user_settings.php to:
Code:
$user->update(array('password' => $new_password_hash,'force_pr' => 0,),$user->data()->id);

And add this to the fields array on forgot_password_reset.php:
Code:
'force_pr' => 0,
  Reply