Before I go any further, let me state that this will not work for SMF 1.1.x or any version of 2.0 lower than RC4 nor do I plan to support either of those in the future. This mod works soley off of SMF's integration hooks that are only available in RC4+.
Now, onto the good stuff. First and foremost, this is not a GPL licensed product. I despise software companies that provide a way for folks to plug into their systems, yet license it in a way that requires you to use their license for your work. But I digress... this mod is released, as my others are, under the MPL 1.1. I will soon have it up on BitBucket.org, but still have some final touches to place on for it's first release.
Some basic features and caveats:
- All user registrations and logins/logouts must go through SMF
- Wordpress and SMF can reside in different databases with different database users if you wish
- If a user doesn't exist in one of the systems when logging in, they will be created automatically
- When a user registers in SMF, they will be registered into WP as well
- When a user updates their profile in SMF, it will update in Wordpress (future feature: create a separate profile screen in SMF admin panel that maps to profile in Wordpress)
- Map Wordpress Roles to SMF Membergroups and vice versa. If their membergroup changes in SMF, it will change in Wordpress. If a user doesn't exist in SMF, but does in Wordpress, they will get a SMF membergroup that you have associated with their Wordpress Role (and vice versa for users in SMF but not WP).
- The only thing you need to enter in the admin panel after installing is the path to your wp-config.php file. The mod even tries to auto-locate this file for you on your file system.
- Has not been tested on Windows servers yet
- Has not been tested in IE
- Has not been tested when Wordpress and SMF are not on the same subdomain
- Manual hacks must be made to Wordpress files if you wish to disable logging in and registering through Wordpress (simple one line edit in wp-login.php).
Once I have the code up on BitBucket, I'd invite anyone who wishes to test it out and play with it and see what features you'd like (so long as it doesn't involve editing any SMF code, nor adds anything to Wordpress) and what things don't quite work right. As I only use Wordpress very little for my own blog/site, I'd like to gauge some feedback based on the above features to see what people might like to see early on and maybe catch anything ahead of time that I didn't think of before releasing the code.
Thoughts?
Haha you did some great job (like playing Snake game on your phone at level 20)
Dang, this is cool SD.
Can this be applied to already established forums? I mean, not only to new installs?
I thought I read SMF had to be a fresh install when using those old bridges. Hmm, I don't remember.
With this particular bridge, it can be installed on already established wordpress and SMF sites.
If I ever start using WP again I'll be sure to test this out!!
Nice, let me follow this!
It's nice to hear that someone is finally working on this. :)
I'm really hoping to get the code uploaded to BitBucket this weekend (although I am moving into a new house)... I need to finish adding some error checking to the mod and also go through the hooks a bit more to make sure I'm not missing any.
Ping for later
really excited about this
Quote from: SlammedDime on March 14, 2011, 03:07:17 PMOnce I have the code up on BitBucket, I'd invite anyone who wishes to test it out and play with it and see what features you'd like (so long as it doesn't involve editing any SMF code, nor adds anything to Wordpress) and what things don't quite work right. As I only use Wordpress very little for my own blog/site, I'd like to gauge some feedback based on the above features to see what people might like to see early on and maybe catch anything ahead of time that I didn't think of before releasing the code.
Thoughts?
I'm too stupid. I can't find the code up on BitBucket. Have a link for me? ???
he said once i have the code up on bitbucket, that does not mean it is up there now.
Too bad! Would be nice if I could get the code. Is it possible? Would be really great... :)
Quote from: busymouse on March 23, 2011, 08:54:39 AM
Too bad! Would be nice if I could get the code. Is it possible? Would be really great... :)
Be patient! It will be up eventually!
/me patience wins...
Yea, moving into my house has made me quite busy so I haven't had time to work on it... I'm hoping to get my office setup this weekend and get my computer(s) and server back up and running.
I can't wait to see it.
Very cool; I've been needing a workable version of this for a while. Great job !
Ok, I've upped the code and provided a download package as well... I cannot stress enough to test this on a test site before going live with it (just in case, ya know?).
Please report any issues or errors from the error log that occur during use.
https://bitbucket.org/mattzuba/blogbridger/downloads
Looks like there has been a couple of downloads... anyone have any feedback?
Quote from: SlammedDime on April 06, 2011, 12:28:44 PM
Looks like there has been a couple of downloads... anyone have any feedback?
Trying it on my testsite. http://www.ourfamilyforum.org/SMF2.0/index.php
After activating the bridge everything appears to be OK until going to the 'Role Settings' screen where it tells me:
QuoteYou do not have the required keys or salts in your Wordpress installation. Please visit https://api.wordpress.org/secret-key/1.1/salt/ (https://api.wordpress.org/secret-key/1.1/salt/) and copy the output to your wp-config.php file.
Inserting that code as directed seems to have no effect on displaying WP in the forum, but it gives this error page when accessing WP directly:
http://www.ourfamilyforum.org/wordpress/ (http://www.ourfamilyforum.org/wordpress/)
Quote*fod61AfVlw#Q}7;-BFi@jM/`QP#c8-cD~=x>T~Pon4.+');// You can have multiple installations in one database if you give each a unique prefix$table_prefix = 'wp_'; // Only numbers, letters, and underscores please!// Change this to localize WordPress. A corresponding MO file for the// chosen language must be installed to wp-content/languages.// For example, install de.mo to wp-content/languages and set WPLANG to 'de'// to enable German language support.define ('WPLANG', '');/* That's all, stop editing! Happy blogging. */define('ABSPATH', dirname(__FILE__).'/');require_once(ABSPATH.'wp-settings.php');?>
Fatal error: Call to undefined function wp() in /home/kenkayjm/public_html/wordpress/wp-blog-header.php on line 14
If that is showing when visiting your wordpress site, then the php code for the salts/keys weren't copied correctly to your wp-config.php file.
I copied and pasted the codes directly after the existing 'define' entries in the file... should the code for the keys/salt go somewhere else?
Can you attach your wp-config.php file, replacing all of the sensitive information with dummy data?
OK, here it is.
I see the salts are a bit different from the original error... is the error still occurring after you have replaced them with new ones? I dropped the file into my WP install and adjusted the database info and it worked without issue...
My existing WP has content and may have file issues, so I did a clean install to a new db and tried the bridge to that new WP and it all seems to work OK now... the Role Settings now open to a CP for setting membergroup access(s).
Now I just need to find and fix whatever the issue is with my existing install of WP, or move the content into this new one. :)
Couple of questions:
Must a blog button be manually added, or is the mod supposed to install one?
If registration is off in WP will it pick up the registrations from SMF, including those already in place?
http://www.ourfamilyforum.org/SMF2.0/index.php (http://www.ourfamilyforum.org/SMF2.0/index.php)
http://www.ourfamilyforum.org/wordpress2/ (http://www.ourfamilyforum.org/wordpress2/)
EDIT: The reg question arises because in your description it says, "If a user doesn't exist in one of the systems when logging in, they will be created automatically"... But when my 'testuser' is logged into SMF the user in not showing up in the WP users.
EDIT#2: NM on the reg question... after a couple of cycles of the page the testuser showed up in the WP membership.
Any idea why this is failing when it should not be?
require_once($boarddir.'/WordpressPassword.php'); //$sourcedir
$wpPass = new WordpressPassword(8);
if(!$wpPass->checkPassword($_POST['passwrd'],$wpUser['user_pass'])) return 'retry';
Is the password decryption more complicated than this? ???
EDITED: WordPress was upgraded to 3.1 for the record. I also reset the password since it was pre 3.0 before I started. I don't have any "salt" values in the wp-config file. But I don't see anywhere within checkPassword that requires any such values.
Parse error: syntax error, unexpected T_STATIC in /home/***/public_html/forummyth/Sources/WordpressBridge.php on line 1037
I Agree - I have no idea why it would be failing... either the password isn't correct, or wpUser['user_pass'] doesn't have the proper value.
Antes - On line 1037, try changing 'static::' to 'self::' and see if/how that affects operation.
QuoteParse error: syntax error, unexpected T_STATIC, expecting T_STRING or T_VARIABLE or '$' in /home/***/public_html/forummyth/Sources/WordpressBridge.php on line 1067
I changed static to self on 1067 too and get
QuoteParse error: syntax error, unexpected T_STATIC, expecting T_STRING or T_VARIABLE or '$' in /home/***/public_html/forummyth/Sources/WordpressBridge.php on line 1070
By the way forget to add using WP 3.1.1 MU
Yea, there are a few instances of 'static::'... change them all to 'self::' and see if it will work... if not, PHP 5.3 will be required for the time being until I can figure out a way around that...
Changed all 'static::' to 'self::'
Fatal error: protected static $__CLASS__ = __CLASS__; must be contained in child class in /home/***/public_html/forummyth/Sources/WordpressBridge.php on line 1068
Yea, looks like the static keyword is PHP 5.3 only. I'll have to look into trying to work around that.
Wow, I'm really excited about this! I've been holding out on 1.1.x waiting for a production-ready 2.0 install... but this? Might be enough to tempt me over early.
Quote from: SlammedDime on April 14, 2011, 12:32:49 PM
I Agree - I have no idea why it would be failing... either the password isn't correct, or wpUser['user_pass'] doesn't have the proper value.
Hmmm, I thought I'd checked $_POST['passwrd'] before but maybe it was $user instead... anyway, it's empty. I assumed $_POST['passwrd'] would have to be set. There is a hidden hash_passwrd field on the form in the theme. I suppose actually returning what's in passwrd client side would be a bad thing to do, assuming it would be sent as is (type="password") ??
Thoughts? Your integrate_validate_login seems to rely upon $_POST['passwrd'] being set. Does it set it itself somewhere? Or does it just expect a different situation? Might be worth considering if different themes do things differently.
If you have any advice, that would be cool! Thanks.
^So now the situation is I have $_POST['hash_passwrd'] and no $_POST['passwrd'] (dunno if they are different) which is the same as the hashpassword arg provided the integrate_validate_login hook.
I'm stuck comparing the hashword with the value in the WP db. I'm not sure what the passwords even are. I assume none of them are the literal password.
Anyway, I'm confused why WordPressBridge.php uses $_POST['passwrd']. Is it supposed to have something in it on login?
Thanks
on a normal SMF login, hash_password is set. As far as the bridge goes, if a user does not exist in one or the other, I can't insert them without having a plaintext password. By returning 'retry', this causes login hashing to be disabled, so the next login attempt sends a plaintext password in $_POST['passwrd'].
Quote from: SlammedDime on April 14, 2011, 06:03:58 PM
on a normal SMF login, hash_password is set. As far as the bridge goes, if a user does not exist in one or the other, I can't insert them without having a plaintext password. By returning 'retry', this causes login hashing to be disabled, so the next login attempt sends a plaintext password in $_POST['passwrd'].
Ah, the plot thickens. I was kinda getting that kind of vibe from some of the inline documentation (comments) around the hook definition. I don't like the sound of this.... surely there is a better way to go? Does WP's code receive the same hash? Or is it tailored to SMF? Like by some javascript or something?
I've always wondered myself why their's not a popular webapp for user/password verification that all webapps could agree to share/support. That seems a lot more reasonable than every webapp trying to provide every service. But that's another topic. One of many.
I'd not think plaintext passwords would be transmitted in this day and age. What with https not being very common (read: provider friendly) and wireless being more so.
Anyway, I need to be able to verify the login against the WP password. I can't assume the SMF one is identical. Please throw me a bone if you can. Or explain why the situation is hopeless if it really is :o
It's not really hopeless... the only way to create a SMF user or a Wordpress user, or validate a wordpress password from SMF is to have a plaintext password to work with (just like SMF does when you register, the plain text password is transmitted and transformed on the backend). Wordpress uses phpass, a portable php password system, whereas SMF, and many other pieces of software use some sort of md5 or sha1 variant. The advantage of using the latter is the ability to hash client side before transmitting.
With Wordpress, Drupal, phpBB, that's not possible due to the complexities of generating the password and validating. With phpass, a single password can generate thousands upon thousands of different hashes, yet still validate. This isn't the case with sha1 or md5 varients. With phpass, the plaintext password and the hashed password are both required to validate the password. The hashed password itself contains the salt that creates the password, which is needed to then recreate the hashed password from plaintext for verification.
Since the two systems use two different hashes (albeit, you can throw a wordpress hash into the SMF database and SMF can 'fix it' into an SMF variant by doing the same thing this mod does, which is asking the user for their password again, and then properly hashing it, as Wordpress uses the same password scheme that phpBB3 does, which SMF supports), it is not possible to easily register a person into either system without their plaintext password.
Quote from: SlammedDime on April 14, 2011, 10:57:58 PM
It's not really hopeless... the only way to create a SMF user or a Wordpress user, or validate a wordpress password from SMF is to have a plaintext password to work with (just like SMF does when you register, the plain text password is transmitted and transformed on the backend). Wordpress uses phpass, a portable php password system, whereas SMF, and many other pieces of software use some sort of md5 or sha1 variant. The advantage of using the latter is the ability to hash client side before transmitting.
With Wordpress, Drupal, phpBB, that's not possible due to the complexities of generating the password and validating. With phpass, a single password can generate thousands upon thousands of different hashes, yet still validate. This isn't the case with sha1 or md5 varients. With phpass, the plaintext password and the hashed password are both required to validate the password. The hashed password itself contains the salt that creates the password, which is needed to then recreate the hashed password from plaintext for verification.
Since the two systems use two different hashes (albeit, you can throw a wordpress hash into the SMF database and SMF can 'fix it' into an SMF variant by doing the same thing this mod does, which is asking the user for their password again, and then properly hashing it, as Wordpress uses the same password scheme that phpBB3 does, which SMF supports), it is not possible to easily register a person into either system without their plaintext password.
Well I have a better idea of what is going on now. I don't have a problem with getting the plaintext if it's totally necessary if the WP password does not validate (ie. has probably been changed on the WP end) ... is btw the plaintext literally transmitted as plaintext? Or is it (other than any kind of compression) at least obscured in a reversible way by virtue of being a password input?
It seems like the thing to do then, is to have the login prompts generate both kinds of hashes client side, then just copy whatever the WP sources do to validate the WP hashword.
EDITED: Or does PHPass mean the password is always transmitted in plaintext?? Since as you say nothing is done before transmission.
I swear to god though there's got to be a better way to manage passwords than this. But I'd just like to do what is expedient for now.
Has anyone here ever heard of something (not like OpenID) that is like WordPress/SMF (a webapp with a problem domain) but is strictly interested in storing/verifying usernames/passwords via a database? It seems like if there was something like that (that caught on) all frameworks like SMF would want to be interoperable with it out of the box.
I like the idea of just passing validation off to a 3rd party like ReCaptcha or something. But it would have to allow for fine grain anonymity and allow service providers to dictate their own namespace to be my cup of tea. Would make biometrics more manageable, and might be more secureable than trusting X websites to not let your password/email be stolen on their end. I dunno if the hashing is any good for preventing those passwords from being reused or not.
^Also the hypothetical 3rd party could easily provide an SSL certificate.
PHPass is only a backend for hashing and verifying hashed passwords. It's not possible to generate a hash client side and compare it to the hash in the database like can be done with SMF. A single password (ie: 'passw0rd') can generate literally thousands of unique hashed passwords (vs SMF where a single password and username will always generate the same hash). The only way to verify that 'passw0rd' matches the hash in the database is to actually have the hashed password, as the hashed password itself contains the seed used to hash the password.
And by plain text, yes, I mean plain plain text. Anyone listening on the wire or over the air on an unencrypted wifi transmission could grab and inspect the packets to get the password if the site was not using SSL.
If you're not on PHP 5.3, it won't work properly... I dev on 5.3 and forgot to check some things before making the package. Once I get it fixed up I'm hoping it will work on 5.1+, but it may be 5.2+ only.
Offtopic-ish: I hate to keep piggy backing this thread, but I feel like I'm likely to get more attention here :-[
My much less code bridge I've derived from yours more or less is doing fine atm. But I've noticed the login seems to only last for like a day or an evening. I'd not be surprised if I'm just imagining things, since I can't really think of any reason this would be the case. My code only touches integrate_validate_login.
Quote from: SlammedDime on April 17, 2011, 07:42:07 PM
If you're not on PHP 5.3, it won't work properly... I dev on 5.3 and forgot to check some things before making the package. Once I get it fixed up I'm hoping it will work on 5.1+, but it may be 5.2+ only.
So If I switch to PHP 5.3 it will work? I am hosted at 1and1 so I am going to see how I can implement it. I've been needing something like this for the longest.
I don't have PHP6 installed on any of my dev machines and haven't touched it at all... it may work, but I don't think even SMF is fully compatible with PHP 6 yet.
Okay, I've updated the mod to version 1.1 on bitbucket that should work on PHP 5.2+ now.
Seriously? Ok I will give it a try and be back with good news ... hopefully :D
If it's causing problems, you can just remove or rename Sources/WordpressBridge.php and that will essentially deactivate the bridge.
I don't know why it would be just spitting out a php page to download... any core files in your SMF directory?
Thank you SD 1.1 working :)
When i enter my wp-admin redirects to
http://forum.mythoseurope.net/fromWp.1303287890/url./wp-login.php?redirect_to=http://www.mmobrowser.com/wp-admin//reauth.1/
Using WPMU
Site 1 is mmobrowser.com (main site based on WP Files)
Site 2 is mythoseurope.net (using WPMU system)
Antes - I'm not sure how well this will work with MU... nor if it will work well with SimpleSEF (which it looks like you're using)... I still have to test it out with both of those.
mibodega - If you removed all files and created a new database and reinstalled SMF and you're still being prompted to download files, something is up with your host.
I tested this on my host which runs PHP 5.2.9 and it worked as expected without hiccups.
New version 1.1.1 addressing a small unexpected problem in the way Wordpress can save site paths in it's admin panel.
Hi, I just started setting this up on a test site and after installing your bridge I get the error:
QuoteWe found the following problems:
wp-login.php is not redirecting to SMF
How do I fix this and is it possible to only have wp login and not have a login on the forum?
You can fix it by clicking the button about 2 inches below that that says 'Fix File'.
For your second question, no, the bridge will only work if people login through SMF (there is a feature that if someone clicks the 'Log in' link or goes to a page in wordpress that requires logging in, SMF will redirect them back to that page after logging in.
Holy ******t It works!!
Thanks a lot for this mod ! I'm glad to see someone working to bridge Wordpress and SMF.
The only thing I'd like to know is how can I make this work for subdomains ?
I have my SMF forum located in forum.thewebsite.us
And the blog on thewebsite.us
Users are added to the Wordpress database but are not logged in :/
Also, I got a nasty:
Fatal error: Call to undefined method WordpressUser::setPassword() in /var/www/discovr/forum/Sources/WordpressBridge.php on line 434
When trying to change a password...
Hrm... I haven't tested using it with subdomains... can I have a link to your site (feel free to PM if needed) and a test account to check with? Also, are you using version 1.1.1?
could it be effected by subdomain independent cookies being checked in the admin panel?
Not likely... this implementation doesn't use any SMF cookies in Wordpress, it creates the Wordpress cookies as if you were logging into Wordpress itself.
I created an account just to thank you for this package, I really needed it for my community so my users wouldn't have to go through annoying registration hassles. I hope you will continue to develop this bridge and may it prosper. :)
Will this work with 2.0 RC5 and the latest 3.1.? wordpress?
Locking this topic... Mod is now available on mod site and has it's own support topic.
http://www.simplemachines.org/community/index.php?topic=434738.0