Simple Machines Community Forum

Customizing SMF => Modifications and Packages => Mod Requests => Topic started by: lickitung on January 20, 2012, 07:51:35 AM

Title: Completely disable the secret question function in smf 2.0.2
Post by: lickitung on January 20, 2012, 07:51:35 AM
Hi, I would like to completely disable the secret question function in my forum. I don't really care whether my users are still prompted to set a secret question & password as they register or through their profile; all I want to do is to make it impossible for anyone to use the secret question function in order to regain access to an account.

It should be in Reminder.php and maybe somewhere else, but I don't want to start messing things up in case something goes bad.

Thanks in advance!  :D
Title: Re: Completely disable the secret question function in smf 2.0.2
Post by: Arantor on January 20, 2012, 09:54:57 AM
Or better, deal with it higher up the food chain.

It only prompts for secret question in the event that the user has actually set one. So, if you remove any existing ones and then prevent users from being able to do so later... job done.

To empty out existing users' questions, the following SQL query run in phpMyAdmin will do it:
UPDATE smf_members SET secret_question = '', secret_answer = '';

Change smf_members to your own table's name if smf_members is not it.

Then we need to patch Profile-Modify.php to disable these fields.

Find:
'secret_question' => array(
    'type' => 'text',
    'label' => $txt['secret_question'],
    'subtext' => $txt['secret_desc'],
    'size' => 50,
    'permission' => 'profile_identity',
),
'secret_answer' => array(
    'type' => 'text',
    'label' => $txt['secret_answer'],
    'subtext' => $txt['secret_desc2'],
    'size' => 20,
    'postinput' => '<span class="smalltext" style="margin-left: 4ex;"><a href="' . $scripturl . '?action=helpadmin;help=secret_why_blank" onclick="return reqWin(this.href);">' . $txt['secret_why_blank'] . '</a></span>',
    'value' => '',
    'permission' => 'profile_identity',
    'input_validate' => create_function('&$value', '
        $value = $value != \'\' ? md5($value) : \'\';
        return true;
    '),
),


Replace:
'secret_question' => array(
    'type' => 'text',
    'label' => $txt['secret_question'],
    'subtext' => $txt['secret_desc'],
    'size' => 50,
    'permission' => 'profile_identity',
    'enabled' => false,
),
'secret_answer' => array(
    'type' => 'text',
    'label' => $txt['secret_answer'],
    'subtext' => $txt['secret_desc2'],
    'size' => 20,
    'postinput' => '<span class="smalltext" style="margin-left: 4ex;"><a href="' . $scripturl . '?action=helpadmin;help=secret_why_blank" onclick="return reqWin(this.href);">' . $txt['secret_why_blank'] . '</a></span>',
    'value' => '',
    'permission' => 'profile_identity',
    'input_validate' => create_function('&$value', '
        $value = $value != \'\' ? md5($value) : \'\';
        return true;
    '),
    'enabled' => false,
),


I'm not going to package this into a mod, but if anyone else wants to, they're more than welcome (provided they credit this thread).
Title: Re: Completely disable the secret question function in smf 2.0.2
Post by: lickitung on January 20, 2012, 11:18:24 AM
Quote: It only prompts for secret question in the event that the user has actually set one.
Hmmm, yeah, I've been having some security issues lately, and it seems from Apache's access logs that the person who's causing the trouble is able to bypass that, so I want to disable only that function, in order to understand whether he is causing the trouble through that or not.

Your code would be very useful to me if I just didn't want my members to use secret questions, but in this case I want to completely disable the secret questions function so that there's completely nothing for him to mess with there, since there will be no secret question function.
Title: Re: Completely disable the secret question function in smf 2.0.2
Post by: Arantor on January 20, 2012, 11:21:43 AM
-sigh- It DOES disable it.

The function is only available when the user actually HAS a secret question. Step one removes any secret questions, step two prevents any more from being used.
Title: Re: Completely disable the secret question function in smf 2.0.2
Post by: lickitung on January 20, 2012, 11:49:47 AM
Hmm, I'm really sorry if I'm just being ignorant, but what about:
Quote:
// Delegation can be useful sometimes.
   $subActions = array(
      'picktype' => 'RemindPick',
      'secret2' => 'SecretAnswer2',
      'setpassword' =>'setPassword',
      'setpassword2' =>'setPassword2'
   );

and the "secret_question" function etc in the Reminder.php?

Also, as I mentioned, I've been having a security issue where accounts have been taken over, and I can see in the access logs that the person who is taking them over is able to access the "&action=reminder;sa=secret2" page, which is only available to the users that have secret questions (after 3 tries he manages to regain access). However, that user did NOT have a secret question at all!!!! >:(
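As an added example (not from the thread and not SMF's own code) of the kind of access-log check the post above describes: the script below parses Apache combined-format lines, picks out requests to action=reminder, counts POSTs to sa=secret2 per client IP and flags any IP at or above a threshold of three attempts. The sample lines, the IP addresses, the timestamps and the three-attempt threshold are all constructed for this example and are not a real log. SMF 2.0 joins query parameters with ';' (index.php?action=reminder;sa=secret2), which is why the parser splits the query on both ';' and '&'.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Apache "combined" log lines (not a real access log). The
# addresses are documentation ranges and the sequence is invented to match
# the pattern described in the post: several POSTs to sa=secret2, then the
# set-password step.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2012:07:31:02 +0200] "GET /index.php?action=reminder HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2012:07:31:10 +0200] "POST /index.php?action=reminder;sa=picktype HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2012:07:31:25 +0200] "POST /index.php?action=reminder;sa=secret2 HTTP/1.1" 200 4700 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2012:07:31:40 +0200] "POST /index.php?action=reminder;sa=secret2 HTTP/1.1" 200 4700 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2012:07:31:58 +0200] "POST /index.php?action=reminder;sa=secret2 HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2012:07:32:01 +0200] "GET /index.php?action=reminder;sa=setpassword HTTP/1.1" 200 3900 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Jan/2012:08:02:11 +0200] "GET /index.php?board=3.0 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Jan/2012:08:05:43 +0200] "POST /index.php?action=reminder;sa=secret2 HTTP/1.1" 200 4700 "-" "Mozilla/5.0"
"""

# client, ident, user, [time], "METHOD path PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def reminder_subaction(path):
    """Return the reminder sub-action of a request path ('' for the first
    form, 'picktype', 'secret2', ...), or None if it is not action=reminder.
    SMF 2.0 joins query parameters with ';' rather than '&', so split on both."""
    params = {}
    for part in re.split(r"[;&]", urlsplit(path).query):
        if not part:
            continue
        key, _, value = part.partition("=")
        params[key] = value
    if params.get("action") != "reminder":
        return None
    return params.get("sa", "")


def parse_log(text):
    """Yield one dict per parseable combined-format line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def secret_answer_attempts(text, threshold=3):
    """Count POSTs to action=reminder;sa=secret2 per client IP.

    Returns (counts, flagged, trail): attempts per IP, the subset at or
    above `threshold` (the post reports success after three tries), and
    for each IP the ordered (time, method, sub-action, status) of every
    reminder request, which shows how far into the flow the client got."""
    counts = defaultdict(int)
    trail = defaultdict(list)
    for rec in parse_log(text):
        sa = reminder_subaction(rec["path"])
        if sa is None:
            continue
        trail[rec["ip"]].append((rec["time"], rec["method"], sa, rec["status"]))
        if sa == "secret2" and rec["method"] == "POST":
            counts[rec["ip"]] += 1
    flagged = {ip: n for ip, n in counts.items() if n >= threshold}
    return dict(counts), flagged, dict(trail)


if __name__ == "__main__":
    counts, flagged, trail = secret_answer_attempts(SAMPLE_LOG)
    for ip, n in sorted(flagged.items()):
        print(f"{ip}: {n} secret-answer POSTs")
        for t, method, sa, status in trail[ip]:
            print(f"   {t}  {method:4} sa={sa or '(form)':<12} {status}")
```

On a real log the same functions would be fed from the file for the time window of interest. The per-IP trail is the useful part: an access-log hit on sa=secret2 only shows that the URL was requested, not that the check in Reminder.php let the request through, so the HTTP status of that POST and whether sa=setpassword follows it are the closer evidence.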
Title: Re: Completely disable the secret question function in smf 2.0.2
Post by: Arantor on January 20, 2012, 12:14:59 PM
Then there's something else wrong. The code in Reminder.php checks to see whether the user has a question and if not, it prevents it going any further.

From SecretAnswer2(), after we established the user exists (and we've got the question and answer out of the DB), but before we change the password:
// Check if the secret answer is correct.
if ($row['secret_question'] == '' || $row['secret_answer'] == '' || md5($_POST['secret_answer']) != $row['secret_answer'])
{
    log_error(sprintf($txt['reminder_error'], $row['member_name']), 'user');
    fatal_lang_error('incorrect_answer', false);
}


I'd check that the secret question was actually empty, since it seems like it wasn't at the time.
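An added example, not part of the thread and not SMF's code, that models in Python the two pieces of logic quoted in this thread: the profile input_validate that stores an empty answer as '' and anything else as its md5, and the SecretAnswer2() gate above, which refuses to continue unless a question and a hashed answer are stored and the md5 of the submitted answer equals the stored hash. It also expresses the audit and clear-out step from the earlier reply (the SELECT you would run before the UPDATE, and the UPDATE itself) as functions over an in-memory list of rows. The member rows are constructed, and members_with_secret, clear_secrets and the reason strings are names chosen for this example.

```python
import hashlib


def md5_hex(value):
    """PHP md5() equivalent: lowercase hex digest of the UTF-8 bytes."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def store_secret_answer(submitted):
    """Mirror of the 'secret_answer' input_validate in Profile-Modify.php:
    an empty answer is stored as '' (nothing set), anything else as its md5."""
    return md5_hex(submitted) if submitted != "" else ""


def secret_answer_accepted(row, submitted):
    """Mirror of the gate in Reminder.php SecretAnswer2().

    Returns (True, 'ok') only when a question and a hashed answer are stored
    and md5(submitted) equals the stored hash; every other case is refused
    before the password is changed. The reason strings are this example's."""
    if row["secret_question"] == "":
        return False, "no secret question stored"
    if row["secret_answer"] == "":
        return False, "no secret answer stored"
    if md5_hex(submitted) != row["secret_answer"]:
        return False, "incorrect answer"
    return True, "ok"


def members_with_secret(rows):
    """Audit step: rows that could still reach the md5 compare, i.e. the
    equivalent of SELECT ... WHERE secret_question != '' OR secret_answer != ''."""
    return [r for r in rows if r["secret_question"] != "" or r["secret_answer"] != ""]


def clear_secrets(rows):
    """Equivalent of UPDATE smf_members SET secret_question = '', secret_answer = '',
    returned as new rows so the before and after can be compared."""
    return [dict(r, secret_question="", secret_answer="") for r in rows]


# Constructed rows standing in for smf_members; not real forum data.
MEMBERS = [
    {"id_member": 1, "member_name": "alice", "secret_question": "First pet?",
     "secret_answer": store_secret_answer("rex")},
    {"id_member": 2, "member_name": "bob", "secret_question": "",
     "secret_answer": ""},
    {"id_member": 3, "member_name": "carol", "secret_question": "Home town?",
     "secret_answer": store_secret_answer("")},  # question set, answer left blank
]

if __name__ == "__main__":
    for m in MEMBERS:
        for guess in ("rex", ""):
            print(m["member_name"], repr(guess), secret_answer_accepted(m, guess))
    print("still set:", [m["member_name"] for m in members_with_secret(MEMBERS)])
    print("after clear:", members_with_secret(clear_secrets(MEMBERS)))
```

The point of the model is the gate: with secret_question or secret_answer empty, no submitted value, the empty string included, gets past the check, which is what the reply above says and what the audit query should confirm before assuming a bypass. Note that the Python comparison is a strict string comparison, whereas PHP's != on two strings is a loose comparison; that difference is outside this thread's question but worth keeping in mind when reading the PHP.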