HOOK : integrate_reset_pass -> Problem changing Username AND pwd same time

Started by blueshack, September 21, 2015, 03:12:33 PM

Previous topic - Next topic

blueshack

whenn I use the hook
"integrate_reset_pass"

everything works fine when I change e.g. username.
I get username and old username and new generated password (it will be send by email)

when I change pwd, I get username and old username ( the same!) and the new pwd.


BUG:
when I change username AND password, the new username and the old username are the same in hookprog!
in SMF membertable the username is changed, but I will never know, what the username was before.


So if I want to use in a 'private' DB username and pwd from SMF, I can't update the PWD, because I do not know the old username.

So changing username and pwd at the same time should not be done, but it can happen ;)

It's in SMF 2.0.9
sorry, I can't use a 2.0.11 at the moment.

Ninja ZX-10RR

May I ask what actually prevents you from spending 5 minutes to update SMF, given that it should update just fine in most cases? It updated fine on my forum with 140 mods, I don't know how many you are running but I *think* not more than that, to prevent a regular update...
Quote from: BeastMode topic=525177.msg3720020#msg3720020
It's so powerful that on this post and even in the two PMs you sent me,you still answered my question very quickly and you're apologizing for the delay. You're the #1 support I've probably ever encountered man, so much respect for that. Thank you, and get better soon.

I'll keep this in my siggy for a while just to remind me that someone appreciated what I did while others didn't.

♥ Jess ♥

STOP EDITING MY PROFILE

blueshack

Thank you for reply.

No, there are only few mods. But there was just no time to update and it will take at least some days for me to start update.
But I will do so - I promise ;)


But I will try it local on a new installation.



Ninja ZX-10RR

You can easily update even from a mobile device with a few clicks in the admin panel, you don't even need to download the package and upload it manually :)
Yep, do it with 2.0.11 and update this, but I am pretty sure it won't change a thing, it's just for the looks of the "latest version".
Quote from: BeastMode topic=525177.msg3720020#msg3720020
It's so powerful that on this post and even in the two PMs you sent me,you still answered my question very quickly and you're apologizing for the delay. You're the #1 support I've probably ever encountered man, so much respect for that. Thank you, and get better soon.

I'll keep this in my siggy for a while just to remind me that someone appreciated what I did while others didn't.

♥ Jess ♥

STOP EDITING MY PROFILE

margarett

I see your issue, but I'm not sure it's a bug...
From the wiki
http://wiki.simplemachines.org/smf/Integration_hooks#integrate_reset_pass

QuotePurpose: For notifying external code when a user's password is modified outside of registration.
(which I understand as NOT being used for the username change, in fact it's not common to allow username changes...)

I think I also see where the hook is called, and why does it send you the old user equals new user. Let me have a look at it for a while...
Se forem conduzir, não bebam. Se forem beber... CHAMEM-ME!!!! :D

QuoteOver 90% of all computer problems can be traced back to the interface between the keyboard and the chair

blueshack

Thank you margarett

But you can change the username. And it works fine if you change only the username - you will get username and oldusername.
http://wiki.simplemachines.org/smf/Integration_hooks#integrate_reset_pass ->
"Sends: $old_user, $user, $newPassword"

But if you (by accident ;) change password too (the field is not locked/grayed out)-> username and password will be changed in smf_members but the hook gets only the new username for both variables (oldusername and username) ->
so nobody could look up the right  dataset somewhere in an external DB using this hook, because the username in this external DB is still the old and I know/get only the new one.

Thank you, andi

margarett

Yeah, I see your issue, as I said ;)

It's just that the hook gets called in different places, depending on what you do to your profile. I haven't yet had a chance to look at this but I stil want to ;)
The easiest way is really to edit the hook call and append the user ID in it ;) That way you can always query the database with the ID and make sure you know who is who. But I need to investigate a bit ;)
Se forem conduzir, não bebam. Se forem beber... CHAMEM-ME!!!! :D

QuoteOver 90% of all computer problems can be traced back to the interface between the keyboard and the chair

blueshack

Thank you.

No problem for me, I use allready the smfID in this external SabreDAV db for consistency.

I was just wondering why I shouldn't use the member id because in:
http://wiki.simplemachines.org/smf/Integration_hooks#integrate_activate
" Sends: string representing the member's name (since that is guaranteed to be consistent, member id is not)"

but maybe this is only for this specific hook.

And take your time - as I sayed - no problem for me.

Thank you, Andi

margarett

I would suggest that this is a typo someone made several years ago. Member ID is the fundamental key of the members table, so it doesn't get more consistent than that :P
Se forem conduzir, não bebam. Se forem beber... CHAMEM-ME!!!! :D

QuoteOver 90% of all computer problems can be traced back to the interface between the keyboard and the chair

Oldiesmann

The integrate_activate thing isn't a bug at all. It's done that way because the ID of the user in the external system won't necessarily be the same as it is in SMF. If we don't do it that way, then you have to pull the username from SMF unless you can guarantee that the IDs will be the same each time. You can guarantee that the username will be the same in both each time.

I'm not entirely sure if the integrate_change_password issue is a bug or not, because we use the username as part of the password hash (though I'm not sure why the external system needs to know that). Either way I think it would be best to add an integrate_change_username hook instead, since you can change someone's username without changing their password (in which case they get a password reset email sent to them as well).
Michael Eshom
Christian Metal Fans

Illori

Quote from: Oldiesmann on September 26, 2015, 01:50:22 PM
Either way I think it would be best to add an integrate_change_username hook instead, since you can change someone's username without changing their password (in which case they get a password reset email sent to them as well).

i dont think that is possible... as you said the username is used to hash the password, so how can you change the username without changing the password? in SMF this is not possible.

Oldiesmann

Quote from: Illori on September 26, 2015, 02:04:01 PM
Quote from: Oldiesmann on September 26, 2015, 01:50:22 PM
Either way I think it would be best to add an integrate_change_username hook instead, since you can change someone's username without changing their password (in which case they get a password reset email sent to them as well).

i dont think that is possible... as you said the username is used to hash the password, so how can you change the username without changing the password? in SMF this is not possible.

What I meant is you can change the username without specifying a new password for the user, in which case SMF will generate one for them. In fact, after further digging, it turns out that the expected behavior occurs in this situation (the old username is sent along with the new one and the generated password). Based on this, and the fact that the same "send the same username twice" behavior occurs two other places (besides the one mentioned in this topic), I'm thinking it's done that way as a way for the other system(s) to check whether the username changed as well and update it accordingly.

The best option here will be to fix the way things are done in the profile, so the old username is always sent when the username is changed, regardless of whether the admin chooses a new password for the user or lets SMF do it.
Michael Eshom
Christian Metal Fans

Oldiesmann

This should be fixed on GitHub now... I added another call to that hook for the situation where the admin changes both the username and the password (if you leave the password fields blank, letting SMF generate the password instead, you'll get the desired behavior already).
Michael Eshom
Christian Metal Fans

Advertisement: