Am I missing something?

[imforumman]

So, after the disaster with the Synch-Users button (which I still feel needs an extra warning in the sotware itsself and not just in the documentation), here I am back after having tried the joomlahacks (Joomla-SMF-Component) and being scared to hell by the prospect of patching files of either installation... I just like the patch-free approach so much better.

To start: Joomla 1.0.9, SMF 1.1 RC2 and the Bridge v1.1.4. Localhost.
Relevant component: Community Builder 1.0.

Installed the Bridge. Configured it to use CB Registration. (Q1: Could I uninstall SMF-Bridge-Registration-Component at this time?) SMF Login form appears. (Q2: I have to use that one, there is no way to use the CB one?). It contains all sorts of greetings and info I don't want, the forum is only a small part of the site and should not dominate the login process. (Q3: How do I remove all that stuff?) So much for configuration.

So I started testing. I can log in, using the Bridge login form, and true enough, I am logged in, into the forum -- ONLY. Neither does the usermenu appear nor does the CB login module behave as if it were logged in (The user menu does not appear either, if I unpiublish the the CB login module, in case it was interfering). I can log in using the CB-login module, then the usermenu appears but then neither the bridge-login-module nor the forum know of the logged-in status.

As I feel the approach this bridge takes is the better one, I would love to use this software... does anybody have any suggestions?

Thank you all in advance.

PS:

While writing this I explored the not so far-fetched option of trying this on a completely clean install. So I... installed Joomla (id admin, pw admin), installed SMF (user admin, pw admin), installed the Bridge, configure it, and... same results as above. So I'm thinking: am I missing something completely obvious here? Am I just that stupid? Or is the Bridge not designed what I am expecting it to do (Login the user into the usermenu and into the forum at the same time)?

But this is not the end of my story. Ok, continue with the clean system just created. I decided, maybe I had forgotten the obvious, so I hit that scary button Migrate Joomla Users to SMF. And yes, it added the Administrator. Ok, so I'm thinking, try again, it will work now. But... same results as above.

So in my desperation, I type "Administrator" (instead of "admin") into the bride login form and type the password. Wrong password (but right user?). So I try the emailaddress as the password... let's just call it intuition ... "secury has been reworked, enter again"... so I enter again, and woah!!! Logged in (to the forum only) using the real-name and the email-address!?!?!?! Ok, NOW I'm scared!

[Orstio]

(Q1: Could I uninstall SMF-Bridge-Registration-Component at this time?)

No.  Joomla has no native function for resending an activation email.  I added this into the bridge registration.  Also, when a new password is created and sent via the "Forgot Password" function, the native Joomla function won't insert that new password into SMF, while the bridge will.  So, it is still required, even if not used for the actual registration.

SMF Login form appears. (Q2: I have to use that one, there is no way to use the CB one?).

That is correct.  The CB login form will not set the SMF cookie.

It contains all sorts of greetings and info I don't want, the forum is only a small part of the site and should not dominate the login process. (Q3: How do I remove all that stuff?) So much for configuration.

Go to your Joomla admin panel.  Go to your Modules Menu.  Click on Site Modules.

Find mod_smf_login in the list of modules.  It might not be on the first page.  When you find it, click on it.

Set the params to your liking.  There are parameters to hide or show whatever you want in the information on the login box.  Make sure to Save when you are done.

While writing this I explored the not so far-fetched option of trying this on a completely clean install. So I... installed Joomla (id admin, pw admin), installed SMF (user admin, pw admin), installed the Bridge, configure it, and... same results as above. So I'm thinking: am I missing something completely obvious here? Am I just that stupid? Or is the Bridge not designed what I am expecting it to do (Login the user into the usermenu and into the forum at the same time)?

Joomla 1.0.9 made changes to the name of the session cookie (again), so a small change is required to the bridge:

For the 1.1.4 bridge, one small change needs to be made for the Joomla 1.0.9 upgrade.  Find this in smf.php (in the integrate_login function):

Koodi [Valitse] Laajenna


//Joomla 1.0.8 compatibility

if (isset($_VERSION) && $_VERSION->PRODUCT == 'Joomla!' && $_VERSION->DEV_LEVEL >= '8'){
$remCookieName = mosMainFrame::remCookieName_User();
                        $remCookieValue = mosMainFrame::remCookieValue_User( $username ) . mosMainFrame::remCookieValue_Pass( $passwd );
setcookie( $remCookieName, $remCookieValue, $lifetime, '/' );
}

and replace it with this:

Koodi [Valitse] Laajenna


//Joomla 1.0.8 compatibility

if (isset($_VERSION) && $_VERSION->PRODUCT == 'Joomla!' && $_VERSION->DEV_LEVEL >= '8'){
$remCookieName = mosMainFrame::remCookieName_User();
//Joomla 1.0.9 compatibility
                        if ($_VERSION->DEV_LEVEL>='9')
$remCookieValue = mosMainFrame::remCookieValue_User( $username ) . mosMainFrame::remCookieValue_Pass( $passwd ) . $row['id'];
                        else
$remCookieValue = mosMainFrame::remCookieValue_User( $username ) . mosMainFrame::remCookieValue_Pass( $passwd );
setcookie( $remCookieName, $remCookieValue, $lifetime, '/' );
}

[imforumman]

Orstio, thank you for your fast and detailed reply. I did not find that information on 1.0.9, possibly such a thing could be made sticky?

What abou the login with name and email? I checked the database user database of SMF, and it does have that entry with email and password mixed up... possibly a securty issue?

I'm away till tomorrow, so i can reply only then.
Thanks again!

[Kindred]

the 1.0.9 correction code is posted in TWO of the sticky threads already.

[Orstio]

Being able to login with your email address instead of your username is a native function of SMF.  It is for those who know which email address they used to register, but forgot their username.

The mixed up password/email entries for the users in the jos_users table is a bug in the synch function of the bridge:

http://www.simplemachines.org/community/index.php?topic=83667.msg570114#msg570114

[imforumman]

Yes, but this is abug which enables a third person to log in using
The Username and the e-mailaddress. That is, IMHO, a security risk... no?

[Orstio]

No.  You can't login with a combination of username and email.

You can login with a combination of username and password.

You can login with a combination of email and password.

[imforumman]

Orstio: I beg you: I did it. Logged in using Username and email.
Since I can't upload attachments here, here is the part of the table generated by phpmyadmin:

Table: smf_members
memberName        passwd           emailAddress
admin     2d9b30dced98bf92dcbd7c27493c0c81f85a59b7     [email protected]
Administrator      [email protected]           50b75b1c5d855e7b61e13b02370e9aed

The first one is the admin account created during the smf installation. the second one was synched by the bridge. Now use: username Administrator and the emailaddress as the password. after a confirmation, it works!!!!

[Orstio]

It does not matter what is in the SQL table.  The password that is typed in is hashed in MD5 before it is compared to the value in the database.  If the value in the database is not a MD5 hash, it can't possibly match the hashed value that was typed into the login form.

It NEVER compares the typed value with the value in the table.

[imforumman]

That would have been my logic too, but I just experienced something else. Well, since the bridge was so Forum-focused (I see the forum as just another small part of the site) I decided to ditch SMF and the bridge. I'm truly sorry it didn't work out, SMF is such a cool forum. But software with security issues, especially ones the author does not take seriously, well, I stay away from those as much as posibly anyway. Maybe someday I'll have the time to send you screenshots...