Allowing phpBB users to login to WP with email address

kay
Posts: 1
Joined: Thu Oct 29, 2020 2:13 pm

Allowing phpBB users to login to WP with email address

Post by kay »

I recently helped a web site with an existing phpBB forum integrate a WordPress-based support system, using wp_w3all to allow existing users to access the new support system. However, WordPress allows users to sign in with email address or password, whereas forum users, although they are prompted for email address or password on the support page login, can only login if they enter their username.

To remove confusion and allow forum users to login with their email address, we changed the following line in class.wp.w3all-phpbb.php :

WHERE u.username = '".$username."'

to

WHERE (u.username = '".$username."' OR u.user_email = '".$username."')

I realize that modifying plugin code is not a good idea for future compatibility reasons - is there any chance that this change could be incorporated into a future version of the plugin, perhaps as an option? Alternatively, is there another way to accomplish this same thing?

Thanks - and also thanks for writing this great plugin, allowing our existing users to login to WordPress solved a huge problem for us :)
axew3
w3all User
Posts: 2708
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy

Re: Allowing phpBB users to login to WP with email address

Post by axew3 »

Wow! Yes, it has already been resolved.
You just published a piece of code very similar to the new one, which more or less will be this:

Code:

$db_eu = is_email($username) ? 'users.user_email) = \''.mb_strtolower($username,'UTF-8').'\'' : 'users.username) = \''.mb_strtolower($username,'UTF-8').'\'';

  $phpbb_user = $w3phpbb_conn->get_results("SELECT *  
    FROM ". $w3all_config["table_prefix"] ."groups 
    JOIN ". $w3all_config["table_prefix"] ."users ON LOWER(". $w3all_config["table_prefix"] . $db_eu ." 
    AND ". $w3all_config["table_prefix"] ."users.group_id = ". $w3all_config["table_prefix"] ."groups.group_id");
It seems not many words are needed for you to understand: 2.3.9, if you let users register in phpBB, presents a security bug in certain conditions.
If the user registers in phpBB and is not immediately added into WP, because phpBB is not in iframe mode and the redirect trick from phpBB to WP after the registration process has terminated in phpBB (so that the user is also added into WP at the same time) is not applied, this presents a security bug for this user. Then, on 2.4.0 (but 2.3.9 will also be patched asap), switch the function
w3_check_phpbb_profile_wpnu()
on /wp-content/plugins/wp-w3all-phpbb-integration/class.wp.w3all-phpbb.php

into this:

Code:

public static function w3_check_phpbb_profile_wpnu($username){ // email/user_login

 if( defined('W3ALL_WPNU_CKU') OR empty($username) ): return; endif;

	global $w3all_config,$wpdb,$w3all_add_into_wp_u_capability,$w3cookie_domain;
	
  $username = trim($username);
  $user = is_email($username) ? get_user_by('email', $username) : get_user_by('login', $username );

   if ( strlen($username) > 50 ){
	   // $username is the login/email being checked here ($phpbb_user_session is not defined in this function)
	   echo '<p style="padding:30px;background-color:#fff;color:#000;font-size:1.3em">Your <strong>registered username on our forum contain characters not allowed on this CMS system, or your username is too long (max 49 chars allowed)</strong>, you can\'t be added or login in this site side (and you\'ll see this message) until logged in on forums as <b>'.esc_html($username).'</b>. Please return back and contact the administrator reporting about this error issue. Thank you <input type="button" value="Go Back" onclick="history.back(-1)" /></p>';
      return;
   } 
   
   
  $wpu_db_utab = (is_multisite()) ? WPW3ALL_MAIN_DBPREFIX . 'users' : $wpdb->prefix . 'users';
  $wpu_db_umtab = (is_multisite()) ? WPW3ALL_MAIN_DBPREFIX . 'usermeta' : $wpdb->prefix . 'usermeta';
  $w3phpbb_conn = self::wp_w3all_phpbb_conn_init(); 

  $username = esc_sql($username);
 /*$db_eu = is_email($username) ? 'users.user_email = \''.$username.'\'' : 'users.username = \''.$username.'\'';
  $phpbb_user = $w3phpbb_conn->get_results("SELECT *  
    FROM ". $w3all_config["table_prefix"] ."groups 
    JOIN ". $w3all_config["table_prefix"] ."users ON ". $w3all_config["table_prefix"] . $db_eu ." 
    AND ". $w3all_config["table_prefix"] ."users.group_id = ". $w3all_config["table_prefix"] ."groups.group_id");*/

  $db_eu = is_email($username) ? 'users.user_email) = \''.mb_strtolower($username,'UTF-8').'\'' : 'users.username) = \''.mb_strtolower($username,'UTF-8').'\'';

  $phpbb_user = $w3phpbb_conn->get_results("SELECT *  
    FROM ". $w3all_config["table_prefix"] ."groups 
    JOIN ". $w3all_config["table_prefix"] ."users ON LOWER(". $w3all_config["table_prefix"] . $db_eu ." 
    AND ". $w3all_config["table_prefix"] ."users.group_id = ". $w3all_config["table_prefix"] ."groups.group_id");

  if( !isset($phpbb_user[0]->user_id) OR $phpbb_user[0]->user_id < 3 ){ return; }

// default wp allows only [-0-9A-Za-z _.@]
  if( preg_match('/[^-0-9A-Za-z _.@]/',$phpbb_user[0]->username) ){
    echo __('<p style="padding:30px;background-color:#fff;color:#000;font-size:1.3em"><strong>Notice: your username contains illegal characters that are not allowed in this system. Please contact an administrator.</strong></p>', 'wp-w3all-phpbb-integration');
     return;
  }
  
// multisite (mu) allows only '[0-9A-Za-z]'
  if( is_multisite() && preg_match('/[^0-9A-Za-z]/',$phpbb_user[0]->username) ){
  	if (!defined('WPW3ALL_NOT_ULINKED')){
  	 define('WPW3ALL_NOT_ULINKED', true);
  	}
  	 setcookie ("w3all_set_cmsg", "phpbb_uname_chars_error", 0, "/", $w3cookie_domain, false);
  	 echo __('<p style="padding:30px;background-color:#fff;color:#000;font-size:1.3em"><strong>Notice: your username contains illegal characters that are not allowed in this system. Please contact an administrator.</strong></p>', 'wp-w3all-phpbb-integration');
  	  return;
  }

  // activated in phpBB?
 if( $user && !empty($phpbb_user) && $phpbb_user[0]->user_type == 0 && empty($user->wp_capabilities) ){ // re-activate this 'No role' WP user
     $user_role_up = serialize(array($w3all_add_into_wp_u_capability => 1));
	   $wpdb->query("UPDATE $wpu_db_umtab SET meta_value = '$user_role_up' WHERE user_id = '$user->ID' AND meta_key = 'wp_capabilities'");
  }

  // Banned or deactivated?
 if(!defined("W3BANCKEXEC") && !empty($phpbb_user)){
 	 define("W3BANCKEXEC", true);
 	 $banned_phpbb = self::w3_phpbb_ban($phpbb_user[0]->user_id, $phpbb_user[0]->username, $phpbb_user[0]->user_email);
 	 if($banned_phpbb === true){
 	 // to return an error message // see function w3all_msgs()
 		setcookie ("w3all_set_cmsg", "phpbb_ban", 0, "/", $w3cookie_domain, false);
     self::w3all_wp_logout('wp_login_url'); // should be just a redirect, not a logout, since the user here isn't still logged!
 	 }
 	}
  	
 if ( !empty($phpbb_user) && $phpbb_user[0]->user_type == 1 ){ 
 		setcookie ("w3all_set_cmsg", "phpbb_deactivated", 0, "/", $w3cookie_domain, false); 
    self::w3all_wp_logout('wp_login_url');  // well, same as above ... should be just a redirect, not a logout, since the user here isn't still logged
  }		  
// END banned or deactivated


 if ( !is_multisite() && !empty($phpbb_user) ) {
  if( $user && $phpbb_user[0]->user_type == 1 && !empty($user->wp_capabilities) ){
   // match on the WP user's email ($user_email was undefined here)
   $w3phpbb_conn->query("UPDATE ".$w3all_config["table_prefix"]."users SET user_type = '0' WHERE user_email = '".esc_sql($user->user_email)."'");
  }
 } 

 if ( ! $user && !empty($phpbb_user) && $phpbb_user[0]->user_type != 1 ) { 

     if ( $phpbb_user[0]->group_name == 'ADMINISTRATORS' ){
      	  $role = 'administrator';
      	} elseif ( $phpbb_user[0]->group_name == 'GLOBAL_MODERATORS' ){
          $role = 'editor';
        } else { // $role = 'subscriber'; // for all others phpBB Groups default to WP subscriber
               	 $role = $w3all_add_into_wp_u_capability;
               	}

   $userdata = array(
     'user_login' => $phpbb_user[0]->username,
     'user_pass' => $phpbb_user[0]->user_password,
     'user_email' => $phpbb_user[0]->user_email,
     'user_registered' => date_i18n( 'Y-m-d H:i:s', $phpbb_user[0]->user_regdate ),
     'role' => $role
    );
               
    $user_id = wp_insert_user( $userdata );
    
    // * update user_login and user_nicename and force to be what needed
       $user_username_clean = sanitize_user( $phpbb_user[0]->username, $strict = false ); 
       $user_username_clean = esc_sql(mb_strtolower($user_username_clean,'UTF-8'));
       $user_username = esc_sql($phpbb_user[0]->username);  

     if( !is_wp_error( $user_id ) ){ 
      $wpdb->query("UPDATE $wpu_db_utab SET user_login = '".$user_username."', user_pass = '".$phpbb_user[0]->user_password."', user_nicename = '".$user_username_clean."', display_name = '".$user_username."' WHERE ID = ".$user_id."");
      $wpdb->query("UPDATE $wpu_db_umtab SET meta_value = '".$user_username."' WHERE user_id = '$user_id' AND meta_key = 'nickname'");
     }
     
   if( is_wp_error( $user_id ) ){ 
   	  // TODO: return error via cookie instead
      echo '<h3>Error: '.$user_id->get_error_message().'</h3>' . '<h4><a href="'.get_edit_user_link().'">Return back</a></h4>';
      exit;
   } else {
    	 define("WPUSERCREATED",true);
     
     if($user){
    	   	
      // let wp_check_password() set phpbb session and login the user, if pass match
      if(isset($_POST['log']) && isset($_POST['pwd'])){
    	 wp_check_password($_POST['pwd'], $phpbb_user[0]->user_password, $user_id);	
      }
         
      if ( is_multisite() ){
       if ( !function_exists( 'get_current_blog_id' ) ) { 
        require_once ABSPATH . WPINC . '/load.php'; 
       } 
     
       if ( !function_exists( 'add_user_to_blog' ) ) { 
        require_once ABSPATH . WPINC . '/ms-functions.php'; 
       } 
       
       $blogID = get_current_blog_id();  

       // this way add only to the current visited blog
       $result = add_user_to_blog($blogID, $user_id, $role); 
      }
    
     } 
    }
   }
      
 define('W3ALL_WPNU_CKU', true);
 
}
Note this part:

Code:

      // let wp_check_password() set phpbb session and login the user, if pass match
      if(isset($_POST['log']) && isset($_POST['pwd'])){
    	 wp_check_password($_POST['pwd'], $phpbb_user[0]->user_password, $user_id);	
      }
It is still not complete/cleaned, but it will be more or less like this. Also, the user transfer process (WP to phpBB) needs to be fixed to correctly match lower/upper case, or user Btester will be detected as different from btester, so it can create some confusing problems for transferred users in phpBB, where a user Btester will be added if his email is different from that of user btester, who may already exist in phpBB. The integration does not allow duplicated usernames, so those users may not work properly when not with unique email/username pairs.

2.4.0 is coming, and resolves any known reported bug, discrepancy, and more and more and more and more!
Thank you for the report!
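As an added example (not code from either post above, nor from the wp-w3all plugin), here is the username-or-email lookup that both posts discuss, written with a bound parameter instead of quoting the identifier into the SQL string, with the case-folding from the second post and the WordPress username character rules the plugin function checks. It assumes PDO with SQLite for an in-memory stand-in for the phpBB tables, and uses filter_var() in place of WordPress' is_email(); the table contents are constructed for the demonstration.

```php
<?php
// Added example (not wp-w3all code): resolve a phpBB account by username OR
// e-mail, case-insensitively, using a bound parameter, then apply the
// WordPress username character rules. filter_var() stands in for the
// WordPress is_email() helper (assumption).

function w3_lookup_phpbb_user(PDO $db, string $prefix, string $identifier): ?array
{
    $identifier = mb_strtolower(trim($identifier), 'UTF-8');
    // Mirrors the plugin's empty-input guard and 49-character limit.
    if ($identifier === '' || mb_strlen($identifier, 'UTF-8') > 49) {
        return null;
    }
    $column = filter_var($identifier, FILTER_VALIDATE_EMAIL) !== false
        ? 'user_email'
        : 'username';
    // $prefix is configuration (the phpBB table prefix), never user input; the
    // identifier is bound, so quotes or SQL keywords in it are compared as text.
    $sql = "SELECT u.user_id, u.username, u.user_email, u.user_type, g.group_name
              FROM {$prefix}users u
              JOIN {$prefix}groups g ON g.group_id = u.group_id
             WHERE LOWER(u.{$column}) = :ident";
    $stmt = $db->prepare($sql);
    $stmt->execute([':ident' => $identifier]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function w3_username_allowed(string $username, bool $multisite = false): bool
{
    // Single-site WordPress accepts [-0-9A-Za-z _.@]; multisite only [0-9A-Za-z].
    $pattern = $multisite ? '/[^0-9A-Za-z]/' : '/[^-0-9A-Za-z _.@]/';
    return preg_match($pattern, $username) === 0;
}

// Constructed in-memory fixture standing in for phpbb_users / phpbb_groups.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE phpbb_groups (group_id INTEGER, group_name TEXT)');
$db->exec('CREATE TABLE phpbb_users (user_id INTEGER, username TEXT, user_email TEXT,
           user_type INTEGER, group_id INTEGER)');
$db->exec("INSERT INTO phpbb_groups VALUES (2, 'REGISTERED'), (5, 'ADMINISTRATORS')");
$db->exec("INSERT INTO phpbb_users VALUES (3, 'Btester', 'btester@example.com', 0, 2),
           (4, 'admin.user', 'admin@example.com', 0, 5)");

// Username, differently-cased username, differently-cased e-mail, and a string
// containing a quote: the first three resolve to user_id 3, the last to nothing.
foreach (['Btester', 'BTESTER', 'BTester@Example.com', "btester' OR '1'='1"] as $input) {
    $row = w3_lookup_phpbb_user($db, 'phpbb_', $input);
    if ($row === null) {
        echo "$input => no match\n";
        continue;
    }
    $ok = w3_username_allowed($row['username'], false) ? 'allowed' : 'rejected';
    echo "$input => user_id {$row['user_id']} ({$row['username']}, {$row['group_name']}), WP username $ok\n";
}
```

Two caveats when carrying this over to the real plugin: SQLite's LOWER() folds only ASCII, whereas on MySQL the comparison is usually already case-insensitive under the column collation, and the plugin additionally lowercases in PHP with mb_strtolower(); and matching on e-mail is only safe when phpBB e-mails are unique and verified, which is the unique email/username pairing the second post says the integration requires.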