Password change problem

jambo
User ww
User ww
Posts: 21
Joined: Fri May 15, 2020 7:23 pm

Password change problem

Post by jambo »

Hello,

When a user changes their password on my "change password" screen, I watch the change happen IN the wordpress database. The hash is changes and I can tell it got updated.

The next time a user clicks on a page in wordpress it gets changed BACK to the old password.

The interesting part is when I click directly on my "forum" link to go to phpBB the password stays the same UNTIL I go back to Wordpress in which time it is changed back to the old one.

The only system that has my password is phpBB so I surmise that the change never happened in phpBB after they changed it in Wordpress. So, the update is not happening or something else weird is going on!

Thank you!!!

James
jambo
User ww
User ww
Posts: 21
Joined: Fri May 15, 2020 7:23 pm

Re: Password change problem

Post by jambo »

I fixed it. For everyone else, I needed to make sure that I called the action 'after_password_reset' and that made WP-W3all update the phpBB password. So, the whole flow looks like:

do_action( 'password_reset', $current_user->ID, $pass1 );

wp_set_password( $pass1, $current_user->ID );

do_action( 'after_password_reset', $current_user, $pass1 );

Thanks!!
User avatar
axew3
w3all User
w3all User
Posts: 2689
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy
Contact:

Re: Password change problem

Post by axew3 »

Hello James! Thank for the report.
"change password" screen
with a specific plugin or default wp?

When an user change password in wordpress, it should be also updated to the same in phpBB at same time.
If it is not, then happen what you correctly say: the pass is updated to the old one, because the verify_phpbb_credentials(){ function check for password match, and if mismatch, update the pass of the wp user with phpBB password. This because you could let users change their passwords into phpBB. So when a wp profile update happen, the password should be updated at same time into phpBB also.
If this do not happen, then what you experience come out.

The solution you propose seem to be the right way to resolve, but ... answering to you right now, and looking into code at same time, this aspect come out with a bug into plugin code i assume (do not know why it is this way, why at this moment in the past, this function has been coded like this):

into wp_w3all.php file there is a call to the after_password_reset hook:

Code: Select all

add_action( 'after_password_reset', 'wp_w3all_wp_after_password_reset', 10, 2 );
that into same file, fire then the function:

Code: Select all

function wp_w3all_wp_after_password_reset($user, $new_pass) {
     $phpBB_user_pass_set = WP_w3all_phpbb::phpbb_pass_update_res($user, $new_pass); 
     $phpBB_user_activate = WP_w3all_phpbb::wp_w3all_wp_after_pass_reset($user); 
}
then into file class.wp.w3all-phpbb.php:

Code: Select all

public static function phpbb_pass_update($user, $new_pass) { 

     	 global $w3all_config,$wpdb;
     
     $w3phpbb_conn = self::wp_w3all_phpbb_conn_init();

        	$wpu_db_utab = (is_multisite()) ? WPW3ALL_MAIN_DBPREFIX . 'users' : $wpdb->prefix . 'users';

	     $ud = $wpdb->get_row("SELECT * FROM  $wpu_db_utab WHERE ID = '$user->ID'");
       
     if(empty($ud)){
       	return;
      }

    if ( $user->ID == 1 ){ // update phpBB admin uid2
       $w3phpbb_conn->query("UPDATE ".$w3all_config["table_prefix"]."users SET user_password = '$ud->user_pass' WHERE user_id = '2'");
     } else { 
        $w3phpbb_conn->query("UPDATE ".$w3all_config["table_prefix"]."users SET user_password = '$ud->user_pass' WHERE username = '".$user->user_login."'");
       } 
} 
I see it update retrieving the user data via a query to db, then it update using retrieved data.
I assume that this way, is the wrong way because maybe, the time of the query happen BEFORE the effective WP user pass update, so why do not use, the $new_pass value, going to query the db instead? So the function should be like this instead?

Code: Select all

public static function phpbb_pass_update($user, $new_pass) { 

     	 global $w3all_config;
     
     $w3phpbb_conn = self::wp_w3all_phpbb_conn_init();

    if ( $user->ID == 1 ){ // update phpBB admin uid2
       $w3phpbb_conn->query("UPDATE ".$w3all_config["table_prefix"]."users SET user_password = '$new_pass' WHERE user_id = '2'");
     } else { 
        $w3phpbb_conn->query("UPDATE ".$w3all_config["table_prefix"]."users SET user_password = '$new_pass' WHERE username = '".$user->user_login."'");
       } 
} 

if it possible to test it without changing nothing else into plugin code, and look if all after this change works fine would be great, or please let me know what (if using) plugin you experience the issue.
Another issue to be fixed on next coming soon 2.3.6
Thank you!
User avatar
axew3
w3all User
w3all User
Posts: 2689
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy
Contact:

Re: Password change problem

Post by axew3 »

a moment ...
Remark: the $new_pass parameter is the “New password for the user in plaintext” originally passed to reset_password( $user, $new_pass )
so the function should maybe be like this ... a moment ...
User avatar
axew3
w3all User
w3all User
Posts: 2689
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy
Contact:

Re: Password change problem

Post by axew3 »

Code: Select all

public static function phpbb_pass_update($user, $new_pass) { 

     	 global $w3all_config,$wpdb;
     
     $w3phpbb_conn = self::wp_w3all_phpbb_conn_init();
      
   $new_pass = wp_hash_password($new_pass);
 
    if ( $user->ID == 1 ){ // update phpBB admin uid2
       $w3phpbb_conn->query("UPDATE ".$w3all_config["table_prefix"]."users SET user_password = '$new_pass' WHERE user_id = '2'");
     } else { 
        $w3phpbb_conn->query("UPDATE ".$w3all_config["table_prefix"]."users SET user_password = '$new_pass' WHERE username = '".$user->user_login."'");
       } 
}
going to check all about asap
User avatar
axew3
w3all User
w3all User
Posts: 2689
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy
Contact:

Re: Password change problem

Post by axew3 »

Yes it seem to work into my tests, with the function changed to the above.
So the
function public static function phpbb_pass_update($user, $new_pass) {
into file class.wp.w3all-phpbb.php
should may be changed like this

Code: Select all

public static function phpbb_pass_update($user, $new_pass) { 

     global $w3all_config;
     $w3phpbb_conn = self::wp_w3all_phpbb_conn_init();
     $new_pass = wp_hash_password($new_pass);
 
    if ( $user->ID == 1 ){ // update phpBB admin uid2
       $w3phpbb_conn->query("UPDATE ".$w3all_config["table_prefix"]."users SET user_password = '$new_pass' WHERE user_id = '2'");
     } else { 
        $w3phpbb_conn->query("UPDATE ".$w3all_config["table_prefix"]."users SET user_password = '$new_pass' WHERE username = '".$user->user_login."'");
       } 

} 
and all works fine now?
Post Reply