Password change problem

jambo
User w
Posts: 19
Joined: Fri May 15, 2020 7:23 pm

Password change problem

Post by jambo »

Hello,

When a user changes their password on my "change password" screen, I watch the change happen IN the WordPress database. The hash changes and I can tell it got updated.

The next time a user clicks on a page in WordPress it gets changed BACK to the old password.

The interesting part is when I click directly on my "forum" link to go to phpBB the password stays the same UNTIL I go back to WordPress, at which time it is changed back to the old one.

The only system that has my password is phpBB so I surmise that the change never happened in phpBB after they changed it in Wordpress. So, the update is not happening or something else weird is going on!

Thank you!!!

James

jambo
User w
Posts: 19
Joined: Fri May 15, 2020 7:23 pm

Re: Password change problem

Post by jambo »

I fixed it. For everyone else, I needed to make sure that I called the action 'after_password_reset' and that made WP-W3all update the phpBB password. So, the whole flow looks like:

do_action( 'password_reset', $current_user, $pass1 ); // core's reset_password() passes the WP_User object here, not the ID

wp_set_password( $pass1, $current_user->ID );

do_action( 'after_password_reset', $current_user, $pass1 );

Thanks!!

axew3
w3all User
Posts: 1971
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy

Re: Password change problem

Post by axew3 »

Hello James! Thanks for the report.
"change password" screen
With a specific plugin or default WP?

When a user changes their password in WordPress, it should also be updated to the same one in phpBB at the same time.
If it is not, then what you correctly describe happens: the pass is updated to the old one, because the verify_phpbb_credentials() function checks for a password match and, on a mismatch, updates the pass of the WP user with the phpBB password. This is because you could let users change their passwords in phpBB. So when a WP profile update happens, the password should be updated at the same time in phpBB as well.
If this does not happen, then what you experienced comes out.

The solution you propose seems to be the right way to resolve it, but ... answering you right now, and looking into the code at the same time, this aspect comes out as a bug in the plugin code, I assume (I do not know why it is this way, or why at some moment in the past this function was coded like this):

In the wp_w3all.php file there is a call to the after_password_reset hook:

Code:

add_action( 'after_password_reset', 'wp_w3all_wp_after_password_reset', 10, 2 );

which, in the same file, then fires the function:

Code:

function wp_w3all_wp_after_password_reset($user, $new_pass) {
    $phpBB_user_pass_set = WP_w3all_phpbb::phpbb_pass_update_res($user, $new_pass);
    $phpBB_user_activate = WP_w3all_phpbb::wp_w3all_wp_after_pass_reset($user);
}

then in the file class.wp.w3all-phpbb.php:

Code:

public static function phpbb_pass_update($user, $new_pass) {

    global $w3all_config, $wpdb;

    $w3phpbb_conn = self::wp_w3all_phpbb_conn_init();

    $wpu_db_utab = (is_multisite()) ? WPW3ALL_MAIN_DBPREFIX . 'users' : $wpdb->prefix . 'users';

    // Reads the stored hash back from the WP users table; $new_pass is not used
    $ud = $wpdb->get_row("SELECT * FROM $wpu_db_utab WHERE ID = '$user->ID'");

    if (empty($ud)) {
        return;
    }

    if ( $user->ID == 1 ) { // update phpBB admin uid2
        $w3phpbb_conn->query("UPDATE ".$w3all_config["table_prefix"]."users SET user_password = '$ud->user_pass' WHERE user_id = '2'");
    } else {
        $w3phpbb_conn->query("UPDATE ".$w3all_config["table_prefix"]."users SET user_password = '$ud->user_pass' WHERE username = '".$user->user_login."'");
    }
}

I see that it updates by retrieving the user data via a query to the db, and then it updates using the retrieved data.
I assume that this way is the wrong way, because maybe the query happens BEFORE the effective WP user pass update, so why not use the $new_pass value instead of querying the db? So the function should be like this instead?

Code:

public static function phpbb_pass_update($user, $new_pass) {

    global $w3all_config;

    $w3phpbb_conn = self::wp_w3all_phpbb_conn_init();

    if ( $user->ID == 1 ) { // update phpBB admin uid2
        $w3phpbb_conn->query("UPDATE ".$w3all_config["table_prefix"]."users SET user_password = '$new_pass' WHERE user_id = '2'");
    } else {
        $w3phpbb_conn->query("UPDATE ".$w3all_config["table_prefix"]."users SET user_password = '$new_pass' WHERE username = '".$user->user_login."'");
    }
}

If it is possible to test it without changing anything else in the plugin code, and to check whether everything works fine after this change, that would be great; or please let me know which plugin (if you are using one) you experience the issue with.
Another issue to be fixed in the coming-soon 2.3.6.
Thank you!

axew3
w3all User
Posts: 1971
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy

Re: Password change problem

Post by axew3 »

a moment ...
Remark: the $new_pass parameter is the “New password for the user in plaintext” originally passed to reset_password( $user, $new_pass )
so the function should maybe be like this ... a moment ...

axew3
w3all User
Posts: 1971
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy

Re: Password change problem

Post by axew3 »

Code:

public static function phpbb_pass_update($user, $new_pass) {

    global $w3all_config, $wpdb;

    $w3phpbb_conn = self::wp_w3all_phpbb_conn_init();

    // $new_pass arrives in plaintext, so hash it before storing
    $new_pass = wp_hash_password($new_pass);

    if ( $user->ID == 1 ) { // update phpBB admin uid2
        $w3phpbb_conn->query("UPDATE ".$w3all_config["table_prefix"]."users SET user_password = '$new_pass' WHERE user_id = '2'");
    } else {
        $w3phpbb_conn->query("UPDATE ".$w3all_config["table_prefix"]."users SET user_password = '$new_pass' WHERE username = '".$user->user_login."'");
    }
}

Going to check everything about this asap.

axew3
w3all User
Posts: 1971
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy

Re: Password change problem

Post by axew3 »

Yes, it seems to work in my tests, with the function changed to the above.
So the function
public static function phpbb_pass_update($user, $new_pass) {
in the file class.wp.w3all-phpbb.php
should maybe be changed like this:

Code:

public static function phpbb_pass_update($user, $new_pass) {

    global $w3all_config;
    $w3phpbb_conn = self::wp_w3all_phpbb_conn_init();
    // $new_pass arrives in plaintext, so hash it before storing
    $new_pass = wp_hash_password($new_pass);

    if ( $user->ID == 1 ) { // update phpBB admin uid2
        $w3phpbb_conn->query("UPDATE ".$w3all_config["table_prefix"]."users SET user_password = '$new_pass' WHERE user_id = '2'");
    } else {
        $w3phpbb_conn->query("UPDATE ".$w3all_config["table_prefix"]."users SET user_password = '$new_pass' WHERE username = '".$user->user_login."'");
    }

}

And all works fine now?
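
An added example, not WP w3all's own code and not part of the posts above: the same phpBB update written with bound parameters and PHP's native password_hash(), run against an in-memory SQLite table so it is self-contained. The function name phpbb_pass_update_bound, the PDO connection, the bcrypt choice and the sample rows are assumptions for the demo; the table and column names are the ones shown in the thread.

```php
<?php
// Added example (hypothetical helper, not the plugin's API).
function phpbb_pass_update_bound(PDO $db, string $prefix, int $wp_user_id,
                                 string $user_login, string $new_pass): int
{
    // Table names cannot be bound as parameters, so validate the prefix.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $prefix)) {
        throw new InvalidArgumentException('unexpected table prefix');
    }
    // Hash the plaintext handed to the hook instead of re-reading the WP row,
    // which may still hold the old hash at the moment the hook fires.
    $hash = password_hash($new_pass, PASSWORD_BCRYPT); // algorithm is an assumption

    if ($wp_user_id === 1) { // WP admin maps to phpBB user_id 2, as in the thread
        $stmt = $db->prepare("UPDATE {$prefix}users SET user_password = :h WHERE user_id = 2");
        $stmt->execute([':h' => $hash]);
    } else {
        $stmt = $db->prepare("UPDATE {$prefix}users SET user_password = :h WHERE username = :u");
        $stmt->execute([':h' => $hash, ':u' => $user_login]);
    }
    // 0 rows means no phpBB account matched: worth logging, because the
    // two systems are then out of sync and the old password will come back.
    return $stmt->rowCount();
}

// Constructed sample data. The quoted username is there to show that
// binding does not rely on upstream sanitising of the login name.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE phpbb_users (user_id INTEGER PRIMARY KEY, username TEXT, user_password TEXT)");
$db->exec("INSERT INTO phpbb_users VALUES (2, 'admin', 'old'), (3, 'o''brien', 'old'), (4, 'jambo', 'old')");

$changed = phpbb_pass_update_bound($db, 'phpbb_', 7, "o'brien", 'new-secret-1');
$rows = $db->query("SELECT username, user_password FROM phpbb_users ORDER BY user_id")
           ->fetchAll(PDO::FETCH_KEY_PAIR);

var_dump($changed === 1);                                       // exactly one row updated
var_dump(password_verify('new-secret-1', $rows["o'brien"]));    // stored hash verifies
var_dump($rows['jambo'] === 'old');                             // other accounts untouched
```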

jambo
User w
Posts: 19
Joined: Fri May 15, 2020 7:23 pm

Re: Password change problem

Post by jambo »

Sorry for getting back to you so late! I was working other small issues on the site and because the password integration was working I never checked back here.

Now that the site looks good and the number of issues is almost zero, I came back to check what I missed and saw this.

I made those changes and it still works fine. I did not remove the changes I made to the plugin and will keep them there because I think that, since WordPress calls those functions in that order, so should the plugin.

The plugin I am using is "Paid Memberships Pro" and it works very well with your phpBB integration!

I am going to wait a few weeks to upgrade to 2.3.6 for all theater issues to calm down.

Thank you for everything!!!

axew3
w3all User
Posts: 1971
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy

Re: Password change problem

Post by axew3 »

Hello! In 2.3.6
add_action( 'after_password_reset', 'wp_w3all_wp_after_password_reset', 10, 2 );
has been switched to add_action( 'password_reset', 'wp_w3all_wp_after_password_reset', 10, 2 );
because with many front-end plugins, after_password_reset simply does not fire.

I tested some plugins that were not working before and that now work fine on 2.3.6.
Some bugs are resolved, and more fixes are coming in 2.3.7.
2.3.6 resolves any password problem, eliminates the use of the plugin's Bcrypt library, and switches to native PHP functions.
It is working fine without problems, tested up to PHP 7.4.7.

You can always go back to the old plugin code because there have been no database changes for several versions now, and this will remain so for a long time in the future as well. So you can save your modified version, and go back just by replacing the plugin's files.
Or you may apply the modification you made to 2.3.6, which resolves more bugs from 2.3.5.
See you soon, cheers!
