Allow some multisite illegal username characters

[pennymachines]

In order to integrate my WP multisite with a long-standing phpBB forum, I had to take measures to allow upper-case, periods, underscores, hyphens and spaces in WP usernames.

My question - I wonder what is the best way for WP3all to allow these users to login?

I see that I could edit '/[^0-9A-Za-z\p{Cyrillic}]/u' etc. in class.wp.w3all-phpbb.php, but changes will be lost when that file is updated in the future.

[axew3]

Hello David. I try to explain as best i can and if any wrong assumption may someone can help on fix until a general review will not be done asap i can.

Into a wp multisite, for what it was my little investigation about it, it do not allow several chars

Code: Select all

  // If it is a multisite, then Usernames can only contain lowercase letters (a-z) and numbers.
  // Setup as not linked this user (or get a loop)

    //if( is_multisite() && !empty($phpbb_user_session) && preg_match('/[^-0-9A-Za-z _.@\p{Cyrillic}]/u',$phpbb_user_session[0]->username) ){
    if( is_multisite() && !empty($phpbb_user_session) && preg_match('/[^0-9A-Za-z\p{Cyrillic}]/u',$phpbb_user_session[0]->username) ){
     setcookie ("w3all_set_cmsg", "phpbb_uname_chars_error", 0, "/", $w3cookie_domain, false);
     echo __('<p style="padding:30px;background-color:#fff;color:#000;font-size:1.3em"><strong>Notice: logged in username contains illegal characters forbidden on this CMS. Please contact an administrator.</strong></p>', 'wp-w3all-phpbb-integration');
     if (!defined('WPW3ALL_NOT_ULINKED')){
      define('WPW3ALL_NOT_ULINKED', true);
      return;
     }
    }

actually so, the code above that is into

Code: Select all

private static function verify_phpbb_credentials(){

on file /class.wp.w3all-phpbb.php, just define the user as not linked, if coming into wp with a session valid in phpBB, but the username do not satisfy chars requirements into wordpress.
While i realize, it need to be so changed because, instead, into the same function more below, IF THE USER IS not LOGGED INTO WP AND some other function (on wp_w3all.php) that manage the login for example, like the login widget or the hook onlogin, what it happen is the follow:
} // END is_user_logged_in()

Code: Select all

     // fix nicenames after addition
     // * update user_login and user_nicename for Cyrillic
     // [^-0-9A-Za-z _.@] check done before insertion

      // the username is too long or contain illegal chars
      // DISMISSED --> here checking only for , ' " \ and / chars, but regexp for legal chars in WP should be this: '/[^-0-9A-Za-z _.@]/'

      // if mums allowed only letters and numbers '/[^0-9A-Za-z]/' mums
      // preg_match('/[^-0-9A-Za-z _.@]/',$phpbb_user_session[0]->username) // default wp

      $phpbb_user_session[0]->username = mb_convert_encoding($phpbb_user_session[0]->username, "UTF-8");
      $contains_cyrillic = (bool) preg_match('/[\p{Cyrillic}]/u', $phpbb_user_session[0]->username);
      $phpBB_user_sanitized = sanitize_user( $phpbb_user_session[0]->username, $strict = false );

      if ( is_multisite() && preg_match('/[^0-9A-Za-z\p{Cyrillic}]/u',$phpbb_user_session[0]->username) OR $contains_cyrillic && preg_match('/[^-0-9A-Za-z _.@\p{Cyrillic}]/u',$phpbb_user_session[0]->username) OR strlen($phpbb_user_session[0]->username) > 50 OR strlen($phpBB_user_sanitized) < 1 ){
        // if ( is_multisite() && preg_match('/[^-0-9A-Za-z _.@\p{Cyrillic}]/u',$phpbb_user_session[0]->username) OR $contains_cyrillic && preg_match('/[^-0-9A-Za-z _.@\p{Cyrillic}]/u',$phpbb_user_session[0]->username) OR strlen($phpbb_user_session[0]->username) > 50 OR strlen($phpBB_user_sanitized) < 1 ){
        // avoid a loop if on forum's page
        if( isset($_SERVER['REQUEST_URI']) && !empty($wp_w3all_forum_folder_wp) && strstr($_SERVER['REQUEST_URI'], $wp_w3all_forum_folder_wp) ){
         echo __('<p style="padding:30px;background-color:#fff;color:#000;font-size:1.3em"><strong>Notice: your username contains illegal characters not allowed on this cms or contains more than 50 characters.<br />The forum cannot be displayed on this page.<br />Please contact an administrator.</strong></p>', 'wp-w3all-phpbb-integration');
         exit;
        }

       echo __('<p style="padding:30px;background-color:#fff;color:#000;font-size:1.3em"><strong>Notice: your username contains illegal characters not allowed on this cms or contains more than 50 characters.<br />Please contact an administrator.</strong></p>', 'wp-w3all-phpbb-integration');
       return;

      }

      $ck_wpun_exists = username_exists($phpbb_user_session[0]->username); // this way, if allowing any char, is not the right way to check if phpBB usernames allowed with forbidden chars in wp
      $user_id = email_exists($phpbb_user_session[0]->user_email); // this is the right way, if email update only allowed in wp, or login and email update done only in phpBB side
... ....
user addition in wp etc
... ...

it will follow to create the user in wp if possible, purging the phpBB username of unwanted wp chars.
The joke is little over complicated (but easy to understand) because different NON latin alphabets (i just added cirillic as example) require a different check using preg_match
So that after the insertion, into wp, the username may will result different than in phpBB:
for example Da vid will become David.
Because since 2.4.0 and lately on all versions, the integration works linking only by email.
So an username x in phpBB can be username y in WP, if user's emails are the same.

Let know where is the point you would see changed (explain the wrong behavior you have when doing something) so that it will be fixed

[pennymachines]

Thanks for the detailed response.

Let know where is the point you would see changed (explain the wrong behavior you have when doing something) so that it will be fixed

My problem is that, for example, username 'mr spam' can log into phpBB, but when he goes to Wordpress he sees: 'Notice: logged in username contains illegal characters forbidden on this CMS. Please contact an administrator.'

If he tries to log into Wordpress, he just gets that message, but cannot log in.

[pennymachines]

My issue solved by substituting

Code: Select all

preg_match('/[^0-9A-Za-z\p{Cyrillic}]

with:

Code: Select all

preg_match('/[^-0-9A-Za-z _.@\p{Cyrillic}]

in class.wp.w3all-phpbb.php

I appreciate this can't be permanently "fixed" without offering other complicated options in the w3all Admin for allowed characters.

[axew3]

You should not if on multisite because:
/wp-includes/ms-functions.php

Code: Select all

function wpmu_validate_user_signup( $user_name, $user_email ) {
	global $wpdb;

	$errors = new WP_Error();

	$orig_username = $user_name;
	$user_name     = preg_replace( '/\s+/', '', sanitize_user( $user_name, true ) );

	if ( $user_name != $orig_username || preg_match( '/[^a-z0-9]/', $user_name ) ) {
		$errors->add( 'user_name', __( 'Usernames can only contain lowercase letters (a-z) and numbers.' ) );
		$user_name = $orig_username;
	} .... 

The code should work already at best, purging eventual unwanted chars from username and using email in place of the old way, by username, to manage users logins/sessions