PKP Support

[davidsorfa]

I have found that if I use the "Forgot Your Password" function everything works perfectly (a confirmation email is sent; a new password is assigned) until logging in with the reset password, OJS attaches a must_change_password flag to that login but the next "change login" page refuses to accept the old password (sent via email) and also gives an error stating that the new passwords do not match each other (when they do).

(I thought I'd locked myself out of the system but realised that I could go into the MySQL database and change the flag on must_change_password from 1 to 0 - a bit scary for a database novice!).

I think I've isolated the problem to the loginChangePassword files - but really can't figure out what the problem is. Is there a way of disabling the "must change password" function? Or a fix for the general problem?

Thanks
David

http://www.film-philosophy.com/index.php/f-p

[davidsorfa]

Is this error just me?

In any case, any suggestions on how I can turn off the forced password change after reset?

Thanks
David

[davidsorfa]

Managed to sort this out finally. Just involved commenting out one line of code in the end.

[mcrider]

Hi David,

Would you mind letting us know what line you commented out? I'll do some investigation to see if this is an actual bug.

Cheers,
Matt

[davidsorfa]

Yes, sorry:

The file in question is:

/lib/pkp/pages/login/PKPLoginHandler.inc.php

I commented out line 111:

// } else if ($user->getMustChangePassword()) {

Even if a user has a "must change password" tag attached to them, this just skips them through to User Home. The User is then able to use "Reset Password" to change their password as usual.

I can't say whether this is a system bug or whether it is just due to my own ISP's database set up (or whatever - sorry, I realised there that I don't really know what I'm talking about!).

[aliasmohd]

I can't find the line in the said file?
Version 2.3.1.1

mport('pages.login.PKPLoginHandler');

class LoginHandler extends PKPLoginHandler {
/**
* Sign in as another user.
* @param $args array ($userId)
*/
function signInAsUser($args) {
$this->addCheck(new HandlerValidatorJournal($this));
// only managers and admins have permission
$this->addCheck(new HandlerValidatorRoles($this, true, null, null, array(ROLE_ID_SITE_ADMIN, ROLE_ID_JOURNAL_MANAGER)));
$this->validate();

if (isset($args[0]) && !empty($args[0])) {
$userId = (int)$args[0];
$journal =& Request::getJournal();

if (!Validation::canAdminister($journal->getJournalId(), $userId)) {
// We don't have administrative rights
// over this user. Display an error.
$templateMgr =& TemplateManager::getManager();
$templateMgr->assign('pageTitle', 'manager.people');
$templateMgr->assign('errorMsg', 'manager.people.noAdministrativeRights');
$templateMgr->assign('backLink', Request::url(null, null, 'people', 'all'));
$templateMgr->assign('backLinkLabel', 'manager.people.allUsers');
return $templateMgr->display('common/error.tpl');

$userDao =& DAORegistry::getDAO('UserDAO');
$newUser =& $userDao->getUser($userId);
$session =& Request::getSession();

// FIXME Support "stack" of signed-in-as user IDs?
if (isset($newUser) && $session->getUserId() != $newUser->getId()) {
$session->setSessionVar('signedInAs', $session->getUserId());
$session->setSessionVar('userId', $userId);
$session->setUserId($userId);
$session->setSessionVar('username', $newUser->getUsername());
Request::redirect(null, 'user');
}
}
Request::redirect(null, Request::getRequestedPage());
}

/**
* Restore original user account after signing in as a user.
*/
function signOutAsUser() {
$this->validate();

$session =& Request::getSession();
$signedInAs = $session->getSessionVar('signedInAs');

if (isset($signedInAs) && !empty($signedInAs)) {
$signedInAs = (int)$signedInAs;

$userDao =& DAORegistry::getDAO('UserDAO');
$oldUser =& $userDao->getUser($signedInAs);

$session->unsetSessionVar('signedInAs');

if (isset($oldUser)) {
$session->setSessionVar('userId', $signedInAs);
$session->setUserId($signedInAs);
$session->setSessionVar('username', $oldUser->getUsername());
}
}

Please help
Alias

[mcrider]

Hi aliasmohd,

It should be at about line 111--Its in the signIn() function, not the signInAsUser() function.

Cheers,
Matt

[aplatanado]

We have the same problem in OJS 2.3.1-2 and OJS 2.3.4 (after upgrade from 2.3.1-2).

All user recives two erros when they try to change their password in the form which are redirected after login:

* The current password you entered was incorrect.
* The passwords do not match.

I have done some test and have found that:
* $passwordForm->-data contains the right form values after $passwordForm->readInputData() in PKPLoginHandler->savePassword()
* $form->_data is empty inside the functions setted to validate the form at LoginChangePasswordForm constructor.

I think the custom validation functions are recieving a copy of the LoginChangePasswordForm object before load the form data in it (that is, before readInputData is called). So the problem could be in the last argument passed to FormValidatorCustom constructor.

[aplatanado]

Hello,

Finally, I found that the construction by reference of LoginChangePasswordForm inside savePassword()

$passwordForm =& new LoginChangePasswordForm(); // before the patch of #4772#

was removed

$passwordForm = new LoginChangePasswordForm(); // after the patch of #4772#

to fix the bug

Thanks.

[richl]

I've just installed OJS 2.3.6 I have a local copy of the site and everything seems to work fine; however, the live version seems to be suffering from the same problem described above - when resetting a forgotten password, I keep getting two error messages in the Change Password screen: * The current password you entered was incorrect and *The password you entered is not long enough. Even when I correctly enter the password sent from OJS, I still receive both errors.

@aplatanado: I'd like to try the fix you've mentioned above, however I'm not sure exactly where the #4472# patch is within the code.

Ok, thanks.

[jmacgreg]

Hi richl,

If you've copied an install over to work on locally, you should also double-check that your "encryption" settings in your config.inc.php files are the same. If you installed OJS and registered users using one encryption scheme (eg. md5, sha1) and migrated/copied the DB to another location, you won't be able to log in if the new encryption scheme doesn't match the original.

Cheers,
James

[richl]

Thanks for your reply James.

It turns out that the log in issue was being caused by the PHP configuration setting on my cpanel. Once I'd changed the the .php file extension from default to PHP 5, the change password form accepted both my old password and a new passord.

[sweidman]

Hi all.

I have exactly this problem with a site running 2.3.6, which was recently upgraded from 2.2.3. I checked our encryption settings in config.inc.php, and we were using sha1 before and after the upgrade, so I don't think that's the problem. I tried to see if the problem could be resolved by removing the & from the call to LogingChangePasswordForm inside savePassword, but in the current version of the code (which was moved into /lib/pkp/pages/login/PKPLoginHandler.inc.php:307) does not have an ampersand in that call. See http://pkp.sfu.ca/support/forum/viewtopic.php?f=8&t=5416#p29282.

Also, the cpanel config change suggested in one of the posts doesn't apply to us either because we run our own server.

Does anyone have any clue as to what might be causing this and how we might fix the problem?

Any assistance would be greatly appreciated.

Regards,
Syd

[blstzus]

Hi all,
We have the same problem as above. except that we migrated from 2.2.4 to 2.3.7 (full installation).
No users can login, but using the 'forgot password' function will allow the user to login as usual after that.
Anyway to fix that?

Is it something to do with PKPLoginHandler too? I checked the code, is it somthing related to this lines (line 113 -133)?:

Code: Select all

$user = Validation::login(Request::getUserVar('username'), Request::getUserVar('password'), $reason, Request::getUserVar('remember') == null ? false : true);
      if ($user !== false) {
         if ($user->getMustChangePassword()) {
            // User must change their password in order to log in
            Validation::logout();
            PKPRequest::redirect(null, null, 'changePassword', $user->getUsername());

         } else {
            $source = Request::getUserVar('source');
            $redirectNonSsl = Config::getVar('security', 'force_login_ssl') && !Config::getVar('security', 'force_ssl');
            if (isset($source) && !empty($source)) {
               PKPRequest::redirectUrl(
                  ($redirectNonSsl?'http':Request::getProtocol()) . '://' . Request::getServerHost() . $source,
                  false
               );
            } elseif ($redirectNonSsl) {
               PKPRequest::redirectNonSSL();
            } else {
               Request::redirectHome();
            }
         }