PKP Support Forum
[RELEASE] User registration process validated by mail

Postby asmecher » Thu Jan 11, 2007 1:00 pm

Hi mbria,

Your method sounds good to me -- if I recall, phpBB uses the same approach. It should be suitable for inclusion as a core feature unless unexpected complications arise in the implementation, which I don't expect OTOH.

I'd suggest making this a site-wide configuration option rather than a journal-specific one. In this case, you can add the configuration options either to the config.inc.php configuration file or the site settings page.

Regards,
Alec Smecher
Open Journal Systems Team
---
Don't miss the First International PKP Scholarly Publishing Conference
July 11 - 13, 2007, Vancouver, BC, Canada
http://ocs.sfu.ca/pkp2007/

About accessKeys

Postby mbria » Wed Jan 17, 2007 6:28 am

Hi Alec et.al,

I have nearly finished my patch but I'm stuck on two silly things.

The new registration process will be:

Code:
    User registers ->
        OJS creates the user (disabled) and mails an activation mail ->
            User requests the mail's activation URL ->
                OJS closes the process:
                    enables the user and mails the login username and password.

I did my best to be careful with the OJS API and I think the patch follows OJS logic and coding standards, but I'm unable to fix a couple of issues in the "OJS way":

a) How do I temporarily store the password? To secure it a little I didn't send the password in the activation mail (only the username/token are sent), but when the new user requests the activation, OJS needs to mail him/her the password, so it needs to be stored somewhere. May I store this within any accessKey? How?

b) Also related to the accessKeys... I think I really don't catch the concept. I understand I need to create a new key for each user (what I called "token") and I managed to store it successfully in the access_key table, but after this I'm unable to "validate" it with the mail information.

At "RegistrationForm" I patched as follows:
Code:
                // Create the user's token as an access_key
                // and send an activation mail to the user.
                import('security.AccessKeyManager');
                import('mail.MailTemplate');

                $accessKeyManager =& new AccessKeyManager();
                $keyLifetime = 14;  // days; should this be a journal setting?
                $userId = $user->getUserId();
                // createKey() stores only the hash in access_key and returns the
                // plaintext key; assocId is null because the key is bound to the
                // user alone (there is no related object, unlike a review).
                $token = $accessKeyManager->createKey('RegisterContext', $userId, null, $keyLifetime);

                // Activation URL: <journal>/user/activateUser/<username>/<token>
                $activateUserUrl = $journal->getUrl();
                $activateUserUrl .= '/user/activateUser';
                $activateUserUrl .= '/' . $this->getData('username');
                $activateUserUrl .= '/' . $token;

                // The activation mail carries the username and URL only, not the password.
                $mail =& new MailTemplate('USER_REGISTER_VALID');
                $mail->setFrom($journal->getSetting('contactEmail'), $journal->getSetting('contactName'));
                $mail->assignParams(array('username' => $this->getData('username'), 'activateUrl' => $activateUserUrl));
                $mail->addRecipient($user->getEmail(), $user->getFullName());

                $mail->send();


This first patch perfectly generates the activation URL, which will be something like:

Code:
http://www.example.net/site/index.php/journal/user/activateUser/marc/MPz3SpRt


As you will notice, it calls a new verb-action (activateUser) that accepts 2 arguments, username/accessKey.

This new action is the only thing I need to finish to publish the patch, but it will be something like:
Code:
function activateUser() {

        // Expected URL: .../user/activateUser/<username>/<key>
        $userArgs = Request::getRequestedArgs();
        $user = null;
        $accessKey = null;

        if (isset($userArgs[1])) {

            $journal =& Request::getJournal();
            $userDao =& DAORegistry::getDAO('UserDAO');
            $user =& $userDao->getUserByUsername($userArgs[0]);
            import('security.AccessKeyManager');

            // Check user/token. validateKey() hashes the raw key itself,
            // so the key from the URL is passed in unhashed.
            if ($user) {
                $accessKeyManager =& new AccessKeyManager();
                //$userArgs[1]=AccessKeyManager::generateKeyHash($userArgs[1]);
                $accessKey =& $accessKeyManager->validateKey(
                    'ReviewerContext',
                    $user->getUserId(),
                    $userArgs[1]
                );
                // Debug only; any output here breaks the redirect below:
                // print ("accessKey: <pre>"); var_dump($accessKey); print ("</pre><br/>");
            }
        }

        if ($user && $accessKey) {
            // Activate user (only when the token validated)
            $user->setDisabled(false);
            $user->setDisabledReason(null);

            $userDao->updateUser($user);

            // Mail welcome email with login info to user
            import('mail.MailTemplate');
            $mail =& new MailTemplate('USER_REGISTER');
            $mail->setFrom($journal->getSetting('contactEmail'), $journal->getSetting('contactName'));

            // Recovering pass to send full login info:
            $mail->assignParams(array('username' => $user->getUsername(), 'password' => "accessKeyStoresPass"));
            $mail->addRecipient($user->getEmail(), $user->getFullName());
            $mail->send();

            // Redirects to login page:
            Request::redirect(null, 'login');
        }
        else {
            // Calls the error template.
            print ("<pre>");
            print ("Unable to activate this user:<br />");
            var_dump ($userArgs);
            print ("</pre>");
            die();
        }
    }


I hope this code illustrates both doubts: first, why I need to temporarily store users' passwords and second, my ignorance about the AccessKey class and especially the "validateKey" method.

Do you have any suggestion, manual or example? I read "ReviewerHandler" and "SessionEditorAction" but I didn't understand why my validate always returns NULL.

BTW (to finish this long post), what is "assocId" attribute in the "access_key" table?

Thousand thanks in advance,

m.

Postby asmecher » Wed Jan 17, 2007 11:24 am

Hi mbria,

That looks very close -- I suspect your access key validation problem is due to mismatching contexts (RegisterContext vs. ReviewerContext, when both should be RegisterContext). Otherwise the code looks fine.

Temporarily storing the passwords in an unencrypted manner is a tricky one; we've entirely avoided the problem so far and I'd suggest continuing to do so if possible. Plaintext password storage is a major security risk. You could consider including the username and password information in the first email, along with a note stating that they will not become active until the URL is followed...?

Regards,
Alec Smecher
Open Journal Systems Team

EUREKA !!

Postby mbria » Wed Jan 17, 2007 1:44 pm

I suspect your access key validation problem is due to mismatching contexts (RegisterContext vs. ReviewerContext, when both should be RegisterContext).


Of course was this. Million thanks !!! :lol: :lol:
How silly am I !! I'm the most stupid coder in this side of the sea... :oops:

Looks like I cut&pasted from your "Reviewer" example and after reading it a hundred times, this code was too printed on my retina to notice the difference. :roll:

Temporarily storing the passwords in an unencrypted manner is a tricky one; we've entirely avoided the problem so far and I'd suggest continuing to do so if possible.


Your wishes are orders for me. :-P
It will be done as you suggest.

You could consider including the username and password information in the first email, along with a note stating that they will not become active until the URL is followed...?


Although I still believe the logical process is sending login information only when the user is finally activated, I fully understand and agree with the security concerns you pointed out, so the only choice I see is the one you recommend... but with a little variation (if it's also ok with you):

Instead of sending a single mail with activation code and login info, I suggest two separate mails that will be harder to sniff, hijack... whatever.

I hope I will finish the code tonight and create the patches that I will test tomorrow on our testing server, in a quite "real context" with clean OJS 2.1.1.0 code. After being sure the patches work fine, I will forward them to your team.

Thanks again (and again, and again) for your fast and invaluable help,

Marc.
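
The flow the posts above converge on, as an added example that is neither OJS code nor part of the validMail patch: a Python model of OJS-style access keys (create_key/validate_key, with the table holding only a hash of the key and each key bound to a context, a user id and an expiry) driving a two-mail registration, where the first mail carries only the activation link and the second only the username, so no plaintext password is ever stored. It also reproduces the NULL seen earlier in the thread: a key created under 'RegisterContext' is not found under 'ReviewerContext'. Class and method names, the URL layout, the key and password hashing, and the reading of assoc_id (an optional id of a related object such as a review, left None for registration) follow the thread's usage but are this example's assumptions, not a description of OJS internals.

```python
"""Model of an e-mail-validated registration built on context-bound,
time-limited access keys. Added example, not OJS code; names are assumed."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

KEY_LIFETIME_DAYS = 14
REGISTER_CONTEXT = "RegisterContext"


@dataclass
class User:
    user_id: int
    username: str
    email: str
    password_hash: str      # salted hash only; the plaintext is never stored
    disabled: bool = True   # new users stay disabled until activation


@dataclass
class AccessKey:
    context: str
    user_id: int
    assoc_id: Optional[int]  # id of a related object (e.g. a review); None here
    key_hash: str
    expiry: float


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


class AccessKeyManager:
    """Stand-in for an access_key table that stores only a hash of each key,
    so a database leak does not yield usable activation links."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._keys: List[AccessKey] = []

    @staticmethod
    def _key_hash(key: str) -> str:
        return hashlib.sha256(key.encode()).hexdigest()

    def create_key(self, context: str, user_id: int, assoc_id: Optional[int],
                   lifetime_days: int) -> str:
        key = secrets.token_urlsafe(16)
        self._keys.append(AccessKey(context, user_id, assoc_id, self._key_hash(key),
                                    self._now() + lifetime_days * 86400))
        return key   # the plaintext key goes into the mail only

    def validate_key(self, context: str, user_id: int, key: str) -> Optional[AccessKey]:
        """Returns the stored key only if context, user, hash and expiry all match.
        A key created under RegisterContext is invisible under ReviewerContext."""
        wanted = self._key_hash(key)
        for stored in self._keys:
            if (stored.context == context and stored.user_id == user_id
                    and hmac.compare_digest(stored.key_hash, wanted)
                    and stored.expiry > self._now()):
                return stored
        return None

    def delete_key(self, access_key: AccessKey) -> None:
        self._keys.remove(access_key)   # activation links are single-use


class Registration:
    def __init__(self, keys: AccessKeyManager, base_url: str) -> None:
        self.keys = keys
        self.base_url = base_url
        self.users: Dict[str, User] = {}
        self.outbox: List[dict] = []   # captured mails instead of SMTP

    def register(self, username: str, email: str, password: str) -> str:
        user = User(len(self.users) + 1, username, email, hash_password(password))
        self.users[username] = user
        key = self.keys.create_key(REGISTER_CONTEXT, user.user_id, None, KEY_LIFETIME_DAYS)
        # First mail: activation link only (username + key), no password.
        self.outbox.append({"template": "USER_REGISTER_VALID", "to": email,
                            "activateUrl": f"{self.base_url}/user/activateUser/{username}/{key}"})
        return key

    def activate(self, username: str, key: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        access_key = self.keys.validate_key(REGISTER_CONTEXT, user.user_id, key)
        if access_key is None:
            return False          # unknown, expired or foreign-context key: stay disabled
        self.keys.delete_key(access_key)
        user.disabled = False
        # Second mail: welcome with the username only; the password was never kept in clear.
        self.outbox.append({"template": "USER_REGISTER", "to": user.email, "username": username})
        return True
```

The model deletes the key once it has been used, so a leaked or re-sent activation link cannot re-enable an account later; a real patch would also route the failure branch through an error template rather than dumping the request arguments.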

Release 0.1: The end?

Postby mbria » Mon Jan 22, 2007 4:55 am

Dear all,

I'm happy to announce that the "validMail" patch is ready and works perfectly for OJS 2.1.1 in the following testing environments:

    Development: Ubuntu 6.10
    Apache 2.0.55
    PHP 5.1.6
    MySQL 5.0.24 (utf8-general)
    Testing:
    Ubuntu Server 5.10
    Apache 2.0.54
    PHP 5.1.4
    MySQL 4.0.24 (utf8-general)
    Production:
    RedHat (kernel 2.6.9-42.0.3)
    Apache 2.0.52
    MySQL 4.1.20 (latin_swedish1)

Here you have the patch (release 0.1): http://www.comunitic.net/OJS/validMail/validMail.0.1.tgz

That tarball includes:

    Patch validMail: with the new code (for OJS 2.1.1, made with "diff -u") and translations to es_US and es_ES. As you'll notice from my posts, English is not my mother tongue, so a review will probably be required. :oops:
    Anyway, is any further translation required?
    A couple of bash scripts are also included, to facilitate installing the patch (applypatch.sh) or recreating it (createPatch.sh, probably only useful for my development paths).
    Development notes: with comments explaining every addition or change to the original code, as well as development decisions. I wrote those comments with "Zim" (a desktop wiki) and exported them to HTML afterwards, so the document is readable but not perfect.
    SQL script: to add the new mail templates (for en_US and es_ES)


You can see it working on my testing server at:
http://test.dehisi.org/athenea/index.php/atheneaDigital

I think that's all. I just hope OJS devteam accept the patch to be core in the next release.

Please, report any problem or comment.

Cheers,

m.

Hummm....

Postby mbria » Thu Jan 25, 2007 1:07 pm

It happens because you always answer mails a few seconds after I wrote them. You made me an impatient poster. :-P

Alec, et. al... any feedback about the "validMail" patch?
Do you think the code is clean and the feature useful enough to be added to the next OJS release, or do I need to change something?

Cheers,

m.

Postby asmecher » Thu Jan 25, 2007 1:16 pm

Hi mbria,

Sorry for the delay; we're working hard on getting OCS 2.0 ready for release. In the meantime, I've added a Bugzilla entry for tracking: http://pkp.sfu.ca/bugzilla/show_bug.cgi?id=2483

Regards,
Alec Smecher
Open Journal Systems Team

Postby mbria » Thu Jan 25, 2007 1:26 pm

Please, nothing to be sorry about.

I didn't know about the bugtrack system. :oops:
With your permission, I will complete the patch info there.

Cheers,

m.

Postby asmecher » Thu Jan 25, 2007 3:32 pm

Hi mbria,

If you have time, please do. Make sure to generate a unified patch (-u option to diff). Otherwise, when it comes time to implement the Bugzilla entry, I can get the package from the link above.

Regards,
Alec Smecher
Open Journal Systems Team
