2.9.0 logs
Posted: Sat Aug 17, 2024 1:26 pm

File wp_w3all.php, line:

Code:
function wp_check_password($password, $hash, $user_id = '') {

when called at the time that a user has just been created, like it is on class.wp.w3all-phpbb.php.

So, the situation where, for example, a non-existent user in WP, but existing in phpBB, comes to log in to WordPress: at this time, the function

Code:
public static function w3_check_phpbb_profile_wpnu($username){

fires the WP user insertion, so it inserts the user into WP, but inside this function the just-created user is created with a hash that is a hash of the phpBB password hash. So the function follows on, updating it to the right one of the phpBB user by executing a db update.

But anyway, the problem is that the instance of the user is the one created by the wp_insert_user inside

Code:
public static function w3_check_phpbb_profile_wpnu($username){

so doing this

Code:
$wpu = get_user_by( 'ID', $user_id );

inside the wp_check_password function will get the wrong password of the instanced user object, and not the updated one.

The provided fix will be: this line on wp_w3all.php

Code:
$wpu = get_user_by( 'ID', $user_id );

will be removed from the wp_check_password function (so the user pass is retrieved directly from the db and not from the instanced user object).

Now, what happens is that when a phpBB user comes to log in to WP and still does not exist (and comes as NOT logged in phpBB, so will be added on the fly when logging in to WP), if the password matches, they will be correctly logged in and will not get the wrong password message that previously appeared until a new login was repeated (when the WP user object would contain the right data).

All the login flow for all scenarios will now be re-checked, but I think that with the last 2.8.9 fixes and this one, all would work smoothly in any.

Then on class.wp.w3all-phpbb.php the

Code:
public static function w3_check_phpbb_profile_wpnu($username){ // email/user_login

will be changed/updated to be this:

Code:
public static function w3_check_phpbb_profile_wpnu($username){ // email/user_login
if( defined('W3ALL_WPNU_CKU') OR empty($username) ): return; endif;
global $w3all_phpbb_connection,$w3all_config,$wpdb,$w3all_oninsert_wp_user,$w3all_add_into_wp_u_capability,$w3cookie_domain,$w3all_add_into_phpBB_after_confirm,$w3all_push_new_pass_into_phpbb;
$username = trim($username);
if ( strlen($username) > 50 ){
return;
}
$user = is_email($username) ? get_user_by('email', $username) : get_user_by('login', $username);
$wpu_db_utab = (is_multisite()) ? WPW3ALL_MAIN_DBPREFIX . 'users' : $wpdb->prefix . 'users';
$wpu_db_umtab = (is_multisite()) ? WPW3ALL_MAIN_DBPREFIX . 'usermeta' : $wpdb->prefix . 'usermeta';
$username = esc_sql($username);
//$db_eu = is_email($username) ? 'users.user_email) = \''.mb_strtolower($username,'UTF-8').'\'' : 'users.username) = \''.mb_strtolower($username,'UTF-8').'\'';
$db_eu = is_email($username) ? 'users.user_email) = \''.strtolower($username).'\'' : 'users.username) = \''.mb_strtolower($username,'UTF-8').'\'';
$phpbb_user = $w3all_phpbb_connection->get_results("SELECT *
FROM ". $w3all_config["table_prefix"] ."groups
JOIN ". $w3all_config["table_prefix"] ."users ON LOWER(". $w3all_config["table_prefix"] . $db_eu ."
AND ". $w3all_config["table_prefix"] ."users.group_id = ". $w3all_config["table_prefix"] ."groups.group_id");
///////////
// If a frontend plugin bypass default password reset process, and do not let update the new wp password at same time also into phpBB
// force the password update into phpBB onlogin in wordpress.
if( $w3all_push_new_pass_into_phpbb == 1 ){
if( isset($phpbb_user[0]->user_id) && $user->user_pass != $phpbb_user[0]->user_password && $phpbb_user[0]->user_id > 2 )
{
$new_pass_push = $phpbb_user[0]->user_password = $user->user_pass;
$w3all_phpbb_connection->query("UPDATE ".$w3all_config["table_prefix"]."users SET user_password = '$new_pass_push' WHERE LOWER(user_email) = '".$user->user_email."'");
}
}
if( !isset($phpbb_user[0]->user_id) OR $phpbb_user[0]->user_id < 3 ){ return; }
// mums allow only '[0-9A-Za-z]'
// default wp allow allow only [-0-9A-Za-z _.@]
$contains_cyrillic = (bool) preg_match('/[\p{Cyrillic}]/u', $phpbb_user[0]->username);
// if do not contain non latin chars, let wp create any wp user_login with this passed username
if ( is_multisite() && !defined('WPW3ALL_USE_DEFAULT_WP_UCHARS') && preg_match('/[^0-9A-Za-z\p{Cyrillic}]/u',$phpbb_user[0]->username) OR $contains_cyrillic && preg_match('/[^-0-9A-Za-z _.@\p{Cyrillic}]/u',$phpbb_user[0]->username) OR strlen($phpbb_user[0]->username) > 50 )
{
// if ( is_multisite() && preg_match('/[^-0-9A-Za-z _.@\p{Cyrillic}]/u',$phpbb_user[0]->username) OR $contains_cyrillic && preg_match('/[^-0-9A-Za-z _.@\p{Cyrillic}]/u',$phpbb_user[0]->username) OR strlen($phpbb_user[0]->username) > 50 ){
if (!defined('WPW3ALL_NOT_ULINKED')){
define('WPW3ALL_NOT_ULINKED', true);
}
setcookie ("w3all_set_cmsg", "phpbb_uname_chars_error", 0, "/", $w3cookie_domain, false);
echo __('<p style="padding:30px;background-color:#fff;color:#000;font-size:1.3em"><strong>Notice: your username contains illegal characters that are not allowed in this system. Please contact an administrator.</strong></p>', 'wp-w3all-phpbb-integration');
return;
}
// activated in phpBB?
if( $user && !empty($phpbb_user) && $phpbb_user[0]->user_type == 0 && empty($user->wp_capabilities) ){ // re-activate this 'No role' WP user
$user_role_up = serialize(array($w3all_add_into_wp_u_capability => 1));
$wpdb->query("UPDATE $wpu_db_umtab SET meta_value = '$user_role_up' WHERE user_id = '$user->ID' AND meta_key = 'wp_capabilities'");
}
// Banned or deactivated?
if(!defined("W3BANCKEXEC") && !empty($phpbb_user)){
if(self::w3_phpbb_ban($phpbb_user[0]->user_id, $phpbb_user[0]->username, $phpbb_user[0]->user_email) === true){
setcookie ("w3all_set_cmsg", "phpbb_ban", 0, "/", $w3cookie_domain, false);
self::w3all_wp_logout('wp_login_url'); // should be just a redirect, not a logout, since the user here isn't still logged!
}
}
if ( !empty($phpbb_user) && $phpbb_user[0]->user_type == 1 ){
setcookie ("w3all_set_cmsg", "phpbb_deactivated", 0, "/", $w3cookie_domain, false);
self::w3all_wp_logout('wp_login_url'); // well, same as above ... should be just a redirect, not a logout, since the user here isn't still logged
return;
}
// END banned or deactivated
if ( !is_multisite() && !empty($phpbb_user) ) {
if( $user && $phpbb_user[0]->user_type == 1 && !empty($user->wp_capabilities) ){
$user_email = strtolower($user->user_email); // $user_email was never assigned above; the WP user's email is meant here
$w3all_phpbb_connection->query("UPDATE ".$w3all_config["table_prefix"]."users SET user_type = '0' WHERE LOWER(user_email) = '$user_email'");
}
}
if ( ! username_exists( $phpbb_user[0]->username ) && ! email_exists( $phpbb_user[0]->user_email ) && $phpbb_user[0]->user_type != 1 && ! $user && !empty($phpbb_user) ) {
if ( $phpbb_user[0]->group_name == 'ADMINISTRATORS' ){
$role = 'administrator';
} elseif ( $phpbb_user[0]->group_name == 'GLOBAL_MODERATORS' ){
$role = 'editor';
} else { // $role = 'subscriber'; // for all others phpBB Groups default to WP subscriber
$role = $w3all_add_into_wp_u_capability;
}
$userdata = array(
'user_login' => $phpbb_user[0]->username,
'user_pass' => $phpbb_user[0]->user_password,
//'user_email' => $phpbb_user[0]->user_email,
'user_registered' => date_i18n( 'Y-m-d H:i:s', $phpbb_user[0]->user_regdate ),
'role' => $role
);
$w3all_oninsert_wp_user = 1;
$user_id = wp_insert_user( $userdata );
if ( is_wp_error( $user_id ) ) {
echo '<div style="padding:10px 30px;background-color:#fff;color:#000;font-size:1.3em"><p>' . $user_id->get_error_message() . '</p></div>';
echo __('<div><p style="padding:10px 30px;background-color:#fff;color:#000;font-size:1.0em"><strong>ERROR: try to reload page, but if the error persist may it mean that the forum\'s logged in username contains illegal characters OR your forum\'s account is not active. Please contact an administrator.</strong></p></div>', 'wp-w3all-phpbb-integration');
exit;
}
if ( ! is_wp_error( $user_id ) ) {
$phpbb_username = preg_replace( '/\s+/', ' ', $phpbb_user[0]->username );
$phpbb_username = esc_sql($phpbb_username);
$uemail = $phpbb_user[0]->user_email;
$upass = $phpbb_user[0]->user_password;
$user_username_clean = sanitize_user( $phpbb_user[0]->username, $strict = false );
$user_username_clean = esc_sql(mb_strtolower($user_username_clean,'UTF-8'));
// workaround for cyrillic chars: or an username like 'Denis I.' in cyrillic alphabet, will be inserted as a single dot for the user_login value
if ( $contains_cyrillic ) {
$wpdb->query("UPDATE $wpu_db_utab SET user_login = '".$phpbb_username."', user_pass = '".$upass."', user_nicename = '".$user_username_clean."', user_email = '".$uemail."', display_name = '".$phpbb_username."' WHERE ID = ".$user_id."");
$wpdb->query("UPDATE $wpu_db_umtab SET meta_value = '".$phpbb_username."' WHERE user_id = '$user_id' AND meta_key = 'nickname'");
} else { // leave as is (may cleaned and different) the just created user_login
$wpdb->query("UPDATE $wpu_db_utab SET user_pass = '".$upass."', user_email = '".$uemail."', display_name = '".$phpbb_username."' WHERE ID = '$user_id'");
$wpdb->query("UPDATE $wpu_db_umtab SET meta_value = '".$phpbb_username."' WHERE user_id = '$user_id' AND meta_key = 'nickname'");
}
}
if( is_wp_error( $user_id ) ){
// TODO: return error via cookie instead
echo '<h3>Error: '.$user_id->get_error_message().'</h3>' . '<h4><a href="'.get_edit_user_link().'">Return back</a><h4>';
exit;
} else {
//if($user){
define("WPUSERCREATED",true);
if ( is_multisite() ){
if ( !function_exists( 'get_current_blog_id' ) ) {
require_once ABSPATH . WPINC . '/load.php';
}
if ( !function_exists( 'add_user_to_blog' ) ) {
require_once ABSPATH . WPINC . '/ms-functions.php';
}
$blogID = get_current_blog_id();
// this way add only to the current visited blog
// $role
$result = add_user_to_blog($blogID, $user_id, $role);
}
// let login the user, if pass match
if(isset($_POST['log']) && isset($_POST['pwd'])){
wp_check_password(trim($_POST['pwd']), $upass, $user_id);
}
//}
}
}
define('W3ALL_WPNU_CKU', true);
}
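The failure the post describes is a cache-versus-database mismatch: wp_insert_user() hashes the 'user_pass' it is given (here the phpBB hash, so the row ends up holding a hash of a hash) and primes the user object cache, the follow-up direct $wpdb UPDATE rewrites the row but not the cache, and a wp_check_password() that re-reads the user via get_user_by('ID', ...) therefore checks against the stale double hash. The following Python model, written by the editor and not part of the plugin, replays that sequence and compares three ways of choosing the hash to check: the stale cached object (pre-2.9.0), the $hash/$upass argument passed in (the 2.9.0 fix), and invalidating the cache after the UPDATE (what WordPress's own clean_user_cache( $user_id ) does; shown here as an alternative, not as the plugin's change). The hasher is a toy salted-PBKDF2 stand-in for phpass/bcrypt, and the plaintext, phpBB hash and user name are constructed sample values.

```python
"""Model of the 2.9.0 login bug: a freshly inserted WP user whose user_pass
was fixed up with a direct DB UPDATE, and a password check that reads the
stale cached user object instead of the updated row."""
import hashlib
import hmac
import secrets


def wp_hash_password(password: str) -> str:
    """Toy stand-in for WordPress's hasher: salted PBKDF2 as 'toy$<salt>$<hex>'."""
    salt = secrets.token_hex(8)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)
    return f"toy${salt}${dk.hex()}"


def check_against_hash(password: str, stored_hash: str) -> bool:
    """What wp_check_password() does with the $hash argument it is handed."""
    _, salt, digest = stored_hash.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)
    return hmac.compare_digest(dk.hex(), digest)


class WordPressModel:
    """The wp_users table plus the object cache that get_user_by() reads through."""

    def __init__(self) -> None:
        self.db: dict[int, dict] = {}      # wp_users rows
        self.cache: dict[int, dict] = {}   # user object cache
        self._next_id = 1

    def wp_insert_user(self, userdata: dict) -> int:
        # wp_insert_user() hashes whatever 'user_pass' it is given ...
        uid = self._next_id
        self._next_id += 1
        row = dict(userdata, ID=uid, user_pass=wp_hash_password(userdata["user_pass"]))
        self.db[uid] = row
        # ... and leaves the new user object in the cache.
        self.cache[uid] = dict(row)
        return uid

    def wpdb_update_user_pass(self, uid: int, new_hash: str) -> None:
        """Direct $wpdb->query('UPDATE ... SET user_pass = ...'): the cache is not touched."""
        self.db[uid]["user_pass"] = new_hash

    def clean_user_cache(self, uid: int) -> None:
        """Model of WordPress's clean_user_cache( $user_id )."""
        self.cache.pop(uid, None)

    def get_user_by_id(self, uid: int) -> dict:
        """Model of get_user_by('ID', $id): served from cache when present."""
        if uid not in self.cache:
            self.cache[uid] = dict(self.db[uid])
        return self.cache[uid]


def first_login_of_phpbb_user(strategy: str) -> dict:
    """Replay the on-the-fly insert plus password check for one strategy."""
    plaintext = "correct-horse-battery"        # constructed: the user's real password
    phpbb_hash = wp_hash_password(plaintext)   # constructed: what phpBB has stored
    wp = WordPressModel()

    uid = wp.wp_insert_user({"user_login": "alice", "user_pass": phpbb_hash})
    double_hashed = wp.get_user_by_id(uid)["user_pass"]   # hash(phpbb_hash)
    wp.wpdb_update_user_pass(uid, phpbb_hash)             # the follow-up UPDATE

    if strategy == "stale_object":      # pre-2.9.0: $wpu = get_user_by('ID', $user_id)
        hash_checked = wp.get_user_by_id(uid)["user_pass"]
    elif strategy == "passed_hash":     # 2.9.0: trust the $hash ($upass) argument
        hash_checked = phpbb_hash
    elif strategy == "clean_cache":     # alternative: drop the cached object first
        wp.clean_user_cache(uid)
        hash_checked = wp.get_user_by_id(uid)["user_pass"]
    else:
        raise ValueError(f"unknown strategy {strategy!r}")

    return {
        "login_ok": check_against_hash(plaintext, hash_checked),
        # the stale object really holds hash(phpbb_hash): the hash string itself "logs in"
        "stale_is_hash_of_hash": check_against_hash(phpbb_hash, double_hashed),
        "db_row_is_phpbb_hash": wp.db[uid]["user_pass"] == phpbb_hash,
    }


if __name__ == "__main__":
    for s in ("stale_object", "passed_hash", "clean_cache"):
        print(s, first_login_of_phpbb_user(s))
```

Only the first strategy fails: the row in the table is already correct after the UPDATE, so the bug is entirely in which copy of user_pass the check reads. Removing the get_user_by() lookup, as 2.9.0 does, sidesteps the cache; invalidating the cache right after any direct $wpdb write to wp_users fixes every later reader of that object as well.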