• Resolved tommcgee

    (@tommcgee)


    This problem seems to have just surfaced, after using this plugin for many years. After creating a user as a directory-authenticated user, that user can still see and use the password-reset button on their profile page. It used to show a notice that you use your AD password and you can’t reset it from here.

    This is causing confusion, people are going in and getting a password reset, and somehow this is interfering with or overriding the wpDirAuthFlag setting. At least it’s causing some confusion.

    As a super-admin, I can ALSO change people’s passwords, even though they should be using their AD password.

    Is this something I can patch?

Viewing 14 replies - 1 through 14 (of 14 total)
  • Plugin Author Paul Gilzow

    (@gilzow)

    Relevant section of code is here: https://plugins.trac.wordpress.org/browser/wpdirauth/trunk/wpDirAuth.php#L2207

    It uses the filter show_password_fields to hide the password change fields and change the password reset message. And it uses the filter allow_password_reset to disallow a user marked as a dirAuth user to change their password. I don’t see any mention of changes with those two filters in the docs. The second one relies on wpDirAuthFlag being set to 1 in the user’s metadata. That same flag should be preventing them and you from resetting the password. Can you query your database for a known dirAuth user and look to see if that flag is set in their metadata?

    Thread Starter tommcgee

    (@tommcgee)

    wpDirAuthFlag is definitely set to one. I wonder if there’s another plugin stepping on this. I’ll look around and see what I have activated.

    [ … ]

    I’m running this on two multisite blogs, and I get the same problem with both of them. The simpler one has only a dozen or so network-activated plugins.

    So I tried de-activating everything. First all the network-activated plugins (except for this one); then all the activated plugins on the home blog. I still see the reset-password button.

    Plugin Author Paul Gilzow

    (@gilzow)

    A couple of follow-up questions: if they attempt to reset their password in the profile area, does it succeed or do they get an error? If it succeeds, if they log out, can they log back in with the new password (i.e. bypassing directory authentication)?

    Thread Starter tommcgee

    (@tommcgee)

    Sorry for the delayed response, but in answer to the question:

    I reset my password in the profile page, using the recommended strong password.

    When I logged out and tried to log back in with the new password, it failed; when I entered the original (Active Directory) password it succeeded. So it doesn’t appear to be bypassing directory authentication.

    Plugin Author Paul Gilzow

    (@gilzow)

    So that’s good that it’s still enforcing AD authentication.

    I grabbed the code and stripped it down to verify the sections of code I linked above are working properly on my test site, and so far, it’s removing the password reset option in the profile area AND it prevents me from trying to change my password from the login screen.

    The only difference is that you mentioned your site is a multisite and my testing site is a single site. Let me set up a multisite and see if I can replicate this issue.

    Plugin Author Paul Gilzow

    (@gilzow)

    OK, converted my personal site into a multisite and tried the same thing: attempting to use the password reset from the login screen for a user that has the dirAuthFlag set to 1 results in an error that it can’t reset the password. If I log in and look at my profile, the password reset options are removed and replaced with the Directory Password Update heading and message as configured in the options.

    By chance do you have any must-use plugins installed or any other plugins that deal with logging in, authentication, user profiles, etc?

    Plugin Author Paul Gilzow

    (@gilzow)

    Same thing if I try to edit a user’s profile as a Super-Admin: password reset fields are replaced with the Directory Auth message about not being able to change the password.

    Thread Starter tommcgee

    (@tommcgee)

    I’m using “User Role Editor,” https://wordpress.org/plugins/user-role-editor/ , to create custom permission sets.

    Plugin Author Paul Gilzow

    (@gilzow)

    I don’t see anything immediately in the code that should conflict, but that doesn’t mean this isn’t the root issue. I added the plugin and network activated it, and I’m still not seeing the password fields in either my own profile or if I go to edit a user’s profile.

    There *is* a “send password reset” button if you’re a super-admin and are editing a user’s profile, but that does not show up for the user if they go to their profile.

    I haven’t created any new roles though since I’m not sure what settings you have or haven’t enabled.

    Do you have a dev/staging environment where you can temporarily disable that plugin to see if it’s causing the conflict?

    Thread Starter tommcgee

    (@tommcgee)

    I have two multi-user sites that are running both plugins. I disabled User Role Editor in one of them, but it didn’t make any difference. I still saw the Set New Password button.

    Plugin Author Paul Gilzow

    (@gilzow)

    I’m stumped at this point as I can’t recreate it. The only difference I can think of is my sites are all on v6.2.2 of WordPress since 6.3 isn’t available via johnpbloch/wordpress yet.

    What version of WordPress are those sites on? I have one still on 5.9 I just tested but couldn’t replicate the issue there either.

    Plugin Author Paul Gilzow

    (@gilzow)

    Ah-ha! Found it!
    As of version 6.0 of WordPress, the global variable $profileuser was removed. So in the function at line 1189, it was using a null value when trying to check to see if the current user is an LDAP-authenticated user, and therefore always returning true (i.e. showing the password reset button).

    at line 1191, change
    global $profileuser, $userdata;
    to
    global $user_id, $userdata;

    then at line 1193, change
    $editUserIsDirUser = get_user_meta($profileuser->ID, 'wpDirAuthFlag',true);
    to
    $editUserIsDirUser = get_user_meta($user_id, 'wpDirAuthFlag',true);

    and finally, change line 1211 from
    if ($userdata->ID == $profileuser->ID) {
    to
    if ($userdata->ID === $user_id) {

    And see if that fixes it?

    Big shout-out and gratitude to @silsbyc for the assistance!
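
    The following is an added example, not the wpDirAuth plugin’s own code and not something posted in this thread. It shows how the two filters named earlier (show_password_fields and allow_password_reset) can be gated on the wpDirAuthFlag user meta without reading any global: WordPress passes the WP_User being edited as the second argument of show_password_fields, and the target user ID as the second argument of allow_password_reset, so the same check covers a user viewing their own profile, a super-admin editing someone else’s profile, and the lost-password / “send password reset” flows. The helper name example_is_dir_user, the message text and the extra user_profile_update_errors guard are assumptions of this example.

```php
<?php
/**
 * Added example (not the wpDirAuth plugin's code): gate WordPress password
 * fields and password resets on a per-user meta flag, taking the target user
 * from each filter's own arguments rather than from a global such as
 * $profileuser, which is what broke in the thread above.
 *
 * Assumption: the user meta key 'wpDirAuthFlag' is '1' for directory users,
 * as described in the thread. Helper and message names are hypothetical.
 */

// Hypothetical helper: is this user ID a directory-authenticated user?
// A missing or zero ID is treated as "not a directory user" so a bad
// lookup fails closed for the directory check but never hides fields
// for an ordinary local account by accident.
function example_is_dir_user( int $user_id ): bool {
    if ( $user_id <= 0 ) {
        return false;
    }
    return '1' === (string) get_user_meta( $user_id, 'wpDirAuthFlag', true );
}

/**
 * Profile screen (own profile and admin "Edit User"): hide the
 * "Set New Password" UI when the user whose profile is displayed is a
 * directory user. $profile_user is supplied by WordPress, so there is no
 * dependency on the global that was removed.
 */
add_filter( 'show_password_fields', function ( bool $show, WP_User $profile_user ): bool {
    if ( example_is_dir_user( (int) $profile_user->ID ) ) {
        return false;
    }
    return $show;
}, 10, 2 );

/**
 * Lost-password form and the admin "Send password reset" button both go
 * through get_password_reset_key(), which applies this filter. Returning a
 * WP_Error blocks the reset and gives the user a clear message.
 */
add_filter( 'allow_password_reset', function ( $allow, int $user_id ) {
    if ( example_is_dir_user( $user_id ) ) {
        return new WP_Error(
            'no_password_reset',
            'This account uses directory (AD/LDAP) authentication. Change your password in the directory, not here.'
        );
    }
    return $allow;
}, 10, 2 );

/**
 * Defence in depth: if a profile update still arrives with a new password
 * for a directory user (for example another plugin re-enabled the fields),
 * drop it before wp_update_user() runs so the local hash is never replaced.
 * $user is the stdClass that edit_user() builds from the submitted form.
 */
add_action( 'user_profile_update_errors', function ( WP_Error $errors, bool $update, stdClass $user ): void {
    if ( $update && example_is_dir_user( (int) $user->ID ) ) {
        unset( $user->user_pass );
    }
}, 10, 3 );
```

    Two points worth checking after applying something like this: first, compare a directory user and a local user on both the own-profile page and the super-admin “Edit User” page, since a check that only looks at the current user (rather than the profile being edited) will pass the first test and fail the second; second, confirm that a reset attempt for a directory user from the login screen produces the error rather than an emailed link, which is the behaviour the plugin author describes for a working wpDirAuthFlag.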

    Plugin Author Paul Gilzow

    (@gilzow)

    v1.10.6 released with the above fixes. Going to go ahead and mark this as resolved.

    Thread Starter tommcgee

    (@tommcgee)

    Looks good, thanks!

  • The topic ‘Password Reset Button Showing’ is closed to new replies.