Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#73 2019-04-07 22:54:16

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 10,515
Website GitHub

Re: Textpattern CMS demo site

You’ve got mail, but for completeness this is a pain. We’re going to probably be forced to do the following in upcoming Txp releases:

  • Check if the PASSWORD() function exists prior to trying to invoke it.
  • Not support upgrades from environments prior to Textpattern 4.3, which is when the password system changed.
  • Not permit people to be able to change passwords via MySQL. This is kind of good from a security standpoint, but annoying if you’ve forgotten your password as you can’t just log into the database and change it directly, then have Txp create you a proper one on login. You’ll need a PHP environment to do it and access to the Textpattern core files so you can run some PHP to update the database.

The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#74 2019-04-08 07:43:38

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,172
Website

Re: Textpattern CMS demo site

That’s all new to me.

But for the purposes of the demo, could you not insert the result of PASSWORD('…') in your SQL, thus bypassing the function? The PWs are predictable in this particular case…


TXP Builders – finely-crafted code, design and txp

Offline

#75 2019-04-08 08:29:46

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 3,623
GitHub

Re: Textpattern CMS demo site

jakob wrote #317527:

But for the purposes of the demo, could you not insert the result of PASSWORD('…') in your SQL, thus bypassing the function? The PWs are predictable in this particular case…

I was considering this, but I thought it was too easy a solution…I’m glad to hear someone else suggest it!

I have full access to the PHP environment in the demo, so I’ll weigh up the pros and cons of the phpass route or just crunch each password through PASSWORD(). To be continued!

Offline

#76 2019-04-08 12:33:01

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,172
Website

Re: Textpattern CMS demo site

gaekwad wrote #317529:

I was considering this, but I thought it was too easy a solution…I’m glad to hear someone else suggest it!

In English we say “Great minds think alike” * :-)
In German they say “Two dummies, same thought”. Take your pick ?.

*to which the retort is “… but fools seldom differ!”


TXP Builders – finely-crafted code, design and txp

Offline

#77 2019-04-13 07:55:08

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 3,623
GitHub

Re: Textpattern CMS demo site

jakob wrote #317538:

In English we say “Great minds think alike” * :-)
In German they say “Two dummies, same thought”. Take your pick ?.

This dummy is going to have another attempt at MySQL 8.0 this morning.

And so, please be aware there may some demo site availability issues until 1200UTC today.

Offline

#78 2019-04-13 12:25:43

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 3,623
GitHub

Re: Textpattern CMS demo site

jakob wrote #317527:

But for the purposes of the demo, could you not insert the result of PASSWORD('…') in your SQL, thus bypassing the function? The PWs are predictable in this particular case…

I just tried this: it doesn’t work.

The query…:

INSERT INTO `txp_users` (`user_id`, `name`, `pass`, `RealName`, `email`, `privs`, `last_access`, `nonce`)
VALUES
	(1,'managing-editor1','*148A21ADCD976A60C9CBCC45A4E12B0182C5493A','Managing Editor #1','managing-editor1@example.com',2,NULL,''),
	(2,'managing-editor2','*47BDDAA4BD592DC9EACDF12811C2827423C5AA3C','Managing Editor #2','managing-editor2@example.com',2,NULL,''),
	(3,'managing-editor3','*4EA79AF019C4EF8CE793F9DAEB430A9E8EEC8395','Managing Editor #3','managing-editor3@example.com',2,NULL,''),
	(4,'managing-editor4','*76D4F5138D51A84B0E10E922B4FF2E4729ACE10B','Managing Editor #4','managing-editor4@example.com',2,NULL,''),
	(5,'managing-editor5','*CF72B87C4E0D21DAC39EB5B203CC4ECFDA7781B9','Managing Editor #5','managing-editor5@example.com',2,NULL,''),
	[…]

…inserts fine, no errors. Logging in throws the Internal error dialog, which I was half-expecting.

For completeness, I emailed Stef about this issue a few days and got a comprehensive email reply back very quickly…which I haven’t fully grok’d yet. With my workload and various brain issues the last few weeks, the steps to resolve are about three clicks above my mental pay grade, so it’s going to have to sit until I can digest and action it.

I think what I need to do right now is use phpass to chew through 6001 usernames and generate the respective password, and then use that as the password insert. I just don’t how to do that, at least not at the moment.

Last edited by gaekwad (2019-04-13 12:26:09)

Offline

#79 2019-04-13 14:12:54

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,172
Website

Re: Textpattern CMS demo site

Logging in throws the Internal error dialog, which I was half-expecting.

Hmm, I know nothing about what’s changed in MySQL, but I’m surprised plain-old existing imported passwords from earlier versions won’t carry over.
Would that not have huge implications for thousands or millions of sites with existing user bases? Will all those sites with online shops and large users bases now be obliged to force their users to reset their passwords in order to have continued access?


TXP Builders – finely-crafted code, design and txp

Offline

#80 2019-04-13 14:30:29

Gocom
Plugin Author
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: Textpattern CMS demo site

You could use the same password for each user. They do not need to be different, as they are not particularly unique anyways.

Now, if you do want to generate the users in the table, easiest way would be to use the API:

<?php
define('txpinterface', 'css');

require __DIR__ . '/index.php';

for ($i = 1; $i <= 6000; $i++) {
    $name = 'managing-editor' . $i;
    create_user($name, "{$name}@localhost.test", $name, "Managing Editor #{$i}", 2);
}

Setting the txpinterface constant to css and then including index.php appear still to be the only way to actually include all(-ish) dependencies without it echo’ing stuff all over the place. I wish there was a bootstrap file, and that Textpattern didn’t use die etc.

If you want to pre-generate hashes, you can do it the same way. You could dump the resulting database table, or you could generate them with the applicable Password hasher driver:

<?php
define('txpinterface', 'css');

require __DIR__ . '/index.php';

echo \Txp::get('\Textpattern\Password\Hash')->hash("yourPassword");

Last edited by Gocom (2019-04-13 14:31:37)

Offline

#81 2019-04-15 16:27:41

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 3,623
GitHub

Re: Textpattern CMS demo site

Thank you, Gocom. I’ll buy you a coffee next time I’m in Helsinki.

Offline

#82 2019-04-15 21:00:40

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,172
Website

Re: Textpattern CMS demo site

Gocom wrote #317623:

Rah | GitHub

Just an aside: Great to see you updating your plugins Jukka! They’re pretty invaluable, so thanks!


TXP Builders – finely-crafted code, design and txp

Offline

#83 2019-04-16 15:00:43

Gocom
Plugin Author
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: Textpattern CMS demo site

gaekwad wrote #317647:

Thank you, Gocom. I’ll buy you a coffee next time I’m in Helsinki.

:-) fika it is then.

jakob wrote #317649:

Just an aside: Great to see you updating your plugins Jukka! They’re pretty invaluable, so thanks!

Thanks.

Offline

#84 2019-05-07 18:48:17

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 3,623
GitHub

Re: Textpattern CMS demo site

I have fine-tuned the SSL ciphers and curves on the demo site server. There are far fewer weak ciphers, and modern operating system/browser compatibility is maintained.

Please report any supported (and non-ancient) browser(s) and operating system(s) that show errors.

Thank you.

Direct links for testing:

Offline

Board footer

Powered by FluxBB