Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#13 2012-01-18 08:45:08

MarcoK
Plugin Author
From: Como
Registered: 2006-10-17
Posts: 248
Website

Re: mck_login

Well… thanks.
In this days I will work!!

Offline

#14 2012-01-18 19:27:35

geoff777
Plugin Author
From: Benarrabá Andalucía Spain
Registered: 2008-02-19
Posts: 282
Website

Re: mck_login

GoCom – MarcoK

Can’t you help each other in private messages?

MarcoK – not quite so many problems :-) Soon this will be usable by the community!


There are 10 types of people in the world: those who understand binary, and those who don’t.

Offline

#15 2012-01-26 19:48:23

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: mck_login

During last few days, or last weekend or so, I took deeper look at the code, and did some patching. Patching which eventually lead to code that isn’t mck_login at all, but still shares the same concept. A ‘fork’ was born and can be found from GitHub. Let me warn tho; I don’t recommend anyone actually using it. It has it’s own issues, and it’s just an off-spring branch. A contribution, which I’m just sharing. Hopefully MarcoK (or someone else) finds it useful.

The main idea I had was to fix security issues the original release of mck_login had. I started working by removing the duplicated code and replacing it with Textpattern’s core methods. I mapped all the security issues (from which initially I’ve had missed few), and got the needed time to fix them. Some security fixes and initial improvements included:

  • Code injection and SQL injection fixes.
  • Nonce-updating/destroying. Doing it the way core does.
  • Cookie destroying/logging out. Uses installation path, and tries not doesn’t unset all cookies across domain.
  • Fixing naming issues (everything global prefixed etc).

Then there were those some things I mentioned earlier; those feature-wise things. For instance the hard-coded content, and some of the security features, like brute attacks and off-hand form sending.

  • All the forms have a time based token which will last for 30 minutes. This means that one can’t simply copy the code and keep using it for eternity. Not exactly nonce grade prevention, but does something.
  • As for brutes, I did what usually is done; limiting request rate.

The way tags and forms are implemented changed too. Instead of a form being single tag, the forms are now ZCR-like set of tags. I.e.

<txp:mck_reset_form>
	<txp:mck_login_errors />
	<txp:mck_login_input type="text" name="mck_reset_name" />
</txp:mck_reset_form>

Which makes forms totally changeable to any format. Feature-wise in addition to localization and tag structure, I added some essential tools and functions including password resetting and changing (as seen above), and CSRF protection support.

I’ve also added some functions for extending the plugin with plugins (spam prevention etc). The plugin has some callback events. All which are listed on the repo’s GitHub page.

So, is it perfect? No. Should I (you) as end-user use it? Not really, no if you are end-user, and need something that is maintained. It has its own issues, it’s untested. It’s written in a whim. I did it all just to share and to contribute. It all ended to the current sate by a change. It’s not going to become my own (rah) plugin project, neither I’m going to support it. Just a contribution.

If some, especially MarcoK finds it useful, that would be great. Treat it as finders keepers, but this ring doesn’t have real maintainer.

Last edited by Gocom (2012-01-26 19:51:45)

Offline

#16 2012-01-27 08:13:47

MarcoK
Plugin Author
From: Como
Registered: 2006-10-17
Posts: 248
Website

Re: mck_login

Wow, it’s amazing!

You have doing in few days what i had mean to do in an year!

In Italy we are accustoms to saying ‘minchia che lavoro!’

I find it very useful, and i start to study what you have written. So, i hope learn something form this code!

Offline

#17 2012-01-27 10:37:53

Pat64
Plugin Author
From: France
Registered: 2005-12-12
Posts: 1,595
GitHub Twitter

Re: mck_login

Hi Jukka ;)

I’m currently trying your fork plugin (thanks to Marco for initial idea). Yet another demonstration of your talents. I would like to thank you for sharing.

That kind of plugin is very interesting and was the subject of some brainstorming with other PHP coders in private messages last month.

My thoughts about a self register and login front-end plugin were to offer a solution to add/delete/change articles by authors directly from the public side – as some other CMS offer like Concrete 5, Drupal 7.x and many others -.
So, I know it’s a very difficult and complex work but do you think you could add that feature?

What do you think? Could you tell us your opinion.

Best regards Jukka.


Patrick.

Github | CodePen | Codier | Simplr theme | Wait Me: a maintenance theme | [\a mi.ni.ma]: a “Low Tech” simple Blog theme.

Offline

#18 2012-01-27 13:43:01

Pat64
Plugin Author
From: France
Registered: 2005-12-12
Posts: 1,595
GitHub Twitter

Re: mck_login

Jukka, here is the French textpack file:

#@public
#@language fr-fr
mck_login_name_and_pass_required => La saisie du nom et du mot de passe sont obligatoires.
mck_login_form_expired => Le délai du formulaire a expiré. Veuillez soumettre de nouveau votre saisie en cliquant sur le bouton "Envoyer".
mck_login_invalid_token => Soumission refusée en raison d'une erreur interne. Veuillez envoyer de nouveau ce formulaire.
mck_login_invalid_login => La combinaison <b>utilisateur</b> et <b>mot de passe</b> est incorrecte.
mck_login_ip_blacklisted => Soumission refusée. Votre adresse IP figure dans la liste noire anti-spam.
mck_login_you_have_been_banned => Soumission refusée. Votre adresse IP a été bannie.
mck_login_all_fields_required => La saisie de tous les champs est obligatoire.
mck_login_email_too_long => Votre adresse Email est trop longue. Seules les adresses de 100 caractères maximum sont acceptées.
mck_login_password_too_short => Le mot de passe doit comporter au moins 6 caractères.
mck_login_username_too_short => Le nom utilisateur doit comporter au moins 3 caractères.
mck_login_username_too_long => Le nom utilisateur ne doit pas excéder 64 caractères.
mck_login_realname_too_long => Votre nom ne doit pas dépasser 100 caractères.
mck_login_invalid_email => Cette adresse Email est invalide. Veuillez renseigner une adresse différente.
mck_login_email_in_use => Cette adresse Email est actuellement utilisée pour un compte existant. Les adresses associée aux comptes doivent être uniques. Veuillez renseigner une adresse différente.
mck_login_username_taken => Ce nom utilisateur est déjà utilisé. Les noms doivent être uniques.
mck_login_saving_failed => La sauvegarde dans la base de données a échoué. Merci de recommencer le processus.
mck_login_old_password_incorrect => L'ancien mot de passe est incorrect.
mck_login_passwords_do_not_match => Le nouveau mot de passe et sa confirmation ne correspondent pas.
mck_login_invalid_csrf_token => Accès refusé pour raisons de sécurité.
mck_login_your_new_password => [{sitename}] Voici votre nouveau mot de passe
mck_login_redirect_message => Si vous vous n'êtes pas redirigé, cliquez sur cette page : {url}

Last edited by Pat64 (2012-01-27 14:03:52)


Patrick.

Github | CodePen | Codier | Simplr theme | Wait Me: a maintenance theme | [\a mi.ni.ma]: a “Low Tech” simple Blog theme.

Offline

#19 2012-01-27 16:17:27

MarcoK
Plugin Author
From: Como
Registered: 2006-10-17
Posts: 248
Website

Re: mck_login

This is a Italian Textpack.

#@public
#language it-it
mck_login_name_and_pass_required => Nome e password sono necessari.
mck_login_form_expired => Form scaduto. Prova a reinviare il form cliccando sul pulsante submit.
mck_login_invalid_token => Richiesta negata per token non valido. Prova a inviare nuovamente il form.
mck_login_invalid_login => Combinazione Utente/Password non corretta.
mck_login_ip_blacklisted => Richiesta negata. Il tuo indirizzo IP  fa parte di una blacklist antispam.
mck_login_you_have_been_banned => Richiesta negata. Il tuo indirizzo IP è stato bannato.
mck_login_all_fields_required => Tutti i campi sono necessari.
mck_login_email_too_long => Il tuo indirizzo email è troppo lungo. Sono validi solo indirizzi email lungi al massimo 100 caratteri.
mck_login_password_too_short => La password deve essere lunga almeno 6 caratteri.
mck_login_username_too_short => Lo Username deve essere di almeno 3 caratteri.
mck_login_username_too_long => Lo Username non può essere lungo più di 64 caratteri.
mck_login_realname_too_long => Il tuo nome non può essere più lungo di 100 caratteri.
mck_login_invalid_email => Indirizzo email non valido. Inserisci un indirizzo differente.
mck_login_email_in_use => Email già in uso da un'altro utente. Inserisci un indirizzo email differente.
mck_login_username_taken => Username già in uso.
mck_login_saving_failed => Salvataggio nel database fallito. Riprova.
mck_login_old_password_incorrect => Vecchia password non corretta.
mck_login_passwords_do_not_match => Le password non coincidono.
mck_login_invalid_csrf_token => Accesso negato per ragioni di sicurezza: token non valido.
mck_login_your_new_password => [{sitename}] la tua nuova password
mck_login_redirect_message => Se il redirect non fuzniona, clicca sul seguente link: {url}

Last edited by MarcoK (2012-01-27 16:18:00)

Offline

#20 2012-01-27 16:59:13

sacripant
Plugin Author
From: Rhône — France
Registered: 2008-06-01
Posts: 479
Website

Re: mck_login

What are the differences with cbe_frontauth ?

Offline

#21 2012-01-27 17:16:21

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: mck_login

Thank you for the translation, Patrick and Marco. I’ve added both to the repo.

Pat64 wrote:

So, I know it’s a very difficult and complex work but do you think you could add that feature?

Not at least to the mck_login fork. To me this type of plugin is about managing log-ins and sessions. As editors go, they are kind of hard thing, especially editors that need to be integrated to the front-end layout. It’s difficult to please everyone, and there are things like backend plugins; custom-fields, section aware fields — none of those translates directly to the editor.

In my opinion, the best thing to build an article editor would be couple of Manfre’s projects; mem_public_article, mem_simple_form, and mem_form. Those tools may not be the easiest to use, but if I had to do an article editor (plugin), I would do it like Manfre did. Allows customization, free layout structure etc. And as there is an existing code-base, I don’t think I will be doing form plugins in a close future.

Offline

#22 2012-01-27 18:03:30

Pat64
Plugin Author
From: France
Registered: 2005-12-12
Posts: 1,595
GitHub Twitter

Re: mck_login

Ok. Jukka.

Just a little request. Could you add a way in order to display currently login users (as part of ign_password plugin). That will be useful.

Cheers,


Patrick.

Github | CodePen | Codier | Simplr theme | Wait Me: a maintenance theme | [\a mi.ni.ma]: a “Low Tech” simple Blog theme.

Offline

#23 2012-01-27 19:55:08

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: mck_login

Pat64 wrote:

Just a little request. Could you add a way in order to display currently login users (as part of ign_password plugin).

Doesn’t that just go to the whole profile management side? Very limited profile management, which beg to question why there isn’t complete profile management. Which would increase the whole code by thousands of lines. One would think that there is a user profile plugin that can do that already (it’s just about sorting the user list according last_access time).

If none of the profile plugins (like smd_bio, which otherwise is a good plugin) can’t generate such list, then you could might be able to do with smd_query. E.g. something like:

<txp:smd_query column="name" table="txp_users" where="1=1 ORDER BY last_access desc">
	{name}
</txp:smd_query>

I do not personally use smd_query so I can not say whether the above snippet is secure. The above might have code-injection hole in it. It depends whether smd_query has the ability to escape curly-tags’ output. If it doesn’t, an user can exploit the site by adding code to their user-data. i.e. using <txp:php> /* bad code */ </txp:php> as their username. If the name isn’t escaped, the code in the username would be executed when the list is generated.

That will be useful.

Please, be careful. I don’t recommend using the fork on live. I would not. I haven’t even really tested the code, apart from very basic “login/logout/change password” tasks. And I know it has potential problem scenarios. If I remember correctly the list of issues include;

  • The self-register function should only allow normal alphabet be used in usernames. All core-data handling isn’t potentially multibyte safe.
  • As above, mails’ encoding is user-configurable. If mail’s encoding is set to something else than UTF-8 and username contains special characters, the received username will be incorrect.
  • As Textpattern’s own mailer is used, and the subject lines are user-configurable, using long message subject will make the mailing potentially fail. Headers shouldn’t be auto-wrapped.
  • The generated cookie isn’t most secure as it uses TXP’s own public-side cookie system, which (I believe) was designed to be very simple identification feature, not secure session manager. As far as I know, the cookie only uses 5-byte key + username. Technically as secure as using five-letter password.
  • Sending one of the forms marks all fields in that form as required, and the error reporting has no relation to the field that invoked the error.
  • Password reset key is identical to Textpattern’s reset functionality. Which may not be for the best. Let’s say that it’s not at least time-restricted, and the generated values are not as strong as login nonces.

Last edited by Gocom (2012-01-27 20:43:49)

Offline

#24 2012-01-28 08:05:51

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,007
Website GitHub Mastodon Twitter

Re: mck_login

a couple corrections to the english translation here (apologies if it has been corrected already)

mck_user_already_exist  => User alredy exist

replace with

mck_user_already_exist  => User already exists

————————

mck_user_unknown => User unknow

replace with

mck_user_unknown => User unknown 

————————

Also here is a greek translation. hoping that somebody who’s better with translations will offer a better one.

#@language el-el
mck_login_name  => Όνομα χρήστη
mck_name_surname  => Πραγματικό όνομα 
mck_user_already_exist  => Ο χρήστης είδει υπάρχει 
mck_register_now  => Δεν έχετε εγγραφεί; Εγγραφείτε τώρα.
mck_site_registration_successfully => Η εγγραφή σας ήταν επιτυχής
mck_can_login_at  => Μπορείτε να συνδεθείτε στο 
mck_your_login_name  => Το όνομα του χρήστη σας είναι: 
mck_your_password  => Ο κωδικός πρόσβασης σας είναι: 
mck_register  => Εγγραφείτε
mck_user_password_send => Εγγεγραμμένος χρήστης. Ο κωδικός πρόσβασης στάλθηκε στο ηλεκτρονικό σας ταχυδρομείο.
mck_user_unknown => Ο χρήστης δεν υπάρχει
mck_data_error => Σφάλμα. Ελέγξτε τα δεδομένα σας

Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

Board footer

Powered by FluxBB