[1.5] User login doesn't work after self-registration?

[dietmar-s9y]

Hello,

I found out that - in version 1.5 - if a user registers itself and confirms the link in the e-mail, there is an entry in the serendipity_authors table, but the hash is still a md5 hash.
If the user wants to login, the "wrong password" message appears.
if I manually enter an 40 character sha1(?) hash to the table (e.g. copy and paste it from the admin user), the user login works!

Perhaps the event/sidebar plugins are not yet updated to the new login hashing (http://blog.s9y.org/archives/205-Serend ... shing.html).

I wanted to ask if this is a known issue.

Regards,
dietmar

[dietmar-s9y]

Err... are there new versions of the plugins? I installed the following versions via spartacus:

serendipity_plugin_adduser 2.29
serendipity_plugin_loginform 1.09

serendipity_event_adduser 2.30
serendipity_event_loginform 1.03

Perhaps that's the problem.

[garvinhicking]

Hi!

Actually, using old md5 inside the plugin should still work, and be converted to sha1 by the s9y core. When I tested this a few months ago, it did work for me, so I'll try to see if I can reproduce that. It might take me a few days though.

Rgards,
Garvin

[dietmar-s9y]

Hi Garvin!

I tried it again: I deleted the old DB tables, reconfigured s9y, re-installed the plugins... It still didn't work. So I would be glad if you would try to reproduce it.
If necessary, I could send you the blog URL via PN.

Thanks!

[garvinhicking]

Hi!

If you can mail me FTP access to that blog and a phpmyadmin access, yes, that would be great for me to look into.

Regards,
Garvin

[garvinhicking]

Hi!

I just committed an update to the adduser plugin (version 2.31) maybe you can check it out?

Just download the updated file 'common.inc.php' from here:

http://php-blog.cvs.sourceforge.net/vie ... ision=1.24

HTH,
GArvin

[dietmar-s9y]

Hi Garvin!

Sounds great! I will try that next weekend.
Many thanks.

Dietmar

[dietmar-s9y]

This weekend I checked out the new common.inc.php 2.31 and replaced the 2.30 file in my plugins/serendipity_plugin_adduser directory. I've done this on my 1.5-beta1 installation. But this didn't work for me.

Then I checked out the trunk/ folder from http://svn.berlios.de/svnroot/repos/serendipity/ to get the actual development snapshot (isn't it?) of the 1.5-beta2 version which seemed to include the version 2.31 of the plugin. Now the self-registration works! But I don't know why it didn't with beta1.

I've seen that you removed the generation of the password by the serendipity_hash function in the new version of the common.inc.php.

2.30

Code: Select all

        $hash = md5(time());
        if (function_exists('serendipity_hash')) {
            // Serendipity 1.5 style
            $hashpw = serendipity_hash($password);
        } else {
            $hashpw = md5($password);
        }
        serendipity_db_insert('pending_authors', array(
            'username'      => $username,
            'password'      => $hashpw,
            'email'         => $email,
            'userlevel'     => $userlevel,
            'right_publish' => (serendipity_db_bool($right_publish) ? '1' : '0'),
            'no_create'     => (serendipity_db_bool($no_create) ? '1' : '0'),
            'hash'          => $hash
        ));

2.31

Code: Select all

        $hash = md5(time());
        serendipity_db_insert('pending_authors', array(
            'username'      => $username,
            'password'      => md5($password),
            'email'         => $email,
            'userlevel'     => $userlevel,
            'right_publish' => (serendipity_db_bool($right_publish) ? '1' : '0'),
            'no_create'     => (serendipity_db_bool($no_create) ? '1' : '0'),
            'hash'          => $hash
        ));

I didn't really understand the removal because I thought there's a new hashing method...

[garvinhicking]

Hi!

No, it didn't get removed, the serendipity_hash() is what got added.

Regards,
Garvin

[dietmar-s9y]

Oh sorry... my fault....

Thanks!

But another thing I noticed is that the new author gets the activation e-mail two times, if the option "Registered users need admin approval?" is set to true.