[Deprecated] User Management by ReFlar

Kyrne

BotoX SSO isn't meant to be logged in directly, you are supposed to log in with your SSO each time. Example: if I register with GitHub I will need to sign in with GitHub each time. I believe this means this is an issue with Flarum's core rather than user management.

luceos

Kyrne correct, you should use "remember me for two weeks" so your session doesn't expire if you don't want to re-authenticate every time. This is not a shortcoming of Flarum - perhaps a bit of SPA design, but in the end it's called security ?

BotoX

Kyrne Yes, it's definitely not only to blame on user management.
But instead of saving a random password you could set it to a vaild password before the validation check and then change it to "" afterwards.
Also same for the email, use a valid one for the validation then change it to NULL before saving. For this to work the email column needs to be NULLable.
That's what I do right now and it works fine.
Users may choose to switch to native accounts instead of SSO or use both.

For example I require users to sign up with Steam SSO but allow them to specify an email and password after they authenticated with steam:

... authenticate with SSO (Steam) ...

Complete sign up:

You can't log in with an empty password ("") because it will turn into some hash "$2y$10$...." that is not equal the saved empty string ("") in the database.
For changing your E-Mail when no password is set flarum core needs to be modified so that it will return success when the password stored in the DB is an empty string ("").

If interested I can publish my changes.
In production on https://forum.gflclan.ru

Kyrne

BotoX I'm not sure if I follow. User management doesn't change anything about how passwords work when you sign up. Are you suggesting this as a feature?

BotoX

Kyrne I guess this makes more sense as a feature request.
I'm using User management for better SSO in flarum.
Since if you use SSO in native flarum you still need to create an account with email + password...
So I use this for removing the possibility of normal registration completely but still offer the possibility of normal accounts after SSO sign up.
It makes sense for me because I only want people with a steam account to be able to sign up on my forum, but don't want to bother them with using steam for logging in on all their devices.

I'll just maintain my own fork with this I guess, didn't work a lot with PHP so using this as a base definitely helped.

zhoujianwei

BotoX @Kyrne

Cant agree any more,i use a third wechat OAuth2.0
As wechat has not provide email, here using a random string as email,
Then the same scene appeared"Changing your password requires a valid email to send the password reset link to.
Changing your email to a valid email requires knowing your password." looks like a dead loop

Kyrne

Supreme-Leader

Run composer update

0.1.0

Fix for strikes not serving

I am also pulling it out of beta as there haven't been many bugs reported lately.

jordanjay29

screenshot

Links point to null, but they were all served on the same post. As #4 pointed out, nothing stopped me from serving multiple strikes for the same post, even after refresh.

Links are pointing to http://testbed.legendofdevira.com/flarum/d/null when they should point to http://testbed.legendofdevira.com/flarum/d/6-to-split-or-not/9

Also, I'm not sure why Actor is the test user. Shouldn't it be Admin (my user) for serving the strikes?

Kyrne

jordanjay29 Do you mind installing dev-master and then running php flarum migrate? Please let me know if it is fixed.

jordanjay29

Kyrne Just to be clear, the issue I had reported is not fixed in the dev-master version.

The link now points to the correct post (at least those served after your fix, the old ones point to http://testbed.legendofdevira.com/flarum/d/0/6), but the actor is still test (why? the header tells me which user this is, shouldn't the actor be the giver of the strike? otherwise this column seems useless) and I can still serve multiple strikes on the same post, even after it's soft-deleted.

Supreme-Leader

@Kyrne I can confirm it is now working. Thanks for the quick fix.

Kyrne

jordanjay29 so you are saying the actor is the poster and not the striker?

I will make it so you can't do multiple strikes soon.

jordanjay29

Kyrne you can see for yourself on the screenshot. The user in question is at the top, all the strikes were served by the admin account.

Kyrne

jordanjay29 I find it funny that I pull it out of beta and then issues start cropping up XD

0.1.1

Fix for incorrect actor showing
Fix for incorrect links on posts
Remove ability to give multiple strikes on posts
Please run php flarum migrate in Flarum's root dir after upgrading

Supreme-Leader

Kyrne I can still strike people's posts more than once. Is that intended?

jordanjay29

Kyrne sounds like a QA problem. ?

I'll give it a test in a few hours.

jordanjay29

So, removing one strike and then viewing strikes again pops up the "User has a clean record" modal instead of displaying the remaining strikes. This was corrected after a refresh of the user profile page.

I can still serve strikes on the same post without refreshing. The option to do so once the post is soft-deleted is now removed as expected. You may need to look at how Flarum pushes its changes when you delete a post manually to mimic the behavior.

Seems like the links on new strikes are correct now. See http://testbed.legendofdevira.com/flarum/d/12-just-a-test/3 as compared to http://testbed.legendofdevira.com/flarum/d/12/3

The actor is now correctly the strike server instead of the user whose strikes are being viewed.

Good work so far, a few more bugs to go.

Kyrne

Ralkage That would be great, only so much I can do.

jordanjay29

0.1.2

Now hides the post instantly, preventing multiple strikes
Fix an issue that made the "User has a clean record!" message show after removing a strike
Made the viewing strikes modal much more responsive on mobile
Small code cleanup

Ralkage

We'll probably need a QA person down the line so we can give @Kyrne a break. ?

On a positive note aside from the bugs, once I fix up our current server that I use for our website, I plan to fix up a nice testing ground for all of our extensions.

Supreme-Leader

Kyrne Just striked myself and now I can't see the strike.

It looks like this now.

https://puu.sh/vDzUT/590e0d5ab9.png

jordanjay29

Good! I'm having trouble finding bugs now.

Kyrne

Supreme-Leader did you come across any errors? Are you able to reproduce?

« Previous Page Next Page »