Authentication plugins and database fields (HashMethod, Password)

ddumont ✭✭

Taking a stroll through my user table today I see that everyone has a pw hash set, even those who've logged in via a connector plugin like google/fb/twitter/etc.

Sometimes the hashmethod is NULL, sometimes Random... sometimes Vanilla.
I'm assuming that Vanilla hash methods are native forum logins.

Do you think it would be possible then to key off of this difference and change the behavior of the 'change password' action in the user profile to either be 'set password' or not require the old password if the user has used a plugin to log into the forum?

I assume you would just check for HashMethod != 'Vanilla'...

Would you welcome a patch for this for .18 gold? I'm trying to figure out a good user auth story for my app integration to my forum and this looks like it might do fine as long as users can go set a password if they don't already have one.

The current workaround means they will have to request a pw reset, which kinda makes the instructions a bit more complicated than they should be.


  • Todd Chief Product Officer Vanilla Staff
    I'd love a patch for this. The password stuff is a little messy wrt connect. I think what needs to happen is for connect passwords to be set to "Random" and have that be the criteria for not requiring a password on reset.

    For your information, I think both hash methods of blank and vanilla get hashed by our algorithm. There are also other types of hashes based on other forum imports: vBulletin, phpBB, and django.
  • ddumont ✭✭
    edited June 2011
    Here you go, this should work:

    It's fairly straightforward... but I didn't get to thoroughly test it because I haven't upgraded to .18 beta yet... I'll be doing that when you release beta 3
  • @Todd was doing some more review and I found a problem with a condition in the password view. Added a new commit to the pull request to address it.

    Let me know if you would like me to change anything. I'd like to see this in before beta 3 comes out (if you have the time, that is). :)
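
The difference between Todd's "Random" criterion and the `HashMethod != 'Vanilla'` check from the first post, as an added PHP example that is not part of the thread or of Vanilla's code. The function names are hypothetical, `password_hash()`/`password_verify()` stand in for the forum's own hashing, and marking the row 'Vanilla' after a password is set is an assumption.

```php
<?php
// Added example, not Vanilla code. Function names are hypothetical and
// password_hash()/password_verify() stand in for the forum's own hashing.

/** Only a connect-created 'Random' placeholder may skip the old password. */
function oldPasswordRequired(?string $hashMethod): bool
{
    // NULL/blank, 'Vanilla' and imported methods all hold a password the
    // user knows, so a "!= 'Vanilla'" test would wrongly skip the check.
    return $hashMethod !== 'Random';
}

/** Returns the updated user row, or throws if the old password is wrong. */
function setOrChangePassword(array $user, ?string $old, string $new): array
{
    if (oldPasswordRequired($user['HashMethod'])
        && ($old === null || !password_verify($old, $user['Password']))) {
        throw new RuntimeException('old password required and not valid');
    }
    $user['Password'] = password_hash($new, PASSWORD_DEFAULT);
    // Assumption: once the user picks a password the row is marked as a
    // native login, so later changes require the old password again.
    $user['HashMethod'] = 'Vanilla';
    return $user;
}

// Constructed sample rows using the HashMethod values named in the thread.
$known = password_hash('old-pw', PASSWORD_DEFAULT);
$placeholder = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
$users = [
    ['Name' => 'native',  'HashMethod' => 'Vanilla', 'Password' => $known],
    ['Name' => 'blank',   'HashMethod' => null,      'Password' => $known],
    ['Name' => 'connect', 'HashMethod' => 'Random',  'Password' => $placeholder],
];

foreach ($users as $user) {
    try {
        // Simulates a request that supplies no old password at all.
        $updated = setOrChangePassword($user, null, 'new-pw');
        echo "{$user['Name']}: password set, HashMethod now {$updated['HashMethod']}\n";
    } catch (RuntimeException $e) {
        echo "{$user['Name']}: rejected ({$e->getMessage()})\n";
    }
}
```

With the `!= 'Vanilla'` test the `blank` row would have been allowed through as well, so anyone holding that user's session could replace a password the user actually knows.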