
Email login only

Hi, I need to change the username login to email only. Is it possible?

Sorry for my bad English =)

data66

Comments

  • hgtonight ∞ · New Moderator

    You want to require email addresses as the usernames?


  • I need people to only be able to log in to Vanilla Forums with their email.

  • River MVP
    edited August 2016

    Here is the problem you are running into: it first checks for the email

        $User = Gdn::userModel()->GetByEmail($Email);

    If it can't find the e-mail, it checks the username.

    https://github.com/vanilla/vanilla/blob/Vanilla_2.2.1/applications/dashboard/controllers/class.entrycontroller.php#L892

    I don't think there is an easy gyration to modify, short of forking Vanilla or rewriting the controller or function and commenting out the user check on that line. So if you fork Vanilla, you will be on your own path.
    You could add some JS to check for "@", but that might not solve the issue if JS is off, and it is not as reliable as checking on the server.

    Maybe you could file an issue to add a config option for turning off username sign-in, but you would probably need to give a legitimate reason for doing so.

    I can guess a few reasons why you might want to do this, but it seems like more of an inconvenience to the user.

    So, it begs the question "WHY"

    Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.

  • R_J Cheerleader & Troubleshooter Munich Moderator

    Wrap this in a plugin or in your themehooks file:

        // Runs on every sign-in attempt: rejects the form unless the "Email" field is a valid e-mail address.
        public function entryController_signIn_handler($sender, $args) {
            $sender->Form->validateRule('Email', 'ValidateEmail', t('You can only login by Email'));
        }
    

    If you allow usernames which look like mails, this wouldn't work, but otherwise that's the solution.

    You should also change some translations so that it no longer asks for "Email/Username" but only for "Email". Adding $Definition['Email'] = 'Email'; to your /conf/locale.php might do the trick, but I'm not sure about that.


  • @River said:

    So, it begs the question "WHY"

    Security. It's harder to get the email and find a way in than it is with a username which is displayed right on the site. At least, that's what I was told by a security person. :) FB does it via email now too. Just a bit more secure.

  • R_J Cheerleader & Troubleshooter Munich Moderator

    @data66 said:
    Security. It's harder to get the email and find a way in than it is with a username which is displayed right on the site. At least, that's what I was told by a security person. :) FB does it via email now too. Just a bit more secure.

    If there is some kind of login throttling implemented, it is a good idea to not allow login by username at all. Anybody would be able to lock out even the admin if not...
    I remember times when my colleagues and I regularly locked each other's Windows accounts :naughty:


  • River MVP
    edited August 2016

    @data66 said:

    @River said:

    So, it begs the question "WHY"

    Security. It's harder to get the email and find a way in than it is with a username which is displayed right on the site. At least, that's what I was told by a security person. :) FB does it via email now too. Just a bit more secure.

    A bit. Not much more than a teeny weensy bit :)

    I've never been a fan of obscurity-security, it just glosses over the underlying issue.

    @R_J said:

    @data66 said:
    Security. It's harder to get the email and find a way in than it is with a username which is displayed right on the site. At least, that's what I was told by a security person. :) FB does it via email now too. Just a bit more secure.

    If there is some kind of login throttling implemented, it is a good idea to not allow login by username at all. Anybody would be able to lock out even the admin if not...
    I remember times when my colleagues and I regularly locked each others windows account :naughty:

    A good thing you didn't know your colleagues' e-mail addresses ;) or you could have done the same thing if it was e-mail-only login.

    If you use the above technique, you probably want to change the regex for username validation to block "@", if the reason is to test for the actual email field and not to rely on a side effect.

    Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.
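As an added example (not code from the thread or from Vanilla itself), here is R_J's sign-in rule and River's "block @ in usernames" suggestion packaged as one Vanilla 2.x plugin. The plugin name, the `userModel_beforeRegister_handler` hook with its `User`/`Valid` event arguments, and `Gdn_Validation::addValidationResult()` are assumptions about the Vanilla API of that era; the sign-in hook is the one from R_J's post.

```php
<?php
// Added example: plugins/EmailOnlyLogin/default.php (assumed path/name, not part of the thread).
// Goal: only an e-mail address may be used to sign in, and no username may ever look like one,
// so the e-mail rule cannot be satisfied by a username as a side effect.

$PluginInfo['EmailOnlyLogin'] = [
    'Name'        => 'Email Only Login',
    'Description' => 'Require an e-mail address to sign in and reject usernames containing "@".',
    'Version'     => '0.1.0',
    'Author'      => 'example',
];

class EmailOnlyLoginPlugin extends Gdn_Plugin {

    /**
     * Sign-in (from R_J's post): the posted "Email" field must validate as an e-mail address.
     * This is enforced server-side, so it holds even when the browser has JavaScript disabled.
     */
    public function entryController_signIn_handler($sender, $args) {
        $sender->Form->validateRule('Email', 'ValidateEmail', t('You can only login by Email'));
    }

    /**
     * Registration (River's point): refuse usernames that contain "@".
     * Assumed: UserModel fires 'BeforeRegister' with EventArguments 'User' (the submitted
     * fields) and 'Valid' (a by-reference flag the handler may clear).
     */
    public function userModel_beforeRegister_handler($sender, $args) {
        $name = isset($args['User']['Name']) ? (string)$args['User']['Name'] : '';
        if (strpos($name, '@') !== false) {
            // Assumed Gdn_Validation API: attach the error to the Name field and fail the registration.
            $sender->Validation->addValidationResult('Name', t('Usernames may not contain "@".'));
            $args['Valid'] = false;
        }
    }
}
```

Existing accounts whose names already contain "@" are not touched by this; they would still satisfy the sign-in rule, which is the gap R_J describes above.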
