
Indicate that user name is unavailable

oskay New
edited June 2017 in Vanilla 2.0 - 2.8

I encountered an SSO usability issue that I'd like to ask for help on.

This is Vanilla 2.3.1 with Vanilla jsConnect 1.5.3, allowing users to sign into Vanilla when logged into my WordPress blog. SSO is generally working well, but I encountered an edge case.

Example: I have a WordPress user named Andrew. Andrew clicks over to my Vanilla forum and clicks to log in.

He gets a dialog asking him to choose what name to use to identify him on the site:

Naturally, he selects "Andrew" and then Connect. He is then (as it appears) prompted to enter his password:

He reads the fine print and wonders if "connecting to an existing account" means from WordPress or something else... but decides to leave the password blank. He chose wrong, and is greeted by a stern error that the password is required:

He then tries again, feeling silly for having read the fine print, and enters his password... and of course still gets the stern error that the password is required.


The problem that occurred is that there was already a forum user named Andrew. And there should be some way to indicate to the person creating an account that a given username is taken.

The software has a "Username already exists" message -- you can get it by typing "Andrew" in the "Other" field, but you would only discover that in the very non-intuitive workflow of not selecting "Andrew", but instead selecting "Other" and typing "Andrew."

What's the best workaround here? Perhaps there is some way to force the "other" option? If this is a bug, where is the best place to report it? I'm not sure if this is a jsConnect issue (it feels like it on the surface), but perhaps the underlying code lies elsewhere.

Comments

  • R_J Admin

    The SSO functionality allows two things:
    a) connect an external login to an existing Vanilla user
    b) use external login credentials to create a new Vanilla user

    These are the options that you will have even if you use facebook, google, twitter or any other external login plugin.
    So what you describe is not a bug, but I agree that it is bad usability.

    The file where you could look up the code is the EntryController and that is the exact place: https://github.com/vanilla/vanilla/blob/release/2.3/applications/dashboard/controllers/class.entrycontroller.php#L731

    Instead of using a default message for a required field, a more informative message should be shown here "Password is required, if you are connecting to an existing account." or even "You have to enter the password of the account that you are trying to connect to."

    The text you see there is translatable but since "ValidateRequired" is a translation string that is used in more than one place, you could not simply solve that problem with a translation.

    It would be great if you report that! The place for reporting bugs and inconsistencies is GitHub.


    By the way: I see no sane way for a workaround here. If you would like to fix this by yourself you would have to change the core. But if you do so, be least invasive! I would change sprintf(t('ValidateRequired'), t('Password')) to t('ValidateConnectPasswordRequired') and create a translation in your /conf folder for that string.
    Even if you would overwrite the entrycontroller in your next Vanilla update, your new text wouldn't be lost. It would only be not visible unless you redo the change in the EntryController. If you change the text directly in the EntryController, you would have to think about the complete text again, since it would be lost.


    Another option would be to give some explanation before the user sends the form without a password. You could add $Definition['Username already exists.'] = 'Username already exists. You have to enter the password of the existing forum account to connect this account with your Wordpress account.'; to your /conf/locale.php.


    The longer I think, the more alternatives I see. You could use the AfterConnectData event to change the view and either give more information in the view or add some logic to it (yes, you don't need to comment on the ;-) ) so that it displays more information if the password is left blank for an existing account.
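
Added example, not part of the thread and not Vanilla's EntryController code: a simplified PHP model of the two connect options described above, returning a distinct message for each way the password check on an existing account can fail. The function name, outcome labels, message texts and sample data are hypothetical.

```php
<?php
// Added illustration; a simplified model, not Vanilla's EntryController code.
// Constructed sample data: one existing forum account named "Andrew".
$forumUsers = [
    'Andrew' => ['UserID' => 7, 'PasswordHash' => password_hash('forum-secret', PASSWORD_DEFAULT)],
];

/**
 * Decide what the connect step does with the name chosen by an SSO user.
 * Returns [outcome, message]. Function name and outcome labels are hypothetical.
 */
function resolveConnect(array $forumUsers, string $chosenName, ?string $password): array
{
    if (!isset($forumUsers[$chosenName])) {
        // Option (b): the name is free, so a new forum user is created.
        return ['create', "New forum account \"$chosenName\" created from the external login."];
    }
    // Option (a): the name belongs to an existing forum account. Linking must
    // prove ownership of that account, otherwise a name collision would hand
    // it to whoever signs in externally with the same name.
    if ($password === null || $password === '') {
        return ['need_password',
            'Username already exists. Enter the password of the existing forum account to connect it.'];
    }
    if (!password_verify($password, $forumUsers[$chosenName]['PasswordHash'])) {
        return ['rejected', 'That password does not match the existing forum account.'];
    }
    return ['link', "External login connected to existing forum account \"$chosenName\"."];
}

// Constructed attempts mirroring the scenario in the question.
$attempts = [
    ['Andrew', null],            // leaves the password blank
    ['Andrew', 'blog-password'], // enters the WordPress password instead
    ['Andrew', 'forum-secret'],  // enters the forum account's password
    ['Andrew2', null],           // picks a free name
];
foreach ($attempts as [$name, $pw]) {
    [$outcome, $message] = resolveConnect($forumUsers, $name, $pw);
    printf("%-8s %-14s %s\n", $name, $outcome, $message);
}
```
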

  • oskay New
    edited June 2017

    Thank you -- I'm posting an issue on github and I'll look into the areas that you're suggesting.
