
Users can't change their email information in "Edit My Account"!

Andy K
edited June 2012 in Vanilla 2.0 - 2.8

Hi all: Recently migrated from Van1 to Van2. Currently sweeping a bunch of bugs and behaviors. This has been happening from install.
Version 2.0.18.4, all plugins and applications disabled (tested raw), using basic authentication for all users (not Facebook/Twitter/Google/etc).

Basically, the behavior is this:
Administrators and anyone with the permission USERS: EDIT can update their own (or anyone's!) User Name or Email.

However, for normal users (who do not have that permission), they cannot edit their username: The field is unselectable/uneditable.
Further, while the email appears to be editable, when you hit "Save", it loads but never finishes loading, the animated "loading" GIF runs but there is no evidence of anything happening: 10 minutes pass, nothing. This is all browsers (IE, Chrome, Mozilla), all users, all OSes tested on.

I disabled all plug-ins (ALL), the Conversations application, and even went to default Vanilla theme, but the behavior keeps happening. Only when users are given the access to edit ALL users' accounts globally can they edit their own.

I was using FirstLastName (which adds First Name and Last Name rows to the Account information); with this plugin enabled, those fields can be edited and the window saved fine immediately, but again not the username (unselectable) or the email (loading forever). So it's not a problem of the Edit My Account window saving and closing, it's specifically tied to account info.

This is problematic, as:

  • I cannot grant users total access to mess around with others' profiles.
  • Users cannot themselves change their email information, they have to contact us to do it for them.

I wager this is some kind of permissions issue. Anyone wager a guess as to where? All thoughts/suggestions welcome.

Not sure if this is a thing, but maybe it's trying to do the "You need to confirm your email address again" thing but not able to send or process that message?

-Andy

(Note: I was seeing the same behavior as in this discussion, but I am not using Twitter:
http://vanillaforums.org/discussion/comment/155800
...however, looks like no one was able to solve their problem. I'm hoping that you could suggest some solutions for me)


Answers

  • forum\applications\dashboard\controllers\class.profilecontroller.php

       public function Edit($UserReference = '') {
          // ....

          $this->Form->SetFormValue("Name", $User->Name);

          // Roll the posted e-mail back to the stored value if it differs
          $OLD = $this->User->Email;
          $NEW = $this->Form->GetValue('Email');
          if ($OLD != $NEW) { $this->Form->SetFormValue("Email", $OLD); }

          if ($this->Form->Save() !== FALSE) {
      
  • Andy K
    edited June 2012

    Apologies @johansonlocker , I'm still a coding newbie and want to make sure I don't mess anything up.

    Here's the section of that file, from the line you cited above:

       public function Edit($UserReference = '') {
          $this->Permission('Garden.SignIn.Allow');
          $this->GetUserInfo($UserReference);
          $Session = Gdn::Session();
          if ($Session->UserID != $this->User->UserID)
             $this->Permission('Garden.Users.Edit');
    
          // Decide if they have ability to edit the username
          $this->CanEditUsername = Gdn::Config("Garden.Profile.EditUsernames");
          $this->CanEditUsername = $this->CanEditUsername | $Session->CheckPermission('Garden.Users.Edit');
    
          $UserModel = Gdn::UserModel();
          $User = $UserModel->GetID($this->User->UserID);
          $this->Form->SetModel($UserModel);
          $this->Form->AddHidden('UserID', $this->User->UserID);
    
          // Define gender dropdown options
          $this->GenderOptions = array(
             'm' => T('Male'),
             'f' => T('Female')
          );
    
          // If seeing the form for the first time...
          if ($this->Form->AuthenticatedPostBack() === FALSE) {
             // Get the user data for the requested $UserID and put it into the form.
             $this->Form->SetData($this->User);
          } else {
             if (!$this->CanEditUsername)
                $this->Form->SetFormValue("Name", $User->Name);
             else {
                $UsernameError = T('UsernameError', 'Username can only contain letters, numbers, underscores, and must be between 3 and 20 characters long.');
                $UserModel->Validation->ApplyRule('Name', 'Username', $UsernameError);
             }
             if ($this->Form->Save() !== FALSE) {
                $User = $UserModel->GetID($this->User->UserID);
                $this->InformMessage('<span class="InformSprite Check"></span>'.T('Your changes have been saved.'), 'Dismissable AutoDismiss HasSprite');
                $this->RedirectUrl = Url('/profile/'.$this->ProfileUrl($User->Name));
             }
          }
    
          $this->Render();
       }
    

    I see where you have me start at line 29 or so above.

    I want to make sure I understand exactly what I'm cutting away, and exactly what I'm leaving. Can you show me how I should revise the above?
    (and bonus, I see the above is where it checks to see if users can edit their own usernames; I'd like that to be enabled by default for normal users as well, would that be here too?)

    Very much appreciate the fast response, thanks!
    -Andy

  • edited June 2012

    Condition on CanEdit - is unnecessary for you as it doesn't work properly. And Validation too, as far as no editing of UserName is allowed. Also rollback of email is added to Form values which are supposed to be saved.

    so lines 28, 30-33 - you may delete them and code what you want.

    Users cannot themselves change their email information, they have to contact us to do it for them.

    (and bonus, I see the above is where it checks to see if users can edit their own usernames; I'd like that to be enabled by default for normal users as well, would that be here too?

    you can code it here - standard condition checks on the names

               //moderators
               if ($Session->CheckPermission('Garden.Moderation.Manage'))
               //check for profile owner
               if ($this->User->UserID == $Session->UserID)
    
  • Thanks, but it looks like there are still issues. However, the problem may be coming clearer?

    When I configured the Validation changes as above, and then go in as my Member test user, and go to Edit My Account, then change my email and save, the popup message says "The changes were successful!"
    ...but the email information does not change! It is still the same value as before the edit.

    Also, and now, when I then give the Member access to Edit User (which worked before), it does not work: Same behavior; Instead of hanging, it quickly responds with "The changes were successful!" but nothing changes.

    Okay, and this is truly bizarre but I hope it helps:
    I have myself, who is in a role called "MASTER ADMINISTRATOR", and has all of the role options selected. Master Administrator can edit others' email addresses.
    I was testing with a user called "Test", who was in the basic "MEMBER" user group.
    Member got the behavior above.

    So what I did was I changed the user "Test" to the same MASTER ADMINISTRATOR as my own account. So we have the exact same permissions... But this user cannot change the email still! It says "The changes were successful!" but the email information doesn't change!

    ...any thoughts?

  • edited June 2012

    Also, and now, when I then give the Member access to Edit User

    Oh, maybe it is the same as a problem that I'm now trying to solve

    So what I did was I changed the user "Test" to the same MASTER ADMINISTRATOR as my
    own account. So we have the exact same permissions... But this user cannot change the
    email still!

    Hm, true, something like that you've just described. I noticed that the user "test" doesn't really get the permissions - something breaks in giving permissions when you toggle them to member\admin\moderator.

    I cannot now make a moderator.
    When I save under the admin and it is saved.
    I login with this new moderator and it is a member by fact...

    And surely that worked for the first times I set additional admins.

  • edited June 2012

    Oops,

    forum\applications\dashboard\controllers\class.usercontroller.php

    P.S.
    Obviously it is needed to remove "try and catch"-construction from Edit function in this class.

  • Hi @johansonlocker , thanks for the pointer... but how do I remove that try-and-catch construction? :-)

    I assume you're referring to this section of class.usercontroller.php:

    I see this section:

        /**
         * Edit a user account.
         *
         * @since 2.0.0
         * @access public
         * @param int $UserID Unique ID.
         */

    I also see the section on checking if a username can be edited...

    ...but I'm not able to determine here how to turn off the catch for usernames, or for changing email. It doesn't look like there is a section on checking for access to change email (unless that is something trickling down from the username edit check?)

    Thanks again in advance for specific guidance.

  • Any other suggestions from anyone? Users cannot edit their Email variable in their account (or change their username), unless they are given the permission to edit everyone's email and account information.

  • Is there a fix for this yet?

  • I just bumped into same problem. Users can't change their email. I'm using 2.0.18.8

    Somebody found a solution to this one?

  • jamesinc Sydney ✭✭

    I'm also having this problem with 2.0.18.8

  • The latest stable version is 2.0.18.10, and Vanilla Forums recommends 2.0.18.8 users and 2.0.18.9 users to upgrade as a lot of security updates and bug fixes were added.

  • hgtonight ∞ · New Moderator

    @jamesinc, @tom762 Add $Configuration['Garden']['Profile']['EditUsernames'] = TRUE; to /conf/config.php

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • peregrine MVP
    edited January 2014

    hg - I tried that earlier today in 2.0.18.8. It lets you change username but not e-mail, in my experience. Be interesting to see if it works for others in 2.0.18.10.

    I believe this was fixed in vanilla 2.1b2

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • vrijvlinder Papillon-Sauvage MVP
    edited January 2014

    Maybe these will help

    $Configuration['Garden']['UserAccount']['AllowEdit']=TRUE;

    $Configuration['Garden']['Profile']['EditEmails']= TRUE;

  • not in 2.0.18.10 - one of them is imaginary.


  • vrijvlinder Papillon-Sauvage MVP
    edited January 2014

    oh ? I got them from the list you made a while back

    applications/dashboard/controllers/class.profilecontroller.php:317: C('Garden.Profile.EditEmails', TRUE)  
    
    applications/dashboard/controllers/class.profilecontroller.php:1246:C('Garden.UserAccount.AllowEdit')
    

    In the 2.0 also exists

    // Add profile options for the profile owner

    C(Garden.Profiles.Edit)

    // Add profile options for everyone

    C(Garden.Users.Edit)

    // Don't allow account editing if it has been turned off.

    line 924 if (Gdn::Config('Garden.UserAccount.AllowEdit'))

  • peregrine MVP
    edited January 2014

    @vrijvlinder said:
    oh ? I got them from the list you made a while back

    Just to clarify..
    you must mean the list I created in this comment relating to version 2.1b2
    http://vanillaforums.org/discussion/comment/201461/#Comment_201461

    I thought this discussion was about vanilla 2.0.18.x

    As far as I see there is no way to change email, unless you want to give permissions to members which allow them to do things you probably don't want them to, or change the core. Please prove me incorrect.

    this discussion however references 2.0.18.x and adding 2.1 config commands confuses the discussion a bit.

    @vrijvlinder said:
    // Add profile options for everyone
    C(Garden.Users.Edit)

    I wouldn't give this to any role except an admin, unless you want to give members ability to change other users passwords, names and e-mail as well as other things.

    @vrijvlinder said:
    C(Garden.Profiles.Edit)

    changing this will not solve the last users question which was how can a user change e-mail.

    @vrijvlinder said:
    C('Garden.Profile.EditEmails' )

    is imaginary in 2.0
    does exist in 2.1

    @vrijvlinder said:
    C('Garden.UserAccount.AllowEdit')

    yes, you can change your name, but not email in 2.0.18.x

    and then we can circle back to here:
    http://vanillaforums.org/discussion/comment/201916/#Comment_201916


  • vrijvlinder Papillon-Sauvage MVP

    My bad then, I thought you meant imaginary as in, I made it up.

    Are there any reasons not to allow changing emails? I wonder why it was not allowed except by the admin to change the user's email?
    Could it have deleterious effects? Or was it simply an oversight?

  • jamesinc Sydney ✭✭
    edited February 2014

    @vrijvlinder there would be some environments where the forum administrators would want to lock e-mail addresses. For instance if a business was running Vanilla for its employees, they might want to ensure notifications only go to employees' work e-mail accounts.
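
The rule this thread is circling (a profile owner changes their own e-mail without holding `Garden.Users.Edit`, while an administrator can still lock the field) shown as an added example; it is not Vanilla's code or any poster's. `filterProfileUpdate()` and the array shapes are hypothetical; the permission and config key names are the ones quoted in the thread, and `Garden.Profile.EditEmails` exists only in 2.1 according to the discussion.

```php
<?php
// Added example: stand-alone model of the per-field checks discussed in this thread.
// filterProfileUpdate() and the array shapes are hypothetical, not Vanilla code.
function filterProfileUpdate(array $actor, array $stored, array $posted, array $config): array
{
    $isOwner  = $actor['UserID'] === $stored['UserID'];
    $isEditor = in_array('Garden.Users.Edit', $actor['Permissions'], true);

    // Editing someone else's account always needs the global permission.
    if (!$isOwner && !$isEditor) {
        throw new RuntimeException('Permission denied: Garden.Users.Edit required');
    }

    // Per-field policy for the owner; Garden.Users.Edit holders may change both.
    $mayEdit = [
        'Name'  => $isEditor || !empty($config['Garden.Profile.EditUsernames']),
        'Email' => $isEditor || !empty($config['Garden.Profile.EditEmails']),
    ];

    $clean = $posted;
    foreach ($mayEdit as $field => $allowed) {
        if (!$allowed) {
            // Enforce on the server, not via a disabled form field: overwrite the
            // posted value with the stored one, as Edit() does for Name.
            $clean[$field] = $stored[$field];
        }
    }
    $clean['UserID'] = $stored['UserID']; // pin the target; ignore any posted UserID
    return $clean;
}

// Constructed sample data.
$stored = ['UserID' => 7, 'Name' => 'Test', 'Email' => 'test@example.com'];
$posted = ['UserID' => 1, 'Name' => 'Admin', 'Email' => 'new@example.com'];
$member = ['UserID' => 7, 'Permissions' => ['Garden.SignIn.Allow']];
$other  = ['UserID' => 9, 'Permissions' => ['Garden.SignIn.Allow']];

// Owner, e-mail editing enabled, username editing off.
$config = ['Garden.Profile.EditUsernames' => false, 'Garden.Profile.EditEmails' => true];
print_r(filterProfileUpdate($member, $stored, $posted, $config));

// Administrator has locked e-mail (the workplace case above).
$config['Garden.Profile.EditEmails'] = false;
print_r(filterProfileUpdate($member, $stored, $posted, $config));

// A different member without Garden.Users.Edit is refused outright.
try { filterProfileUpdate($other, $stored, $posted, $config); }
catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```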
