Trouble with Authentication Pages


Postby rrrrob » 4:32pm, Wed 28 Oct, 2009

Greetings

I'm new to phplist and thus to this forum, so I can't post links yet.
I'm using phplist 2.10.10 and I believe I've put all the patches on.

After having the site configured and customized I decided to add password authentication to the user signup and unsubscribe page. I did this with the following settings in the config.php file.

define("ASKFORPASSWORD",1);
define("UNSUBSCRIBE_REQUIRES_PASSWORD",1);

Everything seems to work fine but I'm getting some odd ( g e n e r i c ) pages, and I don't understand why they are ( g e n e r i c ). I would think they would be wrapped with the "Header of public pages" and "Footer of public pages" code like other public pages, but they are not.

Specifically, when one goes to [PREFERENCES] or [UNSUBSCRIBE] one is greeted by ( g e n e r i c ) pages.

Also, and I believe linked to this....

When one goes to (remember I can't enter a url yet) "...web address.../lists/" one gets a page with the welcome text, a link to the only signup page, a link to the unsubscribe page, and the phplist tag all wrapped in the public html code. If one selects the unsubscribe link one is taken to an unsubscribe page where they are asked for their eMail address, this page is also wrapped in the public html code. After submitting an eMail address, found in the system, the user is greeted with yet another unsubscribe page that is now ( g e n e r i c ) (no public formatting) that once again is asking for an eMail address (filled in automatically) and now the password.

So I guess my questions are as follows...

1st) Why aren't the [PREFERENCES] and [UNSUBSCRIBE] pages wrapped in the public html code? And how do I get them formatted with the public code?

2nd) Shouldn't there be only one unsubscribe page containing all the necessary request information? (eMail address, password, forgot password, etc)

I'm not sure if this is normal behavior or if there is something wrong with the code.

Thanks for reading, please help if you can
Rob
Last edited by rrrrob on 4:41pm, Wed 28 Oct, 2009, edited 1 time in total.
rrrrob
PL Nut
 
Posts: 18
Joined: 11:19pm, Mon 26 Oct, 2009

Re: Trouble with Authentication Pages

Postby rrrrob » 4:37pm, Wed 28 Oct, 2009

Ok I don't get why ***spam*** was injected into my message?

everywhere I used the term ( g e n e r i c )

Rob
rrrrob
PL Nut
 
Posts: 18
Joined: 11:19pm, Mon 26 Oct, 2009

Re: Trouble with Authentication Pages

Postby Dragonrider » 6:35pm, Wed 28 Oct, 2009

rrrrob wrote:Ok I don't get why ***spam*** was injected into my message?

everywhere I used the term ( g e n e r i c )

Rob

Sorry about that, that word is used SO often by spammers offering certain drugs in an attempt to defraud any gullible users of their money.
Dragonrider
Moderator
 
Posts: 3460
Joined: 6:58am, Sun 02 Jul, 2006
Location: Ilkley, West Yorkshire, United Kingdom

Re: Trouble with Authentication Pages

Postby rrrrob » 8:57pm, Wed 28 Oct, 2009

After further digging I find,

"...web address.../lists/?p=unsubscribe&uid=XXXXXXXX" gets a ( g e n e r i c ) format every time. No html template information. Plain white page with the unsubscribe form information.

"...web address.../lists/?p=unsubscribe" gets default html template every time.

If I could get the page that is user specific to use the template it wouldn't be so bad.
It would just look like another step in the process to add the password.

But currently when the user goes from the base unsubscribe page to the user specific unsubscribe page it looks as if you're leaving the site. Once the user puts in a correct password it brings the user back to correctly formatted pages.

Thus the real issue is getting user specific unsubscribe pages to use the html template information (header and footer) like the rest of the pages.

How is this accomplished?

From what I can tell it is when the "loginform" is used that the header and footer template info are not being used.
rrrrob
PL Nut
 
Posts: 18
Joined: 11:19pm, Mon 26 Oct, 2009

Re: Trouble with Authentication Pages

Postby rrrrob » 9:15pm, Wed 28 Oct, 2009

I'm pretty sure it has to do with this code
Code:
function LoginPage($id,$userid,$email = "",$msg = "") {
  global $data;
  list($attributes,$attributedata) = PageAttributes($data);
  $html = '<title>'.$GLOBALS["strLoginTitle"].'</title>';
  $html .= $data["header"];
  $html .= '<b>'.$GLOBALS["strLoginInfo"].'</b><br/>';
  $html .= $msg;
  if (isset($_REQUEST["email"])) {
    $email = $_REQUEST["email"];
  }
  if (!isset($_POST["password"])) {
    $_POST["password"] = '';
  }

  $html .= formStart('name="loginform"');
  $html .= '<table border=0>';
  $html .= '<tr><td>'.$GLOBALS["strEmail"].'</td><td><input type=text name="email" value="'.$email.'" size="30"></td></tr>';
  $html .= '<tr><td>'.$GLOBALS["strPassword"].'</td><td><input type=password name="password" value="'.$_POST["password"].'" size="30"></td></tr>';
  $html .= '</table>';
   $html .= '<p><input type=submit name="login" value="'.$GLOBALS["strLogin"].'"></p>';
  if (ENCRYPTPASSWORD) {
    $html .= sprintf('<a href="mailto:%s?subject=%s">%s</a>',getConfig("admin_address"),$GLOBALS["strForgotPassword"],$GLOBALS["strForgotPassword"]);
  } else {
    $html .= '<input type=submit name="forgotpassword" value="'.$GLOBALS["strForgotPassword"].'">';
  }
  $html .= '<br/><br/>
    <p><a href="'.getConfig("unsubscribeurl").'&id='.$id.'">'.$GLOBALS["strUnsubscribe"].'</a></p>';
  $html .= '</form>'.$GLOBALS["PoweredBy"];
  $html .= $data["footer"];
  return $html;
}


But I'm not sure where the change needs to be.

this is lines 273 - 303 from the index.php
rrrrob
PL Nut
 
Posts: 18
Joined: 11:19pm, Mon 26 Oct, 2009

Re: Trouble with Authentication Pages

Postby H2B2 » 2:42am, Thu 29 Oct, 2009

rrrrob wrote:Thus the real issue is getting user specific unsubscribe pages to use the html template information (header and footer) like the rest of the pages.


Seems related to docdunning's findings:
docdunning wrote:I wanted to make sure that users have to provide their password when unsubscribing. So I used the config file to set ASKFORPASSWORD and UNSUBSCRIBE_REQUIRES_PASSWORD.

But the process just didn't work properly. I've had to make several mods to index.php to get it to work.

1. The login page HTML was not properly generated. It appeared on a blank page with no styling. This was because the $data variable wasn't being passed into the loginpage function.
2. More seriously, the details for the user were not being found in the database, because the code uses $_GET['email'], and the login form obviously sends in $_POST['email'].

I've corrected this in my copy of index.php, along with removing the "subscribe" option

ref: viewtopic.php?f=17&t=27699#p66503

See also: http://mantis.phplist.com/view.php?id=15300
H2B2
Moderator
 
Posts: 7188
Joined: 1:51am, Wed 15 Mar, 2006

Re: Trouble with Authentication Pages

Postby rrrrob » 9:55pm, Thu 29 Oct, 2009

H2B2...

You're right they do sound similar.... but his message says he did a lot of work to remedy the situation, but doesn't mention any specifics. Thus no real answer to the problem.

I want to focus on the [UNSUBSCRIBE] page because I believe the other problems will be fixed if I can solve this one issue.

docdunning mentions...
1. The login page HTML was not properly generated. It appeared on a blank page with no styling. This was because the $data variable wasn't being passed into the "loginpage" function.
2. More seriously, the details for the user were not being found in the database, because the code uses $_GET['email'], and the login form obviously sends in $_POST['email']


1st) How does one get the $data variable to pass to the "loginpage"? He is right that is the problem but what is the remedy?

2nd) I'm not sure about his second point, which corresponds somewhat to the Mantis bug report, because my pages aren't working as expected yet, thus I don't want to speak out of turn.

My guess is that once the $data starts being passed correctly to the "loginpage"(s) several things may function differently. I'm just not seeing how to make this happen.

I'm still curious if it's just my install that this is happening to, or are all the login pages void of styling? (no custom Header and Footer information being passed) I guess I'm asking if something went wrong with my installation, or is what I'm looking at normal.
rrrrob
PL Nut
 
Posts: 18
Joined: 11:19pm, Mon 26 Oct, 2009

Re: Trouble with Authentication Pages

Postby H2B2 » 2:57am, Fri 30 Oct, 2009

rrrrob wrote:I'm still curious if it's just my install that this is happening to, or are all the login pages void of styling? (no custom Header and Footer information being passed) I guess I'm asking if something went wrong with my installation, or is what I'm looking at normal.
Well, I just enabled both settings on my test install, and I can confirm your findings. Since docdunning never got to filing a bug report, at http://mantis.phplist.com, I wonder if you could?

Hope someone else will come around to help you find a fix. My coding skills are quite basic and I don't have much spare time at the moment. Sorry.

Not sure if this is useful to you, but this was the LoginPage function in v2.10.7, prior to it being changed:
Code:
function LoginPage($id,$userid,$email = "",$msg = "") {
  $data = PageData($id);
  if (isset($data['language_file']) && is_file(dirname(__FILE__).'/texts/'.$data['language_file'])) {
    @include dirname(__FILE__).'/texts/'.$data['language_file'];
  }
  list($attributes,$attributedata) = PageAttributes($data);
  $html = '<title>'.$GLOBALS["strLoginTitle"].'</title>';
  $html .= $data["header"];
  $html .= '<b>'.$GLOBALS["strLoginInfo"].'</b><br/>';
  $html .= $msg;
  if (isset($_REQUEST["email"])) {
    $email = $_REQUEST["email"];
  }
  if (!isset($_POST["password"])) {
    $_POST["password"] = '';
  }

  $html .= formStart('name="loginform"');
  $html .= '<table border=0>';
  $html .= '<tr><td>'.$GLOBALS["strEmail"].'</td><td><input type=text name="email" value="'.$email.'" size="30"></td></tr>';
  $html .= '<tr><td>'.$GLOBALS["strPassword"].'</td><td><input type=password name="password" value="'.$_POST["password"].'" size="30"></td></tr>';
  $html .= '</table>';
   $html .= '<p><input type=submit name="login" value="'.$GLOBALS["strLogin"].'"></p>';
  if (ENCRYPTPASSWORD) {
    $html .= sprintf('<a href="mailto:%s?subject=%s">%s</a>',getConfig("admin_address"),$GLOBALS["strForgotPassword"],$GLOBALS["strForgotPassword"]);
  } else {
    $html .= '<input type=submit name="forgotpassword" value="'.$GLOBALS["strForgotPassword"].'">';
  }
  $html .= '<br/><br/>
    <p><a href="'.getConfig("unsubscribeurl").'&id='.$id.'">'.$GLOBALS["strUnsubscribe"].'</a></p>';
  $html .= '</form>'.$GLOBALS["PoweredBy"];
  $html .= $data["footer"];
  return $html;
}


Thread moved to the 'Bug discussion' section.
H2B2
Moderator
 
Posts: 7188
Joined: 1:51am, Wed 15 Mar, 2006

Re: Trouble with Authentication Pages

Postby rrrrob » 6:47pm, Mon 02 Nov, 2009

H2B2,

Thank you for the help.

Can you confirm that the user-specific unsubscribe page in the previous version (v2.10.7) contained the same formatting as the rest of the pages in the site?

or

Was the user-specific unsubscribe page in the previous version (v2.10.7) ( g e n e r i c ) as well?

The only differences between the two snippets of code I saw are as follows.

v2.10.10
Code:
function LoginPage($id, $userid, $email = "", $msg = "") {

global $data;

list($attributes,$attributedata) = PageAttributes($data);


v2.10.7
Code:
function LoginPage($id, $userid, $email = "", $msg = "") {

$data = PageData($id);

if (isset($data['language_file']) && is_file(dirname(__FILE__).'/texts/'.$data['language_file'])) {
@include dirname(__FILE__).'/texts/'.$data['language_file'];
}

list($attributes,$attributedata) = PageAttributes($data);


Now... Replacing the v2.10.10 copy with the v2.10.7 copy causes the following error when accessing ".../lists/"
Parse error: syntax error, unexpected T_VARIABLE in "/home/site/domains/site.org/public/lists/index.php" on line 286.
Replacing only the data line gets the same error.
Leaving the data line alone and adding the three language lines gets the following error
Parse error: syntax error, unexpected T_IF in " /home/site/domains/site.org/public/lists/index.php" on line 287

And YES I Will fill out a bug report. I'm just trying to gather more information for it before I do, and If I can determine an answer before I do all the better.

Thanks
Rob
rrrrob
PL Nut
 
Posts: 18
Joined: 11:19pm, Mon 26 Oct, 2009

Re: Trouble with Authentication Pages

Postby rrrrob » 12:56am, Tue 03 Nov, 2009

I've now compared the index file of version 2.10.9 and 2.10.10 and I found the following differences. I would like to know if these pages functioned properly in version 2.10.9. These are the only changes I saw between the two and they all seem to pertain to the unsubscribe page and process.

v2.10.10
Code:
1st Not in 2.10.9
005       require_once dirname(__FILE__) .'/admin/commonlib/lib/unregister_globals.php';

2nd diff
206       if (isset($data['language_file']) && is_file(dirname(__FILE__).'/texts/'.basename($data['language_file']))) {
207         @include dirname(__FILE__).'/texts/'.basename($data['language_file']);
208         # Allow customisation per installation
209        if (is_file($_SERVER['DOCUMENT_ROOT'].'/'.basename($data['language_file']))) {
210          include_once $_SERVER['DOCUMENT_ROOT'].'/'.basename($data['language_file']);
211         }

3rd diff
252     if (isset($data['language_file']) && is_file(dirname(__FILE__).'/texts/'.basename($data['language_file']))) {
253       @include dirname(__FILE__).'/texts/'.basename($data['language_file']);

4th diff
594     } else {
595       if (isset($_REQUEST['unsubscribeemail'])) {
596          if (UNSUBSCRIBE_JUMPOFF) {
597             $_POST["unsubscribe"] = 1;
598             $_POST["unsubscribereason"] = '"Jump off" set, reason not requested';
599          }
600          $email = $_REQUEST['unsubscribeemail'];
601       }
602       else {
603          if (isset($_REQUEST['email'])) {
604             if (UNSUBSCRIBE_JUMPOFF) {
605                $_POST["unsubscribe"] = 1;
606                $_POST["unsubscribereason"] = '"Jump off" set, reason not requested';
607             }
608             $email = $_REQUEST['email'];
609          }
610    }

5th diff
623     $unsubscribeemail = (isset($_REQUEST['unsubscribeemail']))?$_REQUEST['unsubscribeemail']:'';
624    
625     if ( is_email($unsubscribeemail) && isset($_POST['unsubscribe']) && (isset($_REQUEST['email']) || isset($_REQUEST['unsubscribeemail'])) && isset($_POST['unsubscribereason'])) {

6th diff
874     if (isset($data['language_file']) && is_file(dirname(__FILE__).'/texts/'.basename($data['language_file']))) {
875       @include dirname(__FILE__).'/texts/'.basename($data['language_file']);


v2.10.9
Code:
2nd diff
209       if (isset($data['language_file']) && is_file(dirname(__FILE__).'/texts/'.$data['language_file'])) {
210         @include dirname(__FILE__).'/texts/'.$data['language_file'];
211       }
212       # Allow customisation per installation
213       if (is_file($_SERVER['DOCUMENT_ROOT'].'/'.$data['language_file'])) {
214         include_once $_SERVER['DOCUMENT_ROOT'].'/'.$data['language_file'];

3rd diff
255     if (isset($data['language_file']) && is_file(dirname(__FILE__).'/texts/'.$data['language_file'])) {
256       @include dirname(__FILE__).'/texts/'.$data['language_file'];

4th diff
597     } else {
598       if (isset($_REQUEST['unsubscribeemail'])) {
599         $email = $_REQUEST['unsubscribeemail'];
600       } else {
601         $email = $_REQUEST['email'];
602       }

5th diff
615     if ( is_email($_REQUEST['unsubscribeemail']) && isset($_POST['unsubscribe']) && (isset($_REQUEST['email']) || isset($_REQUEST['unsubscribeemail'])) &&      isset($_POST['unsubscribereason'])) {

6th diff
864     if (isset($data['language_file']) && is_file(dirname(__FILE__).'/texts/'.$data['language_file'])) {
865       @include dirname(__FILE__).'/texts/'.$data['language_file'];
rrrrob
PL Nut
 
Posts: 18
Joined: 11:19pm, Mon 26 Oct, 2009

Re: Trouble with Authentication Pages

Postby rrrrob » 4:17pm, Fri 06 Nov, 2009

Since this was a new installation and I was seeing several odd things happening I cleared everything and reinstalled v2.10.10.

I installed all the patches from H2B2's message "http://forums.phplist.com/viewtopic.php?f=17&t=28062"

I also made sure I set the config.php language to english as well as the pull down in the admin section. I believe I had some interface issues due to the fact that the first time I had set the config.php file to usa.inc and there is no usa choice in the admin pull down. I know I could have set it to all english in the config.php, but I wanted to try the usa.inc. Later I noticed that some information was being pulled from each file and I found it confusing.

A few settings in my configuration to be aware of are as follows:
define("ASKFORPASSWORD",1);
define("UNSUBSCRIBE_REQUIRES_PASSWORD",1);
define("UNSUBSCRIBE_JUMPOFF",0);

Now that I have a clean install I am still having issues with the unsubscribe function and it's not just with the appearance of the interface. The user experience goes as follows.

User goes to "http://somesite/lists/ " and is greeted with a page that offers two choices "sign up" and "unsubscribe"

The user proceeds to the signup page, everything looks fine, makes their choices and submits the request, pre-confirmation page pops up and pre-confirmation message is sent. User selects to confirm in e-mail message and is taken to final confirmation page, and is now confirmed in the db. Final confirmation message is sent.

Now once confirmed as a user there are two ways to unsubscribe, by clicking on link in the e-mail message and by going to the "http://somesite/lists/ " page and choosing to unsubscribe. Neither process seems to be working correctly.

I'll start with the link within the email message. When the user clicks on it they are taken to a format free (g e n e r i c) page where their email address is filled in and they are being asked for their password. Once the correct password is submitted they are taken to a page where they are asked if they want to unsubscribe and they are asked for a reason why. The user does not have to give a reason, they can leave it blank and confirm the un-subscription. Once they have, a message is sent and the user is black listed.

The page asking for the password does not have the proper formatting that all the rest of the pages seem to have.

Now for the "http://somesite/lists/ " page and choosing to unsubscribe method. When the user chooses the unsubscribe link from this page they are taken to a page that has proper formatting where they are asked for their email address. Once an email address is accepted by the db they are taken to the format free (g e n e r i c) page where their email address is filled in and they are being asked for their password. It doesn't make a difference what is put into the password field, it can even be left blank, when the user clicks on the "Login" button in the user password verification page they are taken to the final unsubscribe page. Where they are greeted with their email address and the "Why are you leaving" message. When the user selects the Unsubscribe button they are taken back to the format free (g e n e r i c) page where their email address is filled in and they are being asked for their password once again. This becomes a big loop.

Just like the first process the password page has no formatting. Best of all the process goes into a loop which doesn't allow the user to unsubscribe.

The update your preferences page seems to work fine except the login page is also the format free (g e n e r i c) page where their email address is filled in and they are being asked for their password.

I see this as a significant bug. User interface doesn't retain the proper formatting giving the feel that the site may have been hijacked to the user. Best of all, the web based unsubscribe doesn't allow the user to unsubscribe.

Frustrating.............. OH YES!
rrrrob
PL Nut
 
Posts: 18
Joined: 11:19pm, Mon 26 Oct, 2009

Re: Trouble with Authentication Pages

Postby rrrrob » 2:01pm, Thu 12 Nov, 2009

rrrrob
PL Nut
 
Posts: 18
Joined: 11:19pm, Mon 26 Oct, 2009

Re: Trouble with Authentication Pages

Postby neffets » 4:55pm, Fri 13 Nov, 2009

The problem is not in function LoginPage,
because parameter "data" is not initialized before.

The error came from the lists/index.php by itself, in 2.10.10. branch at line 201
the "data" structure is only initialized in the "else" (when a listid is known), but not in the generic then-branch.

You can:
1) generate preferences-Links by yourself which contains a listid
or
2) patch index.php
at line 201 (cannot attach because .diff or .txt is not allowed)

Code:
--- phplist-2.10.10.denied/public_html/lists/index.php   2009-05-05 15:13:14.000000000 +0200
+++ phplist/public_html/lists/index.php   2009-11-11 18:05:35.065632639 +0100
@@ -199,6 +199,7 @@
 }
 
 if ($login_required && empty($_SESSION["userloggedin"]) && !$canlogin) {
+  $data = PageData(0);
   print LoginPage($id,$userid,$emailcheck,$msg);
 } elseif (isset($_GET['p']) && preg_match("/(\w+)/",$_GET["p"],$regs)) {
   if ($id) {
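
Review bot: The added line hard-codes PageData(0) although $id is in scope and is passed to LoginPage on the very next line. The v2.10.7 LoginPage quoted earlier in this thread called PageData($id), so with this patch a login reached from a specific page gets whatever page 0 returns rather than that page's own header and footer. Suggest "$data = PageData($id);" here, falling back to 0 only when $id is empty, so the login form matches the page the user came from.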
neffets
phpList newbie
 
Posts: 1
Joined: 4:45pm, Fri 13 Nov, 2009
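
The failure neffets describes above (LoginPage reading a $data global that the login branch never assigned), reproduced in isolation next to a variant that takes the page data as a required argument and HTML-encodes the echoed e-mail value. This is an added example, not phpList code and not from any poster in the thread: page_data(), h(), login_page_global() and login_page_explicit() are hypothetical names, and the templates and e-mail value are constructed.

```php
<?php
// Added illustration; not phpList code. page_data() is a hypothetical
// stand-in for PageData(); the templates are constructed sample values.
function page_data(int $id): array {
    $pages = [
        0 => ['header' => '<div id="site-header">Default</div>',
              'footer' => '<div id="site-footer"></div>'],
        3 => ['header' => '<div id="site-header">Newsletter</div>',
              'footer' => '<div id="site-footer"></div>'],
    ];
    return $pages[$id] ?? $pages[0];   // unknown id falls back to the default page
}

// Pattern from the thread: the template arrives through a global that only
// one branch of the caller assigns, and the request value is echoed as-is.
function login_page_global(string $email): string {
    global $data;
    $header = $data['header'] ?? '';   // silently empty when $data was never set
    $footer = $data['footer'] ?? '';
    return $header . '<input type=text name="email" value="' . $email . '">' . $footer;
}

// Encode a value for use inside a quoted HTML attribute.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Alternative: the caller has to supply the template, a missing template is
// an error instead of a bare page, and request values are encoded on output.
function login_page_explicit(array $data, string $email): string {
    foreach (['header', 'footer'] as $key) {
        if (!isset($data[$key]) || !is_string($data[$key])) {
            throw new InvalidArgumentException("page data is missing '$key'");
        }
    }
    $html  = $data['header'];
    $html .= '<form method="post" name="loginform">';
    $html .= '<input type="text" name="email" value="' . h($email) . '" size="30">';
    // The password field is never pre-filled from the request.
    $html .= '<input type="password" name="password" value="" size="30">';
    $html .= '<input type="submit" name="login" value="Login">';
    $html .= '</form>';
    return $html . $data['footer'];
}

// Constructed request value containing characters that are special in HTML.
$email = 'o"reilly&co@example.org';

// The caller took the branch that never assigned $data.
$bare = login_page_global($email);
echo 'global variant has header:   ',
     var_export(strpos($bare, 'site-header') !== false, true), "\n";

$page = login_page_explicit(page_data(0), $email);
echo 'explicit variant has header: ',
     var_export(strpos($page, 'site-header') !== false, true), "\n";
echo 'e-mail encoded in attribute: ',
     var_export(strpos($page, 'value="' . h($email) . '"') !== false, true), "\n";

try {
    login_page_explicit([], $email);
} catch (InvalidArgumentException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
```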

Re: Trouble with Authentication Pages

Postby rrrrob » 2:40am, Sat 14 Nov, 2009

Noticed another report similar to this one
http://mantis.phplist.com/view.php?id=15320

Our needs for the current situation call for an immediate answer that will work smoothly and look professional for the customer and user. Stepping back and rethinking the process has driven the following.

The individual that wants to unsubscribe is one who is receiving the messages. If one is not getting the messages why would one be needing to unsubscribe? These very same messages have a link to the unsubscribe page which passes through the validation page and works. Thus why have an unsubscribe link on the sign up page? Instead remove the unsubscribe link, which does not work, and simply redirect the user to the unsubscribe link in the messages they are already getting that do work.

So...
index.php approximately line 273
Code:
  # printf('<br/><br/><p><a href="./?p=unsubscribe">%s</a></p>',$strUnsubscribeTitle);  # Bug Fix remove unsubscribe link
  print $strUnsubscribeMsg;


language file (english.inc) added new line 31
Code:
$strUnsubscribeMsg      = 'If you would like to unsubscribe from the message system please use the unsubscribe link at the bottom of one of you messages.<br/><br/>';


The only bug left is the password validation page that does not use the page formatting all the rest of the pages do.
rrrrob
PL Nut
 
Posts: 18
Joined: 11:19pm, Mon 26 Oct, 2009

Re: Trouble with Authentication Pages

Postby Shivari » 1:05am, Thu 31 Dec, 2009

neffets wrote:The problem is not in function LoginPage,
because parameter "data" is not initialized before.

The error came from the lists/index.php by itself, in 2.10.10. branch at line 201
the "data" structure is only initialized in the "else" (when a listid is known), but not in the generic then-branch.

You can:
1) generate preferences-Links by yourself which contains a listid
or
2) patch index.php
at line 201 (cannot attach because .diff or .txt is not allowed)

Code:
--- phplist-2.10.10.denied/public_html/lists/index.php   2009-05-05 15:13:14.000000000 +0200
+++ phplist/public_html/lists/index.php   2009-11-11 18:05:35.065632639 +0100
@@ -199,6 +199,7 @@
 }
 
 if ($login_required && empty($_SESSION["userloggedin"]) && !$canlogin) {
+  $data = PageData(0);
   print LoginPage($id,$userid,$emailcheck,$msg);
 } elseif (isset($_GET['p']) && preg_match("/(\w+)/",$_GET["p"],$regs)) {
   if ($id) {
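
Review bot: Setting $data at the added line only works because LoginPage picks it up through "global $data", so any other call site that forgets the assignment reproduces the unstyled login page. Passing the array to LoginPage as an argument, or restoring the "$data = PageData($id);" line inside the function as in the v2.10.7 listing earlier in the thread, would remove that hidden dependency. The v2.10.7 function also loaded $data['language_file'] before rendering, which this branch still does not do, so that step needs restoring here as well.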


When I tried this change, I received a blank page in both Opera & Safari (worked in IE though.) Worked ok when I reverted. Perhaps coincidence or something else (I'm a novice struggling to configure it all!) - but someone who's an expert might like to check it out.
Shivari
phpList newbie
 
Posts: 1
Joined: 12:58am, Thu 31 Dec, 2009

