New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added ajax Username & Email checks #11516
Conversation
@@ -10,7 +10,7 @@ | |||
defined('_JEXEC') or die; | |||
?> | |||
|
|||
<form action="<?php echo JRoute::_('index.php?option=com_cache&view=purge'); ?>" method="post" name="adminForm" id="adminForm"> | |||
<form action="<?php echo JRoute::_('index.php?option=com_cache'); ?>" method="post" name="adminForm" id="adminForm"> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what does this change have to to with username and email checks
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I pulled the Issue 9943 and this was maybe in there. I didn't changed anything in this .php File. Shall I remove this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mxkmp29 there are a lot of unrelated changes in this PR |
@@ -34,6 +34,8 @@ COM_USERS_CONFIG_FIELD_CAPTCHA_DESC="Select the captcha plugin that will be used | |||
COM_USERS_CONFIG_FIELD_CAPTCHA_LABEL="Captcha" | |||
COM_USERS_CONFIG_FIELD_CHANGEUSERNAME_DESC="Allow users to change their Login name when editing their profile." | |||
COM_USERS_CONFIG_FIELD_CHANGEUSERNAME_LABEL="Change Login Name" | |||
COM_USERS_CONFIG_FIELD_EMAIL_REGEX_LABEL="Forbidden email endings" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you mean forbidden domains?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, sorry I formulate it false.
Closing for now until the branch is fixed This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/11516. |
@@ -34,6 +34,8 @@ COM_USERS_CONFIG_FIELD_CAPTCHA_DESC="Select the captcha plugin that will be used | |||
COM_USERS_CONFIG_FIELD_CAPTCHA_LABEL="Captcha" | |||
COM_USERS_CONFIG_FIELD_CHANGEUSERNAME_DESC="Allow users to change their Login name when editing their profile." | |||
COM_USERS_CONFIG_FIELD_CHANGEUSERNAME_LABEL="Change Login Name" | |||
COM_USERS_CONFIG_FIELD_EMAIL_REGEX_LABEL="Forbidden domains" | |||
COM_USERS_CONFIG_FIELD_EMAIL_REGEX_DESC="Expression for forbidden email adress endings. Example: Forbid all email addresses from example.com. Input:<br /> example.com<br />For many entries add a new line after every entry. <br />Input: <br />example.com<br />example2.com" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we simplify this to
List of forbidden domain names. Place each domain name on a new line
return regex.test(value); | ||
}); | ||
//check if username is already in database | ||
jQuery('#jform_username').change(function(){ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it is com_users specific code it should not be here in validate.js,
and I do not see a reason why you need change the validate.js at all
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought this should be placed there where the validation of the fields is. Where should I place it that I can integrate it perfectly ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you can make separated file and place it under /media/com_users/js/validate-user.js
or in the layout where the form is rendered
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we try to use vanilla js please and not jquery specific if at all possible.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Fedik @dgt41 Can we have some help here on how to turn an AJAX call to vanilla JS and also the .change() functions like jQuery('#jform_username').change(function(){
I don't know how to do that and we need to make sure it supports IE8.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i have used one here... https://github.com/joomla/joomla-cms/pull/8545/files#diff-5a22fd5c5d43e73f7858a435aa497b18R30
but may be @Fedik @dgt41 have a better way? (add vannila js ajax calls in core.js?)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think https://github.com/joomla-projects/media-manager-improvement/blob/b60da9fb9aa9a5893852c4e0926191f86a9479a8/media/plg_media-editor_imagefilters/js/caman-init.js
is a good starting point. There is a polyfill for IE8/9 that might needed as well here.
Check this article for references: http://danielstrunk.me/blog/2015/03/18/polyfills-for-ie8-support/
ATM I haven't check the current code, will do when I'll get some free time
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
then we need to think about general AJAX method in core.js
,
Joomla.request = function(options){ ... }
// do request
Joomla.request({
url: '/some/url',
onSuccess: function(){alert('works!')},
onError: function(){alert('not works!')},
})
Also we need the events handling.
About IE8, there change
does not work, but there can try to use onpropertychange
instead change
This require a bit more coding 😉
so for now I would leave it with jQuery. Just move the code from validate.js
.
ps. when I will get some time, later will try to prepare the pull request for Joomla ajax and events.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Fedik I had a Skype chat with @dgt41 today and we came to the exact same conclusion. So I guess we are all on the same page. Also the student has very limited time, so rather have this complete as it is and we can refactor to native JS once we have all our "own" methods in place. Rather I use jQuery now and later move everything to the J! way than everybody copy-pasting possible solutions from all over the net.
cols="50" | ||
filter="string" | ||
> | ||
</field> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we add a showon param here so this is only shown when custom is selected - then you can also simplify the language string
eg
showon="allowed_chars_username_preset:1,2,3"
and then the string you can delete "If other than 'CUSTOM' is selected, this text box is not operational."
@@ -43,6 +42,10 @@ public function display($tpl = null) | |||
$this->state = $this->get('State'); | |||
$this->params = $this->state->get('params'); | |||
|
|||
JText::script('COM_USERS_PROFILE_EMAIL2_MESSAGE'); | |||
JText::script('COM_USERS_FIELD_RESET_PASSWORD1_MESSAGE'); | |||
JHtml::_('script', 'com_users/validate-user.js', false, true); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please move it to the layout components/com_users/views/registration/tmpl/default.php
Avoid adding a script/style in the view class.
And as it depend from jQuery
you also need to call JHtml::_('jquery.framework');
@@ -67,10 +69,28 @@ COM_USERS_CONFIG_FIELD_USERACTIVATION_DESC="If set to None the user will be regi | |||
COM_USERS_CONFIG_FIELD_USERACTIVATION_LABEL="New User Account Activation" | |||
COM_USERS_CONFIG_FIELD_USERACTIVATION_OPTION_ADMINACTIVATION="Administrator" | |||
COM_USERS_CONFIG_FIELD_USERACTIVATION_OPTION_SELFACTIVATION="Self" | |||
COM_USERS_CONFIG_FIELD_USERNAME_CHARSPRESET_LABEL="Character Preset" | |||
COM_USERS_CONFIG_FIELD_USERNAME_CHARSPRESET_DESC="Specify from the select list if you want disable this check or allow/forbid CUSTOM character filling the CUSTOM text box. You can also select some of the specified character presettings: alphanumeric, latin, email,..." | |||
COM_USERS_CONFIG_FIELD_USERNAME_MINNUMCHARS_LABEL="Min. number of character" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please change to
Min. number of characters
COM_USERS_CONFIG_FIELD_USERNAME_CHARSPRESET_LABEL="Character Preset" | ||
COM_USERS_CONFIG_FIELD_USERNAME_CHARSPRESET_DESC="Specify from the select list if you want disable this check or allow/forbid CUSTOM character filling the CUSTOM text box. You can also select some of the specified character presettings: alphanumeric, latin, email,..." | ||
COM_USERS_CONFIG_FIELD_USERNAME_MINNUMCHARS_LABEL="Min. number of character" | ||
COM_USERS_CONFIG_FIELD_USERNAME_MINNUMCHARS_DESC="Minimum number of character required for username field." |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please change to
Minimum number of characters required for the username.
COM_USERS_CONFIG_FIELD_USERNAME_CHARSPRESET_DESC="Specify from the select list if you want disable this check or allow/forbid CUSTOM character filling the CUSTOM text box. You can also select some of the specified character presettings: alphanumeric, latin, email,..." | ||
COM_USERS_CONFIG_FIELD_USERNAME_MINNUMCHARS_LABEL="Min. number of character" | ||
COM_USERS_CONFIG_FIELD_USERNAME_MINNUMCHARS_DESC="Minimum number of character required for username field." | ||
COM_USERS_CONFIG_FIELD_USERNAME_MAXNUMCHARS_LABEL="Max. number of character" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please change to
Max. number of characters
COM_USERS_CONFIG_FIELD_USERNAME_MINNUMCHARS_LABEL="Min. number of character" | ||
COM_USERS_CONFIG_FIELD_USERNAME_MINNUMCHARS_DESC="Minimum number of character required for username field." | ||
COM_USERS_CONFIG_FIELD_USERNAME_MAXNUMCHARS_LABEL="Max. number of character" | ||
COM_USERS_CONFIG_FIELD_USERNAME_MAXNUMCHARS_DESC="Maximum number of character required for username field. Zero indicates no limit." |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please change to
Maximum number of characters required for the username. Zero indicates no limit."
COM_USERS_CONFIG_IMPORT_FAILED="An error was encountered while importing the configuration: %s." | ||
COM_USERS_CONFIG_PASSWORD_OPTIONS="Password Options" | ||
COM_USERS_CONFIG_SAVE_FAILED="An error was encountered while saving the configuration: %s." | ||
COM_USERS_CONFIG_PASSWORD_OPTIONS="Password Options" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why are you adding this string. It already exists on line 89
@brianteeman the comments from @roland-d & @mbabker are corrected. The comment was on the wrong fields in the code. Under "Username Options" the changes are visible and working, which were discussed in this comment. |
$result = false; | ||
} | ||
|
||
/* |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why do we have commented code here? maybe it should be removed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This commented code ist form the PR before me. I think I can remove this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the syntax for an Identifier stated in UAX31-D1. I thought it is too restrictive for Joomla username, and because of that I comment the implementation, but left it just in case smart people think it is needed.
I'm willing to retest once the comment zero-24 mentioned is either addressed or explained. |
I have tested this item ✅ successfully on 6046009 This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/11516. |
@brianteeman How does it look now (in terms of the requirements you've mentioned)? After the recent change it's working great on my end. |
I dont see the correction that @mbabker says to make in https://github.com/joomla/joomla-cms/pull/11516/files#r75477191 are you saying thats not correct? |
Surely it is not correct that I can set the minimum number of characters to be greater than the maximum number of characters This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/11516. |
This happens because the ajax calls only checks usernames or emails in the database, not the validation. The validation was implemented by @framontb in the username.php and contains only checks via php. There is no ajax validation, which checks the the rules from the admin-backend. |
Seems daft to me to only do ajax on "if exists" and not on "if valid" kind of defeats the object of the code to me |
Also if this is the case that it only checks "if exists" and not "if valid" then the error message is incorrect
|
@brianteeman |
Well I dont see any point in only having half the job as ajax |
There is a possible issue that needs to be considered in that with the ajax checking of existing usernames and email addresses i can quite quickly gather a list of all the users on the site This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/11516. |
The username and email usage check is a user enumeration attack vector from a security perspective. Yes, we have this check during the current registration process too, but this one can at least be protected using a captcha, that's not possible for the AJAX request. So, I would suggest to remove the "is username or email" already used check in this PR. This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/11516. |
You can enter and save a lower number of "Max. number of characters" then "Min. number of characters" This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/11516. |
@mxkmp29 is this PR for testing? |
@mbabker can I ask the JSST decision/opinion about this PR that may include potential security issues? |
This is not ready for a review, it still has outstanding change requests from several months ago and just through scanning a couple of files there are miscellaneous whitespace changes littered in the PR. From a security perspective, the concept is "controversial" and this is introducing a "convenience over security" workflow by making it easier to ascertain whether a username exists on a website. Considering this is triggered by JavaScript based on typing into a field, the implementation needs to ensure that there isn't a way to turn this into a DoS attack on a site. |
Hey, best regards |
Pull Request for Issue #9943
I continued the great work of @framontb at @icampus
Summary of Changes
Testing Instructions