Custom Profile Update

#1 doc55, 08-28-2019, 11:43 PM

Hi,
I'm trying to make a custom form for users to update their profile. I have the following code, which I thought should work.
PHP Code:
//init the vBulletin system
require_once( '/forum/includes/vb5/autoloader.php' );
vB5_Autoloader::register( '/forum' );
vB5_Frontend_Application::init( 'config.php' );

// Get logged in user ID
$vb_userid = vB::getUserContext()->fetchUserId();

//get user info
$username = $this->data['username'];
$email = $this->data['email'];
$password = $this->data['new_password'];
$data = array(
  'userid' => $vb_userid,
  'password' => $password,
  'user' => array( 'username' => $username, 'email' => $email ),
  array(),
  array(),
  'userfield' => false,
  array(),
  '',
  array()
);
$response = $api->callApi( 'user', 'save', $data, false, true );

But I'm getting the following error message:
Your submission could not be processed because a security token was missing.
If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error.


And I see the following error at the top of the page:
Notice: Undefined index: usefiles in /home/myserver/mysite.com/forum/includes/vb5/template/stylesheet.php on line 70 Notice: Undefined index: usefiles in /home/myserver/mysite.com/forum/includes/vb5/template/stylesheet.php on line 70

I appreciate if someone could help me with fixing this code.
Thanks

#2 doc55, 09-02-2019, 01:40 AM

I made some progress, but the code is still not working correctly.
Here is what I have:
PHP Code:
// Check vBulletin user ID to make sure they are logged in and it exists.
$user_id = isset( $_COOKIE[ 'bbuserid' ] ) ? ( int )$_COOKIE[ 'bbuserid' ] : null;
if ( $user_id === null ) {
  throw new Exception( 'Unable to find user id from vBulletin.' );
}

//init the vBulletin system
require_once( '/forum/core/vb/vb.php' );
vB::init();
define( "CSRF_PROTECTION", false );
require_once( '/forum/includes/vb5/autoloader.php' );
vB5_Autoloader::register( '/forum' );
vB5_Frontend_Application::init( 'config.php' );

//get user info
$current_password = $_POST[ 'form' ][ 'current_password' ];
$new_password = $_POST[ 'form' ][ 'new_password' ];
$email = $_POST[ 'form' ][ 'email' ];
$username = $_POST[ 'form' ][ 'username' ];

//Update user information
$api = Api_InterfaceAbstract::instance();
$response = $api->callApi( 'user', 'save', array(
  'userid' => $user_id,
  'password' => '',
  'user' => array( 'email' => $email, 'username' => $username ),
  'options' => array(),
  'adminoptions' => array(),
  'userfield' => array(),
  'notificationOptions' => array(),
  'hvinput' => array(),
  'extra' => array(
    'password' => $current_password,
    'newpass' => $new_password,
    'email' => $email,
    'username' => $username
  ),
) );
vB::getDbAssertor()->update( 'user', array( 'username' => $username ), array( "userid" => $user_id ) );

A couple of issues with this code are:
1- It is not updating the email address
2- You can enter wrong current password and it still runs without throwing an error.
3- Can I update the user email, password and username without the need to enter the current user?

I appreciate anyone that could help with this.

#3 Dave, 09-02-2019, 10:10 AM

You must pass 'acnt_settings' => true to the 'extra' array. Based on the code that allows you to edit the email/password as a regular user and also includes current password verification.

You need to extract the userid from the current session returned by vBulletin and not from a cookie because I can just simply use a cookie editor to edit my bbuserid cookie to the userid of an administrator and then hijack the account.
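
The point made in post #3, as an added example that is not part of the thread: a simplified model showing why an ID read from the bbuserid cookie cannot be used to decide whose profile is saved, next to a lookup that resolves the user from server-side session state. The session table, token value and function names are constructed for illustration and are not vBulletin's session code; in vBulletin the server-side lookup is what a call such as vB::getUserContext()->fetchUserId() from post #1 is for.

```php
<?php
// Added illustration, not code from the thread. Simplified model:
// SESSIONS stands in for the forum's server-side session table.
// All names and values here are constructed.
const SESSIONS = [
    // session token (random, issued at login) => user ID bound to it
    'c0ffee-constructed-token' => 19,
];

/** Pattern from post #2: trusts a value the browser controls. */
function user_id_from_cookie(array $cookies): ?int
{
    return isset($cookies['bbuserid']) ? (int) $cookies['bbuserid'] : null;
}

/** Identity resolved on the server from the session token only. */
function user_id_from_session(array $cookies): ?int
{
    $token = $cookies['sessionhash'] ?? '';
    if (!is_string($token) || !array_key_exists($token, SESSIONS)) {
        return null; // no valid session: treat as not logged in
    }
    return SESSIONS[$token];
}

/** Allow a profile update only on the session's own account. */
function may_update_profile(array $cookies, int $targetUserId): bool
{
    $actor = user_id_from_session($cookies);
    return $actor !== null && $actor === $targetUserId;
}

// Constructed request: user 19 is logged in, but the bbuserid cookie
// sent by the browser has been changed to 1.
$cookies = ['sessionhash' => 'c0ffee-constructed-token', 'bbuserid' => '1'];

var_dump(user_id_from_cookie($cookies));     // follows the edited cookie
var_dump(user_id_from_session($cookies));    // follows the session record
var_dump(may_update_profile($cookies, 1));   // update of another account
var_dump(may_update_profile($cookies, 19));  // update of own account
```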

#4 In Omnibus, 09-02-2019, 01:04 PM

Quote:
Originally Posted by Dave
You must pass 'acnt_settings' => true to the 'extra' array. Based on the code that allows you to edit the email/password as a regular user and also includes current password verification.

You need to extract the userid from the current session returned by vBulletin and not from a cookie because I can just simply use a cookie editor to edit my bbuserid cookie to the userid of an administrator and then hijack the account.

I'd like and quote this a million times if I could. There seems to be a growing trend of vBulletin customers hacking their software without any regard for security.

#5 doc55, 09-02-2019, 02:37 PM

Thank you both for your valuable feedback. I'm not a programmer and I had someone do this for me. That's why I shared it here to make sure we are doing things correctly and improve it.

I really appreciate your advice.

#6 doc55, 09-03-2019, 08:14 PM

After reading the vB API documentation, it looks like the acnt_setting should be set to 1.
So, I changed the code as you advised and I'm getting the userid from vB fetchUserinfo instead of cookies.

However, my code is still not working. It is not updating the username. Also it is not verifying the current password.
What am I missing?

PHP Code:
//init the vBulletin system
require_once( '/forum/core/vb/vb.php' );
vB::init();
define( "CSRF_PROTECTION", false );
require_once( '/forum/includes/vb5/autoloader.php' );
vB5_Autoloader::register( '/forum' );
vB5_Frontend_Application::init( 'config.php' );
$vb_userInfo = vB_Api::instance( 'user' )->fetchUserinfo();

//get user info
$vb_userid = $vb_userInfo[ 'userid' ];
$current_password = $_POST[ 'form' ][ 'current_password' ];
$new_password = $_POST[ 'form' ][ 'new_password' ];
$email = $_POST[ 'form' ][ 'email' ];
$username = $_POST[ 'form' ][ 'username' ];

//Update user information
$api = Api_InterfaceAbstract::instance();
$response = $api->callApi( 'user', 'save', array(
  'userid' => $vb_userid,
  'password' => '',
  'user' => array( 'email' => $email, 'username' => $username ),
  'options' => array(),
  'adminoptions' => array(),
  'userfield' => array(),
  'notificationOptions' => array(),
  'hvinput' => array(),
  'extra' => array(
    'password' => $current_password,
    'newpass' => $new_password,
    'email' => $email,
    'username' => $username,
    'acnt_setting' => 1
  ),
) );
vB::getDbAssertor()->update( 'user', array( 'username' => $username ), array( "userid" => $vb_userid ) );

I appreciate any feedback.

#7 Dave, 09-03-2019, 08:36 PM

var_dump($response); to see what that is showing. If nothing happens, dump the variables one by one to make sure everything is still working as expected.

#8 doc55, 09-03-2019, 09:53 PM

Thank you Dave.
It appeared that actually my code worked (partially).
When I enter the wrong current password, it doesn't update anything, appropriately. But it is not showing any errors to the user.
The var_dump($response); showed the following:
PHP Code:
array(2) { ["errors"]=> array(1) { [0]=> array(2) { [0]=> string(11) "badpassword" [1]=> string(40) "https://mydomain.com/forum/lostpw" } } ["userid"]=> string(2) "19" }

I know this is the error message, but I'm not sure how can I write the if statement that if there is an error, then show a message. Meaning, how can I capture this error in the php script?

The other problem is that even when I enter the correct current password, it only updates the email and password and DOES NOT update the username. I'm not sure why.

#9 Dave, 09-03-2019, 10:13 PM

Does the new password save properly? You might have to set the 'password' key to the new password in the array.

As for showing errors, just iterate over the errors array if it's set.
Something like
PHP Code:
if(isset($response['errors'])){
   foreach($response['errors'] as $key=>$error){
      echo $error[0] . '<br>';
   }
}
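
A fuller version of the error handling discussed in posts #8 and #9, as an added example that is not part of the thread: it reduces the response to a success flag plus HTML-escaped messages, and shows fixed text for known phrase IDs instead of echoing whatever the response contains. The sample response is constructed to match the var_dump output in post #8; the function names, the message texts and the rule that a response without errors counts as success are assumptions.

```php
<?php
// Added illustration, not code from the thread. The message texts and
// function names are assumptions.

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Reduce a user/save response to ['ok' => bool, 'messages' => string[]].
 * Assumption: a response without a non-empty 'errors' entry is a success.
 */
function summarize_save_response($response): array
{
    // Phrase ID => text shown to the user (texts are made up here).
    $known = ['badpassword' => 'The current password you entered is incorrect.'];
    $errors = is_array($response) ? ($response['errors'] ?? []) : [];
    if (!is_array($errors)) {
        $errors = [$errors];
    }
    $messages = [];
    foreach ($errors as $error) {
        // Each entry is a list whose first element is the phrase ID.
        $first = is_array($error) ? ($error[0] ?? '') : $error;
        $phrase = is_string($first) ? $first : '';
        if (!array_key_exists($phrase, $known)) {
            // Keep unknown phrase IDs out of the page; log them instead.
            error_log('user/save error phrase: ' . $phrase);
        }
        $messages[] = h($known[$phrase] ?? 'Your profile could not be updated.');
    }
    return ['ok' => $messages === [], 'messages' => $messages];
}

// Constructed to match the var_dump() output shown in post #8.
$response = [
    'errors' => [['badpassword', 'https://mydomain.com/forum/lostpw']],
    'userid' => '19',
];
$result = summarize_save_response($response);
if (!$result['ok']) {
    foreach ($result['messages'] as $message) {
        echo $message, "<br>\n";
    }
}
```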

#10 doc55, 09-03-2019, 10:32 PM

Dave,
Thanks again for your reply.
That took care of the error message. Great.
The password is updating appropriately.
However, the username is still not saving at all. Any idea why?
Also, I noticed just now that the last line is actually not needed. I ran the code without the vB::getDbAssertor and it is working exactly the same. Do you know if I need this line?

PHP Code:
vB::getDbAssertor()->update( 'user', array( 'username' => $username ), array( "userid" => $vb_userid ) );

All times are GMT.