e107inc / e107

e107 Bootstrap CMS (Content Management System) v2 with PHP, MySQL, HTML5, jQuery and Twitter Bootstrap. Issue Discussion Room: https://gitter.im/e107inc/e107
https://e107.org
GNU General Public License v3.0

Bug: Social Login Edit Account #4115

Open LaocheXe opened 4 years ago

LaocheXe commented 4 years ago

A few sites I'm working on use Social Login only. When a user tried to edit their profile they were forced to add an email address (I don't know why it is forced), but when doing so, they get taken to a page to enter their password (which doesn't work for Social Login users).

Please validate the changes by re-entering your password: ^^ Shouldn't need it for Social Login accounts

I have in Users > Options > Force user to update settings set to no (is the code ignoring it?)

LaocheXe commented 4 years ago

Seems to be a User Settings issue. I have enabled Avatar, but can't even browse for one. With Social Login, I allow it to update the avatar every time a user logs in - but it's not working.

Can't add an email address, requires a password. Can't add a signature or photograph because it requires a password. Can't browse an image for avatar.

Admin account can edit their or other profiles. So I don't know what's going on at the moment. New site setup from GitHub on 03-29-2020

CaMer0n commented 4 years ago

@LaocheXe Is this a new issue, or could it have existed prior to the hybridAuth upgrade?

LaocheXe commented 4 years ago

I believe it happened after the hybridAuth upgrade

Deltik commented 4 years ago

This bug was not caused by the Hybridauth upgrade. The required email is hard-coded here, caused by commit 30f75611c31ab5c8f5fd9fa91559d8ac4864f3b8 on 27 November 2016.

Deltik commented 4 years ago

@CaMer0n: I think this issue can be fixed by doing these things:

Maybe it'd be even better to add:

LaocheXe commented 4 years ago

Well, all I know is, before the update - could edit profile without needing the email, login in avatars worked, but now they don't. I think it's the password required to update profile is blocking the avatars.

CaMer0n commented 4 years ago

@LaocheXe What are your signup preferences set to? Is email address "required"?


LaocheXe commented 4 years ago

Set as Displayed.


CaMer0n commented 4 years ago

okay, thanks ! :+1:

CaMer0n commented 4 years ago

@Deltik It might be worth checking if the scope of requiring an email was in the earlier version of how HybridAuth was set up inside e107.

I suggest having "email required" as the default scope in the social login setup, otherwise the admin has no way of contacting the user via PM, Notifications etc. (which will no doubt manifest in the form of github issues about notifications not working :/ )

Deltik commented 4 years ago

@CaMer0n: The old social plugin code from v2.2.1 did indeed default to having an email OAuth2 scope for some social login providers: https://github.com/e107inc/e107/blob/v2.2.1/e107_plugins/social/admin_config.php#L155

The new behavior just shows input field placeholders for the known scopes built into the Hybridauth Provider.

For adding a new provider, you could add those scopes by default by setting a value on the field around here.

LaocheXe commented 4 years ago

Well the issue is being able to edit their account without having to put in a password, since it is a social account.

CaMer0n commented 4 years ago

@LaocheXe Understood. I'll take a look. The email address should be locked though. If they want to change email, they should do it on their social account.

LaocheXe commented 4 years ago

Well, it's weird - social you can set scopes, but if you don't then by default there is no email account added. If a scope for email is added, then every time they log in it should update the email address, like how Steam we have the option to update the user avatar every time they log in. What should be locked for social, is user_loginname. Which I believe is, unless you're an admin with the perms to edit.

Before the update to the new version of hybridAuth, users who log in with Steam were able to update their accounts without having to put a password in, it would also apply their avatar. Now they need to put a password in, and it won't apply any avatar.

Deltik commented 4 years ago

27dd9ab287d3de5c93aa02c4ed3dcf7eb234bc1b restores the intended behavior of:

Previously, the updated display name and avatar were being ignored.

Deltik commented 4 years ago

2c733cd3f12e193077c47ad1380455f7c8ac6a67 makes the email field required only if the disable_emailcheck pref is set to 0 ("Required") here: https://user-images.githubusercontent.com/2825679/79669101-08aa8500-816e-11ea-96c3-0219a4ad0242.png

LaocheXe commented 4 years ago

Alright, user avatar and user real name get updated - but when they go to edit their profile and try to add an email, it still requests a password to make the change.

Setting email required - when they log in, avatar isn't loaded (or updated), and it doesn't add their email.

Best method I think is to check if user_xup is empty/null or not - if it isn't, then don't require password to update their account. This gives the user a chance to add an email address if they would like to sign up for newsletters or not.

Deltik commented 4 years ago

I am not sure how to reconcile the current behavior with the password prompt. There is no way for a social login user to update their email address after it has been set once. @CaMer0n, what is the intended flow for a social login user who wants to set their email address for the first time and subsequent times?

Current Behavior

If the user has a social login but has no email address, make the email field editable. If the user has a social login and there is already an email address, make the email field read-only. (Source)

If the user has a social login but has no email address, sync it from the social login provider. If the user has a social login and there is already an email address, never update it. (Source)

LaocheXe commented 4 years ago

Some social logins don't provide an email address for security reasons. Steam for example provides a steamid, real name, avatar, profile url, and country code.
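
The rules discussed in this thread, collected into a small standalone sketch. This is an added example, not part of any comment above and not e107's own code: `user_xup`, `user_email` and the password prompt come from the thread, while the function names, the sample accounts and the treatment of non-social accounts as always editable are assumptions.

```php
<?php
// Added illustration, not e107 source. user_xup, user_email and the password
// prompt come from the thread; function names and sample rows are constructed.

function is_social_account(array $user): bool
{
    return !empty($user['user_xup']); // non-empty only for social-login accounts
}

// "Current Behavior", edit form: editable until an email exists, then read-only.
// Non-social accounts are assumed to be always editable.
function email_field_mode(array $user): string
{
    return (is_social_account($user) && !empty($user['user_email']))
        ? 'read-only' : 'editable';
}

// "Current Behavior", login: fill a missing email from the provider, never overwrite.
function sync_email_on_login(array $user, ?string $providerEmail): array
{
    if (is_social_account($user) && empty($user['user_email']) && !empty($providerEmail)) {
        $user['user_email'] = $providerEmail;
    }
    return $user;
}

// Reported behaviour: every profile save asks for the local password.
// Proposed in the thread: skip the prompt when user_xup is not empty.
function password_prompt_needed(array $user, bool $skipForSocial): bool
{
    return !($skipForSocial && is_social_account($user));
}

$users = [ // constructed sample accounts: [stored row, email returned by provider]
    'steam, no email'    => [['user_xup' => 'Steam_0000', 'user_email' => ''], null],
    'oauth, email scope' => [['user_xup' => 'Provider_0001', 'user_email' => ''], 'a@example.com'],
    'local account'      => [['user_xup' => '', 'user_email' => 'b@example.com'], null],
];

foreach ($users as $label => [$user, $providerEmail]) {
    $user = sync_email_on_login($user, $providerEmail);
    printf("%-20s field=%-9s prompt(now)=%-3s prompt(proposed)=%s\n",
        $label,
        email_field_mode($user),
        password_prompt_needed($user, false) ? 'yes' : 'no',
        password_prompt_needed($user, true) ? 'yes' : 'no');
}
```

The first row is the stuck case from the report: the email field is editable, but saving asks for a password the account does not have.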