Cannot update member password when email fails to send in live mode

[atbarb]

Updated report

When email hasn't been properly configured, it's not possible to change a users password in live mode only, while it is still possible to change the users password in dev or test mode

Original report

Silverstripe Version: 5.0

Cannot update member password when running in live mode.

Note: I reported this on the forum and was asked to add a ticket with some extra debug info. I'm currently out of the country on holiday and so am just pasting in the info from my forum post. I'll add more info once I get back.

I have recently upgraded and old Silverstripe v3 site to v4.13 and then to v5.0. The upgrade seemed to have gone smoothly, but this week the client reported that they could not update a user’s password. I tried this myself on the production server and was able to recreate the issue. I then tried to recreate it on the staging website (running in test mode) and my local environment (running in dev mode) and found that I was able to update the password without issue. All environments are running PHP8.1.

Putting the local environment into live mode resulted in the password not updating and an error being flagged. By adding ?isDev=1 to the itemEditForm call and resending the request, I got back the error:

Array to string conversion in /var/www/html/vendor/silverstripe/framework/src/Security/Confirmation/Storage.php on line 271

Thinking that the error might be due to the extension I have added to Member. I set up a clean install of Silverstripe 5.1 and was able to replicate the issue on that . I.e The password updates without issue when the environment is set to dev or test but errors when set to live.

Acceptance criteria

• Failure to send an email to the user doesn't prevent the password from being updated.

Note

This issue might be related to this: https://docs.silverstripe.org/en/5/developer_guides/email/#administrator-emails

PRs

• https://github.com/silverstripe/silverstripe-framework/pull/11094
• https://github.com/silverstripe/developer-docs/pull/421

[emteknetnz]

I cannot reproduce locally using a fresh install of 5.1. I can change a users password in live mode.

I think the issue you got with ?isDev=1 is a red herring because /Security/Confirmation/Storage.php looks as though it's only used by ConfirmationMiddleware.php, which is used to "confirm" potentially dangerous actions on /dev/ urls. I did a quick debug and look as though ConfirmationMiddleware.rules includes "names" (presumably querystring keys) isDev, isTest, and flush as well as the "path" dev/build/ - so that's probably how you ended up there when you added isDev to the querystring, rather than because a user password was getting changed.

Do you have access to the server logs of the users production server and can you see the error there?

Are you able to update the password on your fresh install in live mode without adding ?isDev=1

If so, are you also able to replicate this on fresh installs of 5.0 or 4.13?

[atbarb]

Thanks for your response Steve. I'm back at my desk now and so hopefully can add extra detail as required.

We are seeing this issue on 3 sites at the moment. The first is the aforementioned upgrade that went from 3.x to 4.13 to 5.0. I am also seeing it on a site we are in the process of upgrading from 4.13 to 5.0. Finally the v5.1 clean install mentioned above.

For the first site mentioned above, I am seeing this behaviour locally (Docker), on staging (Cloudways LAMP stack) and in production (DataCentre LAMP stack) when SS_ENVIRONMENT is set to live. All work OK when set to "dev" or "test".

Just to clarify my ?IsDev use. I am seeing the issue regardless of whether this was used or not. I was only using it as the ItemEditForm call was returning "There has been an error" when in live mode. (see screenshot) Usually I'd just put this in dev mode to see the error, but the password update works OK when I do that and so I used the ?isDev in order to try and get an error message.

I'm not seeing any entries in the server apache error log, although I am seeing a 500 in the access log: 94.192.36.67 - - [30/Oct/2023:09:51:49 +0000] "POST /admin/security/users/EditForm/field/users/item/41/ItemEditForm/ HTTP/1.0" 500 3027 https://www.clientname-staging.afltest.co.uk/admin/security/users/EditForm/field/users/item/41/edit/ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/118.0"

I'll try to set this up on a clean v5.0 install later today and let you know the outcome.

[atbarb]

I've done a clean install of v5.0 and see the same issue.

I've added SilverStripe logging and now can see the following error being thrown when running in live mode:

[2023-11-01T17:34:39.215786+00:00] error-log.ERROR: Uncaught Exception Symfony\Component\Mailer\Exception\TransportException: "Connection to "process /usr/sbin/sendmail -bs" has been closed unexpectedly." at /var/www/html/vendor/symfony/mailer/Transport/Smtp/Stream/AbstractStream.php line 84 {"exception":"[object] (Symfony\Component\Mailer\Exception\TransportException(code: 0): Connection to \"process /usr/sbin/sendmail -bs\" has been closed unexpectedly. at /var/www/html/vendor/symfony/mailer/Transport/Smtp/Stream/AbstractStream.php:84)"} []

When I swap back to dev or test mode, this error is not thrown.

[atbarb]

It looks like this is probably an admin email being sent out on password update and I haven't configured it correctly.

[emteknetnz]

OK thanks that very helpful information. I've updated the title of this issue and added some context to the description.

[atbarb]

I installed the following:

• "symfony/mailgun-mailer": "^6.3",

• "symfony/http-client": "^6.3"

  And configured the dsn in app.yml and can confirm that the password is now being updated in live mode.

[emteknetnz]

Linked PR has been merged and tagged as 5.1.9