Changes in Contao 4.8 break registration

terminal42 / contao-mailusername

MIT License

7 stars 5 forks source link

Changes in Contao 4.8 break registration #17

Closed ben-eSM closed 4 years ago

ben-eSM commented 4 years ago

Due to the change in https://github.com/contao/contao/commit/a9d5000a89d93ab6f5ee79f83fe43f6c4f6a2f9f to use the Symfony security encoder, the Contao registration module throws an empty password exception if used with the contao-mailusername extension due to the following validation. https://github.com/contao/contao/blob/c9e195891d08bdb26504c394775cf956f23bf719/core-bundle/src/Resources/contao/modules/ModuleRegistration.php#L225 The username post variable is empty because the module will set the email address as username afterwards.

How to reproduce Install the extension terminal42/contao-mailusername in a Contao 4.8 system and implement a registration form with password and email fields.

fritzmg commented 4 years ago

But the same validation has already been there before, just with password_verify: https://github.com/contao/contao/blob/539347c7a03579400812f6977c1630560a780fe9/core-bundle/src/Resources/contao/modules/ModuleRegistration.php#L224-L228

// Check whether the password matches the username
if ($objWidget instanceof FormPassword && password_verify(\Input::post('username'), $varValue))
{
    $objWidget->addError($GLOBALS['TL_LANG']['ERR']['passwordName']);
}

aschempp commented 4 years ago

@richardhj can you have a look at this? I think we can set the username POST-value to the email in the onload callback, if FORM_SUBMIT is set? That would possibly even eliminate the need to set the username later.

ben-eSM commented 4 years ago

But the same validation has already been there before, just with password_verify: https://github.com/contao/contao/blob/539347c7a03579400812f6977c1630560a780fe9/core-bundle/src/Resources/contao/modules/ModuleRegistration.php#L224-L228
// Check whether the password matches the username
if ($objWidget instanceof FormPassword && password_verify(\Input::post('username'), $varValue))
{
    $objWidget->addError($GLOBALS['TL_LANG']['ERR']['passwordName']);
}

I assume password_verify seemed not to bother if the password value was empty. However, the Symfony security encoder ist throwing an exception.

fritzmg commented 4 years ago

Oh I see, so the Symfony Security Encoder is throwing an exception, not the registration module.

Imho this should be changed within Contao.

richardhj commented 4 years ago

I set the email as post value as proposed by @aschempp. This re-adds the validation "Your username and password must not be the same!".