Josh Bond Posted May 16, 2012 Share Posted May 16, 2012 They could get any forum software to give them the password, if the original owner loses his email. Bottom Line: Modifying your module to merge member records when the email exists already does not introduce any security breach that is not already inherent in email based forum or content management software, such as IPBoard, vBulletin, Drupal, Joomla, Wordpress, and virutally every other one I can think of. :smile: Link to comment Share on other sites More sharing options...
Marcher Technologies Posted May 16, 2012 Share Posted May 16, 2012 They could get any forum software to give them the password, if the original owner loses his email. Bottom Line: Modifying your module to merge member records when the email exists already does not introduce any security breach that is not already inherent in email based accounts, such as IPBoard, vBulletin, Drupal, Joomla, Wordpress, and virutally every other one I can think of. :smile: Except it makes the assumption you allow email logins at all. I stated do as you please.... for good mehal I provide a full-fledged api, for all it matters, one can do what they wish with it, up to and including pulling data from a users account/apps when they are offline. I am simply being responsible with what I produce from it regarding proper practices. Link to comment Share on other sites More sharing options...
Josh Bond Posted May 16, 2012 Share Posted May 16, 2012 Allow email logins? You mean, disable the password reset functionality in IPBoard so that if someone loses their gmail account, and a new person gets it, that new person can't reset the old person's IPBoard password? That's what your saying can happen now, right? Link to comment Share on other sites More sharing options...
Marcher Technologies Posted May 16, 2012 Share Posted May 16, 2012 Allow email logins? You mean, disable the password reset functionality in IPBoard so that if someone loses their gmail account, and a new person gets it, that new person can't reset the old person's IPBoard password? That's what your saying can happen now, right? I am saying that me allowing the email to have keys to login regardless directly violates several settings already in existence in the first place regarding whether to force login through username and whether to allow email login at all, and directly violates the whole point of a separate login module from email-based login, we are not authenticating an email, we are authenticating the google account. Link to comment Share on other sites More sharing options...
Josh Bond Posted May 16, 2012 Share Posted May 16, 2012 Thanks, Marcher. If anyone wants the modification to prevent existing users from creating a brand new account (as opposed to using their existing account) when they use this Google sign-in add-on, just let me know via PM and I'll send it to you. Link to comment Share on other sites More sharing options...
Marcher Technologies Posted May 16, 2012 Share Posted May 16, 2012 Thanks, Marcher. If anyone wants the modification to prevent existing users from creating a brand new account (as opposed to using their existing account) when they use this Google sign-in add-on, just let me know via PM and I'll send it to you. .... nutz on it.. I highly doubt said code actually updates the user properly with the info from google anyway. in further news, I discovered a bug due to not specifying members_created_remote='1' both are fixed, enjoy. also... may want to run this query:UPDATE members SET members_created_remote = '1' WHERE google_uid IS NOT NULL; what would occur without that is disastrous, the user could not change their password from the UCP, and in essence, would need a pass reset.... I missed a vital line in my create call. >_< Said query will resolve that for the users that have freshly registered since 1.0.5... I am unable to think of a cleaner query frankly.... that will hit all users that either registered or linked since 1.0.5.0 :unsure: Link to comment Share on other sites More sharing options...
Marcher Technologies Posted May 16, 2012 Share Posted May 16, 2012 also... sadly... i missed a 1-liner which is why you just saw the file updated again. is a source file patch, simply re-upload. Link to comment Share on other sites More sharing options...
Dmacleo Posted May 16, 2012 Share Posted May 16, 2012 I'll update tonight. will it allow me to hijack a board? :) :) :D :P Link to comment Share on other sites More sharing options...
Marcher Technologies Posted May 16, 2012 Share Posted May 16, 2012 Beyond truly caring, too many hoops for them by far, too many yelps from yall, too much to deal with. as a note, it checks the google_uid FIRST. then tries email as a fall-back. therefore a linked account with a different email will trump an unlinked account with the gmail. And you still gotta make it past google's login there Dave, GL with that :ph34r: . Link to comment Share on other sites More sharing options...
Dmacleo Posted May 16, 2012 Share Posted May 16, 2012 :) update went smooth and as an aside it also corrected a steam login (based on this mod if I understand right) issue I had. Link to comment Share on other sites More sharing options...
Marcher Technologies Posted May 16, 2012 Share Posted May 16, 2012 :smile: update went smooth and as an aside it also corrected a steam login (based on this mod if I understand right) issue I had. him and i could factually never reproduce that, not for any lack of trying.... glad somehow got sorted out. Link to comment Share on other sites More sharing options...
Dmacleo Posted May 16, 2012 Share Posted May 16, 2012 I could not figure it out either, seemed to be the oddest damn thing, but it did work still which made it harder to nail down. was thinking something in the order of install may have been key (did google first then steam few days later) but never did try that on test board. ah well its all magic anyways and the spell worked this time :D Link to comment Share on other sites More sharing options...
Josh Bond Posted May 16, 2012 Share Posted May 16, 2012 I'll update tonight. will it allow me to hijack a board? :smile: :smile: :D :tongue: Only if IPBoard's email password recovery is enabled.Then someone who lost their gmail and someone else registered it, they could recover a user's password through IPBoard's email recovery system...or so I've heard (w00t) Link to comment Share on other sites More sharing options...
LeeGrant Posted May 16, 2012 Share Posted May 16, 2012 Most sites are now email verification - to say that if someone get's hold of their gmail is very weak. The same would be true of hotmail or even gmail or even fredsmith.com email address using the regular email login. So not to include it for this app is daft and pointless. Link to comment Share on other sites More sharing options...
knaleffect Posted May 18, 2012 Share Posted May 18, 2012 I don't get it. I have done everything but nottings changings. It's all the time this error: "The redirect URI in the request: http://jorum.nl/interface/board/google.php did not match a registered redirect URI" .. Link to comment Share on other sites More sharing options...
Marcher Technologies Posted May 18, 2012 Share Posted May 18, 2012 I don't get it. I have done everything but nottings changings. It's all the time this error: "The redirect URI in the request: http://jorum.nl/inte...oard/google.php did not match a registered redirect URI" .. http://community.invisionpower.com/topic/361879-download-sign-in-through-google/#entry2261537 did you go to the API Console, add a web application and add the 2 redirect URI's for this Modification to function? Link to comment Share on other sites More sharing options...
Graeme S. Posted May 22, 2012 Share Posted May 22, 2012 First of all, fantastic work! EDIT: Managed to do what I wanted. Now this is just a feedback post saying how great this hook is! Link to comment Share on other sites More sharing options...
PersonalMode Posted May 24, 2012 Share Posted May 24, 2012 I don't get it. I have done everything but nottings changings. It's all the time this error: "The redirect URI in the request: http://jorum.nl/inte...oard/google.php did not match a registered redirect URI" .. Me toohttp://community.inv...e/#entry2261537 did you go to the API Console, add a web application and add the 2 redirect URI's for this Modification to function? I already read this and check, but error still there Link to comment Share on other sites More sharing options...
Dmacleo Posted May 24, 2012 Share Posted May 24, 2012 your not using https for signin are you? if so need to add the https url also. I cheated, I added both http and https for each of them. Link to comment Share on other sites More sharing options...
Marcher Technologies Posted May 24, 2012 Share Posted May 24, 2012 Me too I already read this and check, but error still there do me this favor, both of you... paste me the Redirect URI Lines from your google API console, and your board url after ensuring the client_id and client_secret match between the system settings and the API console.... in code tags please and thank you. Link to comment Share on other sites More sharing options...
Dmacleo Posted May 24, 2012 Share Posted May 24, 2012 these are mine, mine works finehttps://www.davemacleod.net/forums/interface/board/google.php https://www.davemacleod.net/forums/interface/board/linkgoogle.php http://www.davemacleod.net/forums/interface/board/linkgoogle.php http://www.davemacleod.net/forums/interface/board/google.php board url is http://www.davemacleod.net/forums/ and sign in is https://www.davemacleod.net/forums/index.php?app=core&module=global§ion=login Link to comment Share on other sites More sharing options...
PersonalMode Posted May 25, 2012 Share Posted May 25, 2012 Redirect URIs https://www.depeche-mode.be/oauth2callback Javascript origins https://www.depeche-mode.be/ IPs http://www.depeche-mode.be/forums/interface/board/google.php http://www.depeche-mode.be/forums/interface/board/linkgoogle.php https://www.depeche-mode.be/forums/interface/board/google.php https://www.depeche-mode.be/forums/interface/board/linkgoogle.php I add the Client ID and the Client Secret in my ACP But, what about API key ? Link to comment Share on other sites More sharing options...
Marcher Technologies Posted May 25, 2012 Share Posted May 25, 2012 Redirect URIs https://www.depeche-mode.be/oauth2callback Javascript origins https://www.depeche-mode.be/ IPs http://www.depeche-mode.be/forums/interface/board/google.php http://www.depeche-mode.be/forums/interface/board/linkgoogle.php https://www.depeche-mode.be/forums/interface/board/google.php https://www.depeche-mode.be/forums/interface/board/linkgoogle.php I add the Client ID and the Client Secret in my ACP But, what about API key ? Facepalm.. theres your problem. Redirect URIs http://www.depeche-mode.be/forums/interface/board/google.php http://www.depeche-mode.be/forums/interface/board/linkgoogle.php https://www.depeche-mode.be/forums/interface/board/google.php https://www.depeche-mode.be/forums/interface/board/linkgoogle.php Link to comment Share on other sites More sharing options...
PersonalMode Posted May 27, 2012 Share Posted May 27, 2012 I understand now. Ok, thank you very much MT Link to comment Share on other sites More sharing options...
odox Posted June 27, 2012 Share Posted June 27, 2012 Just want to say amazing mod. I've been waiting for this for a while and it's great to see something so perfectly executed. Bravo! Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.