Hi Guys
2 requests or queries
When resetting a password and using a non-matching username/email, the error shown is 'invalidcombo'.
This is not great for 2 reasons
1. The message is not user friendly, can it be changed? I do not see it listed in the 'Front-end Phrases'
2. It is bad practice to advise users if they were or were not using a valid username/email as it allows email harvesting. The message should be generic regardless of the validity: 'If a matching username or email was found, you will receive an email to reset your password.' I appreciate this is not the best UX but is the best security model.
Ideally there would be a setting to allow choice, to show errors or a generic response.
Thanks
Mistral
Since wpForo doesn't provide any login/registration functions but only a "form" for it, that error comes from WordPress core or some other plugin you use.
Hi
Please try and reset the password on this very forum and see the error yourself.
I agree this is originating in WordPress core, but you should be processing it. In the wp-login.php for example they do this:
$errors->add('invalidcombo', __('<strong>ERROR</strong>: Invalid username or email.'));
Invalidcombo is the error type not the message....
Regards
Mistral
This error doesn't come from wpForo. There is no such error message in wpForo. I searched the whole code of the wpForo plugin and didn't find it. This is not wpForo code. Please let me know where you found this code. What is the file and directory name?
Some plugin uses WP hooks and adds its error to the Password Reset process. wpForo only provides forms and pages, but the error message comes from other plugins.
I'm not sure you have read my response. In any case I will try and provide some more feedback.
Yes, the error is coming from WordPress core. For some reason that particular error will not return a nice error string. So in wpForo you have this line, the bold bit actually returns null.
Line 1944 wpf-hooks.php
WPF()->notice->add(join( ',', $errors->get_error_codes()), 'error');
In the standard wp-login.php around line 335 they check if there is no error code and add a new error to fix this.
if ( $errors->get_error_code() )
    return $errors;
if ( !$user_data ) {
    $errors->add('invalidcombo', __('<strong>ERROR</strong>: Invalid username or email.'));
    return $errors;
}
With a small bit of refactoring you can also take measures to see if the get_error_codes() returns null and add this error.
Hope that helps
Mistral
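
The generic-response behaviour requested in this thread, as an added example that is not part of any post above and is not wpForo or WordPress code. It assumes the forum receives the array of codes from `$errors->get_error_codes()` after a reset attempt; the function and constant names are hypothetical, and `$generic` stands in for the requested setting.

```php
<?php
// Added illustration; names are hypothetical, not wpForo or WordPress code.
// Input: the codes from WP_Error::get_error_codes() (empty array on success).

// Codes that reveal whether an account exists. 'invalidcombo' is the code
// from the thread; 'invalid_email' is the core code for an unknown address.
const ACCOUNT_REVEALING_CODES = ['invalidcombo', 'invalid_email'];

const GENERIC_NOTICE = 'If a matching username or email was found, '
    . 'you will receive an email to reset your password.';

// Readable text per code, so a raw code is never shown to the user.
const FRIENDLY_TEXT = [
    'invalidcombo'   => 'Invalid username or email.',
    'invalid_email'  => 'Invalid username or email.',
    'empty_username' => 'Please enter a username or email address.',
];

/**
 * @param string[] $codes   error codes from the reset attempt
 * @param bool     $generic true hides whether the account exists
 * @return array{type:string,text:string}
 */
function reset_notice(array $codes, bool $generic = true): array
{
    // In generic mode, drop every code that depends on account existence.
    $shown = $generic
        ? array_values(array_diff($codes, ACCOUNT_REVEALING_CODES))
        : $codes;

    if ($shown === []) {
        // Success and "no such account" produce the same notice.
        return ['type' => 'success', 'text' => GENERIC_NOTICE];
    }
    // Map each remaining code to text; unknown codes get a neutral fallback.
    $texts = array_map(
        fn ($c) => FRIENDLY_TEXT[$c] ?? 'The request could not be processed.',
        $shown
    );
    return ['type' => 'error', 'text' => implode(' ', array_unique($texts))];
}

// Constructed inputs: known account, unknown account, empty form field.
foreach ([[], ['invalidcombo'], ['empty_username']] as $codes) {
    print_r(reset_notice($codes));
}
```

The first two constructed inputs return the same notice, while the empty-field case still gets a specific error because it says nothing about whether an account exists.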