I think wpForo just offers a "visual interface" for login/signup etc and Wordpress does all that. Email with the verification also.
Hi Massi
If that is true it begs two questions :-
- Why was it working perfectly fine on 1.4.9 but not after updating wpforo to 1.4.10 or the sudden quick releases of 1.4.11 & 1.13.12. I had not installed anything else in the meantime.
- The free third party plugin "profile builder" I've now installed to handle client reg, login and reset, I believe also uses the wp backend, that's working fine.
So I have to ask myself what is wpforo doing to A) cause the key to appear invalid B) and now after 1.4.12 to do nothing with the key.
All very odd, to be honest I probably won't now go back to wpforo handling the registration, login or password reset functions now. It would be nice however to have some answers as to why this all went pear shaped for some of us.
Hi there,
In fact so is this form wpforo.com! I just registered on it, the link it sends takes me to this site, a message pops up saying the key is invalid. I had to click lost password in order to be able to set a password and login.
Hi everybody!
While testing wpforo, I've registered a new user on my site and registered on this (wpforo) site as well.
I did receive the confirmation mails after registrations.
However, the same issue is on both sites - mine and on this (wpforo) site: when I try to log in after a registration, a message pops up saying the key is invalid. After that I have to reset my password which does the login trick, finally. Ufff...
I'm just writing the facts. wpForo doesn't handle all that (if i'm wrong please someone correct me).
I'm not saying you are imagining things, maybe there is come conflict.
Robert could help more on this.
I've identified the issue and it's something everyone is likely experiencing if they are using wpForo to manage the user registration since it has it's own functions for dealing with this stuff, though it ties into existing WP functions for some of it.
It's an issue within this file:
/wp-content/plugins/wpforo/wpf-includes/wpf-hooks.php
First off, line 1923 in the wpforo_redirect_to_custom_password_reset function the key is sanitized in the check_password_reset_key function of WP. However it should be safe to remove that line since it's seemingly unnecessary.
Line 1924 is the real issue. It sets $_REQUEST['key'] to an attempt to sanitize $_REQUEST['login'] which it should actually use the sanitize_user function for anyway, though I'm not completely certain that value is actually used anywhere or not, but it does seem to at least check if it's empty. It should really be setting $_REQUEST['login'] instead of $_REQUEST['key'] or perhaps better yet pass the values directly to the check_password_reset_key function below.
In fact I would be inclined to change that entire section from:
// Verify key / login combo $_REQUEST['key'] = sanitize_textarea_field($_REQUEST['key']); $_REQUEST['key'] = sanitize_textarea_field($_REQUEST['login']); $user = check_password_reset_key( $_REQUEST['key'], $_REQUEST['login'] ); if ( ! $user || is_wp_error( $user ) ) { if ( $user && $user->get_error_code() === 'expired_key' ) { WPF()->notice->add('The key is expired', 'error'); } else { WPF()->notice->add('The key is invalid', 'error'); } wp_redirect( wpforo_login_url() ); exit; }
To:
// Verify key / login combo $user = check_password_reset_key( $_REQUEST['key'], sanitize_user($_REQUEST['login']) ); if ( is_wp_error( $user ) ) { WPF()->notice->add($user->get_error_message(), 'error'); wp_redirect( wpforo_login_url() ); exit; }
It will now properly validate the key and redirect the user to the password reset form.
Also note that there is a similar block of code in futher on in that file within the wpforo_do_password_reset function, though it uses it's own variables properly there. This is at line 1975 or 1969 after the above modification.
I wish the code was published somewhere like GitHub so people could more easily contribute and submit pull requests and whatnot.