Password Recovery


Emanuele Ziglioli
Feb 11, 2012, 11:27:28 PM
to Vosao CMS Development
Hi,

I'm trying to understand how Password Recovery works.
I'm trying with a user of level 'User'. I enter an e-mail and receive
a message with a url of the form (http://....com/_ah/changePassword?key=9bf50bac10c...1de).
But when I enter that address I'm redirected to / and nothing happens.
Isn't that url supposed to log the user in and send them to /cms/#profile?


Anyway, that procedure wouldn't work for users of level 'SiteUser',
according to: http://groups.google.com/group/vosao-cms-development/msg/7040078b27e9fe91

So, how can I use the Register Plugin instead? Can I change the
ForgotPassword Servlet to redirect users to a form that works for
everyone, including SiteUsers?

Thanks,
Emanuele

suczy...@gmail.com
Oct 20, 2013, 4:01:06 PM
to vosao-cms-...@googlegroups.com
I now have exactly the same problem. Has somebody solved it and can share their experience here?

Morski Morświn
Oct 21, 2013, 3:53:47 PM
to vosao-cms-...@googlegroups.com
Basically I found that the problem is that after clicking on the recovery url (the url from the email), the page is not allowed access to Vosao.jsonrpc.userService, so it looks like the session is not created. It is interesting because investigation of the java code shows that it should work: the http session is created and has the proper attribute set. I have to debug this stuff...

It's sad that nobody wants to help me :( It would be enough to check how it works on your sites. Do you never recover passwords?

Emanuele Ziglioli
Oct 21, 2013, 4:52:55 PM
to vosao-cms-...@googlegroups.com
In our fork, I've extracted userService and made it available to all users, with some restrictions: https://github.com/Sirtrack/blenke-vosao/tree/siena-async

Morski Morświn
Nov 13, 2013, 3:00:34 PM
to vosao-cms-...@googlegroups.com
Hey,
Thanks Emanuele for your help, but I have fixed my problem in another way.
Instead of manipulating userService I just added a new method "ServiceResponse changePassword(String newPassword);" to org.vosao.service.front.LoginService.
LoginService is available to all users (even not logged in), but the method works only for users with an active token, which is generated by the password reset (link from email).
I also had to change org.vosao.servlet.ForgotPasswordServlet a bit to redirect the www page to the /password url instead of /cms/#profile (why should a site user have access to /cms/ pages? sic!), so now the cms administrator decides how the page to recover the password looks. Of course, after logging in to the cms the user should use the userService.save function to change his password in the normal way. LoginService.changePassword works only for recovery. If somebody is interested I can show the code changes.
Btw. I would also like to deliver a Polish (PL) translation of the cms, but that is for another thread ;)

Oops. Very important thing. Why doesn't appengine-web.xml have a config entry for sessions? <sessions-enabled>true</sessions-enabled>. I had to add it as well.
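As an added example that is not part of this thread and not Vosao's or the fork's code: the shape of a recovery-only changePassword like the one described above, written as a stand-alone Java class. The User and PendingReset records, the in-memory maps standing in for the datastore, the 30-minute token lifetime and the PBKDF2 parameters are all assumptions for illustration. The points the example shows that the post only implies are that the mailed token comes from a CSPRNG, that only a hash of it is stored, that it is consumed on first use (even a failed one) and that it stops working after expiry.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example, not Vosao's code. Record types, maps and the TTL are assumptions.
public class RecoveryService {

    static final class User {
        final String email;
        String passwordHash;   // "base64(salt)$base64(pbkdf2)", see hashPassword()
        User(String email, String passwordHash) { this.email = email; this.passwordHash = passwordHash; }
    }

    static final class PendingReset {
        final String email;
        final long expiresAtMillis;
        PendingReset(String email, long expiresAtMillis) { this.email = email; this.expiresAtMillis = expiresAtMillis; }
    }

    private static final long TOKEN_TTL_MILLIS = 30L * 60 * 1000;   // assumed policy
    private final SecureRandom random = new SecureRandom();
    private final Map<String, User> usersByEmail = new HashMap<>();
    // Keyed by SHA-256(token): a copy of the store must not yield usable links.
    private final Map<String, PendingReset> pendingByTokenHash = new HashMap<>();

    void addUser(String email, String password) {
        usersByEmail.put(email, new User(email, hashPassword(password, newSalt())));
    }

    /** What a ForgotPassword servlet would put in the ?key= value of the mailed link. */
    String passwordRecovery(String email, long nowMillis) {
        byte[] raw = new byte[32];               // 256 bits from a CSPRNG, not a UUID or timestamp
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        if (usersByEmail.containsKey(email)) {   // unknown address: same reply, nothing recorded
            pendingByTokenHash.put(sha256(token), new PendingReset(email, nowMillis + TOKEN_TTL_MILLIS));
        }
        return token;
    }

    /** Recovery-only changePassword: works once per token and only before expiry. */
    boolean changePassword(String token, String newPassword, long nowMillis) {
        PendingReset pending = pendingByTokenHash.remove(sha256(token));  // removed first: single use
        if (pending == null || nowMillis > pending.expiresAtMillis) {
            return false;
        }
        User user = usersByEmail.get(pending.email);
        if (user == null) {
            return false;
        }
        user.passwordHash = hashPassword(newPassword, newSalt());
        return true;
    }

    /** Ordinary login check, here only to show that the new password took effect. */
    boolean login(String email, String password) {
        User user = usersByEmail.get(email);
        if (user == null) {
            return false;
        }
        String[] parts = user.passwordHash.split("\\$", 2);
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        byte[] actual = Base64.getDecoder().decode(hashPassword(password, salt).split("\\$", 2)[1]);
        return MessageDigest.isEqual(expected, actual);   // constant-time compare
    }

    private byte[] newSalt() {
        byte[] salt = new byte[16];
        random.nextBytes(salt);
        return salt;
    }

    static String hashPassword(String password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100_000, 256);
            byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
            return Base64.getEncoder().encodeToString(salt) + "$" + Base64.getEncoder().encodeToString(key);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    static String sha256(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        RecoveryService svc = new RecoveryService();
        svc.addUser("site-user@example.com", "old-secret");   // constructed sample user
        long t0 = System.currentTimeMillis();

        String token = svc.passwordRecovery("site-user@example.com", t0);
        System.out.println("first use: " + svc.changePassword(token, "new-secret", t0 + 1_000));
        System.out.println("replay:    " + svc.changePassword(token, "attacker", t0 + 2_000));
        System.out.println("old pw:    " + svc.login("site-user@example.com", "old-secret"));
        System.out.println("new pw:    " + svc.login("site-user@example.com", "new-secret"));

        String stale = svc.passwordRecovery("site-user@example.com", t0);
        System.out.println("expired:   " + svc.changePassword(stale, "x", t0 + TOKEN_TTL_MILLIS + 1));
    }
}
```

Run with `javac RecoveryService.java && java RecoveryService`. The first changePassword succeeds, the replay with the same token and the expired token both fail, and only the new password logs in. The token is removed from the pending map before the expiry check so that a guessed or expired token cannot be retried; in a real deployment the pending map is a datastore entity and the removal and the password write belong in one transaction.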

Emanuele Ziglioli
Nov 13, 2013, 5:49:09 PM
to vosao-cms-...@googlegroups.com
Hi Morski

I'm glad you solved it, and in a different way.
You probably found that it's hard to change vosao's rpc api.
That's why I'd love to look into replacing it with Google Cloud Endpoints.

For sessions, I believe they were enabled at a certain point; not sure whether they're needed or not.

Lucio Piccoli
Nov 13, 2013, 6:25:42 PM
to vosao-cms-...@googlegroups.com
hi Morski

> Instead of manipulating userService I just added a new method
> "ServiceResponse changePassword(String newPassword);" to
> org.vosao.service.front.LoginService.
> LoginService is available to all users (even not logged in) but the method
> works only for users with an active token which is generated by the password reset
> (link from email).
> I also had to change org.vosao.servlet.ForgotPasswordServlet a bit to
> redirect the www page to the /password url instead of /cms/#profile (why should a site user
> have access to /cms/ pages? sic!) so now the cms administrator decides how the
> page to recover the password looks. Of course after logging in to the cms the user should
> use the userService.save function to change his password in the normal way.
> LoginService.changePassword works only for recovery. If somebody is
> interested I can show the code changes.

these changes need to be captured in the code repos.

> Oops. Very important thing. Why doesn't appengine-web.xml have a config entry
> for sessions? <sessions-enabled>true</sessions-enabled>. I had to add it as
> well.

ouch. never noticed that.

Can you post me an svn patch file for the changes and I will add them to trunk.

thanks

--
regards

Lucio Piccoli

Morski Morświn
Nov 14, 2013, 6:03:44 PM
to vosao-cms-...@googlegroups.com
Emanuele,
That's right. The Vosao rpc api is hard to understand. I haven't fully got it yet. UserService is not available to site users and shouldn't be, because it gives 'admin' functions.
I'm thinking about adding a new front service (i.e. UserFrontService) or just extending LoginFrontService a bit with a couple of additional methods like changePasswordByToken(newPassword), changePassword(oldPassword, newPassword), getUserInfo() etc.


Lucio,
I don't have my changes in a public repository yet so I cannot share them, but when I finish what I mentioned above I'll let you know. Before submission to trunk do a code review first :) I don't have a lot of free time, so maybe I will do that during this weekend.

Do you think that is a good approach and the awaited solution? I think such things should be available in vosao without additional plugins...

Thanks guys,
Looks like vosao development is reactivated ;)

Morski Morświn
Nov 16, 2013, 11:49:45 AM
to vosao-cms-...@googlegroups.com
Hi guys,
I found some spare time and finalized the promised changes. You can find them here:
http://code.google.com/p/suczymoron-vosao/

Log message of revision 3:

* password recovery is working for site-users now.
* added password recovery url to cms page configuration.
* added a couple of additional methods to loginFrontService which are available for site-users (passwordRecovery, changePassword, getUserInfo)
* fixed build-js.bat (was broken and the main.min.js file was not generated)

That's right, an http session is not necessary because vosao keeps all vosao-session data in a cookie.
Lucio, if you want and decide that the code is ok you can add it to vosao trunk. Don't hesitate :)

Thanks a lot!

Emanuele Ziglioli
Nov 16, 2013, 6:11:49 PM
to vosao-cms-...@googlegroups.com
Hi Morski,

sorry for the late reply, I was travelling around the world...
I've published my solution too; I had never got around to doing it.
It's a bit different, all server side. I've defined a limited user service and I use that if a user is not logged in or is a SITE_USER.

Morski Morświn
Nov 17, 2013, 11:51:22 AM
to vosao-cms-...@googlegroups.com
Emanuele,
Good job! It looks ok but I have some doubts. The first one is regarding
LimitedUserServiceImpl.select().
This method allows all users from the CMS to be retrieved when requested by site users, and maybe even by not logged in users. This looks like a high security issue. I'm not sure what the requirements for your web site (portal) are, but better to lock this possibility down so that only a logged in user can select only their own information. That is my opinion.
The second one is that you have hardcoded "/passwordchangeerror" in ForgotPasswordServlet. It should be configurable by the web site administrator.

Emanuele Ziglioli
Nov 18, 2013, 2:54:40 PM
to vosao-cms-...@googlegroups.com

On Sunday, 17 November 2013 18:51:22 UTC+2, Morski Morświn wrote:
> Emanuele,
> Good job! It looks ok but I have some doubts. The first one is regarding
> LimitedUserServiceImpl.select().
> This method allows all users from the CMS to be retrieved when requested by site users, and maybe even by not logged in users. This looks like a high security issue. I'm not sure what the requirements for your web site (portal) are, but better to lock this possibility down so that only a logged in user can select only their own information. That is my opinion.

Good point on select, but you know half of the story.
We've added an extra authorisation level to Groups. Users can be READ, WRITE or ADMIN for a Group (just an extra field for UserGroupEntity). In that context, it makes sense for some users to be able to use select(). My select is customised based on a User's right per project.
I haven't published this change but we can discuss it if other people are interested.

Talking about security, a Vosao User level is quite powerful and I'm pretty sure they can see all users. Have you changed that?

> The second one is that you have hardcoded "/passwordchangeerror" in ForgotPasswordServlet. It should be configurable by the web site administrator.

oops!
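As an added example that is not part of this thread and not the code of Vosao or of either fork: the access decision the two posts above argue about, for a user-listing call that anonymous visitors, site users and cms-level accounts can all reach. The user levels, the per-group READ/WRITE/ADMIN right on the group membership and the sample directory are assumptions for illustration; the rule chosen is Morski's default (a site user sees only their own record) extended with Emanuele's group right (a site user who is ADMIN of a group also sees that group's members). It needs Java 9 or later for Map.of and List.of.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;

// Added example, not Vosao's code. Levels, group rights and records are assumptions.
public class UserSelectAuthz {

    enum Level { ANONYMOUS, SITE_USER, USER, ADMIN }
    enum GroupRight { READ, WRITE, ADMIN }

    static final class UserRecord {
        final String email;
        final Level level;
        final Map<String, GroupRight> groupRights;   // group name -> right held in that group
        UserRecord(String email, Level level, Map<String, GroupRight> groupRights) {
            this.email = email;
            this.level = level;
            this.groupRights = groupRights;
        }
        @Override public String toString() { return email; }
    }

    /** Which records a select() call may return. caller is null when nobody is logged in. */
    static List<UserRecord> select(UserRecord caller, Collection<UserRecord> all) {
        if (caller == null || caller.level == Level.ANONYMOUS) {
            return Collections.emptyList();            // deny by default, never "everyone"
        }
        if (caller.level == Level.USER || caller.level == Level.ADMIN) {
            return new ArrayList<>(all);               // cms-level accounts keep the full list
        }
        // SITE_USER: own record, plus members of any group the caller administers.
        List<UserRecord> visible = new ArrayList<>();
        for (UserRecord u : all) {
            if (u.email.equals(caller.email) || administersSharedGroup(caller, u)) {
                visible.add(u);
            }
        }
        return visible;
    }

    private static boolean administersSharedGroup(UserRecord caller, UserRecord other) {
        for (Map.Entry<String, GroupRight> e : caller.groupRights.entrySet()) {
            if (e.getValue() == GroupRight.ADMIN && other.groupRights.containsKey(e.getKey())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample directory.
        UserRecord admin = new UserRecord("admin@example.com", Level.ADMIN, Map.of());
        UserRecord alice = new UserRecord("alice@example.com", Level.SITE_USER, Map.of("project-a", GroupRight.ADMIN));
        UserRecord bob   = new UserRecord("bob@example.com",   Level.SITE_USER, Map.of("project-a", GroupRight.READ));
        UserRecord carol = new UserRecord("carol@example.com", Level.SITE_USER, Map.of("project-b", GroupRight.WRITE));
        List<UserRecord> all = List.of(admin, alice, bob, carol);

        System.out.println("anonymous sees " + select(null, all));
        System.out.println("bob sees       " + select(bob, all));
        System.out.println("alice sees     " + select(alice, all));
        System.out.println("admin sees     " + select(admin, all));
    }
}
```

Run with `javac UserSelectAuthz.java && java UserSelectAuthz`. An anonymous caller gets nothing, bob (READ in project-a) sees only himself, alice (ADMIN of project-a) sees herself and bob but not carol, and the cms admin sees all four. The filter runs on the server over the caller's identity from the session, so a site user who can reach the RPC endpoint still cannot widen the result by changing request parameters.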

Emilio Sanchez
Jun 27, 2014, 9:07:42 AM
to vosao-cms-...@googlegroups.com
Hello dear old streetcar ;-)

As I used it to solve another issue, I'm going to upload this fixed build-js.bat version to the vosao repo.


Emilio Sanchez
Jun 27, 2014, 9:10:06 AM
to vosao-cms-...@googlegroups.com
...Morski

