Login Security feature request – independent Password Reset enable/disable option

  • #16357
    Csaba
    Participant

    One of my subscribers wrote to me that she can’t change her forgotten password, because the site is returning a “Password reset is not allowed for this user” error. After selectively disabling plug-ins and rechecking on another WordPress site it became obvious that the Login Security Password Reset feature was causing the problem.

    The interesting part is that the Password Reset was on Enable and the error still came up. After some trial and error I figured out that if the Login Security Feature is Turned Off then the Password Reset option is reverting to disabled. This shouldn’t be the desired behaviour for those who don’t want to use the Login Security part. If I turn the Login Security On, then the Password Reset feature is working again as expected.

    The switch statement in the includes/login-security.php file should probably be reformulated so that it takes into account the case when Login Security is Turned Off and Password Reset is to remain enabled.

    #16360
    AITpro Admin
    Keymaster

    We will review this request shortly.  Thank you.

    #16361
    AITpro Admin
    Keymaster

    The best/correct approach would be to add an additional option under Turn On/Turn Off:

    Turn On Login Security
    Turn Off Login Security
    Turn Off Login Security/Allow Independent Password Reset Capability

    This seems like an option that will pass approval.  Typically new options go through a 1 month development testing period before they are added to production version releases.

    #16362
    Csaba
    Participant

    Thank you.

    #16365
    b-cat
    Participant

    [Topic merged into this relevant topic]

    On my site, when BPS Login Security is turned ON and “Enable Password Reset” is also turned on, the “Lost your password” link appears properly on the site’s login page.

    However, when BPS Login Security is turned OFF (and the “Enable Password Reset” function was left unchanged), the “Lost your password” link suddenly disappears from the site login page.

    When I deactivate BPS entirely, the “Lost your password” link reappears on the login page, so this appears to be something that BPS is blocking by default.

    Is there a way to have BPS activated but turn off BPS Login Security and still allow the “Lost your password” link to appear on the login page?

    #16370
    AITpro Admin
    Keymaster

    @ b-cat – this will be added as a new option in a future version of BPS/BPS Pro.

    #16373
    b-cat
    Participant

    Great…glad to hear that! Thanks.

    #16486
    WayneM
    Participant

    I’d like to request an escalation to get this option included ASAP. I love the free BPS, but consider this issue to be a “bug fix” not a new option. I’m pretty sure this is a new issue, unless it’s been a problem since the time that Login Security was added to the free version. I have users telling me that they can not get new passwords – which means there are most likely dozens more users who this is a problem for.

    As always, thanks for the great plugin 🙂

    #16487
    AITpro Admin
    Keymaster

    Actually there are 2 things that are going on.

    1.  After more testing there is a bug where the filters in the switch code are being applied even though the condition says only apply the filters if Login Security is turned On.  So even if Login Security is turned Off then the password reset link is not being displayed.

    2.  A new independent password reset link option will be added in the next version of BPS that will allow someone to independently enable or disable the password reset link from displaying on the Login page whether Login Security is On or Off.

    To fix the bug issue that is occurring now with the password reset link you can edit the /bulletproof-security/includes/login-security.php file at code lines:  596 to 670 and add the code below that is highlighted in yellow.  You are adding an additional condition that if Login Security is NOT Off then proceed to process the switch code.  If Login Security is Off then the script will halt and not process the switch code:

    // Added condition: only process the switch code when Login Security is NOT Off
    if ( $BPSoptions['bps_login_security_OnOff'] != 'Off' ) {
    
    switch ( $BPSoptions['bps_login_security_OnOff'] == 'On' ) {
        case $BPSoptions['bps_login_security_pw_reset'] == 'disableFrontend':
    		
    		if ( !is_admin() ) {
    		
    		function bpspro_disable_password_reset() { 
    			return false; 
    		}
    		add_filter( 'allow_password_reset', 'bpspro_disable_password_reset' );
    
    		function bpspro_show_password_fields() { 
    			return false; 
    		}
    		add_filter( 'show_password_fields', 'bpspro_show_password_fields' );
    
    		function bpspro_remove_pw_text($text) {
    			return str_replace( array('Lost your password?', 'Lost your password'), '', trim($text, '?') ); 
    		}
    		add_filter( 'gettext', 'bpspro_remove_pw_text' ); 
    
    		// Replace invalidcombo error - valid user account / invalid user account same exact result 
    		function bpspro_login_error_invalidcombo($text) { 
    			return str_replace( 'ERROR: Invalid username or e-mail.', 'Password reset is not allowed for this user', $text ); 
    		}
    		add_filter ( 'login_errors', 'bpspro_login_error_invalidcombo');
    
    		// Replace invalid_email error - valid email / invalid email same exact result
    		function bpspro_login_error_invalid_email($text) { 
    			return str_replace( 'ERROR: There is no user registered with that email address.', 'Password reset is not allowed for this user', $text );
    		}
    		add_filter ( 'login_errors', 'bpspro_login_error_invalid_email');
    
    		// Removes WP Shake It so that no indication is given of good/bad value/entry
    		function bpspro_remove_shake() {
    			remove_action( 'login_head', 'wp_shake_js', 12 );	
    		}
    		add_filter ( 'shake_error_codes', 'bpspro_remove_shake');	
    		}	
    		break;
        case $BPSoptions['bps_login_security_pw_reset'] == 'disable':
    		
    		function bpspro_disable_password_reset() { 
    			return false; 
    		}
    		add_filter( 'allow_password_reset', 'bpspro_disable_password_reset' );
    
    		function bpspro_show_password_fields() { 
    			return false; 
    		}
    		add_filter( 'show_password_fields', 'bpspro_show_password_fields' );
    
    		function bpspro_remove_pw_text($text) {
    			return str_replace( array('Lost your password?', 'Lost your password'), '', trim($text, '?') ); 
    		}
    		add_filter( 'gettext', 'bpspro_remove_pw_text' ); 
    
    		// Replace invalidcombo error - valid user account / invalid user account same exact result 
    		function bpspro_login_error_invalidcombo($text) { 
    			return str_replace( 'ERROR: Invalid username or e-mail.', 'Password reset is not allowed for this user', $text ); 
    		}
    		add_filter ( 'login_errors', 'bpspro_login_error_invalidcombo');
    
    		// Replace invalid_email error - valid email / invalid email same exact result
    		function bpspro_login_error_invalid_email($text) { 
    			return str_replace( 'ERROR: There is no user registered with that email address.', 'Password reset is not allowed for this user', $text );
    		}
    		add_filter ( 'login_errors', 'bpspro_login_error_invalid_email');
    
    		// Removes WP Shake It so that no indication is given of good/bad value/entry
    		function bpspro_remove_shake() {
    			remove_action( 'login_head', 'wp_shake_js', 12 );	
    		}
    		add_filter ( 'shake_error_codes', 'bpspro_remove_shake');
    		break;
     	}
    } // closes the added Login Security NOT Off condition
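
An added illustration of the control flow in the snippet above (not BPS code, and not from the plugin's author): PHP's `switch` compares its subject to each `case` loosely, so `switch (false)` matches the first `case` whose expression is also false. The option keys come from the post; the three function names, the `''` state and the explicit rewrite are hypothetical and constructed for this example.

```php
<?php
// Added example, not BPS code: models only the control flow of the snippet above.
// Each function returns which case body would run: 'disableFrontend', 'disable' or 'none'.

// Original shape: switch on a boolean, each case is another boolean.
function original_switch(array $o): string {
    switch ($o['bps_login_security_OnOff'] == 'On') {
        case $o['bps_login_security_pw_reset'] == 'disableFrontend':
            return 'disableFrontend';
        case $o['bps_login_security_pw_reset'] == 'disable':
            return 'disable';
    }
    return 'none';
}

// Posted fix: the same switch wrapped in the "!= 'Off'" condition.
function guarded_switch(array $o): string {
    if ($o['bps_login_security_OnOff'] != 'Off') {
        return original_switch($o);
    }
    return 'none';
}

// Hypothetical rewrite: test the On state explicitly, then switch on the value itself.
function explicit_check(array $o): string {
    if ($o['bps_login_security_OnOff'] !== 'On') {
        return 'none';
    }
    switch ($o['bps_login_security_pw_reset']) {
        case 'disableFrontend':
        case 'disable':
            return $o['bps_login_security_pw_reset'];
    }
    return 'none';
}

// Constructed option states; '' stands for a stored value that is neither On nor Off.
foreach (['On', 'Off', ''] as $onoff) {
    foreach (['enable', 'disableFrontend', 'disable'] as $reset) {
        $o = ['bps_login_security_OnOff' => $onoff, 'bps_login_security_pw_reset' => $reset];
        printf("%-4s %-16s original=%-16s guarded=%-16s explicit=%s\n",
            $onoff === '' ? "''" : $onoff, $reset,
            original_switch($o), guarded_switch($o), explicit_check($o));
    }
}
```

With Off/enable the original shape runs the `disableFrontend` body, which is the symptom reported in this topic; the added condition removes that for `Off`. A stored value other than `On` or `Off` would still reach the same match in the guarded form, which the explicit check avoids.
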

    #16489
    WayneM
    Participant

    Wow! You are good.
    Modified login-security.php file as indicated above – users can now access the password reset feature.
    And, the rest of my site still works as before 🙂
    Awesome. Thanks for such great and fast support.
