Register_XH
Moderator: Tata
Register_XH
Hello Community,
I've just released Register_XH 1.4rc1.
Register was developed in 2007 by Carsten Heinelt. In 2010 he gave permission to Gert Ebersbach to adapt it to CMSimple_XH and to further improve it. The plugin was then distributed as Register_mod_XH. In 2012 Gert Ebersbach discontinued the developement, and gave me the permission to maintain and distribute the plugin. Many thanks to Carsten Heinelt and Gert Ebersbach for their good work and the permission to further maintain the plugin!
If you have Register_mod_XH 1.2.3 or 1.3 up and running, there's probably no need to update. But of course I'm interested in feedback from testing, and particularly about the removal of the possibility to switch to admin mode (did anybody use this?).
Christoph
I've just released Register_XH 1.4rc1.
Register was developed in 2007 by Carsten Heinelt. In 2010 he gave permission to Gert Ebersbach to adapt it to CMSimple_XH and to further improve it. The plugin was then distributed as Register_mod_XH. In 2012 Gert Ebersbach discontinued the developement, and gave me the permission to maintain and distribute the plugin. Many thanks to Carsten Heinelt and Gert Ebersbach for their good work and the permission to further maintain the plugin!
If you have Register_mod_XH 1.2.3 or 1.3 up and running, there's probably no need to update. But of course I'm interested in feedback from testing, and particularly about the removal of the possibility to switch to admin mode (did anybody use this?).
Christoph
Christoph M. Becker – Plugins for CMSimple_XH
Re: Register_XH
Hello Community,
I've just released Register_XH 1.4rc2.
Besides fixing some minor issues, adding a system check, adding Danish and Russian translations (thanks to maeg resp. Old for contributing them), I've removed the passwords from all emails (except, of course, the password reminder email, which is not sent to the admin any more). So if you stick with the encrypted passwords, the password privacy of your members will be respected.
Christoph
I've just released Register_XH 1.4rc2.
Besides fixing some minor issues, adding a system check, adding Danish and Russian translations (thanks to maeg resp. Old for contributing them), I've removed the passwords from all emails (except, of course, the password reminder email, which is not sent to the admin any more). So if you stick with the encrypted passwords, the password privacy of your members will be respected.
Christoph
Christoph M. Becker – Plugins for CMSimple_XH
Re: Register_XH
Hello Community,
I've just released Register_XH 1.4rc3.
I've added a config option (fix_mail_headers), which is only necessary to fix the behavior of some buggy mail transfer agents (such as the one on my webspace). These MTAs don't handle RFC 2822 well regarding line endings. This results in some header information being displayed in the body of the email, and in the worst case, the mail will not be received.
And I'm proud to announce, that Register_XH now has a Czech user manual! Kudos to oldnema
Christoph
I've just released Register_XH 1.4rc3.
I've added a config option (fix_mail_headers), which is only necessary to fix the behavior of some buggy mail transfer agents (such as the one on my webspace). These MTAs don't handle RFC 2822 well regarding line endings. This results in some header information being displayed in the body of the email, and in the worst case, the mail will not be received.
And I'm proud to announce, that Register_XH now has a Czech user manual! Kudos to oldnema
Christoph
Christoph M. Becker – Plugins for CMSimple_XH
Re: Register_XH
Hello Community,
today I received an email with my Register_XH account settings from my domain, but I had not requested them! What had happened? Somebody had clicked the "password forgotten" link, and submitted the form with my email address! It's no problem, that this mail was sent to me, but as I have password encryption enabled (what I strongly recommend generally), the password was automatically reset to a new one! But of course nobody should be able to reset any user's password, if he's not authorized.
So I have enhanced the "password forgotten" functionality. If password encryption is enabled, submitting the "password forgotten" form sends the email with the account settings without changing the password. But in the email there's additionally a link, which has to be clicked to reset the password (similar to the activation link). Then a second email will be sent including the new password.
So I've just released Register_XH 1.4rc4.
Any feedback is welcome!
Christoph
today I received an email with my Register_XH account settings from my domain, but I had not requested them! What had happened? Somebody had clicked the "password forgotten" link, and submitted the form with my email address! It's no problem, that this mail was sent to me, but as I have password encryption enabled (what I strongly recommend generally), the password was automatically reset to a new one! But of course nobody should be able to reset any user's password, if he's not authorized.
So I have enhanced the "password forgotten" functionality. If password encryption is enabled, submitting the "password forgotten" form sends the email with the account settings without changing the password. But in the email there's additionally a link, which has to be clicked to reset the password (similar to the activation link). Then a second email will be sent including the new password.
So I've just released Register_XH 1.4rc4.
Any feedback is welcome!
Christoph
Christoph M. Becker – Plugins for CMSimple_XH
Re: Register_XH
Hello Community,
I've just released Register_XH 1.4rc5.
I've fixed an arbitrary code execution vulnerability. Upgrading is strongly recommended.
Christoph
I've just released Register_XH 1.4rc5.
I've fixed an arbitrary code execution vulnerability. Upgrading is strongly recommended.
Christoph
Christoph M. Becker – Plugins for CMSimple_XH
Re: Register_XH
Hello Community,
I've just released Register_XH 1.4.
Nothing has changed since the latest RC (besides the version number and the warning in the help file).
Christoph
I've just released Register_XH 1.4.
Nothing has changed since the latest RC (besides the version number and the warning in the help file).
Christoph
Christoph M. Becker – Plugins for CMSimple_XH
Re: Register_XH
Hello Community,
I've just released Register_XH 1.5beta1.
This is a beta version with an improved user administration.
Christoph
I've just released Register_XH 1.5beta1.
This is a beta version with an improved user administration.
Christoph
Christoph M. Becker – Plugins for CMSimple_XH
Re: Register_XH
Hello Community,
I've just released Register_XH 1.5beta2.
Any further comments, suggestions and other feedback is welcome.
Christoph
I've just released Register_XH 1.5beta2.
- The user administration now uses a selectbox for the state, a button to change the password, and has a feature to send an ad-hoc email to a user (requires a properly configured email client).
- There's a new config option to disable the "password forgotten" link.
- The "special pages" of Register_XH are now documented.
Any further comments, suggestions and other feedback is welcome.
Christoph
Christoph M. Becker – Plugins for CMSimple_XH
Re: Register_XH
Hello Community,
I've just released Register_XH 1.4pl1 and 1.5beta3. Updating is strongly recommended.
kmsmei reported, that he was able to log in to a user account by using a password similar to the required one. I found out, that the password hashing algorithm of Register is indeed very weak, so I decided to change it to use the same algorithm as CMSimple_XH > 1.5.4.
Note that this renders all former passwords invalid!
Regarding 1.5: I have not yet implemented several of the latest suggestions as I considered a fast security fix more important. The only real improvement is the individual login page for each user group. So, if you don't run 1.5beta2 or earlier in a production environment (I'm sure you don't ) and don't need the new feature, you might just skip the update and wait for 1.5beta4.
Christoph
I've just released Register_XH 1.4pl1 and 1.5beta3. Updating is strongly recommended.
kmsmei reported, that he was able to log in to a user account by using a password similar to the required one. I found out, that the password hashing algorithm of Register is indeed very weak, so I decided to change it to use the same algorithm as CMSimple_XH > 1.5.4.
Note that this renders all former passwords invalid!
Regarding 1.5: I have not yet implemented several of the latest suggestions as I considered a fast security fix more important. The only real improvement is the individual login page for each user group. So, if you don't run 1.5beta2 or earlier in a production environment (I'm sure you don't ) and don't need the new feature, you might just skip the update and wait for 1.5beta4.
Christoph
Christoph M. Becker – Plugins for CMSimple_XH
Re: Register_XH
Hello Community,
as the upgrade to the latest versions of Register might be too hard a burden (as the password hash algorithm has changed), I've developed and released the RegisterPasswordMigrator 1.
Christoph
as the upgrade to the latest versions of Register might be too hard a burden (as the password hash algorithm has changed), I've developed and released the RegisterPasswordMigrator 1.
Christoph
Christoph M. Becker – Plugins for CMSimple_XH