"Forget Your Password?" function not working in OJS 3.0.1

Hi

When I click on forget your password to reset a password for any user. The system says:

No user exists with the specified email address.

Regards

Hi @Abd_El-Nasser_Gharee,

Ensure that you’ve entered your email address exactly how it was entered upon registration, including capitalization.

Regards,
Alec Smecher
Public Knowledge Project Team

So, case sensitive email address are technically possible, but do we know of any systems which actually support that? I’d be tempted to add a default case insensitive match on the PKPUser::getUserByEmail()

Most default mysql installs will already index this field with a case-insensitive criteria.

Hi @ctgraham,

For what it’s worth, we haven’t confirmed that this is what the original poster was encountering.

I’m tempted to leave this as is – this is (potentially) the first report of a problem with the case-sensitivity, and as far as I’m aware we’re operating within spec. That said, I would entertain a PR that changed the current behavior.

Regards,
Alec Smecher
Public Knowledge Project Team

Hi @asmecher @ctgraham

I entered the email address as it entered in registration process.

Regards

Hi @Abd_El-Nasser_Gharee,

What happens if you try to register again with that email address?

Regards,
Alec Smecher
Public Knowledge Project Team

Hi @asmecher

Nothing…I can register with the same email address as a new user.

Regards

Hi @Abd_El-Nasser_Gharee,

Then it’s likely that this user was deleted from your installation – it appears that they actually don’t exist, thus the “forgot your password” function isn’t available.

Regards,
Alec Smecher
Public Knowledge Project Team

Hi @asmecher

Happy new Year

I am so sorry…I am talking about creating a new reviewer… I failed to create it in submission but I can register for this reviewer and then select it as reviewer to the submission…When I tried to use “forget your password” for a registered user I faced the mentioned error before and if I tried to register by using his/her email I have the error "this email already exists:

Hi @Abd_El-Nasser_Gharee,

Have you tried looking for the user in the users table of your database? Check the email column to ensure that the user is entered exactly as you’d expect.

I’m still not sure I’m following the problem exactly – some screenshots or something might help. But let’s start by checking the database.

Regards,
Alec Smecher
Public Knowledge Project Team

Hi @asmecher

Please check the following two images…I tried to retain the password for the red lined user but failed:

Regards

Hi @Abd_El-Nasser_Gharee,

Beware that you’ve exposed usernames and password hashes for some of your users – you should reset those accounts’ passwords immediately. Please don’t expose private data here.

I wonder whether an extra character – perhaps something to do with RTL/LTR encodings – has snuck into your email field. Try executing in your database…

SELECT LENGTH(email), CHAR_LENGTH(email) FROM users WHERE email='email here';

…replacing email here with the appropriate email address.

Regards,
Alec Smecher
Public Knowledge Project Team

I’m also having this exact issue where “Forgot your password?” doesn’t recognize a registered email address. We’re using Version 3.0.0.

When I tried using
SELECT LENGTH(email), CHAR_LENGTH(email) FROM users WHERE email=‘email here’;
it returned the correct length for the email in the database.

Would you like me to start my own post?

Thanks,

Jonathan

Hi @strmtrpr83,

Since it looks like you’re handy with SQL, I’d suggest working with the debug option. When turned on, it’ll dump all queries executed by the system to the browser. Using that you should be able to spot the query that OJS is using to attempt to locate the user during the reset process; this may provide some clues as to why it’s not matching. (Beware that the debug feature will expose SQL queries to all users, and that it will be disruptive to AJAX requests, so use it briefly and potentially with a tool like Firebug that allows you to inspect and replay individual subrequests.

Regards,
Alec Smecher
Public Knowledge Project Team

Hi Alec,

Thanks for the response. So I temporarily turned on the debug option and some of the other additional debug settings. It appears the form isn’t using the value from the form. After clicking “Reset Password” I received quite a few Strict Standards warnings and regular warnings sprinkled in the mysql. The big mysql thing that sticks out was:

(mysql): SELECT * FROM users WHERE email = NULL

When I used Firebug, and looked at the Post parameters after submission, there was no parameter for login-email.

Here’s an image with only the warnings. Full paths have been redacted. These warnings only show up when the extra Debug Settings on.

Hi @strmtrpr83,

The strict standards warnings are noise and can be ignored – many of those are already corrected in the github repo for release with the next OJS, but are purely cosmetic. What theme are you using?

Regards,
Alec Smecher
Public Knowledge Project Team

Ok, I found out what the issue was! But now there’s a different one

You are right, it was theme related.

We are using the Bootstrap 3 Base Theme, which looks like it was a theme plugin. The issue was that the email field in /plugins/themes/bootstrap3/templates/frontend/pages/userLostPassword.tpl
line 34 did not have name=“email” in the input field.

I updated the line to include name="email"
<input name="email" type="email" class="form-control" id="login-email" placeholder="{translate key='user.login.registeredEmail'}" value="{$email|escape}" maxlenght="32" required>
and the password reset form now works.

The new issue is that the password reset functionality doesn’t tell me what the new password is.
I receive the Password Reset Confirmation email, I click the link in the email to reset the password which says:

A confirmation has been sent to your email address. Please follow the instructions in the email to reset your password.

I receive another email saying

Your password has been successfully reset for use with the web site. Please retain this username and password, as it is necessary for all work with the journal.

Your username: [my username here]

But then it doesn’t let me know what the new password is. I’ve verified in PHPMyAdmin that the hashed password has in fact changed.

Thoughts?

Thanks,

Jonathan

Hi @strmtrpr83,

FYI, the first issue you described is over here: Error for email reste with bootstrap3-v1.0 theme · Issue #35 · NateWr/bootstrap3 · GitHub
See [OJS] "Forgot password" doesn't deliver reset password · Issue #1469 · pkp/pkp-lib · GitHub
for the second.

Regards,
Alec Smecher
Public Knowledge Project Team

Hi Alec,

Thanks! That fixes all my issues. Have a great day!

  • Jonathan

For what it’s worth, we haven’t confirmed that this is what the original poster was encountering.

We do have problems with case sensitivity for the email address in password reset, and users have reported problems (OJS 3.1.1-2, Postgres and PHP 5.6).

In PKPUser::getUserByEmail(), if I replace the line

'SELECT * FROM users WHERE email = ?' . ($allowDisabled?'':' AND disabled = 0')

with

'SELECT * FROM users WHERE LOWER(email) = LOWER(?)' . ($allowDisabled?'':' AND disabled = 0')

the problem disappears.