Disable Lost Password On Admin Accounts

Discussion in 'Setting-up protection' started by shape5llc, Jan 22, 2014.

  1. shape5llc

    shape5llc aMember Pro Customer

    Joined:
    Mar 16, 2009
    Messages:
    7
    Hello,

    Is there any way to disable the lost password feature for specific accounts? Someone keeps trying to submit a lost password request for one of our site admin accounts. I realize that the email comes to us so they never get the link to reset it, but I still don't like that they can submit it in the first place. So is there any way to modify the send password files so that it ignores let's say the username "admin" and maybe others?
  2. caesar

    caesar aMember Pro Developer Staff Member

    Joined:
    Oct 16, 2009
    Messages:
    1,669
    There is not such standard option. You can alter this behaviour in code directly. Please edit file amember/application/default/controllers/AdminAuthController.php and in method sendSecurityCode as the first line add the following code:
    Code:
    if ($admin->login == 'admin') return;
  3. shape5llc

    shape5llc aMember Pro Customer

    Joined:
    Mar 16, 2009
    Messages:
    7
    Hello,

    Unfortunately, that's not working. I have the first few lines of the method like this:

    private function sendSecurityCode(Admin $admin)
    {
    if ($admin->login == 'admin') return;
    $security_code = $this->getDi()->app->generateRandomString(16);
    $securitycode_expire = sqlTime(time() + self::EXPIRATION_PERIOD * 60 * 60);


    And when submitting a lost password for "admin" the email is still sent.
  4. caesar

    caesar aMember Pro Developer Staff Member

    Joined:
    Oct 16, 2009
    Messages:
    1,669
    Do you tried to restore password for admin with login 'admin'? It should works for sure.
    Please contact us in helpdesk I will help you to troubleshoot it.
  5. shape5llc

    shape5llc aMember Pro Customer

    Joined:
    Mar 16, 2009
    Messages:
    7
    Hello,

    I didn't test that, I was looking for a way to avoid the email going out altogether. Is there no way to block that?
  6. caesar

    caesar aMember Pro Developer Staff Member

    Joined:
    Oct 16, 2009
    Messages:
    1,669
    Do you want to disable this feature for all admins?
    In this case replace
    if ($admin->login == 'admin') return;
    with
    return;
  7. shape5llc

    shape5llc aMember Pro Customer

    Joined:
    Mar 16, 2009
    Messages:
    7
    Hello,

    No, I want to do it for specific usernames, I don't want any email to go out or be able to reset the password through amember for these users. Your fix is just blocking it from being reset, but how do we also prevent the email from being sent?
  8. caesar

    caesar aMember Pro Developer Staff Member

    Joined:
    Oct 16, 2009
    Messages:
    1,669
    If you add this code email will not be sent. How do you test it?
  9. shape5llc

    shape5llc aMember Pro Customer

    Joined:
    Mar 16, 2009
    Messages:
    7
    Hello,

    I stated above exactly how and where I entered the code, and how I tested it.

    1. I entered the code that you gave me in the location that you gave me like this:

    private function sendSecurityCode(Admin $admin)
    {
    if ($admin->login == 'admin') return;
    $security_code = $this->getDi()->app->generateRandomString(16);
    $securitycode_expire = sqlTime(time() + self::EXPIRATION_PERIOD * 60 * 60);

    2. I then when to the lost password page and submitted the username "admin"

    3. I still receive an email saying that a lost password request was submitted.


    So that code is not stopping the email from being sent.
  10. shape5llc

    shape5llc aMember Pro Customer

    Joined:
    Mar 16, 2009
    Messages:
    7
    Hello,

    Can I have an update on this?
  11. caesar

    caesar aMember Pro Developer Staff Member

    Joined:
    Oct 16, 2009
    Messages:
    1,669
    It should works properly if you applied code to correct place. Please contact us in helpdesk with this issue. I will check what can be wrong.
  12. shape5llc

    shape5llc aMember Pro Customer

    Joined:
    Mar 16, 2009
    Messages:
    7
    Hello,

    It does NOT work. I have detailed exactly what I've done above. I wouldn't be posting if the code you provide worked. Our server is very locked down, and I cannot provide ftp access. Here is the entire function:


    private function sendSecurityCode(Admin $admin)
    {
    if ($admin->login == 'admin') return;
    $security_code = $this->getDi()->app->generateRandomString(16);
    $securitycode_expire = sqlTime(time() + self::EXPIRATION_PERIOD * 60 * 60);

    $et = Am_Mail_Template::load('send_security_code_admin', null, true);
    $et->setUser($admin);
    $et->setUrl(sprintf('%s/admin-auth/change-pass/?s=%s',
    $this->getDi()->config->get('root_url'),
    $security_code)
    );
    $et->setHours(self::EXPIRATION_PERIOD);
    $et->send($admin);
    $this->getDi()->store->set(
    self::SECURITY_CODE_STORE_PREFIX . $security_code,
    $admin->pk(),
    $securitycode_expire
    );
    }
  13. caesar

    caesar aMember Pro Developer Staff Member

    Joined:
    Oct 16, 2009
    Messages:
    1,669
    As you can see aMember send email ($et->send($admin)) below line
    if ($admin->login == 'admin') return;
    but if condition is true code below this line is not executed (email is not send).

    I tested it on my local install and it works for me. Please contact us in helpdesk if you want that we troubleshoot it.

Share This Page