OK - it was $encrypted - I changed it to $password and everything is now working.

I tested it adding a new userID, changed the permissions on an existing userID and everything seems to be working correctly !

Whew !! Next Step?
---------------------
donm

Whew! I'm glad we got that worked out.

Scroll up this page until you find what I posted at 07:19 PM PST yesterday. Make those changes and test out the lookup, get_email, change_email and change_password routines (if you're using them).

After that, you can actually use the new permission.


------------------
JPD

ok.... those all work GREAT!

Now to actually implementing the new permission. Next?

Gosh aren't you up awfully late? :-)
--------------------------
donm

Yeah I'm up late. I'm about ready to go to bed. But first....

I started writing all of this in a separate file so I'll have it -- corrected -- and I realized that there is one more little step before you use this new permission. We need to adjust your current .pass file. I think it's important that this little script is tested out before we continue.

At this point, you are ready to do some work with your real .pass file. You will have to go through and manually change the "member" permission through the admin display, but first you need to add another field to the password file. Save your "real" password file to the directory you've been working in.

Save the script below to the same directory, with the name fixpass.cgi.

Note that you may need to change the first line of the script to match your path to Perl and, if your .pass file is not called "default.pass," you'll have to change the name of the file as well.

You will also need to copy sub cgierr from db.cgi into this script.


I haven't tested this to see if it works, but it doesn't have any syntax errors in it.

Upload the script (in ASCII mode) and set the permission to 755. Run it from your browser, using "fixpass.cgi."

After it's finished, log on to DBMan, using one of the username/password combinations that you know is in the file. Create a new user and try out all of the functions. Change one of the current users to "member" status and try out all the functions. (You may need to change a password so you'll be able to log in, but that's okay. You're not going to be using this file anyway when you're all done.)

Test everything before you go on. Test it again. Test it a third time and then once more for good measure. Try to think of anything that might be a problem.

After this, we'll be ready to use this new permission. Think of what you want to do with it.




------------------
JPD

ok.... will do! I am at work now - so I won't be able to test any of this until later - I am going to begin work on it between 5-6pm EST tonight.

So, go get some sleep !! :-) Again, I thank you for all of your help. I'll let you know later how things are going.
----------------------

donm

[This message has been edited by donm (edited April 11, 2000).]

Well that went rather easy - the script worked great !

I have tested and tested and retested adding a new user, changing the permissions, changing the email, changing the password... and everything is working great.

Now, what I am wanting to do is this: I have a two-level membership database -

First level are those who have registered their info and should be able to add a record, modify their own record, and view only the short view of other members who are registered. They will NOT be able to view the long view of other members records.

Second level are those who have upgraded to membership and they can add a record, modify their own record, and view the short and long view of other members records in the database.

Gosh, I have been wanting to get this going for over a year. It may finally come to pass thanks to you JPD !!! :-)
------------------------
donm

Whew! I was really sweatin' that script.

Okay. Now to use all this.

In sub html_record, where you have your short display, you now have something like:


to use your membership permission, change the above to


That will prevent the link to the long display from showing up for non-members.

In sub html_view_success, you currently have


Change that to


That should do it. (Such a little bit of code for such a lo-o-o-ong discussion! )


------------------
JPD

Well - for some reason I can't figure out what I am doing wrong here. I can't get my short view to display. I am having problems of knowing exactly where to place the permission. Here is my code for the line for the short view:
any ideas? :-)

----------------
donm

Try this in your short display:


------------------
JPD

ok - now I am getting NO matching records no matter what I do - and I know that there are at least 500 records in the DB

-------------------------
donm

DOH !!!!! I apologize it was MY mistake - I uploaded the wrong database. There were NO records in the one I uploaded.

Everything is working !!!!! Whoooo hooo !

I owe you BIG TIME JPD !!!!
---------------------------
donm

I'm just pleased to know I'm not the only one who makes those kinds of mistakes.

Now you need to transfer your auth.pl, db.cgi and html.pl file over to your "real" database. Also save the fixpass.cgi script to your other directory and run it again. Be sure to only run it once and then delete it from your directory.

After that, you have the fun of changing the status of your users.


------------------
JPD

 LOL - did you think there was a problem? The permission is working great and I really appreciate your help JPD !

Read your email - something important for you there ! :-)

-----------------
donm

Carol - The new level of permissions is still working great however there is one slight problem.

It seems that since we added this new level of permissions now when someone forgets or loses their password and tries to get a new one issued through the "Secure password lookup" the password is issued and emailed to the user - however it does not really work when the user tries to use it to login.

Any ideas on how to correct this?

----------------
donm

You mean that the password does not allow them to log in or that the permission is not there?

JPD
http://www.jpdeni.com/dbman/

The password does not allow them to login - however this only happens when someone has lost their password and uses the Secure Password Lookup to have a new password issued.

The password is sent via email - but when trying to use the password that was sent - it does not allow them to login.

BTW - the Secure Password Lookup worked before adding the new permission.

-----------------
donm

I guess I didn't think about testing that out when we were working on it.

I'll have to see your sub lookup to be able to tell you anything.

JPD
http://www.jpdeni.com/dbman/

Carol-

Here is the sub lookup from the db.cgi:

sub lookup {
# --------------------------------------------------------
# This subroutine added for the secure_password_lookup mod

my ($message, $userid, $pw, $view, $add, $del, $mod, $mem, $admin, $email, $password, $found, $output);

# Check to make sure email is ok
unless ($in{'email'} =~ /.+\@.+\..+/) {
&html_lookup_form ("Invalid email address format: '$in{'email'}'.");
return;
}
open (PASSWD, "<$auth_pw_file") || &cgierr("unable to open password file. Reason: $!\n");
@passwds = <PASSWD>;
close PASSWD;
$found = '';
foreach $pass (@passwds) { # Go through each pass and see if we match.
chomp ($pass);
if ($pass =~ /$in{'email'}/) {
$found = $pass;
}
else {
$output .= $pass . "\n";
}
}
if (!$found) {
&html_lookup_form ("The email address you entered was not found in the file.");
return;
}
else {
open (PASS, ">$auth_pw_file") or &cgierr ("unable to open: $auth_pw_file.\nReason: $!");
if ($db_use_flock) {
flock(PASS, 2) or &cgierr("unable to get exclusive lock on $auth_pw_file.\nReason: $!");
}
print PASS $output;
close PASS;

($userid, $pw, $view, $add, $del, $mod, $mem, $admin, $email) = split (/:/, $found);
$password = &generate_password;
srand( time() ^ ($$ + ($$ << 15)) ); # Seed Random Number
my @salt_chars = ('A' .. 'Z', 0 .. 9, 'a' .. 'z', '.', '/');
my $salt = join '', @salt_chars[rand 64, rand 64];
my $encrypted = crypt($password, $salt);

# Add the userid into the file with default permissions.
open (PASSWD, ">>$auth_pw_file") or &cgierr ("unable to open: $auth_pw_file.\nReason: $!");
if ($db_use_flock) {
flock(PASSWD, 2) or &cgierr("unable to get exclusive lock on $auth_pw_file.\nReason: $!");
}
print PASSWD "$userid:$encrypted:$view:$add:$del:$mod:$mem:$admin:$email\n";
close PASSWD;

open (MAIL, "$mailprog") || &cgierr("Can't start mail program");

print MAIL "To: $in{'email'}\n";
print MAIL "From: $admin_email\n";
print MAIL "Subject: $html_title New Password\n\n";

print MAIL "-" x 75 . "\n\n";

print MAIL "Here is your new $html_title password.\n\n";

print MAIL "Your $html_title User ID is: $userid\n";
print MAIL "Your $html_title password is: $password\n\n";

print MAIL "Please keep this email for future reference.\n\n";

print MAIL "To log on, go to\n\n";
print MAIL "$db_script_url?db=$db_setup\n";
print MAIL "and enter your User ID and password.\n\n";

print MAIL "Please contact $html_title support at: $admin_email\n";
print MAIL "if you have any questions.\n\n";

close (MAIL);

&html_lookup_success;
}
}

As always thanks for your help !
-----------------
donm

I don't see anything wrong with it.

Is it just that the password doesn't work or is it that the username is no longer in the file?

I may need to check this for myself, just to see what's going on.


JPD
http://www.jpdeni.com/dbman/

Everything appears to be working as it should - the only difference is that the password that is generated and then sent via email does not work for the users.

The password that is generated upon signup works fine - its only when someone uses the lookup when they have lost their password. The password that is generated at that time does not work.

-----------------
donm

It just doesn't make any sense. The code for encrypting the password is the same in both sub signup and sub lookup. The variables are a little different, but the code is identical.

Is the new password encrypted in the .pass file?




JPD
http://www.jpdeni.com/dbman/

Carol,

I do not know exactly what the problem was - but I also had a problem with my ISP today on a different matter but related to files within the cgi directory. Once my ISP resolved the problem with our cgi directory everything seems to be working properly now - including the Secure Password Lookup and new permissions.

Thanks again for your time !
----------------------------
donm