MyBB Community Forums

This is my first MyBB plugin so I'm not expecting everything to be done properly or fully working.

This plugin allows an admin to force a certain user to change their password. From the ACP the admin types in the username of the user and then the next time that user is logged in and accesses a page they will be forcefully re-directed to the MyBB change password form until they change their password. It's compatible with 1.6 only.

There shouldn't be any security issues because this plugin never actually handles a password, it just hooks into the existing system for changing a password.

The only issue I can think of is that if someone is in the middle of typing a post and then before they hit Post the admin forces them to change password, that post will be lost. I'd be grateful if people tested this scenario. The work-arounds for this issue are only redirect users from index.php and hope they eventually land on it, or detect when a user is in the middle of posting something and don't redirect them at that point. Both are possible, but I'd like to hear what you guys think would be best.

I'd like a few people to test it for me before I submit it to the mods site. Please don't test on a live forum, or at least only do it on a user that you created. I also wouldn't do it to the super-admin account while it's in beta, just in case.

Attached is the ZIP file with instructions for installation and stuff, it's fairly self-explanatory.

UPDATED: I've just fixed a bug which would've caused the plugin to fail on forums not installed in a sub-directory. I have also added detection for $mybb->request_method == post as suggested by Aquilez. So it shouldn't redirect the user if they are submitting data anywhere.

Nice! I will try it in localhost...

Another workarond would be to redirect the user only if $mybb->request_method != post.
That way, if the user is creating a thread/post, changing a setting in his UCP or whatever, he won't loose anything.

Ah thanks, hadn't come across that variable before, I'll give it a go. Is there a list of all the $mybb variables?

print_r($mybb);

--

I don't know if there is a list with a description of each var, but that works. btw, almost all vars are self-explanative(?).

I've just discovered a fairly idiotic bug which will cause the plugin to fail unless the forum is installed in a sub directory of the main domain.

So, http://myforum.com/forum/ will work. But, http://myforum.com/ won't. I have just fixed it though and updated the first post with the new files.

---

Has anyone else tested this? I'd really like some feedback so I can know whether it's ready to release yet.

Thanks.

I just finished testing the plugin. It works like a charm, but i found a few.... not-so-cool-way-of-doing-things (?).

- Why you have a "fpc_enabled" field?
When you deactivate the plugin, the file (forcepwchange.php) won't be included in MyBB. Checking if the plugin isn't active is not required.

- You don't have the need to make another query to get the forcepwchange field. Just use $mybb->user['forcepwchange'].

- You can access any MyBB section using ?action=password. Obviously you can't do much (you can't use ?action for anything else), but it can be prevented.

---

Here is the forcepwchange_check_changed() function with a few changes I made (a lot simpler, right? :p)

function forcepwchange_check_changed() {
	global $mybb;
	
	if(!$mybb->user['uid'] || !$mybb->user['forcepwchange'])
	{
		return FALSE;
	}
	
	if(THIS_SCRIPT == 'usercp.php' && $mybb->input['action'] == 'password')
	{
		return FALSE;
	}
	
	$url = "usercp.php?action=password";
	$message = "The Administrator is forcing you to change your password.";
	redirect($url, $message);
}

You also could add a alert (like when you have a new pm) above the "change password" table. Just in case someone dosn't see the redirection page (or if they are deactivated).
I think a lang file would be better too.

Oh, I almost forget: please configure your editor to use tabs, no spaces

Thanks so much for your feedback. Most of what you've said is because I'm new to this, the changes you've made have revealed things I didn't know I could do lol.

How would I go about adding the alert on that page? Using flash_message? Or do I need to make changes to a template or something?

Finally, my editor is setup to use tabs, 4 of them by default. I'll make the changes you suggested tomorrow, it's midnight here and if I do it now I'll make mistakes.

No problem, everyone starts somewhere

---

Flash_message is for the ACP only. You will need to add a var in the template and use the usercp_password hook.

$plugins->add_hook('usercp_password', 'some_function_name');

function some_function_name()
{
global $mybb, $templates, $forcepwalert;

if(!$mybb->user['forcepwchange'])
{
return false;
}

eval("\$forcepwalert.= \"".$templates->get("forcepwchange_alert")."\";");
}

Congrats for your plugin

I've made all those changes and I've now submitted it to the mods site. Thanks for all your help again!