AAC Allowing multiple accounts per email.

Arkemis · Sep 8, 2021

Using latest ZnoteAAC

I want players to be able to use 1 email account for multiple accounts, and on this note, does this create any vulnerabilities I should be aware of? I dug through some of the php code (still learning), and I found a line in 'register.php' that seems to be related.

PHP:

if (user_email_exist($_POST['email']) === true) {
            $errors[] = 'That email address is already in use.';
        }

I dont know PHP (yet!) but I understand some programming languages. I believe this only controls the text-feedback to the user. I don't see anything that looks like its preventing the registration in these lines. So am I looking for that variable 'user_email_exist'? Admittedly I wouldn't know what to do with it if I found it lol.

I'm know im posting in support daily, but im trying to become proficient enough to be able to contribute as soon as possible. I'm really trying not to be a leech.

Boy67 · Sep 8, 2021

Firstly, check for a config file. Znote may already have a configuration in place for multiple accounts per 1 email.

Secondly, that code only adds an error to an array. Somewhere later in the code it will check if $errors is empty and will only continue if so. user_email_exists is a function, you could either find it and remove the code or just remove the function from the main block. There could be several instances of this though.

I have never seen the code so I am only speculating, I'm sure @Znote will be able to help you more with this.

Arkemis · Sep 8, 2021

Boy67 said:
Firstly, check for a config file. Znote may already have a configuration in place for multiple accounts per 1 email.

Secondly, that code only adds an error to an array. Somewhere later in the code it will check if $errors is empty and will only continue if so. user_email_exists is a function, you could either find it and remove the code or just remove the function from the main block. There could be several instances of this though.

I have never seen the code so I am only speculating, I'm sure @Znote will be able to help you more with this.

Thank you for such a speedy response, this community is great! Your potatoes will be hearty and your cucumbers firm!
That should give me enough to go on and figure it out for myself. I'll definitely take advice from @Znote if he gets here before I figure it out. If I do, ill come back and post exact solution.

zbizu · Sep 8, 2021

if you're on windows, you can install visual studio code, open znoteaac folder (in editor), open the file in it and right click -> go to definition (may require PHP extension, the editor may ask you for it)

removing the line that inserts the error to array should do the trick though, see:

ZnoteAAC/register.php at ec55497c5abcad662489e6616d726e749a9e1bb3 · Znote/ZnoteAAC

Developement repository for the Znote AAC project. A website portal to represent and manage your Open Tibia server. - Znote/ZnoteAAC

github.com

Pox · Sep 8, 2021

Arkemis said:
Using latest ZnoteAAC

I want players to be able to use 1 email account for multiple accounts, and on this note, does this create any vulnerabilities I should be aware of? I dug through some of the php code (still learning), and I found a line in 'register.php' that seems to be related.

PHP:

if (user_email_exist($_POST['email']) === true) { $errors[] = 'That email address is already in use.'; }

I dont know PHP (yet!) but I understand some programming languages. I believe this only controls the text-feedback to the user. I don't see anything that looks like its preventing the registration in these lines. So am I looking for that variable 'user_email_exist'? Admittedly I wouldn't know what to do with it if I found it lol.

I'm know im posting in support daily, but im trying to become proficient enough to be able to contribute as soon as possible. I'm really trying not to be a leech.

Lets break it down a bit.

The code you posted is the correct snippet to remove
This code insert error message to $errors table.

If user with email exist, insert ot $errors.

PHP:

if (user_email_exist($_POST['email']) === true) {
            $errors[] = 'That email address is already in use.';
}

Further down you have this piece of code.
If $errors is empty = Create account, else display $errors

PHP:

    if (empty($_POST) === false && empty($errors) === true) {
        if ($config['log_ip']) {
            znote_visitor_insert_detailed_data(1);
        }

        //Register
        if ($config['ServerEngine'] !== 'OTHIRE') {
            $register_data = array(
                'name'        =>    $_POST['username'],
                'password'    =>    $_POST['password'],
                'email'        =>    $_POST['email'],
                'created'    =>    time(),
                'ip'        =>    getIPLong(),
                'flag'        =>     $_POST['flag']
            );
        } else {
            $register_data = array(
                'id'        =>    $_POST['username'],
                'password'    =>    $_POST['password'],
                'email'        =>    $_POST['email'],
                'created'    =>    time(),
                'ip'        =>    getIPLong(),
                'flag'        =>     $_POST['flag']
            );           
        }   

        user_create_account($register_data, $config['mailserver']);
        if (!$config['mailserver']['debug']) header('Location: register.php?success');
        exit();
        //End register

    } else if (empty($errors) === false){
        echo '<font color="red"><b>';
        echo output_errors($errors);
        echo '</b></font>';
    }

So, if remove the piece of code you posted it will never insert an error if email exists and it will just register

Arkemis · Sep 8, 2021

zbizu said:
if you're on windows, you can install visual studio code, open znoteaac folder (in editor), open the file in it and right click -> go to definition (may require PHP extension, the editor may ask you for it)

removing the line that inserts the error to array should do the trick though, see:

ZnoteAAC/register.php at ec55497c5abcad662489e6616d726e749a9e1bb3 · Znote/ZnoteAAC

Developement repository for the Znote AAC project. A website portal to represent and manage your Open Tibia server. - Znote/ZnoteAAC

github.com

This son of a shepherd thanks you! A thousand roosters for your home!

Post automatically merged: Sep 8, 2021

Pox said:

Lets break it down a bit.

The code you posted is the correct snippet to remove
This code insert error message to $errors table.

If user with email exist, insert ot $errors.

PHP:

if (user_email_exist($_POST['email']) === true) {
            $errors[] = 'That email address is already in use.';
}

Further down you have this piece of code.
If $errors is empty = Create account, else display $errors

PHP:

    if (empty($_POST) === false && empty($errors) === true) {
        if ($config['log_ip']) {
            znote_visitor_insert_detailed_data(1);
        }

        //Register
        if ($config['ServerEngine'] !== 'OTHIRE') {
            $register_data = array(
                'name'        =>    $_POST['username'],
                'password'    =>    $_POST['password'],
                'email'        =>    $_POST['email'],
                'created'    =>    time(),
                'ip'        =>    getIPLong(),
                'flag'        =>     $_POST['flag']
            );
        } else {
            $register_data = array(
                'id'        =>    $_POST['username'],
                'password'    =>    $_POST['password'],
                'email'        =>    $_POST['email'],
                'created'    =>    time(),
                'ip'        =>    getIPLong(),
                'flag'        =>     $_POST['flag']
            );        
        }

        user_create_account($register_data, $config['mailserver']);
        if (!$config['mailserver']['debug']) header('Location: register.php?success');
        exit();
        //End register

    } else if (empty($errors) === false){
        echo '<font color="red"><b>';
        echo output_errors($errors);
        echo '</b></font>';
    }

So, if remove the piece of code you posted it will never insert an error if email exists and it will just register

The soil is pleased with this water! Thank you for taking the extra time to break it down. I will master this before the cows come home.

Evil Puncker · Sep 8, 2021

how are you going to handle account recovery?

Arkemis · Sep 8, 2021

Evil Puncker said:
how are you going to handle account recovery?

Tbh I haven't gotten to that bridge yet. I'm still very new to this but I have thought about it.

The server I play on allows for multiple accounts per email, and I can still request a recovery key.

So my current understanding is that it's possible. If you are willing to school me on this further I would greatly appreciate it. Otherwise I'm sure I'll eventually figure it out.

Pox · Sep 8, 2021

Arkemis said:
Tbh I haven't gotten to that bridge yet. I'm still very new to this but I have thought about it.

The server I play on allows for multiple accounts per email, and I can still request a recovery key.

So my current understanding is that it's possible. If you are willing to school me on this further I would greatly appreciate it. Otherwise I'm sure I'll eventually figure it out.

Well... Usually its password recovery, here theres no problem since you enter the account + email and you only get to reset password for selected account. Here it doesnt matter if theres 100 accounts on 1 email.

But if you lose the account name then you need something unique to each account, like a recovery key.

Arkemis · Sep 8, 2021

Pox said:
Well... Usually its password recovery, here theres no problem since you enter the account + email and you only get to reset password for selected account. Here it doesnt matter if theres 100 accounts on 1 email.

But if you lose the account name then you need something unique to each account, like a recovery key.

My apologies but i think im having trouble following what you're telling me. Am I correct in what follows;
If users can register multiple accounts per email, then they can provide email and 1 of their specific acc names to recover/reset password for that acc name. However if they lose one of their acc names, they will still be able to use the recovery key attached to that acc name if they generated one. So they would still be able to recover account no? It would appear to me that after enabling multiple acc's per email that all account recovery options are intact. Is there something im missing?

Pox · Sep 8, 2021

Arkemis said:
My apologies but i think im having trouble following what you're telling me. Am I correct in what follows;
If users can register multiple accounts per email, then they can provide email and 1 of their specific acc names to recover/reset password for that acc name. However if they lose one of their acc names, they will still be able to use the recovery key attached to that acc name if they generated one. So they would still be able to recover account no? It would appear to me that after enabling multiple acc's per email that all account recovery options are intact. Is there something im missing?

Im a bit tired atm, but I’m on the same line, I can’t think of any major issue regarding recovery.

AAC Allowing multiple accounts per email.

Arkemis

Well-Known Member

zbizu

ZnoteAAC/register.php at ec55497c5abcad662489e6616d726e749a9e1bb3 · Znote/ZnoteAAC

Boy67

Guest

Arkemis

Well-Known Member

zbizu

Legendary OT User

ZnoteAAC/register.php at ec55497c5abcad662489e6616d726e749a9e1bb3 · Znote/ZnoteAAC

Pox

Advanced OT User

Arkemis

Well-Known Member

ZnoteAAC/register.php at ec55497c5abcad662489e6616d726e749a9e1bb3 · Znote/ZnoteAAC

Evil Puncker

Guest

Arkemis

Well-Known Member

Pox

Advanced OT User

Arkemis

Well-Known Member

Pox

Advanced OT User

Similar threads