Member able to login and post as someone else?


(Lea-Ann McGregor) #1

I had a member be able to log in and post under another member’s username and password. Somehow it autopopulated because they certainly don’t know who or what their password is. And, the logout button doesn’t log them out either. How do I troubleshoot this?? I have SSO installed.


(Simon Cossar) #2

Do you know if the user was logged into the correct account on your WordPress site before they logged into your forum? If so, then the problem may be due to your recent changes that you mention here: Revisioning community - customer flow?.

If knittingtoday.com is not the same WordPress site as was used for clubknit.knittingtoday.com, then you are going to have to log in to the Rails console of your Discourse site and run the command:

SingleSignOnRecord.destroy_all

Let me know if this doesn’t make sense, or if you have trouble getting it done.


(Lea-Ann McGregor) #3

She said she had requested a password reset. I’m thinking no, she was not logged into the account beforehand. clubknit and knittingtoday each ran their own WordPress install. To run the command, do I just go to the SSH console? Do I change to the discourse directory or anything?


(Simon Cossar) #4

This is probably the issue. Discourse users are associated with WordPress users based on the WordPress user_id. If your new site is using a different database than your previous site, the user ids will be different.

The command you need to run to fix this is run from the Rails server of your Discourse installation. First ssh into your server, then run:

cd /var/discourse

then run

./launcher enter app

then run

rails c

This should bring you to the rails console. You’ll know you are there when you see a prompt that looks like this:

>

At that prompt, enter:

SingleSignOnRecord.destroy_all


(Lea-Ann McGregor) #5

How do I know if it’s done? There is a blinking : but it only looks like it did a few records.


(Simon Cossar) #6

First make sure that you are actually in the Rails console. (I’ve edited my instructions in the previous post.)

To check if you have deleted all the SingleSignOnRecords run the command:

SingleSignOnRecord.all

It should return something like this: []. If instead it returns some records with data, you will know they haven’t been deleted.

While you are in the Rails console, you should probably also log out all of your users by running this command:

UserAuthToken.destroy_all

When this has been done, SSO should work correctly for you.
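
Added example, not part of the original thread and not Discourse's own code: a plain-Ruby model of the cause described in post #4, where a stored SSO record keyed on the WordPress user id wins over the email, so records left from the old WordPress database attach a login to the wrong forum account. The struct and function names are hypothetical, the data is constructed, and the "record first, then email" order is a simplified model of the lookup.

```ruby
# Added illustration in plain Ruby; no Discourse code. All data is constructed.
SsoRecord = Struct.new(:external_id, :user_id)
User = Struct.new(:id, :username, :email)

# Simplified model: a stored record for the external_id wins. Only when no
# record exists is the account matched by email and a new record stored.
# (Returns nil when nothing matches; a real forum would create an account.)
def resolve_user(records, users, external_id, email)
  record = records.find { |r| r.external_id == external_id }
  return users.find { |u| u.id == record.user_id } if record

  user = users.find { |u| u.email.casecmp?(email) }
  records << SsoRecord.new(external_id, user.id) if user
  user
end

# Audit before deleting: list records whose external_id now belongs to a
# different email in the new WordPress user table (external_id => email).
def mismatched_records(records, users, wp_users)
  records.each_with_object([]) do |r, out|
    forum_user = users.find { |u| u.id == r.user_id }
    wp_email = wp_users[r.external_id]
    next if forum_user.nil? || wp_email.nil?

    out << [r.external_id, forum_user.username, wp_email] unless forum_user.email.casecmp?(wp_email)
  end
end

USERS = [User.new(1, "alice", "alice@example.com"),
         User.new(2, "bob", "bob@example.com")].freeze
# Records created against the OLD WordPress install.
OLD_RECORDS = [SsoRecord.new("10", 1), SsoRecord.new("11", 2)].freeze
# The NEW WordPress install assigned the same ids to different people.
NEW_WP = { "10" => "bob@example.com", "11" => "alice@example.com" }.freeze

if __FILE__ == $PROGRAM_NAME
  stale = resolve_user(OLD_RECORDS.dup, USERS, "10", "bob@example.com")
  clean = resolve_user([], USERS, "10", "bob@example.com")
  puts "stale records:   WordPress id 10 (bob) logs in as #{stale.username}"
  puts "records cleared: WordPress id 10 (bob) logs in as #{clean.username}"
  mismatched_records(OLD_RECORDS, USERS, NEW_WP).each do |id, name, email|
    puts "record #{id} points at #{name}, but WordPress now says #{email}"
  end
end
```
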


(Lea-Ann McGregor) #7

Yep. When I didn’t get the >, I did a little searching on some past messages and saw the rails login needed.


(Lea-Ann McGregor) #8

Just to wrap this up. Looks like everything worked just fine. Appreciate the help, as always @Simon_Cossar.

