IMPLEMENTING THE EMAILONAPPROVED PLUGIN AND A MANDATORY PASSWORD CHANGE ON FIRST LOGIN - Jul 7th, 2020


Website Membership Plugin Required https://www.interactivetools.com/plugins/website-membership/

When a prospective member filled out the membership application, I wanted their application to be approved manually. I
wanted an e-mail to be sent stating that their application had been received and that as soon as it was processed they
would get a second “welcome” e-mail with their username and a temporary password.

As password encryption became the norm, it became more difficult and then impossible to retrieve a password from the
database and send it to a member.

To get around this obstacle, here’s an approach to send members a generic password and force them to change their
password the first time they log in.

NOTE: Because of security measures implemented on your server, you might have to change your admin email to a valid
email address on your hosting account, or use an SMTP server email account (set in the Admin > General tab) for emails
to automatically be sent by CMS Builder.

1) If you don’t have it already, you’ll need to download the emailOnApproved plugin from:

http://www.thecmsbcookbook.com/downloads/emailOnApproved.zip

2) In emailOnApproved.php search for $message=<<< __TEXT__

remove the {$_REQUEST['password']} and replace it with a generic password that you’ll also enter into your user-signup
form in step 6

3) You’ll also need to download and install the latest version of the Website Membership plugin.

4) Create 2 new check boxes in the ‘account’ section of your CMS, an ‘Approved’ check box and a ‘First Time
Login’ check box. Change the checked value to NO and the unchecked value to YES in the First Time Login field.

5) In websiteMembership.php search for return $CURRENT_USER;

add this code just before that line:


if (@$_REQUEST['action'] == 'login') {
  // if first time login, redirect to the change password page
  if (@$CURRENT_USER && (@$CURRENT_USER['first_time_login'] == '0' || @$CURRENT_USER['first_time_login'] == "")) {
    redirectBrowserToURL("cp.php");
    exit;
  }
}


7) In the USER_SIGNUP Email template (you’ll find the templates at the bottom of the ADMIN menu group), delete the
username, password and login reference and insert the text that’s appropriate for your site.

For a membership site, it could be:

“Thanks for signing up.

We’ll review your application and email your login credentials to you as soon as your application is approved.”

6) In your user-signup form, search for: $colsToValues['password'] = $passwordHash;

Delete that code and replace it with: $colsToValues['password'] = 'YourGenericPassword'; (replacing
YourGenericPassword with the one you used in step 2. Keep the straight single quotes before and after
YourGenericPassword.)

7) In your user-signup form, change this:


$errorsAndAlerts = "Thanks, We've created an account for you and emailed you your password.\n";
$errorsAndAlerts .= "If you don't receive an email from us within a few minutes check your spam filter for messages from {$fromEmail}\n";

to something like this:

$errorsAndAlerts = "Thanks, we've created an account for you. As soon as you're approved we'll email you your password.\n";
$errorsAndAlerts .= "If you don't receive an email from us within a reasonable time, check your spam filter for messages from {$fromEmail}\n";

Create a web page named cp.php with the following code and upload to your server in the website root directory:

At the top of your page:


<?php $GLOBALS['SEP_DISABLED'] = 1; ?>
<?php header('Content-type: text/html; charset=utf-8'); ?>
<?php
// load viewer library
$libraryPath = 'cmsAdmin/lib/viewer_functions.php';
$dirsToCheck = array('path_to_your_server/','','../','../../','../../../');
foreach ($dirsToCheck as $dir) { if (@include_once("$dir$libraryPath")) { break; }}
if (!function_exists('getRecords')) { die("Couldn't load viewer library, check filepath in sourcecode."); }
?>
<?php $GLOBALS['WEBSITE_MEMBERSHIP_PROFILE_PAGE'] = true; // prevent redirect loops for users missing fields listed in $GLOBALS['WEBSITE_LOGIN_REQUIRED_FIELDS'] ?>
<?php # Developer Notes: To add "Agree to Terms of Service" checkbox (or similar checkbox field), just add it to the accounts menu in the CMS and un-comment agree_tos lines

//
$useUsernames = true; // Set this to false to disallow usernames, email will be used as username instead

// error checking
$errorsAndAlerts = "";
if (@$_REQUEST['missing_fields']) { $errorsAndAlerts = "Please fill out all of the following fields to continue.\n"; }
// if (!$CURRENT_USER) { websiteLogin_redirectToLogin(); }


### Update User Profile
if (@$_POST['save']) {
  // update user
  if (!$errorsAndAlerts) {
    $colsToValues = array();
    // ... add more form fields here by copying the above line!
    // first_time_login is deliberately not set here; it is recorded by the Change Password section below
    $colsToValues['updatedByUserNum'] = $CURRENT_USER['num'];
    $colsToValues['updatedDate='] = 'NOW()';
    mysql_update(accountsTable(), $CURRENT_USER['num'], null, $colsToValues);

    // on success
    websiteLogin_setLoginTo( $CURRENT_USER['username'], $CURRENT_USER['password'] ); // update login session (the username is not changed on this page)
    $errorsAndAlerts = "Thanks, we've updated your password.\n";
  }
}


### Change Password
if (@$_POST['changePassword']) {
  // change passwords
  $encryptPasswords = @$SETTINGS['advanced']['encryptPasswords'];

  // error checking
  $_REQUEST['oldPassword'] = preg_replace("/^\s+|\s+$/s", '', @$_REQUEST['oldPassword']); // v1.10 remove leading and trailing whitespace
  $oldPasswordHash = $encryptPasswords ? getPasswordDigest(@$_REQUEST['oldPassword']) : @$_REQUEST['oldPassword'];
  if (!@$_REQUEST['oldPassword']) { $errorsAndAlerts .= "Please enter your current password\n"; }
  elseif ($oldPasswordHash != $CURRENT_USER['password']) { $errorsAndAlerts .= "Current password isn't correct!\n"; }
  $newPasswordErrors = getNewPasswordErrors(@$_REQUEST['newPassword1'], @$_REQUEST['newPassword2'], $CURRENT_USER['username']); // v2.52
  $errorsAndAlerts .= nl2br(htmlencode($newPasswordErrors));

  // change password
  if (!$errorsAndAlerts) {
    $passwordHash = $encryptPasswords ? getPasswordDigest($_REQUEST['newPassword2']) : $_REQUEST['newPassword2'];
    // update the password and mark the first-time login as done only after every check above has passed,
    // so a failed attempt leaves the account still flagged for a mandatory change
    $colsToValues = array();
    $colsToValues['password'] = $passwordHash;
    $colsToValues['first_time_login'] = '1';
    $colsToValues['updatedByUserNum'] = $CURRENT_USER['num'];
    $colsToValues['updatedDate='] = 'NOW()';
    mysql_update(accountsTable(), $CURRENT_USER['num'], null, $colsToValues);
    websiteLogin_setLoginTo( $CURRENT_USER['username'], $_REQUEST['newPassword2'] ); // update current login session
    unset($_REQUEST['oldPassword'], $_REQUEST['newPassword1'], $_REQUEST['newPassword2']); // clear form password fields
    $errorsAndAlerts = "Thanks, we've updated your password!\n";
    redirectBrowserToURL("members-only.php");
  }
}
### END: Change Password


// prepopulate form with current user values
//foreach ($CURRENT_USER as $name => $value) {
// if (array_key_exists($name, $_REQUEST)) { continue; }
// $_REQUEST[$name] = $value;
// }

?>


And in the body (NOTE: You can style your page to match your site design):


<?php if (@$errorsAndAlerts): ?>
<div align="left" class="your_class" style="color:#F00">
<?php echo $errorsAndAlerts; ?>
</div>
<?php endif ?>
<div style="width:90%" align="left">
<div class="your_class" align="center">PLEASE CHANGE YOUR PASSWORD</div>


<span class="your_class"><b>Welcome <?php echo htmlencode($CURRENT_USER['first_name']) ?>,

Since this is the first time you've logged in, we ask that you
change your password to protect your privacy.

NOTE: Once you've changed your password, you'll no longer be logged in,
and you'll have to </b> </span><a class="your_class" href="member_login.php">LOGIN AGAIN</a> <span
class="your_class"><b>with your new credentials.</b></span>


<!-- CHANGE PASSWORD FORM -->
<div > <b>Change your Login Password - (Don't forget to write down the new one!)</b>
<form method="post" action="?">
<input type="hidden" name="changePassword" value="1" />
<p>
<table border="0" cellspacing="0" cellpadding="1">
<tr>
<td>Enter Your Current Password</td>
<td><input type="password" name="oldPassword" value="<?php echo htmlencode(@$_REQUEST['oldPassword']); ?>" size="40" /></td>
</tr>
<tr>
<td> Enter Your New Password</td>
<td><input type="password" name="newPassword1" value="<?php echo htmlencode(@$_REQUEST['newPassword1']); ?>" size="40" /></td>
</tr>
<tr>
<td> Enter Your New Password (again)</td>
<td><input type="password" name="newPassword2" value="<?php echo htmlencode(@$_REQUEST['newPassword2']); ?>" size="40" /></td>
</tr>
<tr>
<td >&nbsp;</td>
<td align="center">
<input class="button" type="submit" name="submit" value="Change Password &gt;&gt;" /></td>
</tr>
</table>
</form>
</div>

<!-- /CHANGE PASSWORD -->
<?php if (@$errorsAndAlerts): ?>
<div class="your_class" style="color:#F00">
<?php echo $errorsAndAlerts; ?>

</div>
<?php endif ?>
</div>


7) If you're implementing the mandatory password change on an existing site, you might want to change all the First Time
Login check boxes to checked so that existing users won't get a "reset your password" message the next time they log in.
To change all the check boxes with one click, you can use the Field Resetter Plugin that you can download from
http://www.thecmsbcookbook.com/downloads/fieldResetter.zip

8) TEST TO MAKE SURE EVERYTHING WORKS AS PLANNED!!!
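
An alternative to the shared generic password from steps 2 and 6, as an added example that is not part of the original recipe or of CMS Builder's code: each member gets a distinct random temporary password at approval time, and the first-login flag is cleared only after a successful change. The function names, the in-memory $account array and the 10-character minimum are assumptions for illustration; PHP's password_hash()/password_verify() stand in for CMS Builder's getPasswordDigest().

```php
<?php
// Added example: per-member temporary password plus first-login gate.
// $account is a constructed in-memory stand-in for one accounts record.

// Build a random temporary password from an alphabet without look-alike characters.
function makeTempPassword(int $length = 14): string {
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Run when the 'Approved' box is ticked. Returns the plaintext so it can be
// e-mailed once; only the hash is stored.
function approveAccount(array &$account): string {
    $temp = makeTempPassword();
    $account['password']         = password_hash($temp, PASSWORD_DEFAULT);
    $account['first_time_login'] = '0';   // '0' = change still required, as in step 5
    return $temp;
}

// Returns a list of errors; the record is modified only when the list is empty.
function changePassword(array &$account, string $old, string $new1, string $new2): array {
    $errors = [];
    if (!password_verify($old, $account['password'])) { $errors[] = "Current password isn't correct!"; }
    if ($new1 !== $new2)    { $errors[] = "New passwords don't match."; }
    if (strlen($new1) < 10) { $errors[] = "New password is too short."; }   // assumed policy
    if ($new1 === $old)     { $errors[] = "New password must differ from the temporary one."; }
    if ($errors) { return $errors; }      // on any failure the flag is left untouched

    $account['password']         = password_hash($new1, PASSWORD_DEFAULT);
    $account['first_time_login'] = '1';   // cleared only after a successful change
    return [];
}

// Constructed walk-through: approve, try a wrong current password, then the right one.
$account = ['username' => 'jdoe', 'password' => '', 'first_time_login' => ''];
$temp    = approveAccount($account);
var_dump(changePassword($account, 'wrong-guess', 'n3w-Passphrase!', 'n3w-Passphrase!'));
var_dump($account['first_time_login']);
var_dump(changePassword($account, $temp, 'n3w-Passphrase!', 'n3w-Passphrase!'));
var_dump($account['first_time_login']);
```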

__________________________________________________________________________________________________

NOTE: THE STEPS OUTLINED IN THE (LEGACY) RECIPE BELOW WILL ALLOW THIS PLUGIN TO WORK CORRECTLY WITH ENCRYPTED PASSWORDS
(CMSB VERSION 2.08+ AND THE WEBSITE MEMBERSHIP PLUGIN V1.05+), BUT NOT WITH V1.09 OR LATER (SEE ABOVE).

***V 1.10 OF THE MEMBERSHIP PLUGIN IS HIGHLY RECOMMENDED***

NOTE: Thanks to Steve from MustBeOnLine.com for discovering a coding error in the zipped plugin (now fixed). He
discovered that there was a double $errors = in the line of code:


$errors = $errors=mail($_REQUEST['email'],"Your membership has been approve!",$message,$headers);


It should be:


$errors = mail($_REQUEST['email'],"Your membership has been approve!",$message,$headers);


Download and install the emailOnApproved plugin. Do a search on the forum for the latest version, or you can download my
modified (and corrected) version from here:

http://www.thecmsbcookbook.com/downloads/emailOnApproved.zip

This modified plugin will allow you to set up a manual approval process and send an e-mail to your new members when they
are approved.

Before encrypted passwords it was easier to email login credentials to a member after their account had been manually
approved. (Their application was approved, their payment had been verified, etc.)

Since the implementation of encrypted passwords, the process became a bit more involved.


Here are the steps necessary:

First, create a visible password text field in the “Accounts” section (I call it visible_password in this recipe)
and an "approved" check box.

Then have your signup form automatically fill the visible_password field with the automatically generated password
before it’s encrypted.

You’ll need to comment out (or remove) the send email instructions in the signup form

You’ll also want to change the “show thanks” message that is presented on a successful signup.

Then in the emailOnApproved plugin, you’ll want to change the ‘password’ field to ‘visible_password’

Here are the specifics:

First add a text field called "visible_password" to your “accounts” section. (You can call it anything you want to,
but be consistent)

Next add a check box field called "approved"

Then open your signup form and somewhere in the mysql_query("INSERT INTO `{$TABLE_PREFIX}accounts` SET code insert the
following code as a separate line:


visible_password = '$password',


it doesn’t matter where in the series you insert the line, as long as it’s a separate line.

Next search for // send message and comment out the entire section with a /* before the section and a */ after the section.





Just under that section of code you should find the section called // show thanks

You’ll want to modify that message to something like:


// show thanks
$errorsAndAlerts = "Thanks, We've created an account for you. As soon as you're approved we'll email you your password.\n";
$errorsAndAlerts .= "If you don't receive an email from us within a few minutes check your spam filter for messages from {$SETTINGS['adminEmail']}.\n";
// $errorsAndAlerts .= "<a href='{$GLOBALS['WEBSITE_LOGIN_LOGIN_FORM_URL']}'>Click here to login</a>.";


Notice that I’ve removed the reference to {$emailHeaders['from']} in the “spam filter” text and replaced it with
{$SETTINGS['adminEmail']} (you’ll get an error if you don’t, because you removed the original variable in the
previous step), and commented out the login URL line with a double forward slash (you can remove this line if you’d
prefer).

Now save your signup form and open the emailOnApproved plugin.

The instructions on how to implement this plugin are below.

Search for ‘password’ and replace this with ‘visible_password’ (unless you called your field something else)

That’s it.

LEGACY INFORMATION


BACKGROUND
When I first activated the original emailOnApproved plugin, I was getting Undefined index errors reported on saving a
record until I added this line suggested by Dave Edis to the error checking section of the code:


if ($tableName != 'accounts') { return; }


So now the error checking section looks like


// error checking
if ($tableName != 'accounts') { return; }
if (!array_key_exists($fieldname, $CURRENT_USER)) {
die(__FUNCTION__ .": You must create an accounts fields called '$fieldname'!");
}



And there are no more Undefined index errors.

I decided that it would make more sense to include the new member’s username, temporary password and a login URL in
this email, so I modified the original:


// send email
$wasChecked = intval(!$oldRecord[$fieldname] && $_REQUEST[$fieldname]);
$wasUnchecked = intval($oldRecord[$fieldname] && !$_REQUEST[$fieldname]);

if ($wasChecked) {
$errors = sendMessage(array(
'from' => $SETTINGS['adminEmail'],
'to' => $_REQUEST['email'],
'subject' => "You have been approved!",
'text' => "Congradulations!

You have been approved for our website.
Your password is: {$_REQUEST['password']}

See you soon!
",
));
if ($errors) { die($errors); }
}

}

?>


To this:

NOTE: Make sure that there are no spaces after the $message=<<< __TEXT__ and that the __TEXT__; is flush against the
left margin or you’ll generate errors.


// send email
$wasChecked = intval(!$oldRecord[$fieldname] && $_REQUEST[$fieldname]);
$wasUnchecked = intval($oldRecord[$fieldname] && !$_REQUEST[$fieldname]);

$message=<<< __TEXT__
Congratulations!

Your subscription has been processed successfully and you now have access to the "Members Only" area of our web site.
Your user name is: {$_REQUEST['username']}
and your temporary password is: {$_REQUEST['password']}.
Once you have successfully logged in, you can change your password and update your profile information.


<a href="http://www.your_web_site_URL.com{$GLOBALS['WEBSITE_LOGIN_LOGIN_FORM_URL']}">Click here to login</a>

Best,

The Subscription Committee
__TEXT__;

$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
$headers .="FROM:". $SETTINGS['adminEmail'];

if ($wasChecked) {
$errors = mail($_REQUEST['email'],"Your membership has been processed!",$message,$headers);
if ($errors!=1) { die("Mail Error: $php_errormsg"); }
}
}
?>



The materials on this web site have been created for use with CMS Builder content management software. CMS Builder software is published and licensed for use by InteractiveTools.com. Please contact Interactive Tools for information on the downloading of the software or the purchasing of licenses.

