When sharing users between different Joomla versions, the password can be modified by Joomla 3.3, which forbids Joomla 2.5 to log in.
Add this verification when PHP 5.3.10 is available; this makes the compatibility available with J3.3.
This change requires adding the J3.3 /libraries/compat directory, included in J2.5.20.
Status: New ⇒ Pending
Category: ⇒ Authentication
Thanks @jms2win for this, as it may be useful for people upgrading soon with 2.5.x EOL.
Please provide test instructions so that we can commit this soon hopefully!
How does this help? I am confused.
From a conversation with @jms2win previously, he said this was to enable a user to authenticate in all versions of Joomla at the same time. If that is correct, then it won't have any effect or benefit for people upgrading.
Brian Teeman
Co-founder Joomla! and OpenSourceMatters Inc.
http://brian.teeman.net/
It doesn't matter for people upgrading. Joomla 3 is capable of handling the old passwords from Joomla 2.5.
This proposal goes the other way around and wants to deal with J3 passwords in J2.5.
Personally I disagree with that. It's a wrong approach to try to support data from later releases in old versions. If you need to validate users against a different Joomla (or whatever) database, you should look into creating a custom authentication plugin.
Agree. As far as I can tell this is only to support users of jms multisites.
This is not really for Jms Multisites but for the Legacy extension for Joomla that allows several Joomla versions to work together (J1.5 with J2.5 & J3.x, but also J2.5 with J3.x).
In some cases, some popular extensions do not exist under J3.x, and people also want to upgrade to the latest version of Joomla.
In this case, they cannot do it, just because some extensions are not available in J3.x.
With the Legacy extension, it is possible to make several Joomla versions work together, but to be able to share the session and the user information, it is required to use the same authentication algorithm.
Our proposal is to make the J3.3 algorithm also available under J2.5 to allow the Legacy extension to work; this would avoid us distributing this patch inside the Legacy extension for Joomla.
Sorry but I really do not see why the core of joomla should support this.
Here is the test procedure.
In J3.3.6 - back-end:
Go to Extension Manager / Discover, find the template beez_20 and install it inside J3.3.6, to have a template that is common to J2.5 and J3.x.
Set beez_20 as the default template.
Copy /j336/configuration.php into the /j2527 root directory to share the same DB between the different Joomla versions.
Go to the J2.5.27 front-end and try to log in through the login module.
=> It should fail because the admin that you created with J3.3.6 has the algorithm for J3.x.
Remark: You will also see other SQL errors on the home page, but those are not related to the login.
Install Pull Requests:
#3688 => libraries/joomla/crypt/crypt.php
#3691 => libraries/joomla/user/helper.php
#3695 => copy /j336/libraries/compat into /j2525/libraries
Retry logging in to J2.5.27 and it works now.
So now you have 2 different Joomla versions able to log in to the same DB because the authentication algorithm is identical.
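The failure the test procedure above describes (and the check the PR description proposes), as an added example that is not part of this thread or of Joomla's code: a minimal pair of verify routines in PHP, assuming password_hash()/password_verify() are available (PHP 5.5+, or the compat library the PR mentions on PHP 5.3.10+); the sample rows and salt are constructed.

```php
<?php
// Added example (not Joomla's own code): shows why an account created in J3.3.6
// cannot log in to an unpatched J2.5.27 sharing the same DB, and what the PR's
// check changes. Assumes password_hash()/password_verify() exist (PHP 5.5+, or
// the libraries/compat library on PHP 5.3.10+ as the PR describes).

// Constant-time string compare (hash_equals() only exists from PHP 5.6).
function timingSafeEquals($a, $b)
{
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Joomla 2.5 format: "md5(password . salt):salt". A bcrypt hash written by J3.3
// contains no ':' separator, so this check can only ever reject it.
function verifyLegacy($password, $stored)
{
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2) {
        return false;
    }
    return timingSafeEquals($parts[0], md5($password . $parts[1]));
}

// Behaviour with the PR's check: a "$2y$" (bcrypt) hash goes to password_verify()
// when that function exists; anything else falls back to the J2.5 check.
function verifyWithCompat($password, $stored)
{
    if (strpos($stored, '$2y$') === 0 && function_exists('password_verify')) {
        return password_verify($password, $stored);
    }
    return verifyLegacy($password, $stored);
}

// Constructed sample rows: one admin created by J3.3.6, one user created by J2.5.27.
$j33Admin = password_hash('Secret123', PASSWORD_BCRYPT, array('cost' => 10));
$salt    = 'abc123';   // constructed salt; Joomla generates a random one
$j25User = md5('Secret123' . $salt) . ':' . $salt;

// Unpatched J2.5 check: the J3.3 admin is rejected, the J2.5 user is accepted.
var_dump(verifyLegacy('Secret123', $j33Admin), verifyLegacy('Secret123', $j25User));
// With the compat check both accounts authenticate against the shared DB.
var_dump(verifyWithCompat('Secret123', $j33Admin), verifyWithCompat('Secret123', $j25User));
```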
I understand what you're trying to do, but don't agree that this is something we should support.
It also opens the door for all sorts of requests and issues.
@Bakual, for your info, we don't try to do it.
We have already been doing that for several months, and this is the result of requests from our users, who are sometimes blocked in J2.5 because some extensions are not compatible with J3.x.
So the "Legacy for Joomla" extension exists and already includes such patches.
We just try to avoid patching the Joomla core and, at the same time, increase the security level as proposed by Joomla when people adopt the J3.3 version.
I did not understand it properly the first time, sorry. @Bakual and @brianteeman are right, this will not benefit people upgrading from Joomla 2.5 to Joomla 3 as I first thought.
It is typically a Joomla extension that may handle this, not the core, for the Legacy extension that you mentioned (it was in Joomla 1.5 for 1.0 sites as far as I remember).
@rvbgnu, the "Legacy for Joomla" extension that I am referencing is a different one from the plugin that was present in J1.5 to allow running J1.0 under J1.5.
The new "Legacy for Joomla" extension allows several Joomla versions to work together and is able to share some content, like the Joomla users, between different Joomla versions. So people can partially migrate a website when some extensions cannot be upgraded.
If you want to see the concept and how the new "Legacy for Joomla" extension is working, see the www.ajmool2win.com website.
It is still in French and contains the video of the first presentation that we did at the "Joomla Day Paris 2014" concerning the new Legacy extension.
The PowerPoint slide show is also available in English.
You can also find a slide that summarizes the principles of the Legacy extension in the presentation that we did at the JAB2014.
See page 8 in the slide show available at https://www.jms2win.com/en/documentation/j-and-beyond-2014
What about using a custom authentication plugin for your extension?
Imho that should be possible and would be a better solution.
@Bakual, your proposal is to fork the current Joomla authentication to clone it and implement the J3.3 security upgrade.
Our idea was to keep only one version of the code and not discard the Joomla one, to allow everybody to benefit from the new J3.3 user algorithm inside J2.5.
We didn't evaluate the impact of renaming the core classes or registering overrides to allow keeping the compatibility with 3rd-party extensions that may potentially derive some classes like JCrypt and JUserHelper.
In addition, once our Legacy extension is executed, there is almost no PHP code executed to make the Legacy extension work, except when making Joomla 1.5 work with J2.5 or J3.x due to the timezone data that is different (one is numeric and the other is alphanumeric).
Otherwise, the idea is that there is no PHP code required to make the Legacy extension work, and everything is managed inside MySQL, which is in charge of the processing.
The reason that we don't have any PHP code is the incompatibilities of the Joomla libraries and parameters, which are not necessarily compatible between different Joomla versions.
So we solved the legacy at MySQL level without modifying Joomla itself, except with J1.5, for which we created a fork that contains the security fixes and new password algorithm to be compatible with J2.5 and J3.x.
The point is, that change would only help users of your extension. It doesn't help all other users since Joomla 2.5 by itself will never generate those passwords.
If there is a solution which can be done on an extension level, I would prefer that over core modifications.
Especially in a place where we fucked up big time a year ago...
@Bakual As we mentioned, we already included those patches inside our Legacy extension.
So in our case, we are not blocked with that, as this is already available for our customers.
We have just proposed to allow the Joomla 2.5 users to also benefit from the J3.3 new algorithm based on JCrypt when this is possible.
If Joomla does it, this will allow us to remove the patch in our extension, as this is the only patch that we need to apply to make J2.5 work with J3.x.
The benefit for us is to have a Legacy extension that would not perform any patches in Joomla when doing the legacy between J2.5 and J3.x.
@jms2win I've looked at your website in French, no worries, I'm French (an immigrant in Ireland 8-)
I understand your point well now, and with my limited knowledge of the Joomla code (much less than Thomas), I do agree with him, and I don't want to introduce security problems in J2.5, especially for its last months!!
I'm sure that if you have your own authentication plugin, the only thing that the end user should do is to enable it and to disable the default Joomla plugin. You don't have to discard it.
Then you can use different helpers and extend other classes for your extensions.
@rvbgnu The objective is not to introduce a security problem in J2.5, or that would mean that the current J3.3 authentication is less secure than the J2.5 one.
This is the reverse.
In addition, the sources that must be modified are present in the core libraries of Joomla and not in the authentication plugins.
As already mentioned, our objective is not to clone the sources to improve the security, but to make everybody benefit from that.
In our Legacy extension, we have opted to patch the sources in the core library as presented in the pull request.
So, creating an extension to improve the authentication under J2.5 for the people who don't use our Legacy extension does not make sense for us if Joomla does not want to improve the security under J2.5.
Our customers already benefit from these patches under J2.5.
I asked in our PLT chat for feedback and got promptly reminded that we don't accept new features for J2.5 anyway.
Sorry that I forgot about that.
I'm closing this PR because we don't accept new features for this branch.
Thanks for the contribution even if it wasn't accepted!
Status: Pending ⇒ Closed
Closed_Date: 0000-00-00 00:00:00 ⇒ 2014-11-05 20:02:07
Related to #3691