Unable to update user password via API?

Hey folks,

It appears that you can't update user passwords via the API (presumably because you can't "get" the password, and you can only update fields that are "gettable"). Quick question:

1) Is this true?

2) Any workarounds that don't involve sending the user to the Convio profile page (i.e., can you send someone to the change password page without them landing on the Convio profile after they modify their password)?

All input is welcome.

Comments

  • I'll let others address 1) and other workarounds, but if you have to send people to the change password page, you could presumably use the NEXTURL parameter to send them to another landing page besides the Convio profile page, right?

  • Sally Heaven:

    I'll let others address 1) and other workarounds, but if you have to send people to the change password page, you could presumably use the NEXTURL parameter to send them to another landing page besides the Convio profile page, right?

    Hey Sally,

    I did indeed presume that very thing. Turns out though, that the NEXTURL parameter doesn't work on the change password form unless I'm not using it correctly, which is a distinct possibility -- I'm using this:

    .convio.net/site/ConsProfileUser?op.dispConsPasswd=&NEXTURL=

    In all cases I am returned to the ConsProfileUser page when I submit the change password page.

  • TJGriffin :

    Hey Sally,

    I did indeed presume that very thing. Turns out though, that the NEXTURL parameter doesn't work on the change password form unless I'm not using it correctly, which is a distinct possibility -- I'm using this:

    .convio.net/site/ConsProfileUser?op.dispConsPasswd=&NEXTURL=

    In all cases I am returned to the ConsProfileUser page when I submit the change password page.

    Hm, I think that the syntax is ?NEXTURL= instead of &NEXTURL=, but I just tested it and was also returned to the ConsProfile page instead of the NEXTURL that I specified.

    I'll have to defer to someone who knows more than I, sorry!

  • Sally Heaven:

    Hm, I think that the syntax is ?NEXTURL= instead of &NEXTURL=, but I just tested it and was also returned to the ConsProfile page instead of the NEXTURL that I specified.

    I'll have to defer to someone who knows more than I, sorry!

    Hey Sally,

    Thanks for checking into it... I'll ping you if there are other solutions!

  • Updating the password is specifically disallowed by the API for security reasons. It was determined that to set a new password value the existing password should also be required, just like when changing it on a web page. To do that, a new API method should be created instead of using the 'update' method. This new API method hasn't been added, yet.

  • TJ, did you ever get this figured out? I'm a little confused about where the thread was left... and the last comment from Jeff. Users do have to enter in their old passwords... but I don't know much about the API so it's probably just that I don't understand.

    We, too, are trying to avoid the user profile page, particularly because Convio does not allow us to change it.

    We're using this page to have constituents create their profile: http://www.2harvest.org/site/PageServer?pagename=myprofile

    But in order to give them the option to change their password, the link will send them to the user profile page by Convio - when I want to send them to a page I dictate.

    Any help/further clarification would be great!

  • One more thing: I figured out one workaround. If you're an advanced admin, you should be able to access Customize Standard Pages > Customize Constituent Profile Page (User Update) under "Setup."

    If you put a redirect link in the "Customize Page Header" section, you can send them to whatever page you want... whenever they land on the user profile page. So for us to redirect back to our homepage, I entered <meta http-equiv="REFRESH" content="0;url=http://www.2harvest.org"></HEAD>

  • My workaround for this, which may be a bit much for some, is to:

    1. never log people in via Convio

    2. ignore what's in the password field in the constituent record,

    3. and authenticate people via my own site and database,

    4. and then allow access to member-only pages on Convio after logging them in with the SSO (Single Sign-On) API.

    Prior to this, I had a member database and login system already set up. I understand the security reasons, but hey, if you're going to have an API to access constituent information and control their accounts, then you'll have to "trust" the programmers with access to the most important parts of a user/password login scheme.

    Perhaps Convio could allow only the password hash to be set, eliminating the cleartext password being sent through the API.

  • Hi all,

    There is a new method, which will be documented fully as early as next week that will allow this to happen. Stay tuned.

  • conviojames :

    Hi all,

    There is a new method, which will be documented fully as early as next week that will allow this to happen. Stay tuned.

    Hey James,

    Did this document ever get produced?

  • So... looks to me like NEXTURL sort of does work, but in a really cracked way. First, you have to be logged in to get to the change password form in the first place. Here's the process I went through:

    1. Logged in

    2. Went to my User Profile

    3. Clicked Change Password

    4. Inserted &NEXTURL=http://www.google.com/ into the URL string and hit enter

    5. "changed" my password using the same password in current, new and confirm fields and the same hint I already had... and hit Save.

    6. I was dropped back on the user profile page in read-only mode and there was a Done button at the bottom

    7. When I click Done................. I went to www.google.com.

    crazy.

    Either way, since you have to already be logged in to update your password, that right there is probably enough to make password updates via some sort of remote method (either Convio API or just some sort of form scrape n' post) hard if not impossible. The only way around that I can think of might be to create a Registered User-Only PageBuilder page to host the web app... but that isn't always possible.



    Doesn't look like the Open site has any mention of a new method, is there any ETA on this? I'd be very interested in seeing this as well.

  • TJGriffin :

    Hey James,

    Did this document ever get produced?

    We've developed a new system of documentation that generates docs from various inputs from developers and writers, which should help keep information up to date. I expect it to be ready to publish very soon, but I don't know of a committed date. My guess is that the focus on building this, which will replace the current documentation, is why the existing published docs haven't been updated recently. Here is some information about this API method that I copied from an internal draft of the new system:

    changePassword

    Used to change a user's password in the Convio constituent database.

    • Client Servlet: CRConsAPI
    • Server Servlet: SRConsAPI
    • HTTP Methods Supported: POST method only.
    • Requires Authentication: Yes.
    • Trusted IP Address Only: Server.

    Client API Syntax

    https://secure2.convio.net/organization/site/CRConsAPI?method=changePassword&api_key=value&v=value&old_password=value&user_password=value&retype_password=value&reminder_hint=value&sso_auth_token=value

    Server API Syntax

    https://secure2.convio.net/organization/site/SRConsAPI?method=changePassword&api_key=value&v=value&login_name=value&login_password=value&old_password=value&user_password=value&retype_password=value&reminder_hint=value

    Client API Parameters

    method

    Required. The name of this method. Must be "changePassword"

    api_key

    Required. An arbitrary value that must be passed when invoking the Convio Client and Server APIs. The value passed by the caller must match the value in the CONVIO_API_KEY site configuration parameter, which is unique for each Convio site.

    Type xsd:string.

    response_format

    Optional. Used to specify either XML or JSON formatting for the response.

    Type xsd:string.

    Default is xml.

    Options are:
    • xml
    • json

    v

    Required. API version to invoke. Must be "1.0".

    Type xsd:string.

    suppress_response_codes

    Optional. Specifies that all responses will be returned with an HTTP 200 OK status code - even errors. This parameter exists to accommodate Flash and JavaScript applications running in browsers that intercept all non-200 responses. If used, it's then the job of the client to determine error states by parsing the response body.

    Type xsd:boolean.

    Default is false.

    redirect

    Optional. Specifies a URL that the method should redirect to upon completion.

    Type xsd:anyURI.

    success_redirect

    Optional. Specifies a URL that the method should redirect to upon successful completion.

    Type xsd:anyURI.

    error_redirect

    Optional. Specifies a URL that the method should redirect to in the event of an error.

    Type xsd:anyURI.

    sign_redirects

    Optional. Specifies that redirect URLs should be signed with a timestamp and a hash of the query string arguments and a secret key.

    Type xsd:boolean.

    Default is false.

    old_password

    Required. The user's existing password.

    Type xsd:string.

    user_password

    Required. The new password.

    Type xsd:string.

    retype_password

    Required. The new password re-typed by the user to confirm.

    Type xsd:string.

    reminder_hint

    Required. Password hint entered by the user.

    Type xsd:string.

    sso_auth_token

    Required. This method must be called with a valid session authentication token returned by login, authenticateUser, getSingleSignOnToken, or by an embedded ] session tag in a Convio web page.


    Server API Parameters

    method

    Required. The name of this method. Must be "changePassword"

    api_key

    Required. An arbitrary value that must be passed when invoking the Convio Client and Server APIs. The value passed by the caller must match the value in the CONVIO_API_KEY site configuration parameter, which is unique for each Convio site.

    Type xsd:string.

    response_format

    Optional. Used to specify either XML or JSON formatting for the response.

    Type xsd:string.

    Default is xml.

    Options are:
    • xml
    • json

    v

    Required. API version to invoke. Must be "1.0".

    Type xsd:string.

    suppress_response_codes

    Optional. Specifies that all responses will be returned with an HTTP 200 OK status code - even errors. This parameter exists to accommodate Flash and JavaScript applications running in browsers that intercept all non-200 responses. If used, it's then the job of the client to determine error states by parsing the response body.

    Type xsd:boolean.

    Default is false.

    login_name

    Required. The user_name of the Convio administrative account that was created for API access. Note that this must be a special administrator account used just for API access.

    Type xsd:string.

    login_password

    Required. The password of the Convio administrative account that was created for API access. Note that this must be a special administrator account used just for API access.

    Type xsd:string.

    old_password

    Required. The user's existing password.

    Type xsd:string.

    user_password

    Required. The new password.

    Type xsd:string.

    retype_password

    Required. The new password re-typed by the user to confirm.

    Type xsd:string.

    reminder_hint

    Required. Password hint entered by the user.

    Type xsd:string.

    Response

    The HTTP status code of 200 usually indicates a successful invocation. If an error occurs during processing, HTTP status code 403 is usually returned, and the structure of the response is an errorResponse object. It contains two elements: a code element and a message element. The code element contains a number corresponding to the error conditions documented on the error code list page. The message element contains a text message that may provide further detail about the error. The response is formatted as XML by default, but the response_format input parameter can be used to specify either XML or JSON formatting.

    XML response

    <updateConsResponse xsi:schemaLocation="http://convio.com/crm/v1.0 http://service.convio.net/xmlschema/crm.public.v1.xsd" xmlns="http://convio.com/crm/v1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <cons_id>1000121</cons_id>
    <message>User updated.</message>
    </updateConsResponse>

    JSON response

    {"updateConsResponse":{"message":"User updated.","cons_id":"1000121"}}




  • JeffMills :

    We've developed a new system of documentation that generates docs from various inputs from developers and writers, which should help keep information up to date. I expect it to be ready to publish very soon, but I don't know of a committed date. My guess is that the focus on building this, which will replace the current documentation, is why the existing published docs haven't been updated recently. Here is some information about this API method that I copied from an internal draft of the new system:

    Some formatting got mangled during the copy and paste but I hope you can find the information you need until the new docs are published.
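
Added example, not part of the thread and not Convio's own code: a Python sketch of a Server API changePassword caller that sends every parameter in the POST form body (so no password lands in a URL or access log) and, because suppress_response_codes is set, decides success or failure from the response body alone. Assumptions: the servlet reads form-encoded body parameters, and a JSON error is wrapped as `{"errorResponse": {...}}`; the error values are constructed.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Success bodies as shown in the documentation draft above.
SAMPLE_JSON_OK = '{"updateConsResponse":{"message":"User updated.","cons_id":"1000121"}}'
SAMPLE_XML_OK = (
    '<updateConsResponse xmlns="http://convio.com/crm/v1.0">'
    "<cons_id>1000121</cons_id><message>User updated.</message>"
    "</updateConsResponse>"
)
# Constructed error body: the wrapper name and the code/message elements come
# from the draft; the JSON shape and the values are assumptions.
SAMPLE_JSON_ERR = '{"errorResponse":{"code":"0","message":"constructed sample error"}}'


class ChangePasswordError(Exception):
    def __init__(self, code, message):
        super().__init__(f"changePassword failed (code {code}): {message}")
        self.code, self.message = code, message


def build_form_body(api_key, login_name, login_password,
                    old_password, new_password, reminder_hint):
    """Encode the Server API parameters as a POST form body, so neither the
    user's passwords nor the API admin password appear in the request URL."""
    return urlencode({
        "method": "changePassword",
        "api_key": api_key,
        "v": "1.0",
        "response_format": "json",
        "suppress_response_codes": "true",  # errors arrive as 200; parse the body
        "login_name": login_name,
        "login_password": login_password,
        "old_password": old_password,
        "user_password": new_password,
        "retype_password": new_password,
        "reminder_hint": reminder_hint,
    })


def parse_response(body, response_format="json"):
    """Return the success fields, or raise ChangePasswordError. Decides from
    the body alone, never from the HTTP status code."""
    if response_format == "json":
        wrapper, fields = next(iter(json.loads(body).items()))
    else:
        root = ET.fromstring(body)
        wrapper = root.tag.split("}")[-1]  # drop the XML namespace
        fields = {child.tag.split("}")[-1]: child.text for child in root}
    if wrapper == "errorResponse":
        raise ChangePasswordError(fields.get("code"), fields.get("message"))
    if wrapper != "updateConsResponse":
        raise ValueError(f"unexpected response wrapper: {wrapper!r}")
    return {"cons_id": fields.get("cons_id"), "message": fields.get("message")}
```

The body from `build_form_body` is sent as `application/x-www-form-urlencoded` to the SRConsAPI URL over HTTPS, from a server whose IP address the Convio site trusts.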
