Only update user data if all fields are valid

On user account update, first verify all submitted fields, and only update the data if they are valid. Fixes #20817
mantisbt · May 14, 2016 · 777f5e8 · 777f5e8
1 parent ae8871c
commit 777f5e8
Showing 1 changed file with 19 additions and 19 deletions.
diff --git a/account_update.php b/account_update.php
@@ -84,9 +84,9 @@
 $t_redirect_url = 'index.php';
 
 # @todo Listing what fields were updated is not standard behaviour of MantisBT - it also complicates the code.
-$t_email_updated = false;
-$t_password_updated = false;
-$t_realname_updated = false;
+$t_update_email = null;
+$t_update_password = null;
+$t_update_realname = null;
 
 # Do not allow blank passwords in account verification/reset
 if( $t_account_verification && is_blank( $f_password ) ) {
@@ -101,8 +101,7 @@
 if( !( $t_ldap && config_get( 'use_ldap_email' ) )
 	&& !$t_account_verification ) {
 	if( $f_email != user_get_email( $t_user_id ) ) {
-		user_set_email( $t_user_id, $f_email );
-		$t_email_updated = true;
+		$t_update_email = $f_email;
 	}
 }
 
@@ -114,8 +113,7 @@
 		# checks for problems with realnames
 		$t_username = user_get_field( $t_user_id, 'username' );
 		user_ensure_realname_unique( $t_username, $t_realname );
-		user_set_realname( $t_user_id, $t_realname );
-		$t_realname_updated = true;
+		$t_update_realname = $t_realname;
 	}
 }
 
@@ -129,37 +127,39 @@
 		}
 
 		if( !auth_does_password_match( $t_user_id, $f_password ) ) {
-			user_set_password( $t_user_id, $f_password );
-			$t_password_updated = true;
+			$t_update_password = $f_password;
 		}
 	}
 }
 
-form_security_purge( 'account_update' );
-
-# Clear the verification token
-if( $t_account_verification ) {
-	token_delete( TOKEN_ACCOUNT_VERIFY, $t_user_id );
-}
-
 html_page_top( null, $t_redirect_url );
 
 $t_message = '';
 
-if( $t_email_updated ) {
+if( $t_update_email ) {
+	user_set_email( $t_user_id, $f_email );
 	$t_message .= lang_get( 'email_updated' );
 }
 
-if( $t_password_updated ) {
+if( $t_update_password ) {
+	user_set_password( $t_user_id, $f_password );
 	$t_message = is_blank( $t_message ) ? '' : $t_message . '<br />';
 	$t_message .= lang_get( 'password_updated' );
+
+	# Clear the verification token
+	if( $t_account_verification ) {
+		token_delete( TOKEN_ACCOUNT_VERIFY, $t_user_id );
+	}
 }
 
-if( $t_realname_updated ) {
+if( $t_update_realname ) {
+	user_set_realname( $t_user_id, $t_realname );
 	$t_message = is_blank( $t_message ) ? '' : $t_message . '<br />';
 	$t_message .= lang_get( 'realname_updated' );
 }
 
+form_security_purge( 'account_update' );
+
 html_operation_successful( $t_redirect_url, $t_message );
 
 html_page_bottom();