New Email Required Status for User Account Finished

Update for #757. - Conf require_user_email now works - Added emailtoconfirm column to store unverified email. This allows user to reverify same email address if email gets lost - Locked message added for someone who was logged in previous and comes back to site with a locked account - Fix for pwrequestid set to a string with the text "NULL" instead of actually NULL
Geeklog-Core · Dec 27, 2017 · 1745f2b · 1745f2b
1 parent 2f772df
commit 1745f2b
Show file tree

Hide file tree

Showing 9 changed files with 39 additions and 21 deletions.
diff --git a/public_html/admin/install/devel-db-update.php b/public_html/admin/install/devel-db-update.php
@@ -110,6 +110,10 @@ function update_DatabaseFor220()
 
     // Add column to confirm new email address
     $_SQL[] = "ALTER TABLE `{$_TABLES['users']}` ADD `emailconfirmid` VARCHAR(16) NULL DEFAULT NULL AFTER `pwrequestid`";
+    $_SQL[] = "ALTER TABLE `{$_TABLES['users']}` ADD `emailtoconfirm` VARCHAR(96) NULL DEFAULT NULL AFTER `emailconfirmid`";
+
+    // Fix for password request id getting set to a string with the word "NULL" instead of actually NULL
+    $_SQL[] = "UPDATE `{$_TABLES['users']}` SET pwrequestid = NULL WHERE pwrequestid = 'NULL'";    
 
     // Add theme admin
     $result = DB_query("SELECT * FROM {$_TABLES['groups']} WHERE grp_name='Theme Admin'");

diff --git a/public_html/docs/english/config.html b/public_html/docs/english/config.html
@@ -810,10 +810,11 @@ <h3><a name="users_users">Users and Submissions: Users</a></h3>
 <tr>
   <td valign="top"><a name="desc_require_user_email">require_user_email</a></td>
   <td valign="top">true</td>
-  <td valign="top">If set to true, users will be required to add an email address to their account and need to verify it 
+  <td valign="top">If set to true, users without email addresses will be required to add an email address to their account and need to verify it 
     before they can continue to use the website while logged in. This affects remote accounts as some 
     may not return an email address to Geeklog when the account is created due to permissions from the 
-    remote service.</td></tr>       
+    remote service. When this is set to true Geeklog will check for an email address when a user logs in. If there is not one, the user account 
+    status will be switched from "Active" to "New Email Required".</td></tr>       
 <tr>
   <td valign="top"><a name="desc_show_servicename">show_servicename</a></td>
   <td valign="top">true</td>

diff --git a/public_html/docs/japanese/config.html b/public_html/docs/japanese/config.html
@@ -747,10 +747,11 @@ <h3><a name="users_users">ユーザーと投稿: ユーザー</a></h3>
 <tr>
   <td valign="top"><a name="desc_require_user_email">require_user_email</a></td>
   <td valign="top">true</td>
-  <td valign="top">If set to true, users will be required to add an email address to their account and need to verify it 
+  <td valign="top">If set to true, users without email addresses will be required to add an email address to their account and need to verify it 
     before they can continue to use the website while logged in. This affects remote accounts as some 
     may not return an email address to Geeklog when the account is created due to permissions from the 
-    remote service.</td></tr>    
+    remote service. When this is set to true Geeklog will check for an email address when a user logs in. If there is not one, the user account 
+    status will be switched from "Active" to "New Email Required".</td></tr>   
 <tr>
   <td valign="top"><a name="desc_show_servicename">サービス名を表示する(show_servicename)</a></td>
   <td valign="top">はい</td>

diff --git a/public_html/users.php b/public_html/users.php
@@ -69,7 +69,7 @@ function USER_emailPassword($username, $msg = 0)
 
     $username = DB_escapeString($username);
     // don't retrieve any remote users!
-    $result = DB_query("SELECT uid,email,status FROM {$_TABLES['users']} WHERE username = '$username' AND ((remoteservice is null) OR (remoteservice = ''))");
+    $result = DB_query("SELECT uid,email,status FROM {$_TABLES['users']} WHERE username = '$username' AND ((remoteservice is NULL) OR (remoteservice = ''))");
     $nrows = DB_numRows($result);
     if ($nrows == 1) {
         $A = DB_fetchArray($result);
@@ -242,6 +242,7 @@ function USER_emailConfirmation($email)
             }
             $emailconfirmid = substr(md5(uniqid(rand(), 1)), 1, 16);
             DB_change($_TABLES['users'], 'emailconfirmid', "$emailconfirmid", 'uid', $uid);
+            DB_change($_TABLES['users'], 'emailtoconfirm', "$email", 'uid', $uid);
 
             $mailtext = sprintf($LANG04['email_msg_email_status_1'], $_USER['username']);
             $mailtext .= $_CONF['site_url'] . '/users.php?mode=newemailstatus&uid=' . $uid . '&ecid=' . $emailconfirmid . "\n\n";
@@ -263,8 +264,6 @@ function USER_emailConfirmation($email)
                 $redirect = $_CONF['site_url'] . "/users.php?mode=newemailstatus&msg=85";    
             }
 
-            // Update new email after so it doesn't affect com_mail status check
-            DB_change($_TABLES['users'], 'email', "$email", 'uid', $uid);
 
             // Email sent so to confirm new email address so now logoff and tell user go check inbox
             COM_redirect($redirect);            
@@ -1075,8 +1074,7 @@ function USER_tryTwoFactorAuth()
                     SEC_updateUserPassword(Geeklog\Input::post('passwd'), $uid);
 
                     DB_delete($_TABLES['sessions'], 'uid', $uid);
-                    DB_change($_TABLES['users'], 'pwrequestid', "NULL",
-                        'uid', $uid);
+                    DB_query("UPDATE {$_TABLES['users']} SET pwrequestid = NULL WHERE uid = $uid");
                     COM_redirect($_CONF['site_url'] . '/users.php?msg=53');
                 } else { // request invalid or expired
                     $display .= COM_showMessage(54);
@@ -1155,11 +1153,14 @@ function USER_tryTwoFactorAuth()
         if (!empty($uid) && ($uid > 0) && !empty($ecid) && (strlen($ecid) === 16)) {
             $valid = DB_count($_TABLES['users'], array('uid', 'emailconfirmid'), array($uid, $ecid));
             if ($valid == 1) {
-                //SEC_updateUserPassword(Geeklog\Input::post('passwd'), $uid);
+                $confirmed_email = DB_getItem($_TABLES['users'], 'emailtoconfirm', "uid = $uid");
 
                 DB_delete($_TABLES['sessions'], 'uid', $uid);
-                DB_change($_TABLES['users'], 'emailconfirmid', "NULL", 'uid', $uid);
+
+                DB_change($_TABLES['users'], 'email', $confirmed_email, 'uid', $uid);
                 DB_change($_TABLES['users'], 'status', USER_ACCOUNT_ACTIVE, 'uid', $uid);
+
+                DB_query("UPDATE {$_TABLES['users']} SET emailconfirmid = NULL, emailtoconfirm = NULL WHERE uid = $uid");
 
                 COM_redirect($_CONF['site_url'] . '/users.php?msg=503');    
             }
@@ -1357,8 +1358,7 @@ function USER_tryTwoFactorAuth()
                 USER_resendRequest(); // won't come back
             }
 
-            DB_change($_TABLES['users'], 'pwrequestid', "NULL", 'uid', $uid);
-            //DB_change($_TABLES['users'], 'emailconfirmid', "NULL", 'uid', $uid);
+            DB_query("UPDATE {$_TABLES['users']} SET pwrequestid = NULL WHERE uid = $uid");
             $_USER = SESS_getUserDataFromId($uid);
 
             if (isset($_CONF['enable_twofactorauth']) && $_CONF['enable_twofactorauth'] &&

diff --git a/sql/mysql_tableanddata.php b/sql/mysql_tableanddata.php
@@ -494,6 +494,7 @@
   language varchar(64) default NULL,
   pwrequestid varchar(16) default NULL,
   emailconfirmid varchar(16) default NULL,
+  emailtoconfirm varchar(96) default NULL,
   status smallint(5) unsigned NOT NULL default '1',
   num_reminders tinyint(1) NOT NULL default 0,
   invalidlogins SMALLINT NOT NULL DEFAULT '0', 

diff --git a/sql/pgsql_tableanddata.php b/sql/pgsql_tableanddata.php
@@ -493,6 +493,7 @@
   language varchar(64) default NULL,
   pwrequestid varchar(16) default NULL,
   emailconfirmid varchar(16) default NULL,
+  emailtoconfirm varchar(96) default NULL,
   status smallint NOT NULL default '1',
   num_reminders smallint NOT NULL default 0,
   invalidlogins SMALLINT NOT NULL DEFAULT '0', 

diff --git a/sql/updates/mysql_2.1.3_to_2.2.0.php b/sql/updates/mysql_2.1.3_to_2.2.0.php
@@ -41,6 +41,10 @@
 
 // Add column to confirm new email address
 $_SQL[] = "ALTER TABLE `{$_TABLES['users']}` ADD `emailconfirmid` VARCHAR(16) NULL DEFAULT NULL AFTER `pwrequestid`";
+$_SQL[] = "ALTER TABLE `{$_TABLES['users']}` ADD `emailtoconfirm` VARCHAR(96) NULL DEFAULT NULL AFTER `emailconfirmid`";
+
+// Fix for password request id getting set to a string with the word "NULL" instead of actually NULL
+$_SQL[] = "UPDATE `{$_TABLES['users']}` SET pwrequestid = NULL WHERE pwrequestid = 'NULL'";
 
 /**
  * Upgrade Messages

diff --git a/sql/updates/pgsql_2.1.3_to_2.2.0.php b/sql/updates/pgsql_2.1.3_to_2.2.0.php
@@ -41,6 +41,10 @@
 
 // Add column to confirm new email address
 $_SQL[] = "ALTER TABLE `{$_TABLES['users']}` ADD `emailconfirmid` VARCHAR(16) NULL DEFAULT NULL AFTER `pwrequestid`";
+$_SQL[] = "ALTER TABLE `{$_TABLES['users']}` ADD `emailtoconfirm` VARCHAR(96) NULL DEFAULT NULL AFTER `emailconfirmid`";
+
+// Fix for password request id getting set to a string with the word "NULL" instead of actually NULL
+$_SQL[] = "UPDATE `{$_TABLES['users']}` SET pwrequestid = NULL WHERE pwrequestid = 'NULL'";
 
 /**
  * Upgrade Messages

diff --git a/system/lib-sessions.php b/system/lib-sessions.php
@@ -214,20 +214,22 @@ function SESS_sessionCheck()
 
     // Check to see if user status is set to something we have to redirect the user too
     if ($_USER['uid'] > 1) {
-        // Check if user has email account and if required
-        if ($_CONF['require_user_email'] && empty($_USER['email'])) {
-            $needEmail = true;
-        } else {
-            $needEmail = false;
+        // Check if active user has email account and if required
+        // Doesn't matter if remote account or not
+        if ($_CONF['require_user_email'] && empty($_USER['email']) && $_USER['status'] == USER_ACCOUNT_ACTIVE) {
+            $_USER['status'] = USER_ACCOUNT_NEW_EMAIL;
+            DB_change($_TABLES['users'], 'status', USER_ACCOUNT_NEW_EMAIL, 'uid', $_USER['uid']);
         }
 
         if ($_USER['status'] == USER_ACCOUNT_LOCKED) {
             // Account is locked so user shouldn't be logged in
-            COM_redirect($_CONF['site_url'] . '/users.php?mode=logout');  
-        } elseif ($needEmail || $_USER['status']  == USER_ACCOUNT_NEW_EMAIL || $_USER['status'] == USER_ACCOUNT_NEW_PASSWORD) {
+            if ($_SERVER['PHP_SELF'] != '/users.php') {
+                COM_redirect($_CONF['site_url'] . '/users.php?mode=logout&msg=17');  
+            }
+        } elseif ($_USER['status']  == USER_ACCOUNT_NEW_EMAIL || $_USER['status'] == USER_ACCOUNT_NEW_PASSWORD) {
             // Account requires additional info so get it
             if ($_SERVER['PHP_SELF'] != '/users.php') {
-                if ($needEmail || $_USER['status']  == USER_ACCOUNT_NEW_EMAIL) {
+                if ($_USER['status']  == USER_ACCOUNT_NEW_EMAIL) {
                     COM_redirect($_CONF['site_url'] . '/users.php?mode=newemailstatus');
                 } elseif ($status == USER_ACCOUNT_NEW_PASSWORD) {
                     COM_redirect($_CONF['site_url'] . '/users.php?mode=newpwdstatus');