Use unique identifier to authenticate profile changes

git-svn-id: https://ai-contest.googlecode.com/svn/trunk@612 9d0e4ec5-6d14-e29b-3149-cabf4038ef1e
aichallenge · Nov 27, 2010 · 816b26f · 816b26f
1 parent 15e5f5d
commit 816b26f
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 5 deletions.
diff --git a/planet_wars/www/profile.php b/planet_wars/www/profile.php
@@ -43,7 +43,9 @@
   o.org_id,
   o.name as org_name,
   c.country_id,
-  c.name as country_name
+  c.name as country_name,
+  u.email,
+  u.activation_code
 from
   users u
   left outer join organizations o on o.org_id = u.org_id
@@ -74,13 +76,18 @@
 }
 if (logged_in_with_valid_credentials() && current_user_id() == $user_id) {
     $logged_in = true;
+    $chk = mt_rand();
+    $update_key = sha1(
+        $chk . $userdata["activation_code"] . $userdata["email"]);
 } else {
     $logged_in = false;
 }
 if (!$userresult) {
   echo "<p>Invalid User ID</p>";
 } else {
-echo <<<EOT
+echo "    <h2>Profile for $username</h2>";
+if ($logged_in) {
+echo <<< EOT
     <script>
     function toggle_change_org() {
        if (document.getElementById('orgchange').style.display == 'none') {
@@ -101,10 +108,10 @@ function toggle_change_country() {
        }
     }
     </script>
-    <h2>Profile for $username</h2>
+    <form method="post" action="save_profile.php">
+        <input type="hidden" name="chk" value="$chk" />
+        <input type="hidden" name="update_key" value="$update_key" />
 EOT;
-if ($logged_in) {
-  echo '   <form method="post" action="save_profile.php">';
 }
 echo <<<EOT
     <p><strong>Country:</strong>&nbsp;

diff --git a/planet_wars/www/save_profile.php b/planet_wars/www/save_profile.php
@@ -27,8 +27,26 @@ function check_valid_country($id) {
 if (!logged_in_with_valid_credentials())
   die ("Nice try.. but the bad robot WILL get you");
 
+if (!array_key_exists('chk', $_POST)
+    || !array_key_exists('update_key', $_POST)) {
+  die("Check keys not found.");
+}
+
 $user_id = current_user_id();
 
+$query = "SELECT email, activation_code FROM users WHERE user_id=".$user_id;
+$result = mysql_query($query);
+if ($row = mysql_fetch_assoc($result)) {
+  $chk = $_POST['chk'];
+  $update_key = $_POST['update_key'];
+  $local_key = sha1($chk . $row['activation_code'] . $row['email']);
+  if ($local_key != $update_key) {
+    die("Bad update key found.");
+  }
+} else {
+  die("User data query failed.");
+}
+
 if (array_key_exists('user_country', $_POST)) {
   $country_id = $_POST['user_country'];
   if (!check_valid_country($country_id))