|
60 | 60 |
|
61 | 61 | form_security_validate( 'account_update' ); |
62 | 62 |
|
63 | | -# If token is set, it's a password reset request from verify.php, and if |
64 | | -# not we need to reauthenticate the user |
65 | | -$t_verify_user_id = gpc_get( 'verify_user_id', false ); |
66 | | -$t_account_verification = $t_verify_user_id ? token_get_value( TOKEN_ACCOUNT_VERIFY, $t_verify_user_id ) : false; |
67 | | -if( !$t_account_verification ) { |
68 | | - auth_reauthenticate(); |
69 | | - $t_user_id = auth_get_current_user_id(); |
70 | | -} else { |
| 63 | +$t_verify_user_id = gpc_get_int( 'verify_user_id', 0 ); |
| 64 | +$t_account_verification = (bool)$t_verify_user_id; |
| 65 | +if( $t_account_verification ) { |
| 66 | + # Password reset request from verify.php - validate the confirmation hash |
| 67 | + $f_confirm_hash = gpc_get_string( 'confirm_hash' ); |
| 68 | + $t_token_confirm_hash = token_get_value( TOKEN_ACCOUNT_ACTIVATION, $t_verify_user_id ); |
| 69 | + if( $t_token_confirm_hash == null || $f_confirm_hash !== $t_token_confirm_hash ) { |
| 70 | + trigger_error( ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID, ERROR ); |
| 71 | + } |
| 72 | + |
| 73 | + # Make sure the token is not expired |
| 74 | + if( null === token_get_value( TOKEN_ACCOUNT_VERIFY, $t_verify_user_id ) ) { |
| 75 | + trigger_error( ERROR_SESSION_NOT_VALID, ERROR ); |
| 76 | + } |
| 77 | + |
71 | 78 | # set a temporary cookie so the login information is passed between pages. |
72 | 79 | auth_set_cookies( $t_verify_user_id ); |
73 | 80 | # fake login so the user can set their password |
74 | 81 | auth_attempt_script_login( user_get_username( $t_verify_user_id ) ); |
75 | 82 | $t_user_id = $t_verify_user_id; |
| 83 | +} else { |
| 84 | + # Normal account update - authenticate the user |
| 85 | + auth_reauthenticate(); |
| 86 | + $t_user_id = auth_get_current_user_id(); |
76 | 87 | } |
77 | 88 |
|
78 | 89 | auth_ensure_user_authenticated(); |
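Review bot: The confirmation-hash check on new line 69 compares the user-supplied `$f_confirm_hash` against the stored token with `!==`, which stops at the first differing byte, and tests the token with loose `== null`; a strict null check plus a constant-time comparison is the safer form: `if( $t_token_confirm_hash === null || !hash_equals( $t_token_confirm_hash, $f_confirm_hash ) ) {`. hash_equals() requires both operands to be strings, which the preceding null guard guarantees for the token value, and `gpc_get_string( 'confirm_hash' )` with no default presumably yields a string or raises an error when the parameter is absent — confirm that against the gpc helper so a missing parameter cannot reach the comparison as a non-string. hash_equals() was added in PHP 5.6, so it should be checked against the project's minimum supported PHP version before adoption.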
|