- Ratecomment is now secured
- Made create, verify, recover, and reset scripts
Родитель
7c9c2cffc7
Коммит
f520dd503c
|
@ -6,7 +6,7 @@
|
|||
* @subpackage docs
|
||||
*
|
||||
* Variables:
|
||||
* $_GET['id'] = Addon ID (integer)
|
||||
* $_GET['aid'] = Addon ID (integer)
|
||||
*/
|
||||
|
||||
startProcessing('addcomment.tpl', null, null);
|
||||
|
@ -14,14 +14,14 @@ require_once 'includes.php';
|
|||
|
||||
session_start();
|
||||
|
||||
if ((!array_key_exists('id', $_GET)) || !is_numeric($_GET['id'])) {
|
||||
if ((!array_key_exists('aid', $_GET)) || !is_numeric($_GET['aid'])) {
|
||||
triggerError('There was an error processing your request.');
|
||||
}
|
||||
|
||||
//This is a secure page, so we'll check the session
|
||||
if (!$_auth->validSession()) {
|
||||
//id is already verified to be numeric from above
|
||||
header('Location: '.WEB_PATH."/login.php?dest=comment&id={$_GET['id']}");
|
||||
header('Location: '.WEB_PATH."/login.php?dest=comment&aid={$_GET['aid']}");
|
||||
exit;
|
||||
}
|
||||
|
||||
|
@ -29,7 +29,7 @@ if (!$_auth->validSession()) {
|
|||
$_errors = array();
|
||||
|
||||
// This will be used in queries and the template
|
||||
$addon = new AddOn($_GET['id']);
|
||||
$addon = new AddOn($_GET['aid']);
|
||||
|
||||
// If the comment is added successfully, this will toggle (used in the template)
|
||||
$added_comment = false;
|
||||
|
|
|
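Review bot: `aid` is accepted by `is_numeric()` and then interpolated verbatim into the login redirect and passed to `new AddOn($_GET['aid'])`; is_numeric also admits leading whitespace, signs, decimals and exponent notation (and hexadecimal strings on PHP releases of this era), so the value reaching AddOn is not guaranteed to be a plain integer id. Normalising once after the check, `$aid = intval($_GET['aid']);`, and using `$aid` in both the `header()` call and the constructor keeps the comment `//id is already verified to be numeric` honest and matches what ratecomment.php does with `intval()`. Whether AddOn quotes or casts its argument is not visible here.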
@ -0,0 +1,132 @@
|
|||
<?php
|
||||
/**
|
||||
* Create a new account
|
||||
*
|
||||
* @package amo
|
||||
* @subpackage docs
|
||||
*
|
||||
*/
|
||||
|
||||
startProcessing('createaccount.tpl', null, null, 'nonav');
|
||||
require_once 'includes.php';
|
||||
|
||||
// If there are problems, these will be set to true and used in the template. By
|
||||
// using null/booleans, error messages are kept in the template.
|
||||
$error_email_empty = null;
|
||||
$error_email_malformed = null;
|
||||
$error_emailconfirm_empty = null;
|
||||
$error_emailconfirm_nomatch = null;
|
||||
$error_email_duplicate = null;
|
||||
$error_name_empty = null;
|
||||
$error_password_empty = null;
|
||||
$error_passwordconfirm_empty = null;
|
||||
$error_passwordconfirm_nomatch = null;
|
||||
|
||||
$_bad_input = false; // think positive :)
|
||||
$account_created = false;
|
||||
|
||||
if (array_key_exists('submit', $_POST) && isset($_POST['submit'])) {
|
||||
/* Verify Input */
|
||||
// Check email - a little long and confusing. Basically, throw an error if
|
||||
// the following is not met (in order):
|
||||
// $email is set, $emailconfirm is set, $email=$emailconfirm, and $email is a valid address
|
||||
if (!array_key_exists('email', $_POST) || empty($_POST['email'])) {
|
||||
$error_email_empty = true;
|
||||
$_bad_input = true;
|
||||
} else {
|
||||
if (!array_key_exists('emailconfirm', $_POST) || empty($_POST['emailconfirm'])) {
|
||||
$error_emailconfirm_empty = true;
|
||||
$_bad_input = true;
|
||||
} else {
|
||||
// technically this would catch if emailconfirm was empty to, but
|
||||
// waiting until here could make php throw a warning.
|
||||
if ($_POST['email'] != $_POST['emailconfirm']) {
|
||||
$error_emailconfirm_nomatch = true;
|
||||
$_bad_input = true;
|
||||
}
|
||||
}
|
||||
// Regex from Gavin Sharp -- thanks Gavin.
|
||||
if (!preg_match('/^(([A-Za-z0-9]+_+)|([A-Za-z0-9]+\-+)|([A-Za-z0-9]+\.+)|([A-Za-z0-9]+\++))*[A-Za-z0-9]+@((\w+\-+)|(\w+\.))*\w{1,63}\.[a-zA-Z]{2,6}$/',$_POST['email'])) {
|
||||
$error_email_malformed = true;
|
||||
$_bad_input = true;
|
||||
}
|
||||
}
|
||||
// name is required
|
||||
if (!array_key_exists('name', $_POST) || empty($_POST['name'])) {
|
||||
$error_name_empty = true;
|
||||
$_bad_input = true;
|
||||
}
|
||||
// password is required and match
|
||||
if (!array_key_exists('password', $_POST) || empty($_POST['password'])) {
|
||||
$error_password_empty = true;
|
||||
$_bad_input = true;
|
||||
} else {
|
||||
if (!array_key_exists('passwordconfirm', $_POST) || empty($_POST['passwordconfirm'])) {
|
||||
$error_passwordconfirm_empty = true;
|
||||
$_bad_input = true;
|
||||
} else {
|
||||
if ($_POST['password'] != $_POST['passwordconfirm']) {
|
||||
$error_passwordconfirm_nomatch = true;
|
||||
$_bad_input = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
// This is a little out of order because we're trying to save a query. If we
|
||||
// haven't had any bad input yet, do one last check to make sure the email
|
||||
// address isn't already in use.
|
||||
if ($_bad_input === false) {
|
||||
$_user_test = user::getUserByEmail($_POST['email']);
|
||||
|
||||
if (is_object($_user_test)) {
|
||||
$_bad_input = true;
|
||||
$error_email_duplicate = true;
|
||||
}
|
||||
}
|
||||
|
||||
// We're happy with the input, make a new account
|
||||
if ($_bad_input === false) {
|
||||
$_user_info = array();
|
||||
$_user_info['email'] = $_POST['email'];
|
||||
$_user_info['name'] = $_POST['name'];
|
||||
$_user_info['website'] = $_POST['website'];
|
||||
$_user_info['password'] = $_POST['password'];
|
||||
$user_id = user::addUser($_user_info);
|
||||
if ($user_id === false) {
|
||||
triggerError('There was an error processing your request.');
|
||||
}
|
||||
$user = new User($user_id[0]);
|
||||
// we're emailing them their plain text password
|
||||
$user->sendConfirmation($_user_info['password']);
|
||||
$account_created = true;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// Pull values from POST to put back in the form
|
||||
$email_value = array_key_exists('email', $_POST) ? $_POST['email'] : '';
|
||||
$emailconfirm_value = array_key_exists('emailconfirm', $_POST) ? $_POST['emailconfirm'] : '';
|
||||
$name_value = array_key_exists('name', $_POST) ? $_POST['name'] : '';
|
||||
$website_value = array_key_exists('website', $_POST) ? $_POST['website'] : '';
|
||||
|
||||
// Assign template variables.
|
||||
$tpl->assign(
|
||||
array( 'title' => 'Create a Mozilla Addons Account',
|
||||
'currentTab' => null,
|
||||
'account_created' => $account_created,
|
||||
'bad_input' => $_bad_input,
|
||||
'error_email_empty' => $error_email_empty,
|
||||
'error_email_malformed' => $error_email_malformed,
|
||||
'error_emailconfirm_empty' => $error_emailconfirm_empty,
|
||||
'error_emailconfirm_nomatch' => $error_emailconfirm_nomatch,
|
||||
'error_email_duplicate' => $error_email_duplicate,
|
||||
'error_name_empty' => $error_name_empty,
|
||||
'error_password_empty' => $error_password_empty,
|
||||
'error_passwordconfirm_empty' => $error_passwordconfirm_empty,
|
||||
'error_passwordconfirm_nomatch' => $error_passwordconfirm_nomatch,
|
||||
'email_value' => $email_value,
|
||||
'emailconfirm_value' => $emailconfirm_value,
|
||||
'name_value' => $name_value,
|
||||
'website_value' => $website_value
|
||||
)
|
||||
);
|
||||
?>
|
|
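Review bot: The new account flow mails the user's plaintext password (`$user->sendConfirmation($_user_info['password'])`, with a comment acknowledging it); mail is commonly unencrypted in transit and kept indefinitely in mailboxes, so the confirmation message should carry only the confirmation code or link and the argument be dropped — `$user->sendConfirmation();` — if sendConfirmation's signature permits, which is not visible here. Separately, `$_user_info['website'] = $_POST['website'];` reads the only form field that is never guarded with `array_key_exists`, raising an undefined-index notice when it is omitted; `$_user_info['website'] = array_key_exists('website', $_POST) ? $_POST['website'] : '';` matches how `$website_value` is read further down. The e-mail and password pairs are compared with `!=`, under which numeric-looking strings such as `1e3` and `1000` are equal, so `!==` should be used for both confirmations. The result of `user::addUser()` is tested with `=== false` and then indexed as `$user_id[0]`; a one-line comment stating that addUser returns an array on success would save the next reader a lookup.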
@ -15,7 +15,9 @@ require_once 'includes.php';
|
|||
// authenticate, try again" message.
|
||||
$login_error = null;
|
||||
|
||||
$valid_destinations = array ('comment' => WEB_PATH.'/addcomment.php');
|
||||
$valid_destinations = array ( 'default' => WEB_PATH.'/index.php',
|
||||
'rate' => WEB_PATH.'/ratecomment.php',
|
||||
'comment' => WEB_PATH.'/addcomment.php');
|
||||
|
||||
if (!empty($_POST['username']) && !empty($_POST['password'])) {
|
||||
if ($_auth->authenticate($_POST['username'], $_POST['password'])) {
|
||||
|
@ -25,17 +27,25 @@ if (!empty($_POST['username']) && !empty($_POST['password'])) {
|
|||
if (array_key_exists('dest', $_GET) && array_key_exists($_GET['dest'], $valid_destinations)) {
|
||||
$_next_page = $valid_destinations[$_GET['dest']];
|
||||
} else {
|
||||
triggerError('There was an error processing your request.');
|
||||
$_next_page = $valid_destinations['default'];
|
||||
}
|
||||
|
||||
/* Right now $_GET['id'] is needed for all pages, but potentially you could
|
||||
/* Right now $_GET['aid'] is needed for all pages, but potentially you could
|
||||
* login and not need it, so this should handle all cases. */
|
||||
if (array_key_exists('id', $_GET) && is_numeric($_GET['id'])) {
|
||||
$_addon = "?id={$_GET['id']}";
|
||||
if (array_key_exists('aid', $_GET) && is_numeric($_GET['aid'])) {
|
||||
$_addon = "?aid={$_GET['aid']}";
|
||||
} else {
|
||||
$_addon = '';
|
||||
}
|
||||
|
||||
// For ratecomment.php
|
||||
if (array_key_exists('cid', $_GET)) {
|
||||
$_addon .= '&cid='.urlencode($_GET['cid']);
|
||||
}
|
||||
if (array_key_exists('r', $_GET)) {
|
||||
$_addon .= '&r='.urlencode($_GET['r']);
|
||||
}
|
||||
|
||||
header("Location: {$_next_page}{$_addon}");
|
||||
exit;
|
||||
|
||||
|
|
|
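Review bot: When `aid` is absent but `cid` or `r` is present, `$_addon` starts with `&` rather than `?`, so the redirect target becomes `ratecomment.php&cid=…` and the forwarded parameters are lost. Building the query string from an array and prefixing `?` only when it is non-empty fixes every combination; the rewrite below also casts `aid` with `intval()` so the value forwarded is a plain integer rather than whatever `is_numeric()` accepted. The `triggerError(...)` followed by `$_next_page = $valid_destinations['default'];` in the else branch is ambiguous: if triggerError exits, as the other scripts in this commit assume, the fallback is dead code, and if it does not, the redirect still fires after an error. The enclosing `if ($_auth->authenticate(...))` block begins above this hunk.
```php
$_params = array();
if (array_key_exists('aid', $_GET) && is_numeric($_GET['aid'])) {
    $_params['aid'] = intval($_GET['aid']);
}
// For ratecomment.php
if (array_key_exists('cid', $_GET)) {
    $_params['cid'] = $_GET['cid'];
}
if (array_key_exists('r', $_GET)) {
    $_params['r'] = $_GET['r'];
}
$_addon = (count($_params) > 0) ? '?'.http_build_query($_params) : '';
// … unchanged: header("Location: {$_next_page}{$_addon}"); exit; …
```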
@ -9,11 +9,23 @@
|
|||
startProcessing('ratecomment.tpl', null, null);
|
||||
require_once 'includes.php';
|
||||
|
||||
session_start();
|
||||
|
||||
// If some of the inputs don't exist, throw an error and exit
|
||||
if (empty($_GET['aid']) || empty($_GET['cid']) || empty($_GET['r'])) {
|
||||
triggerError('Missing required parameter(s). Script cannot continue.');
|
||||
}
|
||||
|
||||
//This is a secure page, so we'll check the session
|
||||
if (!$_auth->validSession()) {
|
||||
//id is already verified to be numeric from above
|
||||
$_aid = urlencode($_GET['aid']);
|
||||
$_cid = urlencode($_GET['cid']);
|
||||
$_r = urlencode($_GET['r']);
|
||||
header('Location: '.WEB_PATH."/login.php?dest=rate&aid={$_aid}&cid={$_cid}&r={$_r}");
|
||||
exit;
|
||||
}
|
||||
|
||||
// Get our addon ID.
|
||||
if (isset($_GET['aid'])) {
|
||||
$clean['aid'] = intval($_GET['aid']);
|
||||
|
|
|
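Review bot: The comment `//id is already verified to be numeric from above` is no longer true in this hunk: the guard above only tests `empty()` on `aid`, `cid` and `r`, and `intval()` is applied only later, so the redirect forwards unvalidated strings (urlencoded, which is correct for the URL). Replace it with `// Presence was checked above; values are only urlencoded here and cast/validated after login`. Note also that `empty($_GET['r'])` is true for the string `"0"`, so a rating of 0, if that is a valid value, is rejected as missing; `!isset($_GET['r']) || $_GET['r'] === ''` avoids that. The `isset($_GET['aid'])` test at the end is redundant after the empty() guard, and its `if` block closes beyond this hunk.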
@ -0,0 +1,38 @@
|
|||
<?php
|
||||
/**
|
||||
* Page to recover passwords for existing accounts
|
||||
*
|
||||
* @package amo
|
||||
* @subpackage docs
|
||||
*
|
||||
*/
|
||||
|
||||
startProcessing('recoverpassword.tpl', null, null, 'nonav');
|
||||
require_once 'includes.php';
|
||||
|
||||
$bad_input = false;
|
||||
$success = false;
|
||||
if (array_key_exists('email', $_POST) && !empty($_POST['email'])) {
|
||||
$user = user::getUserByEmail($_POST['email']);
|
||||
if ($user === false) {
|
||||
// bad email address
|
||||
$bad_input = true;
|
||||
} else {
|
||||
$user->generateConfirmationCode();
|
||||
$user->sendPasswordRecoveryEmail();
|
||||
$success = true;
|
||||
}
|
||||
}
|
||||
|
||||
$email_value = array_key_exists('email', $_POST) ? $_POST['email'] : '';
|
||||
|
||||
// Assign template variables.
|
||||
$tpl->assign(
|
||||
array( 'title' => 'Firefox Add-ons Password Recovery',
|
||||
'currentTab' => null,
|
||||
'email' => $email_value,
|
||||
'bad_input' => $bad_input,
|
||||
'success' => $success
|
||||
)
|
||||
);
|
||||
?>
|
|
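Review bot: The recovery page reveals whether an e-mail address has an account: `$bad_input` is set only when `getUserByEmail()` returns false and is handed to the template, so the response differs for registered and unregistered addresses and can be used to enumerate accounts. Report the same outcome either way and send mail only when a user exists, e.g. `if ($user !== false) { $user->generateConfirmationCode(); $user->sendPasswordRecoveryEmail(); }` followed by `$success = true;`, keeping `bad_input` only for an empty submission. Here the lookup result is tested with `=== false`, while createaccount.php tests the same call with `is_object()`; the new scripts should agree on one convention for that return value.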
@ -0,0 +1,55 @@
|
|||
<?php
|
||||
/**
|
||||
* Page to reset passwords for existing accounts
|
||||
*
|
||||
* @package amo
|
||||
* @subpackage docs
|
||||
*
|
||||
*/
|
||||
|
||||
startProcessing('resetpassword.tpl', null, null, 'nonav');
|
||||
require_once 'includes.php';
|
||||
|
||||
if (! (array_key_exists('email', $_GET) && array_key_exists('code', $_GET)) ) {
|
||||
triggerError('There was an error processing your request.');
|
||||
}
|
||||
|
||||
$user = user::getUserByEmail($_GET['email']);
|
||||
|
||||
if ($user === false) {
|
||||
// bad email address
|
||||
triggerError('There was an error processing your request.');
|
||||
}
|
||||
|
||||
$authorized = $user->checkResetPasswordCode($_GET['email'], $_GET['code']);
|
||||
|
||||
if ($authorized === false) {
|
||||
// bad code
|
||||
triggerError('There was an error processing your request.');
|
||||
}
|
||||
|
||||
$bad_input = false;
|
||||
$success = false;
|
||||
if (array_key_exists('password', $_POST)
|
||||
&& array_key_exists('passwordconfirm', $_POST)
|
||||
&& !empty($_POST['password'])) {
|
||||
|
||||
if ($_POST['password'] != $_POST['passwordconfirm']) {
|
||||
$bad_input = true;
|
||||
}
|
||||
|
||||
if ($bad_input === false) {
|
||||
$user->setPassword($_POST['password']);
|
||||
$success = true;
|
||||
}
|
||||
}
|
||||
|
||||
// Assign template variables.
|
||||
$tpl->assign(
|
||||
array( 'title' => 'Firefox Add-ons Password Recovery',
|
||||
'currentTab' => null,
|
||||
'bad_input' => $bad_input,
|
||||
'success' => $success
|
||||
)
|
||||
);
|
||||
?>
|
|
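Review bot: Nothing in this script invalidates the reset code after `$user->setPassword($_POST['password'])` succeeds, so unless setPassword() clears it (not visible here) the same `email`/`code` link stays usable until whatever expiry applies. Calling `$user->generateConfirmationCode();` right after `setPassword()`, as recoverpassword.php does to mint a code, would retire the used one, assuming checkResetPasswordCode() compares against the stored code. The password pair is compared with `!=`, under which numeric-looking strings such as `1e3` and `1000` are equal; use `!==`. The GET-side checks only test key presence, so an empty `code` reaches checkResetPasswordCode(); confirm that method rejects empty input rather than matching an account whose stored code is unset.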
@ -0,0 +1,35 @@
|
|||
<?php
|
||||
/**
|
||||
* Verify a newly created account
|
||||
*
|
||||
* @package amo
|
||||
* @subpackage docs
|
||||
*
|
||||
*/
|
||||
|
||||
startProcessing('verifyaccount.tpl', null, null, 'nonav');
|
||||
require_once 'includes.php';
|
||||
|
||||
if (! (array_key_exists('email', $_GET) && array_key_exists('confirmationcode', $_GET)) ) {
|
||||
triggerError('There was an error processing your request.');
|
||||
}
|
||||
|
||||
$user = user::getUserByEmail($_GET['email']);
|
||||
|
||||
// Most likely not a valid email
|
||||
if ($user===false) {
|
||||
triggerError('There was an error processing your request.');
|
||||
}
|
||||
|
||||
$confirmed = $user->confirm($_GET['confirmationcode']);
|
||||
|
||||
|
||||
// Assign template variables.
|
||||
$tpl->assign(
|
||||
array( 'title' => 'Verify your Mozilla Addons Account',
|
||||
'currentTab' => null,
|
||||
'email' => $_GET['email'],
|
||||
'confirmed' => $confirmed
|
||||
)
|
||||
);
|
||||
?>
|
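Review bot: `'email' => $_GET['email']` reflects the raw query parameter into the template; unless the template escapes it on output (not visible here), a crafted value in the verification link is rendered as HTML. Escape at the assignment, `'email' => htmlspecialchars($_GET['email'], ENT_QUOTES, 'UTF-8'),` or, if the template engine auto-escapes, add a comment saying so. As in resetpassword.php, only key presence is checked, so an empty `confirmationcode` reaches `$user->confirm()`; confirm that method rejects an empty code rather than matching an account whose code is unset.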