2
Okay. I've got this working well and tested on my internal site. I tried to post instructions the other day and Protector locked me out. Thanks to Mamba for the rescue.
I can't seem to attach anything here so instead I've placed the instructions on Google Docs for now. You can get them at this link.
This is Alpha. Works on my 2.4.2 system. I've tested it from the perspective of a regular user and an admin. I have tried to break it but not found any problems so far. Your thoughts and suggestions welcomed.
I can't seem to attach anything here so instead I've placed the instructions on Google Docs for now. You can get them at this link.
This is Alpha. Works on my 2.4.2 system. I've tested it from the perspective of a regular user and an admin. I have tried to break it but not found any problems so far. Your thoughts and suggestions welcomed.
3
In that case my statement only applies to 2.4.x which does indeed use register.php for email activation. The following line is from XoopsMailer->send() in /class/xoopsmailer.php
Which file manages the activation in earlier versions of xoops? Any idea why it was changed?
$text = str_replace("{X_UACTLINK}", XOOPS_URL . "/register.php?op=actv&id=" . $user->getVar("uid") . "&actkey=" . $user->getVar('actkey'), $text); Which file manages the activation in earlier versions of xoops? Any idea why it was changed?
4
Quote:
But the activation request comes after the referrer check. A user clicking though from the registration email will have no referrer. I must be missing something obvious here :(
No it won't. The email activation makes a request of a different file to activate the account.
But the activation request comes after the referrer check. A user clicking though from the registration email will have no referrer. I must be missing something obvious here :(
5
Figured it out. It seems the insertUser method can't occur while there's a server GET request. Solution is to extend the member handler and do the database updates in there using _uHandler->insert.
I have no idea why this works but it does work
It appears this hack will work with a little more tinkering.
I have no idea why this works but it does work
It appears this hack will work with a little more tinkering.
6
Right! I'm not sure if this is relevant but it might mean something to a developer. The warnings are triggered by this instance of insertUser near the end of my code fragment.
Curiously, if I change the values for pending_email and pending_key to anything longer than an empty string I get a different warning.
Quote:
I should add that $member_handler->insertUser() returns true despite the database values not being updated. The warnings come from the inline debug
I'm stumped.
// always cancel the pending email if we get to here
$edituser->setVar('pending_email', '');
$edituser->setVar('pending_key', '');
if (! $member_handler->insertUser($edituser)) {
include $GLOBALS['xoops']->path('header.php');
echo $edituser->getHtmlErrors();
include $GLOBALS['xoops']->path('footer.php');
} else {
redirect_header('userinfo.php?uid=' . $uid, 1, _US_PROFUPDATED);
} Curiously, if I change the values for pending_email and pending_key to anything longer than an empty string I get a different warning.
Quote:
Warning: Database updates are not allowed during processing of a GET request in file /class/database/mysqldatabase.php line 400
I should add that $member_handler->insertUser() returns true despite the database values not being updated. The warnings come from the inline debug
I'm stumped.
7
Thanks in advance for your help ghia.
changeemail -> processpending -> actvemail -> cancelpending
changeemail
get data from user
check password
processpending
check user authority to make change
check data
if data wrong then back to changeemail
else store data and send confirmation email
actvemail
this step may be skipped
check confirmation link
update user record
cancelpending
clear pending request
Modified File List
./edituser.php
./userinfo.php
./kernel/user.php
./modules/system/templates/system_userinfo.html
./language/english/mail_template/changeemail.tpl
./language/english/user.php
./class/xoopsmailer.php
./sql/mysql.sql
File: ./edituser.php
Includes code for the change email form, processing the change, cancelling the change and activating the change.
File: ./userinfo.php
Assigns extra variables needed to put the change email button on the system_userinfo template.
File: ./kernel/user.php
xoopsUser class extended to include variables pending_email and pending_key, functions for their return and a function isEmailChangePending().
File: ./modules/system/templates/system_userinfo.html
Updated to include the change email button.
File: ./language/english/user.php
Added defines for the buttons and captions.
File: ./language/english/mail_template/changeemail.tpl
New mail template for email activation.
File: ./class/xoopsmailer.php
Added decode for pending link and pending email tags in template.
File: ./sql/mysql.sql
Adds two new fields to users table.
changeemail -> processpending -> actvemail -> cancelpending
changeemail
get data from user
check password
processpending
check user authority to make change
check data
if data wrong then back to changeemail
else store data and send confirmation email
actvemail
this step may be skipped
check confirmation link
update user record
cancelpending
clear pending request
Modified File List
./edituser.php
./userinfo.php
./kernel/user.php
./modules/system/templates/system_userinfo.html
./language/english/mail_template/changeemail.tpl
./language/english/user.php
./class/xoopsmailer.php
./sql/mysql.sql
File: ./edituser.php
Includes code for the change email form, processing the change, cancelling the change and activating the change.
File: ./userinfo.php
Assigns extra variables needed to put the change email button on the system_userinfo template.
File: ./kernel/user.php
xoopsUser class extended to include variables pending_email and pending_key, functions for their return and a function isEmailChangePending().
File: ./modules/system/templates/system_userinfo.html
Updated to include the change email button.
File: ./language/english/user.php
Added defines for the buttons and captions.
File: ./language/english/mail_template/changeemail.tpl
New mail template for email activation.
File: ./class/xoopsmailer.php
Added decode for pending link and pending email tags in template.
File: ./sql/mysql.sql
Adds two new fields to users table.
8
In response to this thread I've been working at extending the functionality of the system module to include confirmation emails with user initiated email changes. It's been pretty straightforward except that I've come up against an object handler or database concurrency issue that I simply can't get my head around.
The bulk of the hack is in edituser.php (extract below) and is modelled on the activation process in register.php. I'm up to testing the database interaction. I haven't tested the mailer. Setting up a pending email change works and is properly reflected in the users table. Cancelling and/or activating the change produces this error.
Quote:
I can't see for the code what is different in the method I've used to update the user record. Any help, advice or pointers to tutorials would be appreciated.
The bulk of the hack is in edituser.php (extract below) and is modelled on the activation process in register.php. I'm up to testing the database interaction. I haven't tested the mailer. Setting up a pending email change works and is properly reflected in the users table. Cancelling and/or activating the change produces this error.
Quote:
Warning: Insert failed in method 'cleanVars' of object 'XoopsUser' in file /class/model/write.php line 265
I can't see for the code what is different in the method I've used to update the user record. Any help, advice or pointers to tutorials would be appreciated.
// confirmed email change - Rob Stockley -----------------------------
if ($op == 'processpending'){
// get to here after form is submitted
if (!$GLOBALS['xoopsSecurity']->check()) {
redirect_header('index.php', 3, _US_NOEDITRIGHT . "
exit();
}
$uid = (!empty($_POST['uid'])) ? intval($_POST['uid']) : 0;
$pemail = (!empty($_POST['pending_email'])) ? $myts->stripSlashesGPC(trim($_POST['pending_email'])) : '';
$pwd_txt = (!empty($_POST['pwd_txt'])) ? $myts->stripSlashesGPC(trim($_POST['pwd_txt'])) : '';
// check sanity of user
if (empty($uid) || $xoopsUser->getVar('uid') != $uid) {
redirect_header('index.php', 3, _US_NOEDITRIGHT);
exit();
}
// check format of proposed email
if ($pemail == '' || ! checkEmail($pemail)) {
$errors[] = _US_INVALIDMAIL;
}
// check user password
if ($pwd_txt == '') {
$errors[] = _US_ENTERPWD;
} elseif (strcmp($xoopsUser->getVar('pass'), md5($pwd_txt)) != 0) {
$errors[] = _US_INVALIDPWD;
}
// if there were form errors display these and rerun the form.
if (count($errors) > 0) {
include $GLOBALS['xoops']->path('header.php');
echo '';
foreach ($errors as $er) {
echo '' . $er . '
}
echo '
$op = 'changeemail';
} else {
// no errors so update the user record
$pkey = substr(md5(uniqid(mt_rand(), 1)), 0, 8);
$member_handler =& xoops_gethandler('member');
$edituser =& $member_handler->getUser($uid);
$edituser->setVar('pending_email', $pemail);
$edituser->setVar('pending_key', $pkey);
if (! $member_handler->insertUser($edituser)) {
include $GLOBALS['xoops']->path('header.php');
echo $edituser->getHtmlErrors();
include $GLOBALS['xoops']->path('footer.php');
} else {
//invoke the mailer
$xoopsMailer =& xoops_getMailer();
$xoopsMailer->useMail();
$xoopsMailer->setTemplate('changeemail.tpl');
$xoopsMailer->assign('SITENAME', $xoopsConfig['sitename']);
$xoopsMailer->assign('ADMINMAIL', $xoopsConfig['adminmail']);
$xoopsMailer->assign('SITEURL', XOOPS_URL . "/");
$xoopsMailer->setToEmails(array($pemail));
$xoopsMailer->setFromEmail($xoopsConfig['adminmail']);
$xoopsMailer->setFromName($xoopsConfig['sitename']);
$xoopsMailer->setSubject(sprintf(_US_USERKEYFOR, $uname));
# if (! $xoopsMailer->send()) {
# echo _US_PMAILFAIL;
# } else {
# echo _US_PMAILSUCCESS;
# }
redirect_header('userinfo.php?uid=' . $uid, 1, _US_PROFUPDATED);
}
exit();
}
}
if ($op == 'changeemail'){
// get to here when change email button is clicked
include_once $GLOBALS['xoops']->path('header.php');
include_once $GLOBALS['xoops']->path('include/comment_constants.php');
include_once $GLOBALS['xoops']->path('include/xoopscodes.php');
$uid = $xoopsUser->getVar('uid');
echo '. $uid . '">' . _US_PROFILE . ' »» ' . _US_CHANGEEMAIL . '
$form = new XoopsThemeForm(_US_CHANGEEMAIL, 'userinfo', 'edituser.php', 'post', true);
$email = new XoopsFormLabel(_US_EMAIL, $xoopsUser->getVar('email'));
$form->addElement($email);
$pending_email = new XoopsFormText(_US_NEWEMAIL, 'pending_email', 30, 60, $xoopsUser->getVar('pending_email', 'E'));
$form->addElement($pending_email);
// inlcude password to avoid account hijacking
$pwd_text = new XoopsFormPassword(_US_PASSWORD, 'pwd_txt', 10, 32);
$form->addElement($pwd_text);
$form->addElement(new XoopsFormHidden('op', 'processpending'));
$form->addElement(new XoopsFormHidden('uid', $uid));
$form->addElement(new XoopsFormButton('', 'submit', _SUBMIT, 'submit'));
$form->display();
include $GLOBALS['xoops']->path('footer.php');
}
if ($op == 'actvemail' || $op == 'cancelpending'){
// get to here if cancel button clicked or through email link
$uid = (!empty($_GET['uid'])) ? intval($_GET['uid']) : 0;
$pkey = (!empty($_GET['pending_key'])) ? trim($_GET['pending_key']) : '';
$pemail = $xoopsUser->getVar('pending_email', 'E');
// user sanity check
if (empty($uid) || $xoopsUser->getVar('uid') != $uid) {
redirect_header('index.php', 3, _US_NOEDITRIGHT);
exit();
}
// get ready to update the user record
$member_handler =& xoops_gethandler('member');
$edituser =& $member_handler->getUser($uid);
if ($op == 'actvemail') {
// if we're being activated then check the key
if ($pkey == '' || strcmp($pkey, $xoopsUser->getVar('pending_key')) != 0) {
redirect_header('index.php', 3, _US_NOEDITRIGHT . "
exit();
}
// key was good copy pending email into primary email field
$edituser->setVar('email', $pemail);
}
// always cancel the pending email if we get to here
$edituser->setVar('pending_email', '');
$edituser->setVar('pending_key', '');
if (! $member_handler->insertUser($edituser)) {
include $GLOBALS['xoops']->path('header.php');
echo $edituser->getHtmlErrors();
include $GLOBALS['xoops']->path('footer.php');
} else {
redirect_header('userinfo.php?uid=' . $uid, 1, _US_PROFUPDATED);
}
exit();
}
// confirmed email change - Rob Stockley -----------------------------
9
This hack will break the self activation process for new users.
// pk block access without referer This hack will break the self activation process for new users.
10
Before you upgrade always, Always, ALWAYS BACKUP YOUR WEBSITE!
If your core XOOPS is 2.4.1 without any hacks applied then simply overwrite your current installation with the 2.4.1 to 2.4.2 patch. The patch only includes the few files that have changed or are new. If you have applied hacks then you'll need to search though the patch to identify any hacks that will be overwritten.
Good luck :)
If your core XOOPS is 2.4.1 without any hacks applied then simply overwrite your current installation with the 2.4.1 to 2.4.2 patch. The patch only includes the few files that have changed or are new. If you have applied hacks then you'll need to search though the patch to identify any hacks that will be overwritten.
Good luck :)
Login
Search
Recent Posts
Who's Online
Donat-O-Meter
| Stats | |
| Goal: | AU$15.00 |
| Due Date: | Jul 31 |
| Gross Amount: | AU$0.00 |
| Net Balance: | AU$0.00 |
| Left to go: | AU$15.00 |
 |
|