More security for email confirmation process ... a 15-character random
"secret" key is stored in the user record on account creation, sent via email and checked again during confirmation.
This commit is contained in:
parent
ceb7ea7550
commit
a789fb73f4
4 changed files with 25 additions and 5 deletions
|
@ -167,7 +167,7 @@ CREATE TABLE `user` (
|
|||
`lastlogin` int(10) unsigned NOT NULL default '0',
|
||||
`currentlogin` int(10) unsigned NOT NULL default '0',
|
||||
`lastIP` varchar(15) default NULL,
|
||||
`personality` varchar(5) default NULL,
|
||||
`secret` varchar(15) default NULL,
|
||||
`picture` tinyint(1) default NULL,
|
||||
`url` varchar(255) default NULL,
|
||||
`description` text,
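Review bot: The new `secret` column is looked up by value (confirm.php in this commit fetches the user with `get_user_info_from_db("secret", "$p")`), but nothing in this hunk indexes it, so every confirmation request appears to scan the whole `user` table. If the table's KEY list (outside this hunk) does not already cover it, adding `KEY `secret` (`secret`),` alongside the other indexes would keep the lookup cheap as the table grows. The column is nullable with no default value, which is fine for accounts created before this change as long as confirm.php rejects an empty key.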
|
||||
|
|
|
@ -2,9 +2,9 @@
|
|||
|
||||
require("../config.php");
|
||||
|
||||
if ( isset($x) && isset($s) ) { # x = user.id s = user.username
|
||||
if ( isset($p) && isset($s) ) { # p = user.secret s = user.username
|
||||
|
||||
$user = get_user_info_from_db("id", "$x");
|
||||
$user = get_user_info_from_db("secret", "$p");
|
||||
|
||||
if ($user) {
|
||||
if ($user->username == $s) {
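Review bot: An empty `$p` still passes the guard on the first changed line, because `isset()` is true for an empty string, so `get_user_info_from_db("secret", "$p")` runs with an empty key; after the upgrade step in this commit renames `personality` to `secret`, pre-existing rows carry whatever that column held, so depending on those values an empty or guessed short key plus a known username could match an existing account. Tightening the guard to `if ( isset($p) && isset($s) && strlen($p) == 15 ) {` rejects keys that cannot have come from `random_string(15)`. `$p` and `$s` are request-controlled and interpolated straight into the lookup; whether `get_user_info_from_db` escapes its value before building SQL is not visible here and should be confirmed. The username comparison would also be safer as `===`. The enclosing `if` blocks continue past the end of this hunk.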
|
||||
|
|
|
@ -13,6 +13,9 @@
|
|||
$user->password = md5($user->password);
|
||||
$user->confirmed = 0;
|
||||
$user->firstaccess = time();
|
||||
$user->secret = random_string(15);
|
||||
echo $user->secret;
|
||||
$db->debug = true;
|
||||
|
||||
if (! ($user->id = insert_record("user", $user)) ) {
|
||||
error("Could not add your record to the database!");
|
||||
|
@ -96,6 +99,20 @@ function validate_form($user, &$err) {
|
|||
}
|
||||
|
||||
|
||||
function random_string ($length=15) {
|
||||
$pool = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
|
||||
$pool .= "abcdefghijklmnopqrstuvwxyz";
|
||||
$pool .= "0123456789";
|
||||
$poollen = strlen($pool);
|
||||
mt_srand ((double) microtime() * 1000000);
|
||||
$string = "";
|
||||
for ($i = 0; $i < $length; $i++) {
|
||||
$string .= substr($pool, (mt_rand()%($poollen)), 1);
|
||||
}
|
||||
return $string;
|
||||
}
|
||||
|
||||
|
||||
function send_confirmation_email($user) {
|
||||
|
||||
global $CFG;
|
||||
|
@ -105,7 +122,7 @@ function send_confirmation_email($user) {
|
|||
|
||||
$data->firstname = $user->firstname;
|
||||
$data->sitename = $site->fullname;
|
||||
$data->link = "$CFG->wwwroot/login/confirm.php?x=$user->id&s=$user->username";
|
||||
$data->link = "$CFG->wwwroot/login/confirm.php?p=$user->secret&s=$user->username";
|
||||
$data->admin = "$from->firstname $from->lastname ($from->email)";
|
||||
|
||||
$message = get_string("emailconfirmation", "", $data);
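Review bot: `echo $user->secret;` on the third added line of the first hunk writes the confirmation key into the signup page response, so whoever submits the form obtains the key without ever receiving the email, and the new check in confirm.php no longer proves control of the address; `$db->debug = true;` on the following added line looks like the same debugging leftover and will print the queries (including the inserted record) to the browser. Both lines should be removed before this ships. Separately, `random_string` seeds with `mt_srand ((double) microtime() * 1000000);`, which yields at most about a million distinct seeds per second, so the 15-character key has roughly 20 bits of effective entropy for anyone who knows approximately when the account was created; seeding from a less predictable source, or drawing each character from one, would make the key as strong as its length suggests. The signup code before the first hunk and after the last is outside view.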
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
// If there's something it cannot do itself, it
|
||||
// will tell you what you need to do.
|
||||
|
||||
$version = 2002090900; // The current version is a date (YYYYMMDDXX) where
|
||||
$version = 2002091000; // The current version is a date (YYYYMMDDXX) where
|
||||
// XX is a number that increments during the day
|
||||
|
||||
$release = "1.0.4"; // For humans only, not used for the upgrade process
|
||||
|
@ -71,6 +71,9 @@ function upgrade_moodle($oldversion=0) {
|
|||
execute_sql(" ALTER TABLE `course` ADD `teachers` VARCHAR( 100 ) DEFAULT 'Teachers' NOT NULL AFTER `teacher` ");
|
||||
execute_sql(" ALTER TABLE `course` ADD `students` VARCHAR( 100 ) DEFAULT 'Students' NOT NULL AFTER `student` ");
|
||||
}
|
||||
if ($oldversion < 2002091000) {
|
||||
execute_sql(" ALTER TABLE `user` CHANGE `personality` `secret` VARCHAR( 15 ) DEFAULT NULL ");
|
||||
}
|
||||
|
||||
return true;
|
||||
}
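Review bot: The `CHANGE `personality` `secret`` statement in the new upgrade step keeps each existing row's old `personality` value as its `secret`, and confirm.php in this commit now treats that column as a confirmation credential. Unless those legacy values are known to be NULL, the upgrade should clear them right after the rename, e.g. `execute_sql(" UPDATE `user` SET `secret` = NULL ");`, so that no pre-existing value can be presented as a confirmation key. The first hunk is only the version bump.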
|
||||
|
|