MDL-82379 core_user: Move email change token to user private access key

Huong Nguyen 2024-12-05 10:26:00 +07:00 committed by Jun Pataleta
parent 488da643c6
commit bef45583cc
GPG key ID: F83510526D99E2C7
4 changed files with 18 additions and 6 deletions


@ -38,7 +38,7 @@ $string['auth_changepasswordhelp'] = 'Change password help';
$string['auth_changepasswordhelp_expl'] = 'Display lost password help to users who have lost their {$a} password. This will be displayed either as well as or instead of the <strong>Change Password URL</strong> or Internal Moodle password change.';
$string['auth_changepasswordurl'] = 'Change password URL';
$string['auth_changepasswordurl_expl'] = 'Specify the url to send users who have lost their {$a} password. Set <strong>Use standard Change Password page</strong> to <strong>No</strong>.';
$string['auth_changingemailaddress'] = 'You have requested a change of email address, from {$a->oldemail} to {$a->newemail}. For security reasons, we are sending you an email message at the new address to confirm that it belongs to you. Your email address will be updated as soon as you open the URL sent to you in that message.';
$string['auth_changingemailaddress'] = 'You have requested a change of email address, from {$a->oldemail} to {$a->newemail}. For security reasons, we are sending you an email message at the new address to confirm that it belongs to you. Your email address will be updated as soon as you open the URL sent to you in that message. The confirmation link will expire in <b>10 minutes</b>';
$string['authinstructions'] = 'Leave this blank for the default login instructions to be displayed on the login page. If you want to provide custom login instructions, enter them here.';
$string['auth_invalidnewemailkey'] = 'Error: if you are trying to confirm a change of email address, you may have made a mistake in copying the URL we sent you by email. Please copy the address and try again.';
$string['auth_loginpasswordtoggle'] = 'Password visibility toggle';
@ -82,6 +82,7 @@ $string['emailupdatemessage'] = 'Hi {$a->firstname},
You have requested a change of your email address for your account on {$a->site}. To confirm this change, please go to the following web address:
{$a->url}
The confirmation link will expire in <b>10 minutes</b>.
{$a->supportemail}';
$string['emailupdatesuccess'] = 'Email address of user <em>{$a->fullname}</em> was successfully updated to <em>{$a->email}</em>.';
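Review bot: The new `auth_changingemailaddress` string ends without a full stop after `<b>10 minutes</b>`, while the matching sentence added to `emailupdatemessage` does have one; the two should agree, e.g. `... The confirmation link will expire in <b>10 minutes</b>.'`. Both strings also hard-code the lifetime that the form handler sets as a separate 600-second literal, so a later change to the expiry would have to be made in three places; passing the lifetime in via `{$a}` would keep the text and the code in step.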


@ -199,9 +199,11 @@ if ($userform->is_cancelled()) {
// Other users require a confirmation email.
if (isset($usernew->email) and $user->email != $usernew->email && !has_capability('moodle/user:update', $systemcontext)) {
$a = new stdClass();
$emailchangedkey = random_string(20);
// Set the key to expire in 10 minutes.
$validuntil = time() + 600;
$emailchangedkey = create_user_key('core_user/email_change', $user->id, null, null, $validuntil);
set_user_preference('newemail', $usernew->email, $user->id);
set_user_preference('newemailkey', $emailchangedkey, $user->id);
set_user_preference('newemailattemptsleft', 3, $user->id);
$a->newemail = $emailchanged = $usernew->email;
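Review bot: The raw key is still written to the `newemailkey` user preference (`set_user_preference('newemailkey', $emailchangedkey, $user->id);`, which appears to be an unchanged line here), even though the confirmation page in this commit no longer compares against that preference and validates through `validate_user_key` instead. That leaves a second plaintext copy of the secret in a table that nothing reads; I would drop that line and keep only the private access key as the source of truth (the `unset_user_preference('newemailkey', ...)` in `cancel_email_update` can stay to clean up rows written before this change). The `600` literal duplicates the "10 minutes" baked into the lang strings; `$validuntil = time() + 10 * MINSECS;` reads clearer, and a single named value would keep code and text aligned. The enclosing `if` block continues past the end of this hunk.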


@ -31,8 +31,8 @@ require_once($CFG->dirroot . '/user/lib.php');
*/
function cancel_email_update($userid) {
unset_user_preference('newemail', $userid);
unset_user_preference('newemailkey', $userid);
unset_user_preference('newemailattemptsleft', $userid);
delete_user_key('core_user/email_change', $userid);
}
/**
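Review bot: The docblock of `cancel_email_update` (it starts above this hunk) should be updated to state that the function now also removes the pending confirmation key, since callers rely on this to invalidate an outstanding link; something like `Also deletes the user's 'core_user/email_change' private access key, invalidating any outstanding confirmation link.` The added `delete_user_key('core_user/email_change', $userid);` is the right place for this, as the same function is what the confirmation page calls on success, so a key cannot be replayed after use.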


@ -44,6 +44,14 @@ $stremailupdate = get_string('emailupdate', 'auth', $a);
$PAGE->set_title($stremailupdate);
$PAGE->set_heading(format_string($SITE->fullname) . ": $stremailupdate");
// Validate the key.
$errormessage = get_string('auth_invalidnewemailkey', 'auth');
try {
$userkey = validate_user_key($key, 'core_user/email_change', null);
} catch (moodle_exception $e) {
$userkey = null;
$errormessage = $e->getMessage();
}
if (empty($preferences['newemailattemptsleft'])) {
redirect("$CFG->wwwroot/user/view.php?id=$user->id");
@ -54,7 +62,8 @@ if (empty($preferences['newemailattemptsleft'])) {
echo $OUTPUT->header();
echo $OUTPUT->box(get_string('auth_outofnewemailupdateattempts', 'auth'), 'center');
echo $OUTPUT->footer();
} else if ($key == $preferences['newemailkey']) {
} else if ($userkey && $userkey->userid == $user->id) {
// Key validated, continue with email update.
$olduser = clone($user);
cancel_email_update($user->id);
$user->email = $preferences['newemail'];
@ -90,6 +99,6 @@ if (empty($preferences['newemailattemptsleft'])) {
$preferences['newemailattemptsleft']--;
set_user_preference('newemailattemptsleft', $preferences['newemailattemptsleft'], $user->id);
echo $OUTPUT->header();
echo $OUTPUT->box(get_string('auth_invalidnewemailkey', 'auth'), 'center');
echo $OUTPUT->box($errormessage, 'center');
echo $OUTPUT->footer();
}
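Review bot: The caught exception's message is placed verbatim into `$errormessage` and later rendered with `$OUTPUT->box($errormessage, 'center')`, which emits it as HTML; for a `moodle_exception` coming out of `validate_user_key` this is a localised string today, but nothing in this hunk guarantees the message stays free of markup, so either escape it (`$errormessage = s($e->getMessage());`) or keep the fixed `auth_invalidnewemailkey` text for the user and log the specific reason. The `try` block also runs before the `newemailattemptsleft` check, so the key lookup happens even for a user who has no attempts left; moving it after that guard, or into the branch that needs it, avoids doing the work only to discard the result. Note that `$userkey->userid == $user->id` is a loose comparison of two ids; `(int) $userkey->userid === (int) $user->id` makes the intent explicit. The failing-attempt branch at the end does not delete the key, so if the out-of-attempts path outside this hunk does not call `cancel_email_update`, the key stays usable until its expiry; worth confirming.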