authorYorhel <git@yorhel.nl>2019-10-03 17:33:33 +0200
committerYorhel <git@yorhel.nl>2019-10-03 17:33:35 +0200
commit3f7769d2ba4047e8766e511b7a42c7aa4721f6f8 (patch)
treefb3263931645793e280f30e1bce0271281b496b6 /lib/VNWeb/User
parent0965af5fd74cf53503bb7ae0262d31c25f894385 (diff)
Require email confirmation when changing email address
This ensures that the email address linked to a user is always valid and actually belong(s|ed) to that user.
Diffstat (limited to 'lib/VNWeb/User')
-rw-r--r--lib/VNWeb/User/Edit.pm53
1 files changed, 50 insertions, 3 deletions
diff --git a/lib/VNWeb/User/Edit.pm b/lib/VNWeb/User/Edit.pm
index 8b1f1ea2..4e67bf4e 100644
--- a/lib/VNWeb/User/Edit.pm
+++ b/lib/VNWeb/User/Edit.pm
@@ -34,6 +34,11 @@ my $FORM = form_compile in => {
elm_form UserEdit => undef, $FORM;
+sub _getmail {
+ my $uid = shift;
+ tuwf->dbVali(select => sql_func user_getmail => \$uid, \auth->uid, sql_fromhex auth->token);
+}
+
TUWF::get qr{/$RE{uid}/edit}, sub {
my $u = tuwf->dbRowi(q{
SELECT id, username, perm, ign_votes, hide_list, show_nsfw, traits_sexual,
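Review bot: `_getmail` is undocumented, and a reader cannot tell from its body why the caller's uid and session token are passed alongside the target uid; a one-line comment above the sub such as `# Fetch a user's e-mail via the user_getmail DB function; the caller's uid and session token are passed so that the access check is done in the database (TODO confirm against the SQL definition of user_getmail)` would spare the next maintainer a trip to the schema. Note that the helper is invoked without parentheses (`_getmail $u->{id}` in the next hunk), which only parses correctly because the sub is defined above its call sites; `_getmail($u->{id})` would not depend on declaration order.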
@@ -43,7 +48,7 @@ TUWF::get qr{/$RE{uid}/edit}, sub {
return tuwf->resNotFound if !can_edit u => $u;
- $u->{email} = tuwf->dbVali(select => sql_func user_getmail => \$u->{id}, \auth->uid, sql_fromhex auth->token);
+ $u->{email} = _getmail $u->{id};
$u->{authmod} = auth->permUsermod;
$u->{password} = undef;
$u->{skin} ||= config->{skin_default};
@@ -65,6 +70,8 @@ TUWF::get qr{/$RE{uid}/edit}, sub {
json_api qr{/u/edit}, $FORM, sub {
my $data = shift;
+ my $username = tuwf->dbVali('SELECT username FROM users WHERE id =', \$data->{id});
+ return tuwf->resNotFound if !$username;
return elm_Unauth if !can_edit u => $data;
if(auth->permUsermod) {
@@ -88,12 +95,52 @@ json_api qr{/u/edit}, $FORM, sub {
}
}
- tuwf->dbExeci(select => sql_func user_setmail => \$data->{id}, \auth->uid, sql_fromhex(auth->token), \$data->{email});
+ my $ret = \&elm_Success;
+
+ my $oldmail = _getmail $data->{id};
+ if($data->{email} ne $oldmail) {
+ if(auth->permUsermod) {
+ tuwf->dbExeci(select => sql_func user_admin_setmail => \$data->{id}, \auth->uid, sql_fromhex(auth->token), \$data->{email});
+ } else {
+ my $token = auth->setmail_token($data->{email});
+ my $body = sprintf
+ "Hello %s,"
+ ."\n\n"
+ ."To confirm that you want to change the email address associated with your VNDB.org account from %s to %s, click the link below:"
+ ."\n\n"
+ ."%s"
+ ."\n\n"
+ ."vndb.org",
+ $username, $oldmail, $data->{email}, tuwf->reqBaseURI()."/u$data->{id}/setmail/$token";
+
+ tuwf->mail($body,
+ To => $data->{email},
+ From => 'VNDB <noreply@vndb.org>',
+ Subject => "Confirm e-mail change for $username",
+ );
+ $ret = \&elm_MailChange;
+ }
+ }
$data->{skin} = '' if $data->{skin} eq config->{skin_default};
auth->prefSet($_, $data->{$_}, $data->{id}) for qw/hide_list show_nsfw traits_sexual tags_all tags_cont tags_ero tags_tech spoilers skin customcss/;
- elm_Success
+ $ret->();
+};
+
+
+TUWF::get qr{/$RE{uid}/setmail/(?<token>[a-f0-9]{40})}, sub {
+ my $success = auth->setmail_confirm(tuwf->capture('id'), tuwf->capture('token'));
+ my $title = $success ? 'E-mail confirmed' : 'Error confirming email';
+ framework_ title => $title, index => 0, sub {
+ div_ class => 'mainbox', sub {
+ h1_ $title;
+ div_ class => $success ? 'notice' : 'warning', sub {
+ p_ "Your e-mail address has been updated!" if $success;
+ p_ "Invalid or expired confirmation link." if !$success;
+ };
+ };
+ };
};
1;
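Review bot: The confirmation mail goes only to the new address (`To => $data->{email}`), so the address currently on record is never told that a change was requested; for takeover detection the usual mitigation is to also send a plain notice to `$oldmail` when it is non-empty, as sketched below. The comparison `$data->{email} ne $oldmail` will raise an uninitialized-value warning if `_getmail` yields undef (no e-mail on record, or whatever user_getmail returns when the token does not check out — I cannot see its definition), so `if($data->{email} ne ($oldmail // '')) {` is safer. The username and new address are interpolated into the `Subject` and `To` headers, which is only safe if `$FORM` (outside this hunk) rejects CR/LF in both fields; worth confirming since header injection is the classic failure here. `auth->setmail_token` receives only the new address while the link and `setmail_confirm` carry `$data->{id}`, so the token is presumably bound to `auth->uid`; if `can_edit` ever lets a non-usermod user edit another account, the link and the token would refer to different users — please verify.
```perl
        my $token = auth->setmail_token($data->{email});
        # … unchanged: build $body and send the confirmation mail to the new address …
        # Notify the address currently on record so an unexpected change request is visible to the account owner.
        tuwf->mail(
            sprintf("Hello %s,\n\nA request was made to change the e-mail address of your VNDB.org account from %s to %s. If you did not request this, please contact us.\n\nvndb.org", $username, $oldmail, $data->{email}),
            To => $oldmail,
            From => 'VNDB <noreply@vndb.org>',
            Subject => "E-mail change requested for $username",
        ) if $oldmail;
        $ret = \&elm_MailChange;
```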