r24115 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r24114‎ \| r24115 \| r24116 >
Date:	09:04, 15 July 2007
Author:	aaron
Status:	old
Tags:
Comment:	*Honor alternate name input. Escape text of request to avoid injections. Send out rejection emails :(
Modified paths:	/trunk/extensions/ConfirmAccount/ConfirmAccount.i18n.php (modified) (history) /trunk/extensions/ConfirmAccount/ConfirmAccount_body.php (modified) (history)

Diff [purge]

Index: trunk/extensions/ConfirmAccount/ConfirmAccount_body.php
—	—	@@ -359,7 +359,7 @@
360	360	$this->acrID = $wgRequest->getIntOrNull( 'acrid' );
361	361	# For renaming to alot for collisions with other local requests
362	362	# that were added to some global $wgAuth system first.
363		~~- $this->mUsername = $wgRequest->getIntOrNull( 'wpNewName' );~~
	363	+ $this->mUsername = $wgRequest->getText( 'wpNewName' );
364	364
365	365	$this->skin = $wgUser->getSkin();
366	366
—	—	@@ -381,46 +381,60 @@
382	382	$wgOut->returnToMain( null, $wgTitle );
383	383	return;
384	384	}
385		-
	385	+
386	386	if( $action == 'reject' ) {
	387	+ # Make proxy user to email a rejection message :(
	388	+ $u = User::newFromName( $row->acr_name, 'creatable' );
	389	+ $u->setEmail( $row->acr_email );
	390	+ $result = $u->sendMail( wfMsg( 'confirmaccount-email-subj' ),
	391	+ wfMsg( 'confirmaccount-email-body2', $u->getName() ) );
	392	+ if( WikiError::isError( $result ) ) {
	393	+ $error = wfMsg( 'mailerror', htmlspecialchars( $result->getMessage() ) );
	394	+ $this->showForm( $error );
	395	+ return false;
	396	+ }
	397	+
387	398	$dbw = wfGetDB( DB_MASTER );
388	399	$dbw->delete( 'account_requests', array('acr_id' => $this->acrID), __METHOD__ );
389		-
	400	+
390	401	$this->showSuccess( $action );
391	402	} else if( $action == 'accept' ) {
392	403	global $wgMakeUserPageFromBio;
393	404	# Check if the name is to be overridden
394	405	$name = $this->mUsername ? trim($this->mUsername) : $row->acr_name;
395		~~- # Now create a dummy user ($u) and check if it is valid~~
396		~~- $u = User::newFromName( $name, 'creatable' );~~
397		~~- if( is_null( $u ) ) {~~
	406	+ # Now create user and check if the name is valid
	407	+ $user = User::newFromName( $name, 'creatable' );
	408	+ if( is_null( $user ) ) {
398	409	$this->showForm( wfMsgHtml('noname') );
399	410	return;
400	411	}
401	412	# Check if already in use
402		~~- if( 0 != $u->idForName() \|\| $wgAuth->userExists( $u->getName() ) ) {~~
	413	+ if( 0 != $user->idForName() \|\| $wgAuth->userExists( $user->getName() ) ) {
403	414	$this->showForm( wfMsgHtml('userexists') );
404	415	return;
405	416	}
406		-
	417	+ # Make a random password
407	418	$pass = User::randomPassword();
408		~~- if( !$wgAuth->addUser( $u, $pass, $row->acr_email, $row->acr_real_name ) ) {~~
409		~~- $this->showForm( wfMsg( 'externaldberror' ) );~~
410		~~- return false;~~
411		~~- }~~
412		~~- # Now that name is validated, create the stub account~~
413		~~- $user = User::createNew( $name );~~
414	419	# VERY important to set email now. Otherwise user will have to request
415	420	# a new password at the login screen...
416	421	$user->setEmail( $row->acr_email );
417		~~- $user->setRealName( $row->acr_real_name );~~
418		~~- $user->setPassword( $pass );~~
419		~~- $user->saveSettings(); // Save this stuff now~~
420		~~- # Email this password~~
421		~~- $user->sendMail( wfMsg( 'confirmaccount-email-subj' ),~~
	422	+ $result = $user->sendMail( wfMsg( 'confirmaccount-email-subj' ),
422	423	wfMsg( 'confirmaccount-email-body',
423	424	$user->getName(),
424	425	$pass ) );
	426	+ if( WikiError::isError( $result ) ) {
	427	+ $error = wfMsg( 'mailerror', htmlspecialchars( $result->getMessage() ) );
	428	+ $this->showForm( $error );
	429	+ return false;
	430	+ }
	431	+ if( !$wgAuth->addUser( $user, $pass, $row->acr_email, $row->acr_real_name ) ) {
	432	+ $this->showForm( wfMsg( 'externaldberror' ) );
	433	+ return false;
	434	+ }
	435	+ # Set password and realname
	436	+ $user->setPassword( $pass );
	437	+ $user->setRealName( $row->acr_real_name );
	438	+ $user->saveSettings(); // Save this into the DB
425	439	# Check if the user already confirmed email address
426	440	$dbw = wfGetDB( DB_MASTER );
427	441	$dbw->update( 'user',
—	—	@@ -428,17 +442,16 @@
429	443	'user_email_token_expires' => $row->acr_email_token_expires ),
430	444	array( 'user_id' => $user->getID() ),
431	445	__METHOD__ );
432		-
433	446	# OK, now remove the request
434	447	$dbw->delete( 'account_requests', array('acr_id' => $this->acrID), __METHOD__ );
435		-
	448	+
436	449	wfRunHooks( 'AddNewAccount', array( $user ) );
437	450	# Start up the user's brand new userpage
438	451	if( $wgMakeUserPageFromBio ) {
439	452	$userpage = new Article( $user->getUserPage() );
440	453	$userpage->doEdit( $row->acr_bio, wfMsg('confirmaccount-summary'), EDIT_NEW );
441	454	}
442		-
	455	+
443	456	$this->showSuccess( $action, $user->getName() );
444	457	}
445	458	}
—	—	@@ -472,14 +485,14 @@
473	486
474	487	$econf = $row->acr_email_authenticated ? ' <strong>'.wfMsg('confirmaccount-econf').'</strong>' : '';
475	488	$form .= "<tr><td>".wfMsgHtml('requestaccount-email')."</td>";
476		~~- $form .= "<td>".$row->acr_email.$econf."</td></tr>\n";~~
	489	+ $form .= "<td>".htmlspecialchars($row->acr_email).$econf."</td></tr>\n";
477	490	$form .= '</table></fieldset>';
478	491
479	492	$form .= '<fieldset>';
480	493	$form .= '<legend>' . wfMsg('requestacount-legend2') . '</legend>';
481	494	$form .= '<table cellpadding=\'4\'>';
482	495	$form .= "<tr><td>".wfMsgHtml('requestaccount-real')."</td>";
483		~~- $form .= "<td>".$row->acr_real_name."</td></tr>\n";~~
	496	+ $form .= "<td>".htmlspecialchars($row->acr_real_name)."</td></tr>\n";
484	497	$form .= '</table cellpadding=\'4\'>';
485	498	$form .= "<p>".wfMsgHtml('requestaccount-bio')."</p>";
486	499	$form .= "<p><textarea tabindex='1' readonly name='wpBio' id='wpBio' rows='10' cols='80' style='width:100%'>" .
—	—	@@ -491,11 +504,11 @@
492	505	$form .= '<legend>' . wfMsg('requestacount-legend3') . '</legend>';
493	506	$form .= "<p>".wfMsgHtml('requestaccount-notes')."</p>\n";
494	507	$form .= "<p><textarea tabindex='1' readonly name='wpNotes' id='wpNotes' rows='3' cols='80' style='width:100%'>" .
495		~~- $row->acr_notes .~~
	508	+ htmlspecialchars($row->acr_notes) .
496	509	"</textarea></p>";
497	510	$form .= "<p>".wfMsgHtml('requestaccount-urls')."</p>\n";
498	511	$form .= "<p><textarea tabindex='1' readonly name='wpUrls' id='wpUrls' rows='2' cols='80' style='width:100%'>" .
499		~~- $row->acr_urls .~~
	512	+ htmlspecialchars($row->acr_urls) .
500	513	"</textarea></p>";
501	514	$form .= '</fieldset>';
502	515
—	—	@@ -565,12 +578,15 @@
566	579	$r = '<li>';
567	580	$r .= $time." ($link)".'<br/>';
568	581	$r .= '<table cellspacing=\'1\' cellpadding=\'3\' border=\'1\' width=\'100%\'>';
569		~~- $r .= '<tr><td><strong>'.wfMsg('confirmaccount-name').'</strong></td><td width=\'100%\'>'.$row->acr_name.'</td></tr>';~~
570		~~- $r .= '<tr><td><strong>'.wfMsg('confirmaccount-real').'</strong></td><td width=\'100%\'>'.$row->acr_real_name.'</td></tr>';~~
	582	+ $r .= '<tr><td><strong>'.wfMsg('confirmaccount-name').'</strong></td><td width=\'100%\'>' .
	583	+ htmlspecialchars($row->acr_name) . '</td></tr>';
	584	+ $r .= '<tr><td><strong>'.wfMsg('confirmaccount-real').'</strong></td><td width=\'100%\'>' .
	585	+ htmlspecialchars($row->acr_real_name) . '</td></tr>';
571	586	$econf = $row->acr_email_authenticated ? ' <strong>'.wfMsg('confirmaccount-econf').'</strong>' : '';
572		~~- $r .= '<tr><td><strong>'.wfMsg('confirmaccount-email').'</strong></td><td width=\'100%\'>'.$row->acr_email.$econf.'</td></tr>';~~
	587	+ $r .= '<tr><td><strong>'.wfMsg('confirmaccount-email').'</strong></td><td width=\'100%\'>' .
	588	+ htmlspecialchars($row->acr_email) . $econf.'</td></tr>';
573	589	# Truncate this, blah blah...
574		~~- $bio = substr( $row->acr_bio, 0, 500 );~~
	590	+ $bio = substr( htmlspecialchars($row->acr_bio), 0, 500 );
575	591	$bio = strlen($bio) < strlen($row->acr_bio) ? "$bio . . ." : $bio;
576	592
577	593	$r .= '<tr><td><strong>'.wfMsg('confirmaccount-bio').'</strong></td><td width=\'100%\'><i>'.$bio.'</i></td></tr>';
Index: trunk/extensions/ConfirmAccount/ConfirmAccount.i18n.php
—	—	@@ -68,7 +68,7 @@
69	69	'confirmaccount-real' => 'Name',
70	70	'confirmaccount-email' => 'Email',
71	71	'confirmaccount-bio' => 'Biography',
72		~~- 'confirmaccount-review' => 'Review this request in detail',~~
	72	+ 'confirmaccount-review' => 'Approve/Reject',
73	73	'confirmacount-confirm' => 'Use the buttons below to irreversibly confirm this request and create the account or deny it.',
74	74	'confirmaccount-econf' => '(confirmed)',
75	75	'confirmacount-create' => 'Confirm (create account)',
—	—	@@ -85,4 +85,9 @@
86	86
87	87	You may have been granted a slightly different name than requested. This could be due to name collisions
88	88	or policy reasons. Also, please immediatly login, go to your preferences options, and set a new password.',
89		~~-);~~
	89	+ 'confirmaccount-email-body2' => 'Sorry, your request for an account "$1" has been rejected on {{SITENAME}}.
	90	+
	91	+There are several ways this can happen. You may not have filled out the form correctly, did not provide adequate
	92	+length in your responses, or otherwise failed to meet some policy criteria. There may be contact lists on site that
	93	+you can use if you want to know more about user account policy.',
	94	+);
\ No newline at end of file

Status & tagging log

15:20, 12 September 2011 Meno25 (talk | contribs) changed the status of r24115 [removed: ok added: old]