diff options
| author | Jakub Senko <jakubsenko@gmail.com> | 2018-10-28 10:12:13 +0100 |
|---|---|---|
| committer | Jakub Senko <jakubsenko@gmail.com> | 2018-10-28 10:12:13 +0100 |
| commit | 1d2a654ad7f34367cc5f8c8b3d5893e617b92f3f (patch) | |
| tree | 4ff64b0d309db4667f16d4acdb2906a4136686ad | |
| parent | 30d1048c8e3b66f3a3144974f9f3fc87054b2be2 (diff) | |
| download | forums-1d2a654ad7f34367cc5f8c8b3d5893e617b92f3f.tar forums-1d2a654ad7f34367cc5f8c8b3d5893e617b92f3f.tar.gz forums-1d2a654ad7f34367cc5f8c8b3d5893e617b92f3f.tar.bz2 forums-1d2a654ad7f34367cc5f8c8b3d5893e617b92f3f.tar.xz forums-1d2a654ad7f34367cc5f8c8b3d5893e617b92f3f.zip | |
[ticket/10432] Fix errors and address privacy concern
PHPBB3-10432
| -rw-r--r-- | phpBB/includes/ucp/ucp_remind.php | 33 | ||||
| -rw-r--r-- | phpBB/language/en/common.php | 1 | ||||
| -rw-r--r-- | phpBB/language/en/ucp.php | 3 | ||||
| -rw-r--r-- | tests/functional/user_password_reset_test.php | 16 |
4 files changed, 26 insertions, 27 deletions
diff --git a/phpBB/includes/ucp/ucp_remind.php b/phpBB/includes/ucp/ucp_remind.php index 8cf7ea268d..e50428bfea 100644 --- a/phpBB/includes/ucp/ucp_remind.php +++ b/phpBB/includes/ucp/ucp_remind.php @@ -79,7 +79,7 @@ class ucp_remind extract($phpbb_dispatcher->trigger_event('core.ucp_remind_modify_select_sql', compact($vars))); $sql = $db->sql_build_query('SELECT', $sql_array); - $result = $db->sql_query($sql); + $result = $db->sql_query_limit($sql, 2); // don't waste resources on more rows than we need $rowset = $db->sql_fetchrowset($result); if (count($rowset) > 1) @@ -93,29 +93,24 @@ class ucp_remind } else { - $user_row = $rowset[0]; - $db->sql_freeresult($result); + $message = $user->lang['PASSWORD_UPDATED_IF_EXISTED'] . '<br /><br />' . sprintf($user->lang['RETURN_INDEX'], '<a href="' . append_sid("{$phpbb_root_path}index.$phpEx") . '">', '</a>'); - if (!$user_row) + if (empty($rowset)) { - trigger_error('NO_EMAIL_USER'); + trigger_error($message); } - if ($user_row['user_type'] == USER_IGNORE) + $user_row = $rowset[0]; + $db->sql_freeresult($result); + + if (!$user_row) { - trigger_error('NO_USER'); + trigger_error($message); } - if ($user_row['user_type'] == USER_INACTIVE) + if ($user_row['user_type'] == USER_IGNORE || $user_row['user_type'] == USER_INACTIVE) { - if ($user_row['user_inactive_reason'] == INACTIVE_MANUAL) - { - trigger_error('ACCOUNT_DEACTIVATED'); - } - else - { - trigger_error('ACCOUNT_NOT_ACTIVATED'); - } + trigger_error($message); } // Check users permissions @@ -124,8 +119,7 @@ class ucp_remind if (!$auth2->acl_get('u_chgpasswd')) { - send_status_line(403, 'Forbidden'); - trigger_error('NO_AUTH_PASSWORD_REMINDER'); + trigger_error($message); } $server_url = generate_board_url(); @@ -164,9 +158,6 @@ class ucp_remind $messenger->send($user_row['user_notify_type']); - meta_refresh(3, append_sid("{$phpbb_root_path}index.$phpEx")); - - $message = $user->lang['PASSWORD_UPDATED'] . '<br /><br />' . sprintf($user->lang['RETURN_INDEX'], '<a href="' . append_sid("{$phpbb_root_path}index.$phpEx") . '">', '</a>'); trigger_error($message); } } diff --git a/phpBB/language/en/common.php b/phpBB/language/en/common.php index 213563aea0..a037c5bfe8 100644 --- a/phpBB/language/en/common.php +++ b/phpBB/language/en/common.php @@ -62,7 +62,6 @@ $lang = array_merge($lang, array( 'ACCOUNT_ALREADY_ACTIVATED' => 'Your account has already been activated.', 'ACCOUNT_DEACTIVATED' => 'Your account has been manually deactivated and is only able to be reactivated by an administrator.', - 'ACCOUNT_NOT_ACTIVATED' => 'Your account has not been activated yet.', 'ACP' => 'Administration Control Panel', 'ACP_SHORT' => 'ACP', 'ACTIVE' => 'active', diff --git a/phpBB/language/en/ucp.php b/phpBB/language/en/ucp.php index 301739186c..cfcbc63144 100644 --- a/phpBB/language/en/ucp.php +++ b/phpBB/language/en/ucp.php @@ -373,7 +373,6 @@ $lang = array_merge($lang, array( 'NO_AUTH_EDIT_MESSAGE' => 'You are not authorised to edit private messages.', 'NO_AUTH_FORWARD_MESSAGE' => 'You are not authorised to forward private messages.', 'NO_AUTH_GROUP_MESSAGE' => 'You are not authorised to send private messages to groups.', - 'NO_AUTH_PASSWORD_REMINDER' => 'You are not authorised to request a new password.', 'NO_AUTH_PROFILEINFO' => 'You are not authorised to change your profile information.', 'NO_AUTH_READ_HOLD_MESSAGE' => 'You are not authorised to read private messages that are on hold.', 'NO_AUTH_READ_MESSAGE' => 'You are not authorised to read private messages.', @@ -412,7 +411,7 @@ $lang = array_merge($lang, array( 'PASS_TYPE_SYMBOL_EXPLAIN' => 'Password must be between %1$s and %2$s long, must contain letters in mixed case, must contain numbers and must contain symbols.', 'PASSWORD' => 'Password', 'PASSWORD_ACTIVATED' => 'Your new password has been activated.', - 'PASSWORD_UPDATED' => 'A new password was sent to your registered email address.', + 'PASSWORD_UPDATED_IF_EXISTED' => 'If your account exists a new password was sent to your registered email address. If it does not, it may be because you are banned, not activated your account yet or not allowed to change password. Contact admin if that is the case.', 'PERMISSIONS_RESTORED' => 'Successfully restored original permissions.', 'PERMISSIONS_TRANSFERRED' => 'Successfully transferred permissions from <strong>%s</strong>, you are now able to browse the board with this user’s permissions.<br />Please note that admin permissions were not transferred. You are able to revert to your permission set at any time.', 'PM_DISABLED' => 'Private messaging has been disabled on this board.', diff --git a/tests/functional/user_password_reset_test.php b/tests/functional/user_password_reset_test.php index af53ba2b0d..2361eed066 100644 --- a/tests/functional/user_password_reset_test.php +++ b/tests/functional/user_password_reset_test.php @@ -23,17 +23,27 @@ class phpbb_functional_user_password_reset_test extends phpbb_functional_test_ca $this->add_lang('ucp'); $user_id = $this->create_user('reset-password-test-user', 'reset-password-test-user@test.com'); + // test without email $crawler = self::request('GET', "ucp.php?mode=sendpassword&sid={$this->sid}"); $form = $crawler->selectButton('submit')->form(); $crawler = self::submit($form); $this->assertContainsLang('NO_EMAIL_USER', $crawler->text()); + // test with non-existent email + $crawler = self::request('GET', "ucp.php?mode=sendpassword&sid={$this->sid}"); + $form = $crawler->selectButton('submit')->form(array( + 'email' => 'non-existent@email.com', + )); + $crawler = self::submit($form); + $this->assertContainsLang('PASSWORD_UPDATED_IF_EXISTED', $crawler->text()); + + // test with correct email $crawler = self::request('GET', "ucp.php?mode=sendpassword&sid={$this->sid}"); $form = $crawler->selectButton('submit')->form(array( 'email' => 'reset-password-test-user@test.com', )); $crawler = self::submit($form); - $this->assertContainsLang('PASSWORD_UPDATED', $crawler->text()); + $this->assertContainsLang('PASSWORD_UPDATED_IF_EXISTED', $crawler->text()); // Check if columns in database were updated for password reset $this->get_user_data('reset-password-test-user'); @@ -57,7 +67,7 @@ class phpbb_functional_user_password_reset_test extends phpbb_functional_test_ca 'username' => 'reset-password-test-user1', )); $crawler = self::submit($form); - $this->assertContainsLang('PASSWORD_UPDATED', $crawler->text()); + $this->assertContainsLang('PASSWORD_UPDATED_IF_EXISTED', $crawler->text()); // Check if columns in database were updated for password reset $this->get_user_data('reset-password-test-user1'); @@ -182,7 +192,7 @@ class phpbb_functional_user_password_reset_test extends phpbb_functional_test_ca $db = $this->get_db(); $sql = 'SELECT user_id, username, user_type, user_email, user_newpasswd, user_lang, user_notify_type, user_actkey, user_inactive_reason FROM ' . USERS_TABLE . " - WHERE username = '$username'"; + WHERE username = '" . $db->sql_escape($username) . "'"; $result = $db->sql_query($sql); $this->user_data = $db->sql_fetchrow($result); $db->sql_freeresult($result); |