validation code is login for registered users
Hi,
I have not checked the latest update of Links and did not implement a solution of my own.
Please accept this as a note which might be interesting.
The validation code is kind of secure but I think it is not necessary to allow someone to login with the validation code if a user is already registered.
Login.pm says you can:
# --------------------------------------------------------
# Validates a user.
#
my $code = $IN->param('code');
$code =~ s/^\s*|\s*$//g;
my $mtl = Links::Build::build('title', Links::language('LINKS_VALIDATE'), "$CFG->{db_cgi_url}/user.cgi?validate=1");
if (!$code) {
print $IN->header;
print Links::SiteHTML::display('validate_form', { error => Links::language('USER_INVALIDVAL'), main_title_loop => $mtl });
return;
}
my $db = $DB->table('Users');
my $sth = $db->select({ Validation => $code });
my $user = $sth->fetchrow_hashref;
if (! $user) {
print $IN->header;
print Links::SiteHTML::display('validate_form', { error => Links::language('USER_INVALIDVAL'), main_title_loop => $mtl });
return;
}
$db->update({ Status => 'Registered' }, { Username => $user->{Username} });
login_user($user->{Username}, $user->{Password}, 'validate_success');
}
Regards
Niko
I have not checked the latest update of Links and did not implement a solution of my own.
Please accept this as a note which might be interesting.
The validation code is kind of secure but I think it is not necessary to allow someone to login with the validation code if a user is already registered.
Login.pm says you can:
Code:
sub validate_user { # --------------------------------------------------------
# Validates a user.
#
my $code = $IN->param('code');
$code =~ s/^\s*|\s*$//g;
my $mtl = Links::Build::build('title', Links::language('LINKS_VALIDATE'), "$CFG->{db_cgi_url}/user.cgi?validate=1");
if (!$code) {
print $IN->header;
print Links::SiteHTML::display('validate_form', { error => Links::language('USER_INVALIDVAL'), main_title_loop => $mtl });
return;
}
my $db = $DB->table('Users');
my $sth = $db->select({ Validation => $code });
my $user = $sth->fetchrow_hashref;
if (! $user) {
print $IN->header;
print Links::SiteHTML::display('validate_form', { error => Links::language('USER_INVALIDVAL'), main_title_loop => $mtl });
return;
}
$db->update({ Status => 'Registered' }, { Username => $user->{Username} });
login_user($user->{Username}, $user->{Password}, 'validate_success');
}
Regards
Niko