#476067 - Add FormToken to account / profile settings and PW recovery
Signed-off-by: Darrell Armstrong <darrell.armstrong@eclipse.org>
diff --git a/eclipse.org-common/classes/users/siteLogin.class.php b/eclipse.org-common/classes/users/siteLogin.class.php
index 24232e4..295e3f8 100644
--- a/eclipse.org-common/classes/users/siteLogin.class.php
+++ b/eclipse.org-common/classes/users/siteLogin.class.php
@@ -772,6 +772,10 @@
}
private function _processSaveProfile() {
+ if (!$this->FormToken->verifyToken($_POST['token-update-profile']) || !empty($_POST['profile-name-req'])) {
+ //token verification failed or expected empty field wasn't empty
+ return FALSE;
+ }
if ($this->password_expired === TRUE) {
$this->messages['password_expired']['danger'][] = "You need to set a new password before you can update your profile.";
return FALSE;
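Review bot: Line 10 indexes `$_POST['token-update-profile']` without checking the key exists, so a POST that omits the field — the forged or scripted request this guard is meant to stop — raises an undefined-index notice before `verifyToken()` even runs (`empty()` on the honeypot is notice-safe, a bare `$_POST[...]` argument is not). Guard the lookup first: `if (!isset($_POST['token-update-profile']) || !$this->FormToken->verifyToken($_POST['token-update-profile']) || !empty($_POST['profile-name-req'])) {`. The silent `return FALSE` also differs from the `password_expired` branch right below it, which explains itself through `$this->messages`; an expired or missing form token is a legitimate user situation (stale tab), so a message such as "Your form session has expired, please reload and try again" in the same array would be consistent. `_processSaveProfile()` continues past the end of the hunk.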
@@ -874,7 +878,10 @@
}
private function _processSave() {
-
+ if (!$this->FormToken->verifyToken($_POST['token-edit-account']) || !empty($_POST['edit-account-email-req'])) {
+ //token verification failed or expected empty field wasn't empty
+ return FALSE;
+ }
// Check IF the password is expired
// AND if the user is NOT trying to change the password
if ($this->password_expired === TRUE && (empty($this->password1) && empty($this->password2))) {
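Review bot: The honeypot test on line 21, `!empty($_POST['edit-account-email-req'])`, lets a field value of `"0"` through because `empty("0")` is true in PHP, so a bot that fills every field with a digit passes the check. The same two-clause guard is now copy-pasted into four methods, so it is worth factoring into one helper that also covers the missing-key case, called as `if (!$this->_formTokenOk('token-edit-account', 'edit-account-email-req')) { return FALSE; }`. Whether `verifyToken()` tolerates `NULL` or non-string input is not visible in this diff; the helper below sidesteps the question. `_processSave()` continues outside the hunk.
```php
    /**
     * Shared guard for the FormToken + honeypot pair added to each form.
     * A missing token field fails (no undefined-index notice); a honeypot
     * that is present but non-empty — including "0" — fails; otherwise the
     * result is whatever FormToken::verifyToken() decides.
     */
    private function _formTokenOk($tokenField, $honeypotField) {
        if (!isset($_POST[$tokenField])) {
            return FALSE;
        }
        if (isset($_POST[$honeypotField]) && $_POST[$honeypotField] !== '') {
            return FALSE;
        }
        return $this->FormToken->verifyToken($_POST[$tokenField]);
    }
```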
@@ -1054,6 +1061,10 @@
}
private function _resetPassword() {
+ if (!$this->FormToken->verifyToken($_POST['token-password-recovery']) || !empty($_POST['recover-account-email-req'])) {
+ //token verification failed or expected empty field wasn't empty
+ return FALSE;
+ }
# reset stage 1. We got an email address, create token and email to user
# make sure someone isn't blasting us. We disregard "token failed" since a common use-case
# is to click the reset link after it has expired.
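Review bot: On line 31 the stage-1 recovery form now fails closed with no feedback: a visitor whose session (and, presumably, FormToken) expired while the page sat open gets the form back with no explanation, whereas the comment on lines 36–37 shows this method deliberately tolerates reset-token failures for exactly that kind of user behaviour. Consider adding a message before `return FALSE;` under whichever `$this->messages` key the recovery template renders, e.g. `"This form has expired, please reload the page and try again."`. This is also the one form submitted by anonymous visitors, so it is worth confirming that FormToken issues a token for a session that did not exist before the page was rendered. As in the other hunks, `$_POST['token-password-recovery']` should be wrapped in `isset()` before it is handed to `verifyToken()`. `_resetPassword()` continues past the hunk.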
@@ -1142,6 +1153,10 @@
}
private function _resetPassword3() {
+ if (!$this->FormToken->verifyToken($_POST['token-password-reset']) || !empty($_POST['reset-account-email-req'])) {
+ //token verification failed or expected empty field wasn't empty
+ return FALSE;
+ }
# reset stage 3. We got a token back, and user is submitting a password.
if ($this->t != "" && $this->password1 != "" ) {
if ($this->password1 != $this->password2) {
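Review bot: Line 41 reads the token and honeypot straight from `$_POST`, while the rest of this method works from instance fields (`$this->t`, `$this->password1`, `$this->password2` on lines 46–47), so the new check bypasses whatever input handling populates those members. If that handling is where request values are read once and sanitised, the two new fields belong there too, leaving this method with something like `if (!$this->FormToken->verifyToken($this->formToken) || $this->honeypot !== '') { return FALSE; }`. Independently, when the stage-3 form is rejected here the password the user just typed is discarded silently; the mismatch branch on line 47 presumably reports through `$this->messages`, and this branch should too. The hunk cuts `_resetPassword3()` off before its end.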
diff --git a/site_login/content/en_password_recovery.php b/site_login/content/en_password_recovery.php
index 852bcb4..7d78038 100644
--- a/site_login/content/en_password_recovery.php
+++ b/site_login/content/en_password_recovery.php
@@ -46,6 +46,8 @@
<div class="col-sm-24">
<button id="btn_submit" type="submit" name="btn-submit" tabindex="4" class="btn btn-primary">Reset password</button>
<input type="hidden" name="t" value="<?php print $var_reset['token']; ?>" />
+ <input type="hidden" name="token-password-reset" value="<?php print $Sitelogin->FormToken->getToken();?>" />
+ <input type="hidden" name="reset-account-email-req" value="" />
</div>
</div>
</form>
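Review bot: Line 56 prints `getToken()` directly into an attribute value with no escaping, following the pre-existing `$var_reset['token']` on line 55. If the token is hex or base64 this is harmless, but its format is not visible here and any token containing `"` would break out of the attribute, so `value="<?php print htmlspecialchars($Sitelogin->FormToken->getToken(), ENT_QUOTES, 'UTF-8'); ?>"` is cheap insurance. The template's other escaping conventions are not in the hunk, so apply whatever helper the site already uses for attribute output if one exists.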
@@ -62,6 +64,8 @@
</div>
<button type="submit" name="btn_submit" class="btn btn-warning" >Continue</button>
<input type="hidden" name="stage" value="reset" />
+ <input type="hidden" name="token-password-recovery" value="<?php print $Sitelogin->FormToken->getToken();?>" />
+ <input type="hidden" name="recover-account-email-req" value="" />
</form>
<?php endif;?>
</div>
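Review bot: Line 65 embeds a per-session token into the anonymous password-recovery page, which only works if this response is never served from a shared cache; any proxy or CDN caching of the page would hand every visitor the same stale token and every submission would then fail at `verifyToken()`. Confirm the page sends `Cache-Control: private, no-store` (or that the framework already does) now that it carries per-session state. If both forms in this file can render in one response, also confirm that repeated `getToken()` calls within a request return the same token rather than minting and storing a fresh one each time, otherwise the first form rendered holds a token the server no longer recognises.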
diff --git a/site_login/content/myaccount/en_accountsettings.php b/site_login/content/myaccount/en_accountsettings.php
index 8c7bd81..3a0c17f 100644
--- a/site_login/content/myaccount/en_accountsettings.php
+++ b/site_login/content/myaccount/en_accountsettings.php
@@ -87,6 +87,8 @@
<div class="col-sm-24">
<button type="submit" name="btn_submit" class="btn btn-warning" />Update account</buttton>
<input type="hidden" name="stage" value="save-account" />
+ <input type="hidden" name="token-edit-account" value="<?php print $Sitelogin->FormToken->getToken();?>" />
+ <input type="hidden" name="edit-account-email-req" value="" />
</div>
</div>
</form>
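Review bot: Line 78 calls `getToken()` with no form identifier, so one session token protects account settings, the profile form and password recovery alike; that is adequate against CSRF provided the token is bound to the session, but it ties every form to a single token's lifetime. If `verifyToken()` consumes or rotates the token on success, a user with Account Settings and Profile open in two tabs will have the second submission rejected silently by the new guards in `siteLogin.class.php`; a server-side comment such as `<?php // FormToken is per-session, not per-form; see siteLogin::_processSave() ?>` would at least record the design choice for the next maintainer. Drive-by: the pre-existing `<button ... />` / `</buttton>` pair on line 76 is malformed HTML and worth fixing while this form is being touched.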
diff --git a/site_login/content/myaccount/en_profile.php b/site_login/content/myaccount/en_profile.php
index aebd4b9..bc4bd3a 100644
--- a/site_login/content/myaccount/en_profile.php
+++ b/site_login/content/myaccount/en_profile.php
@@ -90,6 +90,8 @@
<div class="col-sm-24">
<button type="submit" name="btn_submit" class="btn btn-warning">Update Profile</button>
<input type="hidden" name="stage" value="save-profile" />
+ <input type="hidden" name="token-update-profile" value="<?php print $Sitelogin->FormToken->getToken();?>" />
+ <input type="hidden" name="profile-name-req" value="" />
</div>
</div>
</form>
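Review bot: The honeypot on line 92 is a `type="hidden"` input, and hidden inputs are exactly what automated form fillers leave alone, so the server-side `!empty($_POST['profile-name-req'])` check will mostly see empty values from bots as well as browsers and catch only the crudest scripts. A honeypot usually takes the form of a real text input moved off-screen with CSS (not `display:none`, which smarter bots detect) and marked `autocomplete="off" tabindex="-1" aria-hidden="true"` so browsers and screen readers ignore it. The commit does not say whether the field is meant to stop bots or only to fingerprint requests that did not originate from this form; a one-line comment beside the input stating which would make the intent clear.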