email address update

svn path=/trunk/boinc/; revision=946
This commit is contained in:
David Anderson 2003-02-19 20:34:33 +00:00
parent bc26be32cc
commit a16c91e272
12 changed files with 166 additions and 2376 deletions

View File

@ -3308,3 +3308,31 @@ David Feb 18 2003
server_types.C
test/
test.inc
David Feb 19 2003
- Added scheme for verified user update of email address
When user updates email address, their email address in the DB
is set to a "munged" form that includes a random string,
and an email is sent to the new address that includes a
URL that they must visit to verify the change.
- The same mechanism is used on account creation;
the email DB field is initially set to a munged form.
This prevents hackers from adding entries to the DB
with other peoples' email addresses.
- Separate logic for update email address from update other user info;
remove combinatorial logic (?) for update other user info
configure (removed; generated from configure.in by autoconf)
db/
db.h
html_user/
create_account_action.php
create_account_form.php
edit_action.php (removed)
edit_email_action.php (new)
edit_email_form.php (new)
edit_user_info.php (removed)
edit_user_info_form.php (new)
login_action.php
user.inc
util.inc

2235
configure vendored

File diff suppressed because it is too large Load Diff

View File

@ -92,7 +92,7 @@ struct APP_VERSION {
int min_core_version; // min core version this will run with
int max_core_version; // if <>0, max core version this will run with
// the following defined for core client
// the following defined for core client app
//
char message[256]; // if we get a request from this version,
// send this message

View File

@ -4,7 +4,7 @@ include_once("util.inc");
function show_error($str) {
page_head("Create account: error");
echo $str;
echo "$str<br>\n";
echo mysql_error();
echo "<p>Click your browser's <b>Back</b> button to try again.\n<p>\n";
page_tail();
@ -15,8 +15,8 @@ function show_error($str) {
db_init();
$new_email_addr = $HTTP_POST_VARS["new_email_addr"];
if (strlen($new_email_addr) == 0) {
show_error("Email address missing");
if (!is_valid_email_addr($new_email_addr)) {
show_error("Invalid email address");
}
$query = "select * from user where email_addr='$new_email_addr'";
$result = mysql_query($query);
@ -39,10 +39,11 @@ function show_error($str) {
}
$authenticator = random_string();
$munged_email_addr = munge_email_addr($new_email_addr, $authenticator);
$query = sprintf(
"insert into user (create_time, email_addr, name, web_password, authenticator, country, postal_code, total_credit, expavg_credit, expavg_time, teamid, venue) values(%d, '%s', '%s', '%s', '%s', '%s', %d, 0, 0, 0, 0, 'home')",
"insert into user (create_time, email_addr, name, web_password, authenticator, country, postal_code, total_credit, expavg_credit, expavg_time, teamid, venue) values(%d, '%s', '%s', '%s', '%s', '%s', '%s', 0, 0, 0, 0, 'home')",
time(),
$new_email_addr,
$munged_email_addr,
$HTTP_POST_VARS["new_name"],
$HTTP_POST_VARS["new_password"],
$authenticator,

View File

@ -23,7 +23,7 @@ Use your real name or a nickname.
<tr><td align=right>
<b>Email address:</b>
<br><font size=-1>
Must be a valid address.
Must be a valid address of the form name@domain.
</font>
</td><td>
<input name=new_email_addr size=50>

View File

@ -1,115 +0,0 @@
<?php
require_once("util.inc");
require_once("user.inc");
require_once("db.inc");
require_once("edit.inc");
$authenticator = init_session();
db_init();
$user = get_user_from_auth($authenticator);
require_login($user);
page_head("Updating User Account");
$my_email = $HTTP_POST_VARS["my_email"];
$my_name = $HTTP_POST_VARS["my_name"];
$my_country = $HTTP_POST_VARS["my_country"];
$my_zip = $HTTP_POST_VARS["my_zip"];
// TODO: we need to keep track of whether email addresses
// have been verified or not (i.e. whether we ever got back
// the authenticator, either via web or from core client)
// The right was to do this is to add a "email_verified"
// flag to the user structure.
// Also, email need not be unique.
if (strlen($my_email)) {
$query = sprintf("select * from user where email_addr='%s'", $my_email);
$result = mysql_query($query);
if ($result) {
$old = mysql_fetch_object($result);
mysql_free_result($result);
}
if ($old) {
$email_ok = EMAIL_EXISTS;
} else {
srand((double)microtime*1000000);
$new_pass = rand();
$query = sprintf("update user set email_addr='%s', web_password ='%s' where id=%d", $my_email, $new_pass, $user->id);
$result = mysql_query($query);
if ($result) {
$email_ok = EMAIL_UPDATED;
mail($my_email, "NEW PASSWORD", "Your new temporary password is ".$new_pass.".\n\n"
."You must use it as your password to access your account the next time you login."
." Thereafter, you can change your password by clicking on the CHANGE PASSWORD link in your"
." Project User Page and use the changed password as your new permanent password.\n"
);
} else {
$email_ok = EMAIL_FAIL;
}
}
}
if (strlen($my_name) && strlen($my_country) && strlen($my_zip)) {
$query = sprintf("update user set name='%s', country='%s', postal_code=%d where id=%d", $my_name, $my_country, $my_zip, $user->id);
$result = mysql_query($query);
if($result) {
print_update_ok($email_ok);
} else {
print_update_fail($email_ok);
}
} else if (strlen($my_name) && strlen($my_country)) {
$query = sprintf("update user set name='%s', country='%s' where id=%d", $my_name, $my_country, $user->id);
$result = mysql_query($query);
if($result) {
print_update_ok($email_ok);
} else {
print_update_fail($email_ok);
}
} else if (strlen($my_country) && strlen($my_zip)) {
$query = sprintf("update user set country='%s', postal_code='%s' where id=%d", $my_country, $my_zip, $user->id);
$result = mysql_query($query);
if($result) {
print_update_ok($email_ok);
} else {
print_update_fail($email_ok);
}
} else if (strlen($my_name) && strlen($my_zip)) {
$query = sprintf("update user set name='%s', postal_code=%d where id=%d", $my_name, $my_zip, $user->id);
$result = mysql_query($query);
if($result) {
print_update_ok($email_ok);
} else {
print_update_fail($email_ok);
}
} else if (strlen($my_name)) {
$query = sprintf("update user set name='%s' where id=%d", $my_name, $user->id);
$result = mysql_query($query);
if($result) {
print_update_ok($email_ok);
} else {
print_update_fail($email_ok);
}
} else if (strlen($my_country)) {
$query = sprintf("update user set country='%s' where id=%d", $my_country, $user->id);
$result = mysql_query($query);
if($result) {
print_update_ok($email_ok);
} else {
print_update_fail($email_ok);
}
} else if (strlen($my_zip)) {
$query = sprintf("update user set postal_code='%s' where id=%d", $my_zip, $user->id);
$result = mysql_query($query);
if($result) {
print_update_ok($email_ok);
} else {
print_update_fail($email_ok);
}
}
page_tail();
?>

View File

@ -0,0 +1,65 @@
<?php
require_once("util.inc");
require_once("user.inc");
require_once("db.inc");
function send_verify_email($user, $email_addr, $key) {
mail(
$email_addr,
PROJECT." account email change",
"You have asked that the email address of your PROJECT account
be changed to $email_addr.
To confirm this change, please visit the following URL:
".MASTER_URL."/confirm_email_change.php?id=$user->id&str=$key"
);
}
$authenticator = init_session();
db_init();
$user = get_user_from_auth($authenticator);
require_login($user);
$email_addr = $HTTP_POST_VARS["email_addr"];
page_head("Edit email address");
if ($email_addr == "Verification pending") {
echo "You previously requested an email address change.
An email was sent to the new address,
containing a URL that you must visit to verify the new address.
";
} else if (!is_valid_email_addr($email_addr)) {
echo "Invalid email address requested";
} else if ($email_addr == $user->email_addr) {
echo "No change requested";
} else {
$existing = null;
$result = mysql_query("select * from user where email_addr='$email_addr'");
if ($result) {
$existing = mysql_fetch_object($result);
mysql_free_result($result);
}
if ($existing) {
echo "There's already an account with that email address";
} else {
$x = random_string();
$y = munge_email_addr($email_addr, $x);
$result = mysql_query("update user set email_addr='$y' where id=$user->id");
if ($result) {
send_verify_email($user, $email_addr, $x);
echo "
An email has been sent to $email_addr,
containing a URL that you must visit to verify the address.
";
} else {
echo "
We can't update your email address
due to a database problem. Please try again later.
";
}
}
}
page_tail();
?>

View File

@ -0,0 +1,29 @@
<?php
require_once("edit.inc");
require_once("util.inc");
db_init();
$authenticator = init_session();
$user = get_user_from_auth($authenticator);
require_login($user);
page_head("Edit email address");
if (is_valid_email_addr($user->email_addr)) {
$email_text = $user->email_addr;
} else {
$email_text = "Verification pending";
}
echo "<form method=post action=edit_email_action.php>\n
".TABLE2."\n
<tr><td align=right><b>Email address</b>
<br><font size=-1>Must be a valid address of the form 'name@domain'</font></b></td>\n
<td><input name=email_addr size=50 value='$email_text'></td></tr>
<tr><td><br></td><td><input type=submit value='OK'>\n
</table>\n
</form>";
page_tail();
?>

View File

@ -9,18 +9,17 @@ $user = get_user_from_auth($authenticator);
require_login($user);
page_head("Edit user information");
echo "<form method=post action=edit_action.php>\n
echo "<form method=post action=edit_user_info_action.php>\n
".TABLE2."\n
<tr><td align=right><b>User name</b></td>\n
<td><input name=my_name type=text size=30 value='$user->name'></td></tr>
<tr><td align=right><b>Email address</b></td>\n
<td><input name=my_email type=text size=50 value='$user->email_addr'></td></tr>
<td><input name=user_name size=30 value='$user->name'></td></tr>
<tr><td align=right><b>Country:</b></font></td>
<td><select name=my_country>";
<td><select name=country>";
print_country_select($user->country);
echo "</select></td></tr>
<tr><td align=right><b>Postal (ZIP) code</b></td>
<td><input name=my_zip type=text size=20 value='$user->postal_code'></td></tr>
<td><input name=postal_code size=20 value='$user->postal_code'></td></tr>
<tr><td><br></td><td><input type=submit value='OK'>\n
</table>\n
</form>";

View File

@ -33,6 +33,9 @@
// echo "Bad password.";
// }
} else {
if (split_munged_email_addr($user->email_addr, $authenticator, $email)) {
mysql_query("update user set email_addr='$email' where id=$user->id");
}
$_SESSION["authenticator"] = $user->authenticator;
$next_url = $HTTP_POST_VARS["next_url"];
Header("Location: $next_url");

View File

@ -17,19 +17,25 @@ function show_user_stats($user) {
echo "</table>\n";
}
function edit_link() {
return "<br><font size=-1><a href=edit_user_info_form.php>edit</a></font>";
}
function edit_email_link() {
return "<br><font size=-1><a href=edit_email_form.php>edit</a></font>";
}
function show_user_profile($user) {
if (is_valid_email_addr($user->email_addr)) {
$email_text = $user->email_addr;
} else {
$email_text = "Verification pending";
}
echo TABLE2."\n";
echo "<tr>".TD2.LG_FONT."<b>User information</b></font></td></tr>\n";
row("<b>name</b>", $user->name);
row("<b>email address</b>", $user->email_addr);
row("<b>country</b>", $user->country);
row("<b>postal (ZIP) code</b>", $user->postal_code);
echo "<tr><td align=right><a href=edit_user_info.php>Edit user information</a></td>\n";
if (1) {
echo "<td><br></td></tr>\n";
} else {
echo "<td align=center><a href=change_password.php>Change Password</a></td></tr>\n";
}
row("<b>name</b>", $user->name.edit_link());
row("<b>email address</b>", $email_text.edit_email_link());
row("<b>country</b>", $user->country.edit_link());
row("<b>postal (ZIP) code</b>", $user->postal_code.edit_link());
echo "</table>\n";
}

View File

@ -29,9 +29,11 @@ function send_auth_email($email_addr, $auth) {
mail($email_addr, PROJECT." new account confirmation",
"This email confirms the creation of your ".PROJECT." account.
".PROJECT." URL: ".MASTER_URL."
Your account key: $auth\n
Please save this email, as you will need the account key
to access your account on the ".PROJECT." web site."
Please save this email.
You will need your account key to log in to the ".PROJECT." web site."
);
}
@ -223,13 +225,20 @@ function is_valid_email_addr($addr) {
}
function munge_email_addr($email, $string) {
return "@$email_$string";
return "@".$email."_".$string;
}
// if email_addr is of the form @X_Y, split out the X and return true.
// otherwise return false
//
function split_munged_email_addr($addr, $string, &$email) {
if (substr($addr, 0, 1) != "@") return false;
$x = strrchr($addr, "_");
if (!$x) return false;
$y = substr($x, 1);
if ($y != $string) return false;
$email = substr($addr, 1, strlen($addr)-strlen($x)-1);
return true;
}
?>