Commit 9347252f authored by Kjartan's avatar Kjartan

- fixing user registration and field validation.

parent 8457c4d2
......@@ -89,15 +89,6 @@ function user_load($array = array()) {
}
function user_save($account, $array = array()) {
if (!user_access("administer users")) {
if (array_intersect(array_keys($array), array("rid", "init", "rating", "session"))) {
watchdog("warning", "detected malicious attempt to alter a protected database field");
}
unset($array["rid"], $array["init"], $array["rating"], $array["session"]);
}
/*
** Dynamically compose a SQL query:
*/
......@@ -546,7 +537,7 @@ function user_login($edit = array(), $msg = "") {
if (module_invoke($module, "auth", $name, $pass, $server)) {
if (variable_get("user_register", 1) == 1 && !user_load(array("name" => "$name@$server"))) { //register this new user
watchdog("user", "new user: $name@$server ($module ID)");
$user = user_save("", array("name" => "$name@$server", "pass" => user_password(), "init" => "$name@$server", "rid" => _user_authenticated_id(), "status" => 1, "authname_$module" => "$name@$server"));
$user = user_save("", array("name" => "$name@$server", "pass" => user_password(), "init" => "$name@$server", "status" => 1, "authname_$module" => "$name@$server"));
break;
}
}
......@@ -777,8 +768,10 @@ function user_register($edit = array()) {
$pass = user_password();
// create new user account, noting whether administrator approval is required
admin_access_init();
$account = user_save("", array_merge(array("name" => $edit["name"], "pass" => $pass, "init" => $edit["mail"], "mail" => $edit["mail"], "rid" => _user_authenticated_id(), "status" => (variable_get("user_register", 1) == 1 ? 1 : 0)), $data));
user_role_init();
// TODO: is this necessary? Won't session_write replicate this?
unset($edit["session"]);
$account = user_save("", array_merge(array("name" => $edit["name"], "pass" => $pass, "init" => $edit["mail"], "mail" => $edit["mail"], "rid" => _user_authenticated_id(), "rating" => 0, "status" => (variable_get("user_register", 1) == 1 ? 1 : 0)), $data));
watchdog("user", "new user: '". $edit["name"] ."' <". $edit["mail"] .">");
$variables = array("%username" => $edit["name"], "%site" => variable_get("site_name", "drupal"), "%password" => $pass, "%uri" => path_uri(), "%uri_brief" => path_uri(1), "%mailto" => $edit["mail"], "%date" => format_date(time()));
......@@ -904,9 +897,24 @@ function user_edit($edit = array()) {
$error = t("The specified passwords do not match.");
}
}
unset($edit["pass1"], $edit["pass2"]);
/*
** Validate input fields to make sure users don't submit
** invalid form.
*/
if (!user_access("administer users")) {
if (array_intersect(array_keys($array), array("rid", "init", "rating", "session"))) {
watchdog("warning", "detected malicious attempt to alter a protected database field");
}
$edit["rid"] = $user->rid;
$edit["init"] = $user->init;
$edit["rating"] = $user->rating;
$edit["session"] = $user->session;
}
if (!$error) {
/*
** Save user information:
......@@ -1479,7 +1487,7 @@ function user_admin_account() {
}
function admin_access_init() {
function user_role_init() {
$role = db_fetch_object(db_query("SELECT * FROM role WHERE name = 'anonymous user'"));
if (!$role) {
db_query("INSERT INTO role (name) VALUES ('anonymous user')");
......@@ -1499,7 +1507,7 @@ function user_admin() {
** Initialize all the roles and permissions:
*/
admin_access_init();
user_role_init();
/*
** Compile a list of the administrative links:
......
......@@ -89,15 +89,6 @@ function user_load($array = array()) {
}
function user_save($account, $array = array()) {
if (!user_access("administer users")) {
if (array_intersect(array_keys($array), array("rid", "init", "rating", "session"))) {
watchdog("warning", "detected malicious attempt to alter a protected database field");
}
unset($array["rid"], $array["init"], $array["rating"], $array["session"]);
}
/*
** Dynamically compose a SQL query:
*/
......@@ -546,7 +537,7 @@ function user_login($edit = array(), $msg = "") {
if (module_invoke($module, "auth", $name, $pass, $server)) {
if (variable_get("user_register", 1) == 1 && !user_load(array("name" => "$name@$server"))) { //register this new user
watchdog("user", "new user: $name@$server ($module ID)");
$user = user_save("", array("name" => "$name@$server", "pass" => user_password(), "init" => "$name@$server", "rid" => _user_authenticated_id(), "status" => 1, "authname_$module" => "$name@$server"));
$user = user_save("", array("name" => "$name@$server", "pass" => user_password(), "init" => "$name@$server", "status" => 1, "authname_$module" => "$name@$server"));
break;
}
}
......@@ -777,8 +768,10 @@ function user_register($edit = array()) {
$pass = user_password();
// create new user account, noting whether administrator approval is required
admin_access_init();
$account = user_save("", array_merge(array("name" => $edit["name"], "pass" => $pass, "init" => $edit["mail"], "mail" => $edit["mail"], "rid" => _user_authenticated_id(), "status" => (variable_get("user_register", 1) == 1 ? 1 : 0)), $data));
user_role_init();
// TODO: is this necessary? Won't session_write replicate this?
unset($edit["session"]);
$account = user_save("", array_merge(array("name" => $edit["name"], "pass" => $pass, "init" => $edit["mail"], "mail" => $edit["mail"], "rid" => _user_authenticated_id(), "rating" => 0, "status" => (variable_get("user_register", 1) == 1 ? 1 : 0)), $data));
watchdog("user", "new user: '". $edit["name"] ."' <". $edit["mail"] .">");
$variables = array("%username" => $edit["name"], "%site" => variable_get("site_name", "drupal"), "%password" => $pass, "%uri" => path_uri(), "%uri_brief" => path_uri(1), "%mailto" => $edit["mail"], "%date" => format_date(time()));
......@@ -904,9 +897,24 @@ function user_edit($edit = array()) {
$error = t("The specified passwords do not match.");
}
}
unset($edit["pass1"], $edit["pass2"]);
/*
** Validate input fields to make sure users don't submit
** invalid form.
*/
if (!user_access("administer users")) {
if (array_intersect(array_keys($array), array("rid", "init", "rating", "session"))) {
watchdog("warning", "detected malicious attempt to alter a protected database field");
}
$edit["rid"] = $user->rid;
$edit["init"] = $user->init;
$edit["rating"] = $user->rating;
$edit["session"] = $user->session;
}
if (!$error) {
/*
** Save user information:
......@@ -1479,7 +1487,7 @@ function user_admin_account() {
}
function admin_access_init() {
function user_role_init() {
$role = db_fetch_object(db_query("SELECT * FROM role WHERE name = 'anonymous user'"));
if (!$role) {
db_query("INSERT INTO role (name) VALUES ('anonymous user')");
......@@ -1499,7 +1507,7 @@ function user_admin() {
** Initialize all the roles and permissions:
*/
admin_access_init();
user_role_init();
/*
** Compile a list of the administrative links:
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment