Changeset 10800 for trunk/src/bp-members/classes/class-bp-signup.php

Timestamp:

05/24/2016 02:34:37 PM (9 years ago)

Author:

boonebgorges

Message:

Better hash building for activation keys, password reset keys, and filenames.

There is no need to use user-facing info for these hashes.

Props DJPaul, vortfu.

File:

• trunk/src/bp-members/classes/class-bp-signup.php (modified) (1 diff)

trunk/src/bp-members/classes/class-bp-signup.php

@@ -747 +747 @@
             $user_id = username_exists( $signup->user_login );
 
-            if ( ! empty( $user_id ) && $signup->activation_key == wp_hash( $user_id ) ) {
+            if ( ! empty( $user_id ) && $signup->activation_key === bp_get_user_meta( $user_id, 'activation_key', true ) ) {
 
                 if ( 2 != self::check_user_status( $user_id ) ) {