Changeset 11766


Timestamp:
12/12/2017 02:26:15 AM (7 years ago)
Author:
boonebgorges
Message:

Members: Require a form submission to activate an account.

Previously, simply loading a URL of the form /activate/12345 would activate
the account with key 12345. This caused conflicts with some mail scanning
services, which follow links in emails, causing accounts to be self-activated.

A small backward-compatibility layer ensures that custom activate.php
templates containing forms with method="get" continue to work.

Fixes #6049.

Location:
trunk/src
Files:
6 edited

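--- a/trunk/src/bp-core/bp-core-template.php
+++ b/trunk/src/bp-core/bp-core-template.php
@@ -1151,8 +1151,5 @@
  */
 function bp_account_was_activated() {
-    $bp                  = buddypress();
-    $activation_complete = !empty( $bp->activation_complete )
-        ? $bp->activation_complete
-        : false;
+    $activation_complete = ! empty( buddypress()->activation_complete ) || ( bp_is_current_component( 'activate' ) && ! empty( $_GET['activated'] ) );
 
     return $activation_complete;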
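Review bot: The added `! empty( $_GET['activated'] )` clause ties the activated state to a query parameter any visitor can supply, so loading the activate page with `?activated=1` reports a completed activation even though no key was processed in that request; as far as this hunk shows the effect is limited to which template branch is rendered, but that should be stated rather than left to be read as a guarantee. A docblock line such as `On the activate component the ?activated=1 flag set by bp_members_action_activate_account()'s redirect is trusted as-is; it is a display hint, not proof that an activation happened.` would make this explicit (the docblock starts before the hunk). The single long condition on the new line would also read better split into its two cases with one short comment each. The function's closing brace is outside the hunk.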
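--- a/trunk/src/bp-members/bp-members-actions.php
+++ b/trunk/src/bp-members/bp-members-actions.php
@@ -108,4 +108,54 @@
 }
 
+/**
+ * Catches and processes account activation requests.
+ *
+ * @since 3.0.0
+ */
+function bp_members_action_activate_account() {
+    if ( ! bp_is_current_component( 'activate' ) ) {
+        return;
+    }
+
+    if ( is_user_logged_in() ) {
+        return;
+    }
+
+    if ( ! empty( $_POST['key'] ) ) {
+        $key = wp_unslash( $_POST['key'] );
+
+    // Backward compatibility with templates using `method="get"` in their activation forms.
+    } elseif ( ! empty( $_GET['key'] ) ) {
+        $key = wp_unslash( $_GET['key'] );
+    }
+
+    if ( empty( $key ) ) {
+        return;
+    }
+
+    $bp = buddypress();
+
+    /**
+     * Filters the activation signup.
+     *
+     * @since 1.1.0
+     *
+     * @param bool|int $value Value returned by activation.
+     *                        Integer on success, boolean on failure.
+     */
+    $user = apply_filters( 'bp_core_activate_account', bp_core_activate_signup( $key ) );
+
+    // If there were errors, add a message and redirect.
+    if ( ! empty( $user->errors ) ) {
+        bp_core_add_message( $user->get_error_message(), 'error' );
+        bp_core_redirect( trailingslashit( bp_get_root_domain() . '/' . $bp->pages->activate->slug ) );
+    }
+
+    bp_core_add_message( __( 'Your account is now active!', 'buddypress' ) );
+    bp_core_redirect( add_query_arg( 'activated', '1', bp_get_activation_page() ) );
+
+}
+add_action( 'bp_actions', 'bp_members_action_activate_account' );
+
 /*
  * Unhooked in 1.6.0 - moved to settings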
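Review bot: The `elseif ( ! empty( $_GET['key'] ) )` fallback keeps activation reachable with a plain GET, so a URL of the form `/activate/?key=…` still activates on load and the mail-scanner problem the commit message describes is only closed for the `/activate/KEY` path form; if that is the accepted price of supporting old templates, the comment should say so and the fallback should carry a deprecation note. Neither branch verifies that the submitted value is a string: `wp_unslash()` accepts arrays, so a `key[]=` parameter reaches `bp_core_activate_signup()` as an array — the same applies to the `$_GET['key']` read in `bp_get_current_activation_key()` in bp-members-template.php. Initialising `$key = '';` before the branches and guarding each with `is_string()` (`if ( ! empty( $_POST['key'] ) && is_string( $_POST['key'] ) ) {`) covers both and drops the reliance on `empty()` tolerating an undefined variable. Whether `bp_core_redirect()` terminates the request after the error message is not visible here; if it does not, the success message below the error branch is also added on failure.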
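--- a/trunk/src/bp-members/bp-members-screens.php
+++ b/trunk/src/bp-members/bp-members-screens.php
@@ -291,6 +291,4 @@
  *
  * @since 1.1.0
- *
- * @todo Move the actual activation process into an action in bp-members-actions.php
  */
 function bp_core_screen_activation() {
@@ -326,37 +324,6 @@
     }
 
-    // Grab the key (the old way).
-    $key = isset( $_GET['key'] ) ? $_GET['key'] : '';
-
-    // Grab the key (the new way).
-    if ( empty( $key ) ) {
-        $key = bp_current_action();
-    }
-
     // Get BuddyPress.
     $bp = buddypress();
-
-    // We've got a key; let's attempt to activate the signup.
-    if ( ! empty( $key ) ) {
-
-        /**
-         * Filters the activation signup.
-         *
-         * @since 1.1.0
-         *
-         * @param bool|int $value Value returned by activation.
-         *                        Integer on success, boolean on failure.
-         */
-        $user = apply_filters( 'bp_core_activate_account', bp_core_activate_signup( $key ) );
-
-        // If there were errors, add a message and redirect.
-        if ( ! empty( $user->errors ) ) {
-            bp_core_add_message( $user->get_error_message(), 'error' );
-            bp_core_redirect( trailingslashit( bp_get_root_domain() . '/' . $bp->pages->activate->slug ) );
-        }
-
-        bp_core_add_message( __( 'Your account is now active!', 'buddypress' ) );
-        $bp->activation_complete = true;
-    }
 
     /**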
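--- a/trunk/src/bp-members/bp-members-template.php
+++ b/trunk/src/bp-members/bp-members-template.php
@@ -2119,4 +2119,32 @@
 
 /**
+ * Get the activation key from the current request URL.
+ *
+ * @since 3.0.0
+ *
+ * @return string
+ */
+function bp_get_current_activation_key() {
+    $key = '';
+
+    if ( bp_is_current_component( 'activate' ) ) {
+        if ( isset( $_GET['key'] ) ) {
+            $key = wp_unslash( $_GET['key'] );
+        } else {
+            $key = bp_current_action();
+        }
+    }
+
+    /**
+     * Filters the activation key from the current request URL.
+     *
+     * @since 3.0.0
+     *
+     * @param string $key Activation key.
+     */
+    return apply_filters( 'bp_get_current_activation_key', $key );
+}
+
+/**
  * Output the username submitted during signup.
  *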
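Review bot: `isset( $_GET['key'] )` narrows the fallback compared with the code this changeset removes from `bp_core_screen_activation()`: that code fell through to `bp_current_action()` whenever the query value was empty, whereas this function returns `''` for a request carrying an empty `?key=` and never consults the path. If the old behaviour is intended, `if ( ! empty( $_GET['key'] ) ) {` restores it; if the difference is deliberate, a short comment on the `isset` line saying that an explicit empty key wins over the path would stop the next reader from "fixing" it.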
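--- a/trunk/src/bp-templates/bp-legacy/buddypress/members/activate.php
+++ b/trunk/src/bp-templates/bp-legacy/buddypress/members/activate.php
@@ -51,8 +51,8 @@
             <p><?php _e( 'Please provide a valid activation key.', 'buddypress' ); ?></p>
 
-            <form action="" method="get" class="standard-form" id="activation-form">
+            <form action="" method="post" class="standard-form" id="activation-form">
 
                 <label for="key"><?php _e( 'Activation Key:', 'buddypress' ); ?></label>
-                <input type="text" name="key" id="key" value="" />
+                <input type="text" name="key" id="key" value="<?php echo esc_attr( bp_get_current_activation_key() ); ?>" />
 
                 <p class="submit">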
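--- a/trunk/src/bp-templates/bp-nouveau/buddypress/members/activate.php
+++ b/trunk/src/bp-templates/bp-nouveau/buddypress/members/activate.php
@@ -26,8 +26,8 @@
             <p><?php _e( 'Please provide a valid activation key.', 'buddypress' ); ?></p>
 
-            <form action="" method="get" class="standard-form" id="activation-form">
+            <form action="" method="post" class="standard-form" id="activation-form">
 
                 <label for="key"><?php _e( 'Activation Key:', 'buddypress' ); ?></label>
-                <input type="text" name="key" id="key" value="" />
+                <input type="text" name="key" id="key" value="<?php echo esc_attr( bp_get_current_activation_key() ); ?>" />
 
                 <p class="submit">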