

Timestamp:
10/30/2014 04:09:06 AM (10 years ago)
Author:
djpaul
Message:

Signups: move the activation link's key from the query param into the URL proper.

Some email hosts strip the key from the activation link, or mangle it, or prevent it being easily copyable inside their web interfaces. Some web servers/configurations are also commonly configured to strip query parameters from the majority of requests, so hopefully this change will alleviate these problems.

Compatibility is maintained for the older query param-style activation links.

Fixes #5831, props r-a-y.

File:
1 edited

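--- a/trunk/src/bp-members/bp-members-screens.php
+++ b/trunk/src/bp-members/bp-members-screens.php
@@ -234,27 +234,36 @@
     }
 
-    // Check if an activation key has been passed
-    if ( isset( $_GET['key'] ) ) {
-
-        // Activate the signup
-        $user = apply_filters( 'bp_core_activate_account', bp_core_activate_signup( $_GET['key'] ) );
-
-        // If there were errors, add a message and redirect
-        if ( !empty( $user->errors ) ) {
-            bp_core_add_message( $user->get_error_message(), 'error' );
-            bp_core_redirect( trailingslashit( bp_get_root_domain() . '/' . $bp->pages->activate->slug ) );
-        }
-
-        $hashed_key = wp_hash( $_GET['key'] );
-
-        // Check if the avatar folder exists. If it does, move rename it, move
-        // it and delete the signup avatar dir
-        if ( file_exists( bp_core_avatar_upload_path() . '/avatars/signups/' . $hashed_key ) )
-            @rename( bp_core_avatar_upload_path() . '/avatars/signups/' . $hashed_key, bp_core_avatar_upload_path() . '/avatars/' . $user );
-
-        bp_core_add_message( __( 'Your account is now active!', 'buddypress' ) );
-
-        $bp->activation_complete = true;
-    }
+    // grab the key (the old way)
+    $key = isset( $_GET['key'] ) ? $_GET['key'] : '';
+
+    // grab the key (the new way)
+    if ( empty( $key ) ) {
+        $key = bp_current_action();
+    }
+
+    // bail if no key
+    if ( empty( $key ) ) {
+        return;
+    }
+
+    // Activate the signup
+    $user = apply_filters( 'bp_core_activate_account', bp_core_activate_signup( $key ) );
+
+    // If there were errors, add a message and redirect
+    if ( ! empty( $user->errors ) ) {
+        bp_core_add_message( $user->get_error_message(), 'error' );
+        bp_core_redirect( trailingslashit( bp_get_root_domain() . '/' . $bp->pages->activate->slug ) );
+    }
+
+    $hashed_key = wp_hash( $key );
+
+    // Check if the avatar folder exists. If it does, move rename it, move
+    // it and delete the signup avatar dir
+    if ( file_exists( bp_core_avatar_upload_path() . '/avatars/signups/' . $hashed_key ) ) {
+        @rename( bp_core_avatar_upload_path() . '/avatars/signups/' . $hashed_key, bp_core_avatar_upload_path() . '/avatars/' . $user );
+    }
+
+    bp_core_add_message( __( 'Your account is now active!', 'buddypress' ) );
+    $bp->activation_complete = true;
 
     bp_core_load_template( apply_filters( 'bp_core_template_activate', array( 'activate', 'registration/activate' ) ) );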
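Review bot: The new `// bail if no key` branch returns before the `bp_core_load_template()` call at the end of the hunk, whereas the removed code skipped only the activation steps and still reached that call when no key was supplied, so a visit to the activate page without a key would no longer load the template from here. Wrapping the activation steps in `if ( ! empty( $key ) ) {` … `}` instead of returning would keep the old fall-through. Separately, `$key` is handed to `bp_core_activate_signup()` and `wp_hash()` exactly as received, and a `key[]=` request makes `$_GET['key']` an array; how those helpers treat a non-string is not visible here, so a type check at the first assignment, `$key = ( isset( $_GET['key'] ) && is_string( $_GET['key'] ) ) ? $_GET['key'] : '';`, would reject it up front. The enclosing function starts and ends outside the hunk, so whether anything else renders the page after the early return cannot be confirmed from these lines.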