From 8f817bf9a845dc2a023d5ee59e10ee380cbe9523 Mon Sep 17 00:00:00 2001 From: Dries Buytaert Date: Tue, 30 Jun 2009 09:52:54 +0000 Subject: - Patch #497612 by Moshe Weitzman et al: harden user login by correctly using the form API. --- modules/user/user.pages.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'modules') diff --git a/modules/user/user.pages.inc b/modules/user/user.pages.inc index d3b736c02..e9778e32e 100644 --- a/modules/user/user.pages.inc +++ b/modules/user/user.pages.inc @@ -101,9 +101,9 @@ function user_pass_reset(&$form_state, $uid, $timestamp, $hashed_pass, $action = watchdog('user', 'User %name used one-time login link at time %timestamp.', array('%name' => $account->name, '%timestamp' => $timestamp)); // Set the new user. $user = $account; - // user_authenticate_finalize() also updates the login timestamp of the + // user_login_finalize() also updates the login timestamp of the // user, which invalidates further use of the one-time login link. - user_authenticate_finalize($form_state['values']); + user_login_finalize(); drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to login. Please change your password.')); drupal_goto('user/' . $user->uid . '/edit'); } -- cgit v1.2.3