author | Kjartan Mannes <kjartan@2.no-reply.drupal.org> | 2002-09-25 22:05:47 +0000 |
---|---|---|
committer | Kjartan Mannes <kjartan@2.no-reply.drupal.org> | 2002-09-25 22:05:47 +0000 |
commit | 9347252fb9dcf2f8603b652a1b77ccdb21e09c63 (patch) | |
tree | 64ef727a515357243725f5879e1b857a9b8a74a7 /modules | |
parent | 8457c4d2ff5c1a1032d8a15741a31e7f145f56a7 (diff) | |
download | brdo-9347252fb9dcf2f8603b652a1b77ccdb21e09c63.tar.gz brdo-9347252fb9dcf2f8603b652a1b77ccdb21e09c63.tar.bz2 |
- fixing user registration and field validation.
Diffstat (limited to 'modules')
-rw-r--r-- | modules/user.module | 38 | ||||
-rw-r--r-- | modules/user/user.module | 38 |
2 files changed, 46 insertions, 30 deletions
diff --git a/modules/user.module b/modules/user.module
index b45257ec0..486f1b75c 100644
--- a/modules/user.module
+++ b/modules/user.module
@@ -89,15 +89,6 @@ function user_load($array = array()) {
 }
 function user_save($account, $array = array()) {
-
- if (!user_access("administer users")) {
- if (array_intersect(array_keys($array), array("rid", "init", "rating", "session"))) {
- watchdog("warning", "detected malicious attempt to alter a protected database field");
- }
-
- unset($array["rid"], $array["init"], $array["rating"], $array["session"]);
- }
-
 /*
 ** Dynamically compose a SQL query:
 */
@@ -546,7 +537,7 @@ function user_login($edit = array(), $msg = "") {
 if (module_invoke($module, "auth", $name, $pass, $server)) {
 if (variable_get("user_register", 1) == 1 && !user_load(array("name" => "$name@$server"))) { //register this new user
 watchdog("user", "new user: $name@$server ($module ID)");
- $user = user_save("", array("name" => "$name@$server", "pass" => user_password(), "init" => "$name@$server", "rid" => _user_authenticated_id(), "status" => 1, "authname_$module" => "$name@$server"));
+ $user = user_save("", array("name" => "$name@$server", "pass" => user_password(), "init" => "$name@$server", "status" => 1, "authname_$module" => "$name@$server"));
 break;
 }
 }
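Review bot: Removing the protected-field filter from user_save() leaves the function trusting every key its callers pass, so `rid`, `init`, `rating` and `session` are now guarded only at the call sites that remember to do so; in this commit the only remaining guard is in user_edit(), while user_register() relies on its own `unset($edit["session"])` before merging `$data`, whose origin is outside the hunk. If user_save() is meant to remain a safe choke point, a whitelist of writable columns should stay here too; at minimum the new contract should be stated above the function, e.g. `// Callers are responsible for stripping rid/init/rating/session; user_save() no longer filters them.`. The same removal is repeated in the modules/user/user.module copy at the second `diff --git` section. user_save()'s body continues outside the hunk.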
@@ -777,8 +768,10 @@ function user_register($edit = array()) {
 $pass = user_password();
 // create new user account, noting whether administrator approval is required
- admin_access_init();
- $account = user_save("", array_merge(array("name" => $edit["name"], "pass" => $pass, "init" => $edit["mail"], "mail" => $edit["mail"], "rid" => _user_authenticated_id(), "status" => (variable_get("user_register", 1) == 1 ? 1 : 0)), $data));
+ user_role_init();
+ // TODO: is this necessary? Won't session_write replicate this?
+ unset($edit["session"]);
+ $account = user_save("", array_merge(array("name" => $edit["name"], "pass" => $pass, "init" => $edit["mail"], "mail" => $edit["mail"], "rid" => _user_authenticated_id(), "rating" => 0, "status" => (variable_get("user_register", 1) == 1 ? 1 : 0)), $data));
 watchdog("user", "new user: '". $edit["name"] ."' <". $edit["mail"] .">");
 $variables = array("%username" => $edit["name"], "%site" => variable_get("site_name", "drupal"), "%password" => $pass, "%uri" => path_uri(), "%uri_brief" => path_uri(1), "%mailto" => $edit["mail"], "%date" => format_date(time()));
@@ -904,9 +897,24 @@ function user_edit($edit = array()) {
 $error = t("The specified passwords do not match.");
 }
 }
- unset($edit["pass1"], $edit["pass2"]);
+ /*
+ ** Validate input fields to make sure users don't submit
+ ** invalid form.
+ */
+
+ if (!user_access("administer users")) {
+ if (array_intersect(array_keys($array), array("rid", "init", "rating", "session"))) {
+ watchdog("warning", "detected malicious attempt to alter a protected database field");
+ }
+
+ $edit["rid"] = $user->rid;
+ $edit["init"] = $user->init;
+ $edit["rating"] = $user->rating;
+ $edit["session"] = $user->session;
+ }
+
 if (!$error) {
 /*
 ** Save user information:
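Review bot: The new check in user_edit() reads `array_keys($array)`, but the function's parameter is `$edit` and no `$array` is visible in the hunk, so the intersection runs on an undefined variable and the watchdog entry for a tampered protected field can never be written; it should read `if (array_intersect(array_keys($edit), array("rid", "init", "rating", "session"))) {`. The subsequent overwrite of `$edit["rid"]`, `$edit["init"]`, `$edit["rating"]` and `$edit["session"]` from `$user` does still neutralise submitted values, but it depends on `$user` being the current account in scope, which the hunk does not show (presumably a `global $user;` earlier in the function). Dropping `unset($edit["pass1"], $edit["pass2"])` also means the two confirmation fields now travel into user_save(); whether they reach the dynamically composed query depends on user_save()'s column handling, which is outside this hunk. The same hunk is repeated for modules/user/user.module below; user_edit() starts and ends outside the hunk.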
@@ -1479,7 +1487,7 @@ function user_admin_account() { } -function admin_access_init() { +function user_role_init() { $role = db_fetch_object(db_query("SELECT * FROM role WHERE name = 'anonymous user'")); if (!$role) { db_query("INSERT INTO role (name) VALUES ('anonymous user')"); @@ -1499,7 +1507,7 @@ function user_admin() { ** Initialize all the roles and permissions: */ - admin_access_init(); + user_role_init(); /* ** Compile a list of the administrative links: diff --git a/modules/user/user.module b/modules/user/user.module index b45257ec0..486f1b75c 100644 --- a/modules/user/user.module +++ b/modules/user/user.module @@ -89,15 +89,6 @@ function user_load($array = array()) { } function user_save($account, $array = array()) { - - if (!user_access("administer users")) { - if (array_intersect(array_keys($array), array("rid", "init", "rating", "session"))) { - watchdog("warning", "detected malicious attempt to alter a protected database field"); - } - - unset($array["rid"], $array["init"], $array["rating"], $array["session"]); - } - /* ** Dynamically compose a SQL query: */ @@ -546,7 +537,7 @@ function user_login($edit = array(), $msg = "") { if (module_invoke($module, "auth", $name, $pass, $server)) { if (variable_get("user_register", 1) == 1 && !user_load(array("name" => "$name@$server"))) { //register this new user watchdog("user", "new user: $name@$server ($module ID)"); - $user = user_save("", array("name" => "$name@$server", "pass" => user_password(), "init" => "$name@$server", "rid" => _user_authenticated_id(), "status" => 1, "authname_$module" => "$name@$server")); + $user = user_save("", array("name" => "$name@$server", "pass" => user_password(), "init" => "$name@$server", "status" => 1, "authname_$module" => "$name@$server")); break; } } 
@@ -777,8 +768,10 @@ function user_register($edit = array()) {
 $pass = user_password();
 // create new user account, noting whether administrator approval is required
- admin_access_init();
- $account = user_save("", array_merge(array("name" => $edit["name"], "pass" => $pass, "init" => $edit["mail"], "mail" => $edit["mail"], "rid" => _user_authenticated_id(), "status" => (variable_get("user_register", 1) == 1 ? 1 : 0)), $data));
+ user_role_init();
+ // TODO: is this necessary? Won't session_write replicate this?
+ unset($edit["session"]);
+ $account = user_save("", array_merge(array("name" => $edit["name"], "pass" => $pass, "init" => $edit["mail"], "mail" => $edit["mail"], "rid" => _user_authenticated_id(), "rating" => 0, "status" => (variable_get("user_register", 1) == 1 ? 1 : 0)), $data));
 watchdog("user", "new user: '". $edit["name"] ."' <". $edit["mail"] .">");
 $variables = array("%username" => $edit["name"], "%site" => variable_get("site_name", "drupal"), "%password" => $pass, "%uri" => path_uri(), "%uri_brief" => path_uri(1), "%mailto" => $edit["mail"], "%date" => format_date(time()));
@@ -904,9 +897,24 @@ function user_edit($edit = array()) {
 $error = t("The specified passwords do not match.");
 }
 }
- unset($edit["pass1"], $edit["pass2"]);
+ /*
+ ** Validate input fields to make sure users don't submit
+ ** invalid form.
+ */
+
+ if (!user_access("administer users")) {
+ if (array_intersect(array_keys($array), array("rid", "init", "rating", "session"))) {
+ watchdog("warning", "detected malicious attempt to alter a protected database field");
+ }
+
+ $edit["rid"] = $user->rid;
+ $edit["init"] = $user->init;
+ $edit["rating"] = $user->rating;
+ $edit["session"] = $user->session;
+ }
+
 if (!$error) {
 /*
 ** Save user information:
@@ -1479,7 +1487,7 @@ function user_admin_account() {
 }
-function admin_access_init() {
+function user_role_init() {
 $role = db_fetch_object(db_query("SELECT * FROM role WHERE name = 'anonymous user'"));
 if (!$role) {
 db_query("INSERT INTO role (name) VALUES ('anonymous user')");
@@ -1499,7 +1507,7 @@ function user_admin() {
 ** Initialize all the roles and permissions:
 */
- admin_access_init();
+ user_role_init();
 /*
 ** Compile a list of the administrative links: |