changeset 58:31c895b73bd0
improve change email
author | Franklin Schmidt <fschmidt@gmail.com> |
---|---|
date | Tue, 29 Nov 2022 16:09:17 -0700 |
parents | 169ac5fdb320 |
children | 02d8876dc41d |
files | src/api/change_email.json.luan src/api/change_email_1.json.luan src/api/change_email_2.json.luan src/api/forms.html src/change_email.html.luan src/lib/User.luan |
diffstat | 6 files changed, 128 insertions(+), 47 deletions(-) [+] |
--- a/src/api/change_email.json.luan Mon Nov 28 23:47:19 2022 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,33 +0,0 @@
-local Luan = require "luan:Luan.luan"
-local error = Luan.error
-local Html = require "luan:Html.luan"
-local url_encode = Html.url_encode or error()
-local Io = require "luan:Io.luan"
-local output_of = Io.output_of or error()
-local Http = require "luan:http/Http.luan"
-local Mail = require "site:/lib/Mail.luan"
-local Api = require "site:/api/Api.luan"
-local api = Api.api or error()
-local user_error = Api.user_error or error()
-
-
-return api(function()
- local base_url = Http.request.parameters.base_url or user_error "missing base_url param"
- local from = Http.request.parameters.from or user_error "missing from param"
- local email = Http.request.parameters.email or user_error "missing email param"
- local password = Http.request.parameters.password or user_error "missing password param"
- local mailer = Mail.sender() or user_error "mail not configured"
- mailer.send{
- From = from
- To = email
- Subject = "Change Email"
- body = output_of(function() %>
-Change your email address to this email by clicking this link:
-
-<%=base_url%>/change_email.html?email=<%=url_encode(email)%>&password=<%=password%>
-<% end)
- }
- return {
- okay = true
- }
-end)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/api/change_email_1.json.luan Tue Nov 29 16:09:17 2022 -0700
@@ -0,0 +1,36 @@
+local Luan = require "luan:Luan.luan"
+local error = Luan.error
+local Html = require "luan:Html.luan"
+local url_encode = Html.url_encode or error()
+local Io = require "luan:Io.luan"
+local output_of = Io.output_of or error()
+local Http = require "luan:http/Http.luan"
+local Mail = require "site:/lib/Mail.luan"
+local Api = require "site:/api/Api.luan"
+local api = Api.api or error()
+local user_error = Api.user_error or error()
+
+
+return api(function()
+ local base_url = Http.request.parameters.base_url or user_error "missing base_url param"
+ local from = Http.request.parameters.from or user_error "missing from param"
+ local to = Http.request.parameters.to or user_error "missing to param"
+ local email = Http.request.parameters.email or user_error "missing email param"
+ local password = Http.request.parameters.password or user_error "missing password param"
+ local mailer = Mail.sender() or user_error "mail not configured"
+ mailer.send{
+ From = from
+ To = to
+ Subject = "Change Email"
+ body = output_of(function() %>
+Change your email address to <%=email%> by clicking this link:
+
+<%=base_url%>/change_email.html?email=<%=url_encode(email)%>&password1=<%=password%>
+
+If you don't want to change your email address, then don't click on the link.
+<% end)
+ }
+ return {
+ okay = true
+ }
+end)
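Review bot: The token is written into the link as `&password1=<%=password%>` without `url_encode`, while `email` on the same line is encoded; encoding both, `&password1=<%=url_encode(password)%>`, keeps the link intact if a token ever contains `&`, `+` or `%`. `from`, `to` and `base_url` also come straight from request parameters and go into the message headers and the link. Unless `Api.api` restricts who may call this endpoint and the mailer rejects CR/LF in header values (neither is visible here), the endpoint will mail a clickable link with a caller-chosen sender and host to a caller-chosen address, so taking `From` and `base_url` from server configuration would be safer. The same two points apply to change_email_2.json.luan.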
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/api/change_email_2.json.luan Tue Nov 29 16:09:17 2022 -0700
@@ -0,0 +1,33 @@
+local Luan = require "luan:Luan.luan"
+local error = Luan.error
+local Html = require "luan:Html.luan"
+local url_encode = Html.url_encode or error()
+local Io = require "luan:Io.luan"
+local output_of = Io.output_of or error()
+local Http = require "luan:http/Http.luan"
+local Mail = require "site:/lib/Mail.luan"
+local Api = require "site:/api/Api.luan"
+local api = Api.api or error()
+local user_error = Api.user_error or error()
+
+
+return api(function()
+ local base_url = Http.request.parameters.base_url or user_error "missing base_url param"
+ local from = Http.request.parameters.from or user_error "missing from param"
+ local email = Http.request.parameters.email or user_error "missing email param"
+ local password = Http.request.parameters.password or user_error "missing password param"
+ local mailer = Mail.sender() or user_error "mail not configured"
+ mailer.send{
+ From = from
+ To = email
+ Subject = "Change Email"
+ body = output_of(function() %>
+Change your email address to this email by clicking this link:
+
+<%=base_url%>/change_email.html?email=<%=url_encode(email)%>&password2=<%=password%>
+<% end)
+ }
+ return {
+ okay = true
+ }
+end)
--- a/src/api/forms.html Mon Nov 28 23:47:19 2022 -0700
+++ b/src/api/forms.html Tue Nov 29 16:09:17 2022 -0700
@@ -15,8 +15,18 @@
 <p><input type=submit></p>
 </form>
 <hr>
- <form action="change_email.json">
- <h3>change_email</h3>
+ <form action="change_email_1.json">
+ <h3>change_email_1</h3>
+ <p>base_url: <input name=base_url type=url required></p>
+ <p>from: <input name=from required></p>
+ <p>to: <input name=to type=email required></p>
+ <p>email: <input name=email type=email required></p>
+ <p>password: <input name=password required></p>
+ <p><input type=submit></p>
+ </form>
+ <hr>
+ <form action="change_email_2.json">
+ <h3>change_email_2</h3>
 <p>base_url: <input name=base_url type=url required></p>
 <p>from: <input name=from required></p>
 <p>email: <input name=email type=email required></p>
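Review bot: Both new forms omit `method`, so the browser submits them with GET and the `password` token and the addresses end up in the query string, where access logs and browser history record them. `<form action="change_email_1.json" method="post">` (and the same for `change_email_2.json`) avoids that, assuming the API reads POST parameters the same way, which is not visible here. The second form continues past the end of the hunk.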
--- a/src/change_email.html.luan Mon Nov 28 23:47:19 2022 -0700
+++ b/src/change_email.html.luan Tue Nov 29 16:09:17 2022 -0700
@@ -38,11 +38,20 @@
 <%
 end
 
+local function invalid()
+ page(function()
+%>
+ <p>This link is no longer valid. Please <a href="/change_email.html">try again</a>.</p>
+<%
+ end)
+end
+
 return function()
 local user = User.current_required()
 if user==nil then return end
 local email = Http.request.parameters.email
- local password = Http.request.parameters.password
+ local password1 = Http.request.parameters.password1
+ local password2 = Http.request.parameters.password2
 if email == nil then
 page(function()
 %>
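Review bot: The `email` parameter read at the top of the handler is never validated or encoded on the server, and the next hunk both echoes it into the page as `<b><%=email%></b>` and mails a link to it. If `<%= %>` does not HTML-escape its value (not visible here), that echo should go through the Html module's encoding function. A server-side format check on `email` before the first branch would also keep malformed addresses out of the mail API call, since `type=email` on the form only constrains well-behaved browsers. The handler's body continues past the end of this hunk.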
@@ -56,35 +65,57 @@
 </form>
 <%
 end)
- elseif password == nil then
+ elseif password1 == nil and password2 == nil then
 run_in_transaction( function()
 user = user.reload()
- user.hidden_password = User.new_password()
+ user.hidden_password_1 = User.new_password()
 user.save()
 end )
- local result = call_mail_api( "change_email", {
+ local result = call_mail_api( "change_email_1", {
 base_url = base_url()
 from = forum_title.." <support@freedit.org>"
+ to = user.email
 email = email
- password = user.hidden_password
+ password = user.hidden_password_1
 } )
 result.okay or error(result.error)
 page(function()
 %>
- <p>We have sent an email to your new email address. Click on the link in that email to complete the change.</p>
+ <p>We have sent an email to your current email address. Click on the link in that email to change your email.</p>
 <%
 end)
- elseif password ~= user.hidden_password then
+ elseif password1 ~= nil then
+ if password1 ~= user.hidden_password_1 then
+ invalid()
+ return
+ end
+ run_in_transaction( function()
+ user = user.reload()
+ user.hidden_password_1 = nil
+ user.hidden_password_2 = User.new_password()
+ user.save()
+ end )
+ local result = call_mail_api( "change_email_2", {
+ base_url = base_url()
+ from = forum_title.." <support@freedit.org>"
+ email = email
+ password = user.hidden_password_2
+ } )
+ result.okay or error(result.error)
 page(function()
 %>
- <p>This link is no longer valid. Please <a href="/change_email.html">try again</a>.</p>
+ <p>We have sent an email to <b><%=email%></b>. Click on the link in that email to complete the change.</p>
 <%
 end)
- else
+ elseif password2 ~= nil then
+ if password2 ~= user.hidden_password_2 then
+ invalid()
+ return
+ end
 run_in_transaction( function()
 user = user.reload()
 user.email = email
- user.hidden_password = nil
+ user.hidden_password_2 = nil
 user.save()
 end )
 page(function()
@@ -92,5 +123,7 @@
 <p>Your email has been change to <b><%=user.email%></b>.</p>
 <%
 end)
+ else
+ error()
 end
 end
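Review bot: The address written by `user.email = email` in the last branch comes from the request's `email` parameter, not from anything stored with the token, so a valid `password2` confirms control of the mailbox that received it but not of the address that ends up on the account; the `email` forwarded to `change_email_2` in the `password1` branch has the same gap. Storing the requested address next to the token when `hidden_password_1` is issued, and using only the stored value in the two later steps, binds each confirmation to one address. The comparisons against `hidden_password_1` and `hidden_password_2` also run on the `user` loaded before `run_in_transaction`, so two requests carrying the same token can presumably both pass; checking after `user.reload()` inside the transaction closes that. The sketch uses a proposed field name, `pending_email`, which would also have to be persisted in src/lib/User.luan. The handler's body starts in the previous hunk.

```lua
	-- first branch, inside the existing transaction, before user.save():
			user.pending_email = email  -- proposed field: the address this request is bound to

	-- … unchanged: call_mail_api "change_email_1" and confirmation page …
	-- … password1 branch: same check-inside-transaction pattern, mailing to user.pending_email …

	elseif password2 ~= nil then
		local confirmed = false
		run_in_transaction( function()
			user = user.reload()
			-- compare and consume the token on the freshly loaded record
			if password2 == user.hidden_password_2 and user.pending_email ~= nil then
				user.email = user.pending_email
				user.pending_email = nil
				user.hidden_password_2 = nil
				user.save()
				confirmed = true
			end
		end )
		if not confirmed then
			invalid()
			return
		end
		-- … unchanged: "Your email has been change to" page …
```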
--- a/src/lib/User.luan Mon Nov 28 23:47:19 2022 -0700
+++ b/src/lib/User.luan Tue Nov 29 16:09:17 2022 -0700
@@ -39,7 +39,8 @@
 password = doc.password
 name = doc.user_name
 created = doc.created
- hidden_password = doc.hidden_password
+ hidden_password_1 = doc.hidden_password_1
+ hidden_password_2 = doc.hidden_password_2
 }
 set_local_only(users_by_id,user.id,user)
 return user
@@ -54,7 +55,8 @@
 password = user.password
 user_name = user.name
 created = user.created or time_now()
- hidden_password = user.hidden_password
+ hidden_password_1 = user.hidden_password_1
+ hidden_password_2 = user.hidden_password_2
 }
 end
 
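Review bot: `hidden_password_1` and `hidden_password_2` are persisted as bare values with no issue time, so as far as this diff shows a mailed link stays valid until it is used or replaced by a newer request. Storing a timestamp next to each token, for example a proposed `hidden_password_issued = time_now()`, and rejecting tokens older than a fixed window in change_email.html.luan would bound how long a link in someone's mailbox remains usable. Both hunks sit inside functions whose beginnings are outside the diff.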