changeset 66:3fbe9cb2e325
security
author | Franklin Schmidt <fschmidt@gmail.com> |
---|---|
date | Wed, 18 Sep 2024 03:51:47 -0600 |
parents | 3d7067a23eff |
children | 9d0fefce6985 |
files | src/nabble/view/web/template/UserNamespace.java src/nabble/view/web/user/ChangeEmail.java src/nabble/view/web/user/ChangeEmail.jtp src/nabble/view/web/user/ChangeEmail3.java src/nabble/view/web/user/ChangeEmail3.jtp |
diffstat | 5 files changed, 15 insertions(+), 15 deletions(-) [+] |
diff -r 3d7067a23eff -r 3fbe9cb2e325 src/nabble/view/web/template/UserNamespace.java
--- a/src/nabble/view/web/template/UserNamespace.java Tue Sep 17 05:01:59 2024 -0600
+++ b/src/nabble/view/web/template/UserNamespace.java Wed Sep 18 03:51:47 2024 -0600
@@ -392,7 +392,7 @@
 }
 @Command public void change_email_path(IPrintWriter out,Interpreter interp) {
- out.print( interp.encode( "/user/ChangeEmail.jtp?user=" + user().getId() ) );
+ out.print( interp.encode( "/user/ChangeEmail.jtp" ) );
 }
 @Command public void change_avatar_path(IPrintWriter out,Interpreter interp) {
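Review bot: With the `user` query parameter dropped, `change_email_path` no longer depends on `user()`, so any template that renders this command while the namespace is bound to a profile other than the visitor's own will now link to the visitor's own ChangeEmail page; whether such a view exists (for example an administrator looking at another member's profile) is not visible from this hunk. If it does, consider emitting nothing in that case, or at least documenting the intent on the method, e.g. `// Always links to the visitor's own email-change page; user() is deliberately not used.` The enclosing class continues outside the hunk.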
diff -r 3d7067a23eff -r 3fbe9cb2e325 src/nabble/view/web/user/ChangeEmail.java
--- a/src/nabble/view/web/user/ChangeEmail.java Tue Sep 17 05:01:59 2024 -0600
+++ b/src/nabble/view/web/user/ChangeEmail.java Wed Sep 18 03:51:47 2024 -0600
@@ -25,9 +25,8 @@
 protected void service(HttpServletRequest request,HttpServletResponse response) throws ServletException, IOException {
- long userId = Jtp.getLong(request, "user");
 Site site = Jtp.getSiteNotNull(request);
- User user = site.getUser(userId);
+ User user = Jtp.getUser(request);
 User visitor = Jtp.getUser(request);
 boolean isAllowed = user.equals(visitor) || Permissions.isInGroup(visitor, Permissions.ADMINISTRATORS_GROUP);
@@ -47,7 +46,6 @@
 user.setProperty("_new_email", email);
 String url = ServletUtils.getContextURL(request) + "/user/ChangeEmail3.jtp?email=" + HtmlUtils.urlEncode(email)
- + "&user=" + user.getId()
 + "&h=" + emailHash(email)
 ;
 ChangeEmailMail.send(site, user.getName(), user.getEmail(), email, url);
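Review bot: `user` can now be null for an unauthenticated request, and the unchanged `isAllowed` line dereferences it via `user.equals(visitor)` before anything checks it, so an anonymous hit on ChangeEmail.jtp becomes a NullPointerException rather than a login prompt; ChangeEmail3 in this same changeset adds exactly that guard, and it belongs here too, directly after the new `User user = Jtp.getUser(request);` line. Since `user` and `visitor` are now the same `Jtp.getUser(request)` result, `user.equals(visitor)` is always true and the ADMINISTRATORS_GROUP alternative can never matter, so the whole `isAllowed` expression can collapse to the null check unless an admin-on-behalf-of path is still intended (the rest of service() is outside the hunk, so I cannot tell). The same applies to the ChangeEmail.jtp hunk below, which appears to be the template this file is generated from.
```java
	Site site = Jtp.getSiteNotNull(request);
	User user = Jtp.getUser(request);
	if( user==null ) {
		Jtp.login("You must login to change your email.",request,response);
		return;
	}
	// … unchanged: visitor / isAllowed …
```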
diff -r 3d7067a23eff -r 3fbe9cb2e325 src/nabble/view/web/user/ChangeEmail.jtp
--- a/src/nabble/view/web/user/ChangeEmail.jtp Tue Sep 17 05:01:59 2024 -0600
+++ b/src/nabble/view/web/user/ChangeEmail.jtp Wed Sep 18 03:51:47 2024 -0600
@@ -25,9 +25,8 @@
 protected void service(HttpServletRequest request,HttpServletResponse response) throws ServletException, IOException {
- long userId = Jtp.getLong(request, "user");
 Site site = Jtp.getSiteNotNull(request);
- User user = site.getUser(userId);
+ User user = Jtp.getUser(request);
 User visitor = Jtp.getUser(request);
 boolean isAllowed = user.equals(visitor) || Permissions.isInGroup(visitor, Permissions.ADMINISTRATORS_GROUP);
@@ -47,7 +46,6 @@
 user.setProperty("_new_email", email);
 String url = ServletUtils.getContextURL(request) + "/user/ChangeEmail3.jtp?email=" + HtmlUtils.urlEncode(email)
- + "&user=" + user.getId()
 + "&h=" + emailHash(email)
 ;
 ChangeEmailMail.send(site, user.getName(), user.getEmail(), email, url);
diff -r 3d7067a23eff -r 3fbe9cb2e325 src/nabble/view/web/user/ChangeEmail3.java
--- a/src/nabble/view/web/user/ChangeEmail3.java Tue Sep 17 05:01:59 2024 -0600
+++ b/src/nabble/view/web/user/ChangeEmail3.java Wed Sep 18 03:51:47 2024 -0600
@@ -40,19 +40,20 @@
 out.print( "\r\n <h1>Change Email Confirmation</h1>\r\n " );
 String email = request.getParameter("email");
- long userId = Long.valueOf(request.getParameter("user"));
 Site site = Jtp.getSite(request);
- User user = site.getUser(userId);
+ User user = Jtp.getUser(request);
+ if( user==null ) {
+ Jtp.login("You must login to change your email.",request,response);
+ return;
+ }
 String newEmail = user.getProperty("_new_email");
 int hash = Integer.parseInt(request.getParameter("h"));
 user.setProperty("_new_email", null); // delete key
 if (newEmail == null || !newEmail.equals(email) || hash != ChangeEmail.emailHash(newEmail)) {
- out.print( "\r\n<p><strong>We were unable to change your email address.</strong></p>\r\n<p>Please try <a href=\"ChangeEmail.jtp?user=" );
- out.print( (user.getId()) );
- out.print( "\">changing your email</a> again or <a href=\"/template/NamlServlet.jtp?macro=user_profile\">go back to menu</a>.</p>\r\n" );
+ out.print( "\r\n<p><strong>We were unable to change your email address.</strong></p>\r\n<p>Please try <a href=\"ChangeEmail.jtp\">changing your email</a> again or <a href=\"/template/NamlServlet.jtp?macro=user_profile\">go back to menu</a>.</p>\r\n" );
 } else {
 DbDatabase db = site.getDb();
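Review bot: The new `user==null` guard runs after `out.print( "\r\n <h1>Change Email Confirmation</h1>\r\n " )` and whatever the method wrote before line 40, so `Jtp.login(...)` is issued into a response that already carries body output; if that helper redirects, this only works while the output is still buffered and otherwise fails with an IllegalStateException. Hoist the guard to the top of the enclosing method, ahead of the first `out.print`, so the unauthenticated case never starts rendering the page. Two lines below the guard, `Integer.parseInt(request.getParameter("h"))` still throws NumberFormatException when `h` is missing or not numeric, which surfaces as a server error instead of the "unable to change" branch; treating an unparseable `h` as a failed confirmation would keep the link single-use and the error path uniform. The enclosing method starts outside the hunk, and the same two points apply to the ChangeEmail3.jtp hunk below.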
diff -r 3d7067a23eff -r 3fbe9cb2e325 src/nabble/view/web/user/ChangeEmail3.jtp
--- a/src/nabble/view/web/user/ChangeEmail3.jtp Tue Sep 17 05:01:59 2024 -0600
+++ b/src/nabble/view/web/user/ChangeEmail3.jtp Wed Sep 18 03:51:47 2024 -0600
@@ -42,10 +42,13 @@
 <h1>Change Email Confirmation</h1>
 <%
 String email = request.getParameter("email");
- long userId = Long.valueOf(request.getParameter("user"));
 Site site = Jtp.getSite(request);
- User user = site.getUser(userId);
+ User user = Jtp.getUser(request);
+ if( user==null ) {
+ Jtp.login("You must login to change your email.",request,response);
+ return;
+ }
 String newEmail = user.getProperty("_new_email");
 int hash = Integer.parseInt(request.getParameter("h"));
 user.setProperty("_new_email", null); // delete key
@@ -53,7 +56,7 @@
 {
 %>
 <p><strong>We were unable to change your email address.</strong></p>
- <p>Please try <a href="ChangeEmail.jtp?user=<%=user.getId()%>">changing your email</a> again or <a href="/template/NamlServlet.jtp?macro=user_profile">go back to menu</a>.</p>
+ <p>Please try <a href="ChangeEmail.jtp">changing your email</a> again or <a href="/template/NamlServlet.jtp?macro=user_profile">go back to menu</a>.</p>
 <%
 } else {
 DbDatabase db = site.getDb();