changeset 66:3fbe9cb2e325 default tip

security
author Franklin Schmidt <fschmidt@gmail.com>
date Wed, 18 Sep 2024 03:51:47 -0600
parents 3d7067a23eff
children
files src/nabble/view/web/template/UserNamespace.java src/nabble/view/web/user/ChangeEmail.java src/nabble/view/web/user/ChangeEmail.jtp src/nabble/view/web/user/ChangeEmail3.java src/nabble/view/web/user/ChangeEmail3.jtp
diffstat 5 files changed, 15 insertions(+), 15 deletions(-) [+]
--- a/src/nabble/view/web/template/UserNamespace.java	Tue Sep 17 05:01:59 2024 -0600
+++ b/src/nabble/view/web/template/UserNamespace.java	Wed Sep 18 03:51:47 2024 -0600
@@ -392,7 +392,7 @@
 	}
 
 	@Command public void change_email_path(IPrintWriter out,Interpreter interp) {
-		out.print( interp.encode( "/user/ChangeEmail.jtp?user=" + user().getId() ) );
+		out.print( interp.encode( "/user/ChangeEmail.jtp" ) );
 	}
 
 	@Command public void change_avatar_path(IPrintWriter out,Interpreter interp) {
--- a/src/nabble/view/web/user/ChangeEmail.java	Tue Sep 17 05:01:59 2024 -0600
+++ b/src/nabble/view/web/user/ChangeEmail.java	Wed Sep 18 03:51:47 2024 -0600
@@ -25,9 +25,8 @@
 	protected void service(HttpServletRequest request,HttpServletResponse response)
 		throws ServletException, IOException
 	{
-		long userId = Jtp.getLong(request, "user");
 		Site site = Jtp.getSiteNotNull(request);
-		User user = site.getUser(userId);
+		User user = Jtp.getUser(request);
 
 		User visitor = Jtp.getUser(request);
 		boolean isAllowed = user.equals(visitor) || Permissions.isInGroup(visitor, Permissions.ADMINISTRATORS_GROUP);
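Review bot: The new `User user = Jtp.getUser(request);` is not null-checked before `user.equals(visitor)` on the next line, so an unauthenticated request now throws a NullPointerException instead of being redirected; the same commit's ChangeEmail3 guards exactly this case, which suggests `Jtp.getUser` can return null. Add the same guard right after the assignment: `if (user == null) { Jtp.login("You must login to change your email.", request, response); return; }`. Note also that `user` and `visitor` are now the same object, so `isAllowed` is always true once non-null and the `ADMINISTRATORS_GROUP` branch is dead — if admins are no longer meant to change other users' addresses, that condition can be dropped to avoid implying a check that no longer exists. The `service` method continues past this hunk.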
@@ -47,7 +46,6 @@
 				user.setProperty("_new_email", email);
 				String url = ServletUtils.getContextURL(request)
 					+ "/user/ChangeEmail3.jtp?email=" + HtmlUtils.urlEncode(email)
-					+ "&user=" + user.getId()
 					+ "&h=" + emailHash(email)
 				;
 				ChangeEmailMail.send(site, user.getName(), user.getEmail(), email, url);
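Review bot: With the `user` parameter gone, the only thing in the link that is not already in the URL is `h`, and `h` is `emailHash(email)` computed from the very `email` that precedes it — unless `emailHash` mixes in a server secret (not visible here), anyone who knows the target address can reconstruct the confirmation URL without ever receiving the mail. If the mail is meant to prove control of the new address, that proof now rests entirely on `emailHash` being unguessable, which an `int` hash is unlikely to be. A stronger binding is a random single-use token stored next to the pending address, e.g. `String token = new BigInteger(130, new SecureRandom()).toString(32); user.setProperty("_new_email_token", token);` and `+ "&h=" + token`, with ChangeEmail3 comparing against and then clearing that property. The enclosing method continues outside this hunk.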
--- a/src/nabble/view/web/user/ChangeEmail.jtp	Tue Sep 17 05:01:59 2024 -0600
+++ b/src/nabble/view/web/user/ChangeEmail.jtp	Wed Sep 18 03:51:47 2024 -0600
@@ -25,9 +25,8 @@
 	protected void service(HttpServletRequest request,HttpServletResponse response)
 		throws ServletException, IOException
 	{
-		long userId = Jtp.getLong(request, "user");
 		Site site = Jtp.getSiteNotNull(request);
-		User user = site.getUser(userId);
+		User user = Jtp.getUser(request);
 
 		User visitor = Jtp.getUser(request);
 		boolean isAllowed = user.equals(visitor) || Permissions.isInGroup(visitor, Permissions.ADMINISTRATORS_GROUP);
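Review bot: `user` is taken from `Jtp.getUser(request)` but is dereferenced by `user.equals(visitor)` on the next line with no null check, so an anonymous visitor gets a NullPointerException rather than a login prompt; ChangeEmail3.jtp in this same commit treats a null return as the not-logged-in case. Insert, immediately after the assignment, `if (user == null) { Jtp.login("You must login to change your email.", request, response); return; }`. Since `user` and `visitor` are now obtained identically, `user.equals(visitor)` is always true for a logged-in visitor and the administrator clause no longer does anything — worth simplifying so the code does not suggest an admin override that cannot trigger. The `service` method extends beyond this hunk.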
@@ -47,7 +46,6 @@
 				user.setProperty("_new_email", email);
 				String url = ServletUtils.getContextURL(request)
 					+ "/user/ChangeEmail3.jtp?email=" + HtmlUtils.urlEncode(email)
-					+ "&user=" + user.getId()
 					+ "&h=" + emailHash(email)
 				;
 				ChangeEmailMail.send(site, user.getName(), user.getEmail(), email, url);
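Review bot: After removing `&user=`, the link carries `email` in the clear plus `h = emailHash(email)`, i.e. a value derivable from the other parameter; if `emailHash` is an unkeyed hash (its definition is outside this hunk) the mailed URL adds no secret and the recipient check collapses to "the logged-in user previously submitted this address". For a flow whose purpose is to verify the new mailbox that is a weak guarantee. Prefer a per-request random token, e.g. `String token = new BigInteger(130, new SecureRandom()).toString(32); user.setProperty("_new_email_token", token);` and `+ "&h=" + token`, verified and cleared in ChangeEmail3 alongside `_new_email`. The enclosing method starts and ends outside this hunk.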
--- a/src/nabble/view/web/user/ChangeEmail3.java	Tue Sep 17 05:01:59 2024 -0600
+++ b/src/nabble/view/web/user/ChangeEmail3.java	Wed Sep 18 03:51:47 2024 -0600
@@ -40,19 +40,20 @@
 		out.print( "\r\n	<h1>Change Email Confirmation</h1>\r\n	" );
 
 			String email = request.getParameter("email");
-			long userId = Long.valueOf(request.getParameter("user"));
 
 			Site site = Jtp.getSite(request);
-			User user = site.getUser(userId);
+			User user = Jtp.getUser(request);
+			if( user==null ) {
+				Jtp.login("You must login to change your email.",request,response);
+				return;
+			}
 			String newEmail = user.getProperty("_new_email");
 			int hash = Integer.parseInt(request.getParameter("h"));
 			user.setProperty("_new_email", null); // delete key
 			if (newEmail == null || !newEmail.equals(email) || hash != ChangeEmail.emailHash(newEmail))
 			{
 				
-		out.print( "\r\n<p><strong>We were unable to change your email address.</strong></p>\r\n<p>Please try <a href=\"ChangeEmail.jtp?user=" );
-		out.print( (user.getId()) );
-		out.print( "\">changing your email</a> again or <a href=\"/template/NamlServlet.jtp?macro=user_profile\">go back to menu</a>.</p>\r\n" );
+		out.print( "\r\n<p><strong>We were unable to change your email address.</strong></p>\r\n<p>Please try <a href=\"ChangeEmail.jtp\">changing your email</a> again or <a href=\"/template/NamlServlet.jtp?macro=user_profile\">go back to menu</a>.</p>\r\n" );
 
 			} else {
 				DbDatabase db = site.getDb();
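Review bot: `Integer.parseInt(request.getParameter("h"))` still runs unguarded, so a link with a missing or non-numeric `h` throws NumberFormatException (a server error rather than the "unable to change" page), and because it executes before `user.setProperty("_new_email", null)` the pending request survives the failed attempt instead of being consumed. Move the clear ahead of the parse and compare as strings so any malformed input lands in the failure branch: `user.setProperty("_new_email", null); // delete key` then `String h = request.getParameter("h");` and `if (newEmail == null || !newEmail.equals(email) || h == null || !h.equals(String.valueOf(ChangeEmail.emailHash(newEmail))))`. Separately, the confirmation is now a session-bound GET whose `h` is computable from `email`; if the ChangeEmail form that sets `_new_email` has no CSRF protection (not visible here), an attacker could stage the pending address and then complete it with a cross-site image request, so a POST or a CSRF token on this step would be prudent. The surrounding method begins and ends outside this hunk.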
--- a/src/nabble/view/web/user/ChangeEmail3.jtp	Tue Sep 17 05:01:59 2024 -0600
+++ b/src/nabble/view/web/user/ChangeEmail3.jtp	Wed Sep 18 03:51:47 2024 -0600
@@ -42,10 +42,13 @@
 			<h1>Change Email Confirmation</h1>
 			<%
 			String email = request.getParameter("email");
-			long userId = Long.valueOf(request.getParameter("user"));
 
 			Site site = Jtp.getSite(request);
-			User user = site.getUser(userId);
+			User user = Jtp.getUser(request);
+			if( user==null ) {
+				Jtp.login("You must login to change your email.",request,response);
+				return;
+			}
 			String newEmail = user.getProperty("_new_email");
 			int hash = Integer.parseInt(request.getParameter("h"));
 			user.setProperty("_new_email", null); // delete key
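Review bot: The hunk adds a login guard but leaves `Integer.parseInt(request.getParameter("h"))` unprotected, so a tampered or truncated link (`h` absent or not an integer) produces a NumberFormatException instead of the friendly failure page; since the exception fires before `user.setProperty("_new_email", null)`, the pending change is also not consumed. Clear first and compare the raw parameter as a string: `user.setProperty("_new_email", null); // delete key`, `String h = request.getParameter("h");`, `if (newEmail == null || !newEmail.equals(email) || h == null || !h.equals(String.valueOf(ChangeEmail.emailHash(newEmail))))`. Also note this confirmation is a GET acting on the logged-in session with a token derivable from `email`, so its CSRF resistance depends on the ChangeEmail form being protected, which this diff does not show. The enclosing scriptlet continues past this hunk.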
@@ -53,7 +56,7 @@
 			{
 				%>
 				<p><strong>We were unable to change your email address.</strong></p>
-				<p>Please try <a href="ChangeEmail.jtp?user=<%=user.getId()%>">changing your email</a> again or <a href="/template/NamlServlet.jtp?macro=user_profile">go back to menu</a>.</p>
+				<p>Please try <a href="ChangeEmail.jtp">changing your email</a> again or <a href="/template/NamlServlet.jtp?macro=user_profile">go back to menu</a>.</p>
 				<%
 			} else {
 				DbDatabase db = site.getDb();