author | ben <ben@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2008-10-24 16:25:45 +0000 |
---|---|---|
committer | ben <ben@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2008-10-24 16:25:45 +0000 |
commit | eafaae2327feb7244c37da3e94dbbc912be9db88 (patch) | |
tree | 769644201baaf38c1b5a465a5fef5d7f81683151 | |
parent | cfeaf074b33716d589cec274216bb003e0e925dd (diff) | |
download | elgg-eafaae2327feb7244c37da3e94dbbc912be9db88.tar.gz elgg-eafaae2327feb7244c37da3e94dbbc912be9db88.tar.bz2 |
The friend invite infrastructure is now secure.
git-svn-id: https://code.elgg.org/elgg/trunk@2310 36083f99-b078-4883-b0ff-0f9b5a30f544
-rw-r--r-- | account/register.php | 3 | ||||
-rw-r--r-- | actions/register.php | 5 | ||||
-rw-r--r-- | engine/lib/users.php | 24 | ||||
-rw-r--r-- | views/default/account/forms/register.php | 3 |
4 files changed, 27 insertions, 8 deletions
diff --git a/account/register.php b/account/register.php
index 474e6edc6..ff03c7d70 100644
--- a/account/register.php
+++ b/account/register.php
@@ -17,10 +17,11 @@ require_once(dirname(dirname(__FILE__)) . "/engine/start.php");
$friend_guid = (int) get_input('friend_guid',0);
+ $invitecode = get_input('invitecode');
// If we're not logged in, display the registration page
if (!isloggedin()) {
- echo page_draw(elgg_echo('register'), elgg_view("account/forms/register", array('friend_guid' => $friend_guid)));
+ echo page_draw(elgg_echo('register'), elgg_view("account/forms/register", array('friend_guid' => $friend_guid, 'invitecode' => $invitecode)));
// Otherwise, forward to the index page
} else {
forward();
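Review bot: `$invitecode = get_input('invitecode');` on the added line is handed to the registration form view as a hidden-field value without any shape check, so whatever arrives in the query string travels into the rendered page on every visit. A valid code is the 32-character hex digest produced by `generate_invite_code()` in engine/lib/users.php, so the page can drop anything else up front: `$invitecode = get_input('invitecode'); if (!preg_match('/^[0-9a-f]{32}$/', $invitecode)) { $invitecode = ''; }`. Whether `elgg_view('input/hidden', …)` escapes the value for the attribute context is not visible here; the check above keeps a malformed code from reaching the view either way.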
diff --git a/actions/register.php b/actions/register.php
index a92f37f54..5cbb9afbf 100644
--- a/actions/register.php
+++ b/actions/register.php
@@ -23,6 +23,7 @@ $email = get_input('email');
$name = get_input('name');
$friend_guid = (int) get_input('friend_guid',0);
+ $invitecode = get_input('invitecode');
$admin = get_input('admin'); if (is_array($admin)) $admin = $admin[0];
@@ -38,7 +39,7 @@ (trim($password)!="") && (strcmp($password, $password2)==0) ) &&
- ($guid = register_user($username, $password, $name, $email, $friend_guid))
+ ($guid = register_user($username, $password, $name, $email, false, $friend_guid, $invitecode))
) { $new_user = get_entity($guid);
@@ -69,7 +70,7 @@ $qs = explode('?',$_SERVER['HTTP_REFERER']); $qs = $qs[0];
- $qs .= "?u=" . urlencode($username) . "&e=" . urlencode($email) . "&n=" . urlencode($name);
+ $qs .= "?u=" . urlencode($username) . "&e=" . urlencode($email) . "&n=" . urlencode($name) . "&friend_guid=" . $friend_guid;
forward($qs);
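Review bot: The failure redirect in the third hunk (`@@ -69,7 +70,7 @@`) now carries `friend_guid` back to the form but drops `invitecode`, so after a validation error the re-rendered form (presumably account/register.php, which reads both from the request) holds the friend GUID without the code that `register_user()` now requires, and the retried registration silently creates no friendship. Append the code next to the GUID: `$qs .= "?u=" . urlencode($username) . "&e=" . urlencode($email) . "&n=" . urlencode($name) . "&friend_guid=" . $friend_guid . "&invitecode=" . urlencode($invitecode);`. In the second hunk the new positional `false` argument would read better with its name spelled out, e.g. `false /* allow_multiple_emails */`. The enclosing `if` in the second hunk starts and ends outside the visible lines, and the reliance on `$_SERVER['HTTP_REFERER']` predates this change.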
diff --git a/engine/lib/users.php b/engine/lib/users.php
index 4f6a73626..bd212570c 100644
--- a/engine/lib/users.php
+++ b/engine/lib/users.php
@@ -1061,11 +1061,11 @@ * @param int $friend_guid Optionally, GUID of a user this user will friend once fully registered
* @return int|false The new user's GUID; false on failure
*/
- function register_user($username, $password, $name, $email, $allow_multiple_emails = false, $friend_guid = 0) {
+ function register_user($username, $password, $name, $email, $allow_multiple_emails = false, $friend_guid = 0, $invitecode = '') {
// Load the configuration
global $CONFIG;
-
+
$username = sanitise_string($username);
$password = sanitise_string($password);
$name = sanitise_string($name);
@@ -1120,10 +1120,13 @@ $user->password = generate_user_password($user, $password);
$user->save();
- // If $friend_guid has been set
+ // If $friend_guid has been set, make mutual friends
if ($friend_guid) {
if ($friend_user = get_user($friend_guid)) {
- $user->addFriend($friend_guid);
+ if ($invitecode == generate_invite_code($friend_user->username)) {
+ $user->addFriend($friend_guid);
+ $friend_user->addFriend($user->guid);
+ }
}
}
@@ -1139,6 +1142,19 @@ }
/**
+ * Generates a unique invite code for a user
+ *
+ * @param string $username The username of the user sending the invitation
+ * @return string Invite code
+ */
+ function generate_invite_code($username) {
+
+ $secret = datalist_get('__site_secret__');
+ return md5($username . $secret);
+
+ }
+
+ /**
* Adds collection submenu items
*
*/
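Review bot: `if ($invitecode == generate_invite_code($friend_user->username))` in the second hunk compares the request-supplied code with loose `==`, which in PHP compares two numeric-looking strings (a hex digest can be one) as numbers rather than byte for byte; use `===` so the check is exact, and `hash_equals()` where the runtime provides it so it is also constant-time. `generate_invite_code()` derives the code as `md5($username . $secret)`, a bare concatenation rather than a keyed MAC; `return hash_hmac('sha256', $username, $secret);` is the standard construction for this, keeps the same per-user property and changes no caller. The docblock's "unique invite code" is also misleading, since the code is fixed for that inviter until the site secret changes and does not depend on the invitee — say so: `Generates the invite code for a user; the code is constant for that username until __site_secret__ changes.` The `@param` list of `register_user()` in the first hunk was not extended for the new parameter; add `@param string $invitecode Invite code issued by generate_invite_code() for the username of $friend_guid`.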
diff --git a/views/default/account/forms/register.php b/views/default/account/forms/register.php
index b099ce8bf..cbc29f52b 100644
--- a/views/default/account/forms/register.php
+++ b/views/default/account/forms/register.php
@@ -29,7 +29,8 @@ if ($admin_option) $form_body .= elgg_view('input/checkboxes', array('internalname' => "admin", 'options' => array(elgg_echo('admin_option'))));
- $form_body .= elgg_view('input/hidden', array('internalname' => 'friend_guid', 'value' => $vars['friend_guid']));
+ $form_body .= elgg_view('input/hidden', array('internalname' => 'friend_guid', 'value' => $vars['friend_guid']));
+ $form_body .= elgg_view('input/hidden', array('internalname' => 'invitecode', 'value' => $vars['invitecode']));
$form_body .= elgg_view('input/hidden', array('internalname' => 'action', 'value' => 'register'));
$form_body .= elgg_view('input/submit', array('internalname' => 'submit', 'value' => elgg_echo('register'))) . "</p>";
?>
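Review bot: The added line reads `$vars['invitecode']` unconditionally, so any caller of this view that does not pass the key (only account/register.php is updated in this commit) raises an undefined-index notice and emits an empty hidden field; guard it with `'value' => isset($vars['invitecode']) ? $vars['invitecode'] : ''`. The pre-existing `$vars['friend_guid']` line directly above has the same gap and could take the same guard. Whether `input/hidden` escapes `value` for the attribute context is not visible in this hunk — worth confirming, since the value originates from the request query string.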