aboutsummaryrefslogtreecommitdiff
path: root/mod/uservalidationbyemail/start.php
diff options
context:
space:
mode:
Diffstat (limited to 'mod/uservalidationbyemail/start.php')
-rw-r--r--mod/uservalidationbyemail/start.php216
1 files changed, 147 insertions, 69 deletions
diff --git a/mod/uservalidationbyemail/start.php b/mod/uservalidationbyemail/start.php
index 3ce7542c2..677fea231 100644
--- a/mod/uservalidationbyemail/start.php
+++ b/mod/uservalidationbyemail/start.php
@@ -1,36 +1,120 @@
<?php
/**
* Email user validation plugin.
- * Non-admin or admin created accounts are invalid until their email address is confirmed.
+ * Non-admin accounts are invalid until their email address is confirmed.
*
- * @package ElggUserValidationByEmail
- * @author Curverider Ltd
- * @link http://elgg.com/
+ * @package Elgg.Core.Plugin
+ * @subpackage UserValidationByEmail
*/
function uservalidationbyemail_init() {
global $CONFIG;
+ require_once dirname(__FILE__) . '/lib/functions.php';
+
// Register page handler to validate users
- // This isn't an action because security is handled by the validation codes.
+ // This doesn't need to be an action because security is handled by the validation codes.
register_page_handler('uservalidationbyemail', 'uservalidationbyemail_page_handler');
- // Register hook listening to new users.
- register_elgg_event_handler('validate', 'user', 'uservalidationbyemail_email_validation');
-
+ // mark users as unvalidated when they register
+ register_plugin_hook('register', 'user', 'uservalidationbyemail_disable_new_user');
+
+ // prevent users from logging in if they aren't validated
+ register_plugin_hook('action', 'login', 'uservalidationbyemail_check_login_attempt');
+
+ // when requesting a new password
+ register_plugin_hook('action', 'user/requestnewpassword', 'uservalidationbyemail_check_request_password');
+
+ // prevent the engine from logging in users via login()
+ register_elgg_event_handler('login', 'user', 'uservalidationbyemail_check_manual_login');
+
+ // make admin users always validated
+ register_elgg_event_handler('make_admin', 'user', 'uservalidationbyemail_validate_new_admin_user');
+
// register Walled Garden public pages
register_plugin_hook('public_pages', 'walled_garden', 'uservalidationbyemail_public_pages');
}
/**
- * Get security token, forward to action.
+ * Disables a user upon registration.
+ *
+ * @param unknown_type $hook
+ * @param unknown_type $type
+ * @param unknown_type $value
+ * @param unknown_type $params
+ */
+function uservalidationbyemail_disable_new_user($hook, $type, $value, $params) {
+ $user = elgg_get_array_value('user', $params);
+
+ // no clue what's going on, so don't react.
+ if (!$user instanceof ElggUser) {
+ return NULL;
+ }
+
+ // disable user to prevent showing up on the site
+ // Don't do a recursive disable. Any entities owned by the user at this point
+ // are products of plugins that hook into create user and might need
+ // access to the entities.
+ // @todo That ^ sounds like a specific case...would be nice to track it down...
+ $user->disable('uservalidationbyemail_new_user', FALSE);
+
+ // set user as unvalidated and send out validation email
+ uservalidationbyemail_set_user_validation_status($user->guid, FALSE);
+ uservalidationbyemail_request_validation($user->guid);
+
+ return TRUE;
+}
+
+/**
+ * Checks if a login failed because the user hasn't validated his account.
+ *
+ * @param unknown_type $hook
+ * @param unknown_type $type
+ * @param unknown_type $value
+ * @param unknown_type $params
+ */
+function uservalidationbyemail_check_login_attempt($hook, $type, $value, $params) {
+ // everything is only stored in the input at this point
+ $username = get_input('username');
+ $password = get_input("password");
+
+ if (empty($username) || empty($password)) {
+ // return true to let the original login action deal with it.
+ return TRUE;
+ }
+
+ // see if we need to resolve an email address to a username
+ if (strpos($username, '@') !== FALSE && ($users = get_user_by_email($username))) {
+ $username = $users[0]->username;
+ }
+
+ // See the users exists and isn't validated
+ $access_status = access_get_show_hidden_status();
+ access_show_hidden_entities(TRUE);
+
+ $user = get_user_by_username($username);
+
+ // only resend validation if the password is correct
+ if ($user && authenticate($username, $password) && !$user->validated) {
+ // show an error and resend validation email
+ uservalidationbyemail_request_validation($user->guid);
+ // halt action
+ $value = FALSE;
+ }
+
+ access_show_hidden_entities($access_status);
+
+ return $value;
+}
+
+/**
+ * Checks sent passed validation code and user guids and validates the user.
*
- * @param unknown_type $page
- * @return unknown_type
+ * @param array $page
*/
function uservalidationbyemail_page_handler($page) {
global $CONFIG;
-
+
if (isset($page[0]) && $page[0] == 'confirm') {
$code = sanitise_string(get_input('c', FALSE));
$user_guid = get_input('u', FALSE);
@@ -47,9 +131,7 @@ function uservalidationbyemail_page_handler($page) {
$user = get_entity($user_guid);
$user->enable();
-
- notify_user($user_guid, $CONFIG->site->guid, sprintf(elgg_echo('email:validate:success:subject'), $user->username), sprintf(elgg_echo('email:validate:success:body'), $user->name), NULL, 'email');
-
+ login($user);
} else {
register_error(elgg_echo('email:confirm:fail'));
}
@@ -66,84 +148,80 @@ function uservalidationbyemail_page_handler($page) {
}
/**
- * Request email validation.
+ * Make sure any admin users are automatically validated
+ *
+ * @param unknown_type $event
+ * @param unknown_type $type
+ * @param unknown_type $object
*/
-function uservalidationbyemail_email_validation($event, $object_type, $object) {
- if (($object) && ($object instanceof ElggUser)) {
- uservalidationbyemail_request_validation($object->guid);
+function uservalidationbyemail_validate_new_admin_user($event, $type, $user) {
+ if ($user instanceof ElggUser && !$user->validated) {
+ uservalidationbyemail_set_user_validation_status($user->guid, TRUE, 'admin_user');
}
- return true;
+ return TRUE;
}
/**
- * Generate an email activation code.
- *
- * @param int $user_guid The guid of the user
- * @param string $email_address Email address
- * @return string
+ * Registers public pages to allow in the case Private Network has been enabled.
*/
-function uservalidationbyemail_generate_code($user_guid, $email_address) {
- global $CONFIG;
-
- // Note I bind to site URL, this is important on multisite!
- return md5($user_guid . $email_address . $CONFIG->site->url . get_site_secret());
+function uservalidationbyemail_public_pages($hook, $type, $return_value, $params) {
+ $return_value[] = 'pg/uservalidationbyemail/confirm';
+ return $return_value;
}
/**
- * Request user validation email.
- * Send email out to the address and request a confirmation.
+ * Prevent a manual code login with login().
*
- * @param int $user_guid The user
- * @return mixed
+ * @param unknown_type $event
+ * @param unknown_type $type
+ * @param unknown_type $user
*/
-function uservalidationbyemail_request_validation($user_guid) {
- global $CONFIG;
-
- $user_guid = (int)$user_guid;
- $user = get_entity($user_guid);
+function uservalidationbyemail_check_manual_login($event, $type, $user) {
+ $access_status = access_get_show_hidden_status();
+ access_show_hidden_entities(TRUE);
- if (($user) && ($user instanceof ElggUser)) {
- // Work out validate link
- $code = uservalidationbyemail_generate_code($user_guid, $user->email);
- $link = "{$CONFIG->site->url}pg/uservalidationbyemail/confirm?u=$user_guid&c=$code";
+ // @todo register_error()?
+ $return = ($user instanceof ElggUser && !$user->validated) ? FALSE : NULL;
- // Send validation email
- $result = notify_user($user->guid, $CONFIG->site->guid, sprintf(elgg_echo('email:validate:subject'), $user->username), sprintf(elgg_echo('email:validate:body'), $user->name, $link), NULL, 'email');
- if ($result) {
- system_message(elgg_echo('uservalidationbyemail:registerok'));
- }
+ access_show_hidden_entities($access_status);
- return $result;
- }
-
- return FALSE;
+ return $return;
}
/**
- * Validate a user
+ * Deny requests to change password if the account isn't validated.
*
- * @param unknown_type $user_guid
- * @param unknown_type $code
- * @return unknown
+ * @todo This is needed because changing the password requires the entity to be enabled.
+ *
+ * @param unknown_type $hook
+ * @param unknown_type $type
+ * @param unknown_type $value
+ * @param unknown_type $params
*/
-function uservalidationbyemail_validate_email($user_guid, $code) {
- $user = get_entity($user_guid);
+function uservalidationbyemail_check_request_password($hook, $type, $value, $params) {
+ $username = get_input('username');
- if ($code == uservalidationbyemail_generate_code($user_guid, $user->email)) {
- return set_user_validation_status($user_guid, true, 'email');
+ // see if we need to resolve an email address to a username
+ if (strpos($username, '@') !== FALSE && ($users = get_user_by_email($username))) {
+ $username = $users[0]->username;
}
- return false;
-}
+ // See the users exists and isn't validated
+ $access_status = access_get_show_hidden_status();
+ access_show_hidden_entities(TRUE);
-/**
- * Registers public pages to allow in the case Private Network has been enabled.
- */
-function uservalidationbyemail_public_pages($hook, $type, $return_value, $params) {
- $return_value[] = 'pg/uservalidationbyemail/confirm';
- return $return_value;
+ $user = get_user_by_username($username);
+
+ // resend validation instead of resetting password
+ if ($user && !$user->validated) {
+ uservalidationbyemail_request_validation($user->guid);
+ $value = FALSE;
+ }
+
+ access_show_hidden_entities($access_status);
+
+ return $value;
}
-// Initialise
register_elgg_event_handler('init', 'system', 'uservalidationbyemail_init'); \ No newline at end of file