From eafaae2327feb7244c37da3e94dbbc912be9db88 Mon Sep 17 00:00:00 2001
From: ben
Date: Fri, 24 Oct 2008 16:25:45 +0000
Subject: The friend invite infrastructure is now secure.
git-svn-id: https://code.elgg.org/elgg/trunk@2310 36083f99-b078-4883-b0ff-0f9b5a30f544
---
 account/register.php | 3 ++-
 actions/register.php | 5 +++--
 engine/lib/users.php | 24 ++++++++++++++++++++----
 views/default/account/forms/register.php | 3 ++-
 4 files changed, 27 insertions(+), 8 deletions(-)
diff --git a/account/register.php b/account/register.php
index 474e6edc6..ff03c7d70 100644
--- a/account/register.php
+++ b/account/register.php
@@ -17,10 +17,11 @@
 require_once(dirname(dirname(__FILE__)) . "/engine/start.php");
 $friend_guid = (int) get_input('friend_guid',0);
+ $invitecode = get_input('invitecode');
 // If we're not logged in, display the registration page
 if (!isloggedin()) {
- echo page_draw(elgg_echo('register'), elgg_view("account/forms/register", array('friend_guid' => $friend_guid)));
+ echo page_draw(elgg_echo('register'), elgg_view("account/forms/register", array('friend_guid' => $friend_guid, 'invitecode' => $invitecode)));
 // Otherwise, forward to the index page
 } else {
 forward();
diff --git a/actions/register.php b/actions/register.php
index a92f37f54..5cbb9afbf 100644
--- a/actions/register.php
+++ b/actions/register.php
@@ -23,6 +23,7 @@
 $email = get_input('email');
 $name = get_input('name');
 $friend_guid = (int) get_input('friend_guid',0);
+ $invitecode = get_input('invitecode');
 $admin = get_input('admin');
 if (is_array($admin)) $admin = $admin[0];
@@ -38,7 +39,7 @@
 (trim($password)!="") && (strcmp($password, $password2)==0)
 ) &&
- ($guid = register_user($username, $password, $name, $email, $friend_guid))
+ ($guid = register_user($username, $password, $name, $email, false, $friend_guid, $invitecode))
 ) {
 $new_user = get_entity($guid);
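Review bot: `$invitecode` is read straight from the request on the added `get_input('invitecode')` line and handed to the view with no shape check, so whatever a visitor puts in the URL ends up inside a hidden form field; the same raw read appears in the `@@ -23,6 +23,7 @@` hunk of actions/register.php. The code this value is compared against is the output of `md5()` in the generate_invite_code hunk of engine/lib/users.php, i.e. always 32 hex characters, so a cheap guard directly after the read is `if (!preg_match('/^[a-f0-9]{32}$/', $invitecode)) $invitecode = '';`. Whether `input/hidden` escapes `value` is not visible in this patch; the guard removes the need to rely on it and also guarantees a string, never null, reaches register_user().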
@@ -69,7 +70,7 @@
 $qs = explode('?',$_SERVER['HTTP_REFERER']);
 $qs = $qs[0];
- $qs .= "?u=" . urlencode($username) . "&e=" . urlencode($email) . "&n=" . urlencode($name);
+ $qs .= "?u=" . urlencode($username) . "&e=" . urlencode($email) . "&n=" . urlencode($name) . "&friend_guid=" . $friend_guid;
 forward($qs);
diff --git a/engine/lib/users.php b/engine/lib/users.php
index 4f6a73626..bd212570c 100644
--- a/engine/lib/users.php
+++ b/engine/lib/users.php
@@ -1061,11 +1061,11 @@
 * @param int $friend_guid Optionally, GUID of a user this user will friend once fully registered
 * @return int|false The new user's GUID; false on failure
 */
- function register_user($username, $password, $name, $email, $allow_multiple_emails = false, $friend_guid = 0) {
+ function register_user($username, $password, $name, $email, $allow_multiple_emails = false, $friend_guid = 0, $invitecode = '') {
 // Load the configuration
 global $CONFIG;
-
+
 $username = sanitise_string($username);
 $password = sanitise_string($password);
 $name = sanitise_string($name);
@@ -1120,10 +1120,13 @@
 $user->password = generate_user_password($user, $password);
 $user->save();
- // If $friend_guid has been set
+ // If $friend_guid has been set, make mutual friends
 if ($friend_guid) {
 if ($friend_user = get_user($friend_guid)) {
- $user->addFriend($friend_guid);
+ if ($invitecode == generate_invite_code($friend_user->username)) {
+ $user->addFriend($friend_guid);
+ $friend_user->addFriend($user->guid);
+ }
 }
 }
@@ -1138,6 +1141,19 @@
 return $user->getGUID();
 }
+ /**
+ * Generates a unique invite code for a user
+ *
+ * @param string $username The username of the user sending the invitation
+ * @return string Invite code
+ */
+ function generate_invite_code($username) {
+
+ $secret = datalist_get('__site_secret__');
+ return md5($username . $secret);
+
+ }
+
 /**
 * Adds collection submenu items
 *
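Review bot: The failure redirect now carries `friend_guid` but drops the invite code, so when the visitor is sent back to the form (presumably the referer is the registration page) and resubmits, register_user() is called with an empty `$invitecode`, the comparison in the `@@ -1120,10 +1120,13 @@` hunk fails and the friend link is silently skipped. Append it next to the guid: `$qs .= "?u=" . urlencode($username) . "&e=" . urlencode($email) . "&n=" . urlencode($name) . "&friend_guid=" . $friend_guid . "&invitecode=" . urlencode($invitecode);`. The first hunk of this patch already re-reads `invitecode` in account/register.php, so the round trip then works. The enclosing block of this hunk starts and ends outside it.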
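Review bot: The register_user() signature gains `$invitecode = ''` but the docblock directly above it, whose `@param int $friend_guid ...` and `@return int|false ...` entries are visible as context, is not extended, so callers cannot tell what the value is or how to obtain it. Add `@param string $invitecode Optionally, the code produced by generate_invite_code($friend_user->username); without a matching code no friend link is made` before the `@return` line. The `-`/`+` pair following `global $CONFIG;` is a whitespace-only change.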
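Review bot: The new check `if ($invitecode == generate_invite_code($friend_user->username))` compares a request-supplied string with a hash using `==`, and PHP's loose comparison converts two numeric-looking strings to numbers before comparing, so the match is not the exact string equality the design needs. Use a strict comparison, `if ($invitecode === generate_invite_code($friend_user->username)) {`, and on PHP 5.6 or later prefer `hash_equals()`, which is also constant-time. Worth recording in a comment on that line as well: the code depends only on the inviter's username and the site secret, so it never expires and can be used any number of times; that is a design caveat rather than a defect of this patch. A failed match leaves no trace for the user or the log, which will make support questions about missing friend links hard to answer.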
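Review bot: generate_invite_code() never checks what `datalist_get('__site_secret__')` returned; if the entry is missing or empty (what datalist_get returns in that case is not visible here) the result degrades to `md5($username)`, which anyone can compute from a public username, and the function still returns a value that the check in register_user() will accept. Fail closed instead, e.g. `if (empty($secret)) throw new Exception('site secret is not set');` before the return, rather than returning an empty value that a loose comparison could match. The keyed construction is conventionally written `hash_hmac('md5', $username, $secret)`, which is available on this code's PHP line and keeps the secret out of the plain concatenation. The docblock's "unique" is also inaccurate: the output is deterministic per username, so say "Generates the invite code for a user (the same username always yields the same code)".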
diff --git a/views/default/account/forms/register.php b/views/default/account/forms/register.php
index b099ce8bf..cbc29f52b 100644
--- a/views/default/account/forms/register.php
+++ b/views/default/account/forms/register.php
@@ -29,7 +29,8 @@
 if ($admin_option) $form_body .= elgg_view('input/checkboxes', array('internalname' => "admin", 'options' => array(elgg_echo('admin_option'))));
- $form_body .= elgg_view('input/hidden', array('internalname' => 'friend_guid', 'value' => $vars['friend_guid']));
+ $form_body .= elgg_view('input/hidden', array('internalname' => 'friend_guid', 'value' => $vars['friend_guid']));
+ $form_body .= elgg_view('input/hidden', array('internalname' => 'invitecode', 'value' => $vars['invitecode']));
 $form_body .= elgg_view('input/hidden', array('internalname' => 'action', 'value' => 'register'));
 $form_body .= elgg_view('input/submit', array('internalname' => 'submit', 'value' => elgg_echo('register'))) . "

";
 ?>
-- cgit v1.2.3