<?php
/**
 * Email user validation plugin.
 * Non-admin accounts are invalid until their email address is confirmed.
 *
 * @package Elgg.Core.Plugin
 * @subpackage UserValidationByEmail
 */

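/**
 * Plugin bootstrap: wires up the page handler, plugin hooks and event
 * handlers that keep a new non-admin account unusable until its email
 * address has been confirmed.
 *
 * Registered on the 'init', 'system' event at the bottom of this file.
 */
function uservalidationbyemail_init() {
	require_once dirname(__FILE__) . '/lib/functions.php';

	// Register page handler to validate users
	// This doesn't need to be an action because security is handled by the validation codes:
	// the code sent by email is the only thing authenticating the confirm request, so it has
	// to be unguessable (generated in lib/functions.php, not visible here).
	register_page_handler('uservalidationbyemail', 'uservalidationbyemail_page_handler');

	// mark users as unvalidated when they register
	register_plugin_hook('register', 'user', 'uservalidationbyemail_disable_new_user');

	// prevent users from logging in if they aren't validated
	register_plugin_hook('action', 'login', 'uservalidationbyemail_check_login_attempt');

	// when requesting a new password
	register_plugin_hook('action', 'user/requestnewpassword', 'uservalidationbyemail_check_request_password');

	// prevent the engine from logging in users via login()
	register_elgg_event_handler('login', 'user', 'uservalidationbyemail_check_manual_login');

	// make admin users always validated
	register_elgg_event_handler('make_admin', 'user', 'uservalidationbyemail_validate_new_admin_user');

	// register Walled Garden public pages so the emailed confirm link works on a private site
	register_plugin_hook('public_pages', 'walled_garden', 'uservalidationbyemail_public_pages');
}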

/**
 * 'register', 'user' hook: disables a freshly registered account, flags it
 * as unvalidated and sends out the validation email.
 *
 * @param string $hook   Hook name ('register')
 * @param string $type   Hook type ('user')
 * @param mixed  $value  Current hook return value (unused)
 * @param array  $params Hook params; the new account is expected under 'user'
 *
 * @return bool|null TRUE once the account has been handled, NULL when no ElggUser was passed
 */
function uservalidationbyemail_disable_new_user($hook, $type, $value, $params) {
	$new_user = elgg_get_array_value('user', $params);

	// Bail out rather than guess when the hook payload isn't a user.
	if (!($new_user instanceof ElggUser)) {
		return NULL;
	}

	// Non-recursive disable: anything the user already owns at this point was
	// created by plugins hooking into user creation and may still need to be
	// reachable.
	// @todo That sounds like a specific case...would be nice to track it down...
	$new_user->disable('uservalidationbyemail_new_user', FALSE);

	$guid = $new_user->guid;

	// Flag as unvalidated first, then mail out the validation link.
	uservalidationbyemail_set_user_validation_status($guid, FALSE);
	uservalidationbyemail_request_validation($guid);

	return TRUE;
}

/**
 * 'action', 'login' hook: when the submitted credentials are correct but the
 * account has not been validated, resend the validation email and halt the
 * login action instead of letting it run.
 *
 * Unvalidated accounts are disabled, so hidden entities are shown while the
 * account is looked up; the previous visibility setting is restored before
 * returning.
 *
 * @param string $hook   Hook name ('action')
 * @param string $type   Hook type ('login')
 * @param mixed  $value  Current hook return value; passed through unless the login is halted
 * @param array  $params Hook params (unused; credentials are read from the request input)
 *
 * @return mixed FALSE to halt the login action, TRUE when credentials are missing, otherwise $value
 */
function uservalidationbyemail_check_login_attempt($hook, $type, $value, $params) {
	// Nothing has been persisted yet; the credentials only exist in the request input.
	$login_name = get_input('username');
	$login_password = get_input("password");

	// Missing credentials: let the original login action report the problem.
	// Note that empty() also treats the string '0' as missing.
	if (empty($login_name) || empty($login_password)) {
		return TRUE;
	}

	// An email address may have been entered instead of a username.
	if (strpos($login_name, '@') !== FALSE) {
		$matches = get_user_by_email($login_name);
		if ($matches) {
			$login_name = $matches[0]->username;
		}
	}

	$hidden_status = access_get_show_hidden_status();
	access_show_hidden_entities(TRUE);

	$account = get_user_by_username($login_name);

	// Only resend the validation email when the password checks out, so a bare
	// username is not enough to trigger mail to the account holder. Any error
	// message presumably comes from uservalidationbyemail_request_validation().
	if ($account && authenticate($login_name, $login_password) && !$account->validated) {
		uservalidationbyemail_request_validation($account->guid);
		// halt the login action
		$value = FALSE;
	}

	access_show_hidden_entities($hidden_status);

	return $value;
}

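/**
 * Page handler for pg/uservalidationbyemail/confirm: checks the validation
 * code ('c') against the user guid ('u') from the request and, on success,
 * enables the account and logs the user in.
 *
 * Unvalidated accounts are disabled, so hidden entities are shown while the
 * account is loaded; the previous visibility setting is restored afterwards.
 * Every outcome ends with a forward().
 *
 * @param array $page URL segments after the handler name; $page[0] must be 'confirm'
 */
function uservalidationbyemail_page_handler($page) {
	// Strict comparison: with == a non-string segment could compare equal to 'confirm' on older PHP.
	if (isset($page[0]) && $page[0] === 'confirm') {
		$code = sanitise_string(get_input('c', FALSE));
		// The guid is only ever used to load an entity, so force it to an
		// integer and keep anything else out of get_entity().
		$user_guid = (int) get_input('u', FALSE);

		// new users are not enabled by default.
		$access_status = access_get_show_hidden_status();
		access_show_hidden_entities(TRUE);

		$user = get_entity($user_guid);

		// The guid has to resolve to a user, not just any entity, because a
		// successful check ends with login($user).
		if ($code && $user instanceof ElggUser) {
			if (uservalidationbyemail_validate_email($user_guid, $code)) {
				system_message(elgg_echo('email:confirm:success'));

				// reload the entity; presumably so enable()/login() act on the post-validation state
				$user = get_entity($user_guid);
				$user->enable();
				login($user);
			} else {
				register_error(elgg_echo('email:confirm:fail'));
			}
		} else {
			register_error(elgg_echo('email:confirm:fail'));
		}

		access_show_hidden_entities($access_status);
	} else {
		register_error(elgg_echo('email:confirm:fail'));
	}

	forward();
}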

/**
 * 'make_admin', 'user' event: admins never need email validation, so the
 * account is marked validated the moment it is promoted.
 *
 * @param string   $event Event name ('make_admin')
 * @param string   $type  Object type ('user')
 * @param ElggUser $user  The account being promoted (ignored when it is not an ElggUser)
 *
 * @return bool Always TRUE so the event keeps propagating
 */
function uservalidationbyemail_validate_new_admin_user($event, $type, $user) {
	if (!($user instanceof ElggUser)) {
		return TRUE;
	}

	if (!$user->validated) {
		uservalidationbyemail_set_user_validation_status($user->guid, TRUE, 'admin_user');
	}

	return TRUE;
}

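/**
 * 'public_pages', 'walled_garden' hook: whitelists the confirmation page so
 * the emailed validation link still works when the site is a walled garden.
 *
 * @param string $hook         Hook name ('public_pages')
 * @param string $type         Hook type ('walled_garden')
 * @param array  $return_value Public page patterns collected so far
 * @param array  $params       Hook params (unused)
 *
 * @return array $return_value with the confirm page appended
 */
function uservalidationbyemail_public_pages($hook, $type, $return_value, $params) {
	// A previous handler may have returned nothing usable; start from an
	// empty list instead of failing on the append.
	if (!is_array($return_value)) {
		$return_value = array();
	}

	$return_value[] = 'pg/uservalidationbyemail/confirm';

	return $return_value;
}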

/**
 * 'login', 'user' event: blocks login() for accounts that have not been
 * validated, so the engine cannot log in an unvalidated user directly.
 *
 * Unvalidated accounts are disabled, so hidden entities are shown during the
 * check and the previous visibility setting is restored afterwards.
 *
 * @param string   $event Event name ('login')
 * @param string   $type  Object type ('user')
 * @param ElggUser $user  The account being logged in
 *
 * @return bool|null FALSE to stop the login, NULL to let it continue (also when $user is not an ElggUser)
 */
function uservalidationbyemail_check_manual_login($event, $type, $user) {
	$hidden_status = access_get_show_hidden_status();
	access_show_hidden_entities(TRUE);

	// @todo register_error()?
	$block_login = $user instanceof ElggUser && !$user->validated;

	access_show_hidden_entities($hidden_status);

	if ($block_login) {
		return FALSE;
	}

	return NULL;
}

/**
 * 'action', 'user/requestnewpassword' hook: an unvalidated account gets its
 * validation email resent instead of a password reset, and the action is halted.
 *
 * @todo This is needed because changing the password requires the entity to be enabled.
 *
 * Unvalidated accounts are disabled, so hidden entities are shown while the
 * account is looked up; the previous visibility setting is restored before returning.
 *
 * @param string $hook   Hook name ('action')
 * @param string $type   Hook type ('user/requestnewpassword')
 * @param mixed  $value  Current hook return value; passed through unless the action is halted
 * @param array  $params Hook params (unused; the username is read from the request input)
 *
 * @return mixed FALSE to halt the action, otherwise $value
 */
function uservalidationbyemail_check_request_password($hook, $type, $value, $params) {
	$login_name = get_input('username');

	// An email address may have been entered instead of a username.
	if (strpos($login_name, '@') !== FALSE) {
		$matches = get_user_by_email($login_name);
		if ($matches) {
			$login_name = $matches[0]->username;
		}
	}

	$hidden_status = access_get_show_hidden_status();
	access_show_hidden_entities(TRUE);

	$account = get_user_by_username($login_name);

	// Unvalidated account: resend the validation link rather than reset the password.
	if ($account && !$account->validated) {
		uservalidationbyemail_request_validation($account->guid);
		$value = FALSE;
	}

	access_show_hidden_entities($hidden_status);

	return $value;
}

// Bootstrap the plugin once the engine has finished initialising.
register_elgg_event_handler('init', 'system', 'uservalidationbyemail_init');