From: Joshua Rüsweg Date: Wed, 15 May 2019 13:32:04 +0000 (+0200) Subject: Allow multiple calls of the link to set a new password X-Git-Tag: 5.2.0_Alpha_1~87^2 X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=ca321187cb652abeb40b18a5f4817aa06cc8c103;p=GitHub%2FWoltLab%2FWCF.git Allow multiple calls of the link to set a new password See #2923 --- diff --git a/wcfsetup/install/files/lib/form/NewPasswordForm.class.php b/wcfsetup/install/files/lib/form/NewPasswordForm.class.php index 27e4e1694b..c6a7a85c2e 100644 --- a/wcfsetup/install/files/lib/form/NewPasswordForm.class.php +++ b/wcfsetup/install/files/lib/form/NewPasswordForm.class.php @@ -2,7 +2,6 @@ namespace wcf\form; use wcf\data\user\User; use wcf\data\user\UserAction; -use wcf\data\user\UserEditor; use wcf\system\exception\IllegalLinkException; use wcf\system\exception\NamedUserException; use wcf\system\exception\PermissionDeniedException; @@ -79,18 +78,20 @@ class NewPasswordForm extends AbstractForm { $this->throwInvalidLinkException(); } - (new UserEditor($this->user))->update([ - 'lastLostPasswordRequestTime' => 0, - 'lostPasswordKey' => null + WCF::getSession()->register('lostPasswordRequest', [ + 'userID' => $this->user->userID, + 'key' => $this->user->lostPasswordKey ]); - WCF::getSession()->register('lostPasswordRequest', $this->user->userID); } else { - if (!WCF::getSession()->getVar('lostPasswordRequest')) throw new PermissionDeniedException(); - $this->userID = intval(WCF::getSession()->getVar('lostPasswordRequest')); + if (!is_array(WCF::getSession()->getVar('lostPasswordRequest'))) throw new PermissionDeniedException(); + $this->userID = intval(WCF::getSession()->getVar('lostPasswordRequest')['userID']); $this->user = new User($this->userID); if (!$this->user->userID) throw new IllegalLinkException(); + if (!\hash_equals($this->user->lostPasswordKey, WCF::getSession()->getVar('lostPasswordRequest')['key'])) { + $this->throwInvalidLinkException(); + } } }