From ca321187cb652abeb40b18a5f4817aa06cc8c103 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Joshua=20R=C3=BCsweg?=
Date: Wed, 15 May 2019 15:32:04 +0200
Subject: [PATCH] Allow multiple calls of the link to set a new password

See #2923
---
 .../files/lib/form/NewPasswordForm.class.php | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/wcfsetup/install/files/lib/form/NewPasswordForm.class.php b/wcfsetup/install/files/lib/form/NewPasswordForm.class.php
index 27e4e1694b..c6a7a85c2e 100644
--- a/wcfsetup/install/files/lib/form/NewPasswordForm.class.php
+++ b/wcfsetup/install/files/lib/form/NewPasswordForm.class.php
@@ -2,7 +2,6 @@
 namespace wcf\form;
 use wcf\data\user\User;
 use wcf\data\user\UserAction;
-use wcf\data\user\UserEditor;
 use wcf\system\exception\IllegalLinkException;
 use wcf\system\exception\NamedUserException;
 use wcf\system\exception\PermissionDeniedException;
@@ -79,18 +78,20 @@ class NewPasswordForm extends AbstractForm {
 $this->throwInvalidLinkException();
 }
- (new UserEditor($this->user))->update([
- 'lastLostPasswordRequestTime' => 0,
- 'lostPasswordKey' => null
+ WCF::getSession()->register('lostPasswordRequest', [
+ 'userID' => $this->user->userID,
+ 'key' => $this->user->lostPasswordKey
 ]);
- WCF::getSession()->register('lostPasswordRequest', $this->user->userID);
 }
 else {
- if (!WCF::getSession()->getVar('lostPasswordRequest')) throw new PermissionDeniedException();
- $this->userID = intval(WCF::getSession()->getVar('lostPasswordRequest'));
+ if (!is_array(WCF::getSession()->getVar('lostPasswordRequest'))) throw new PermissionDeniedException();
+ $this->userID = intval(WCF::getSession()->getVar('lostPasswordRequest')['userID']);
 $this->user = new User($this->userID);
 if (!$this->user->userID) throw new IllegalLinkException();
+ if (!\hash_equals($this->user->lostPasswordKey, WCF::getSession()->getVar('lostPasswordRequest')['key'])) {
+ $this->throwInvalidLinkException();
+ }
 }
 }
-- 
2.20.1
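Review bot: In the `else` branch of the second hunk, `\hash_equals()` is handed `$this->user->lostPasswordKey` unchecked, and the removed lines show that this column can be set to `null`; once the key has been cleared, the comparison gets a non-string (a warning and `false` on PHP 7, a `TypeError` on PHP 8) rather than a clean rejection. Putting `!is_string($this->user->lostPasswordKey) ||` in front of the `\hash_equals()` call, and checking that the session array actually has a string `'key'`, keeps that path on `throwInvalidLinkException()`. Since opening the link no longer resets `lostPasswordKey` and `lastLostPasswordRequestTime`, the reset key now stays usable until something else invalidates it. The code that stores the new password is outside this hunk, so confirm that it clears both fields after a successful change and that any expiry check on the link is still enforced when the form is submitted. The enclosing method starts and ends outside the hunk.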