Changeset 28668

Timestamp:

Jun 10, 2014, 1:40:40 PM (10 years ago)

Author:

mistic100

Message:

prevent merging account with webmaster account

Location:

extensions/oAuth

Files:

• include/public_events.inc.php (modified) (2 diffs)
• language/en_UK/plugin.lang.php (modified) (1 diff)
• language/fr_FR/plugin.lang.php (modified) (1 diff)
• main.inc.php (modified) (1 diff)

extensions/oAuth/include/public_events.inc.php

@@ -149 +149 @@
         }
         
-        if ( pwg_login(false, $_POST['username'], $_POST['password'], false) )
-        {
+        $user_id = get_userid($_POST['username']);
+        
+        if ($user_id === false)
+        {
+          $page['errors'][] = l10n('Invalid username or email');
+        }
+        else if ($user_id == $conf['webmaster_id'])
+        {
+          $page['errors'][] = l10n('For security reason, the main webmaster account can\'t be merged with a remote account, but you can use another webmaster account.');
+        }
+        else if (pwg_login(false, $_POST['username'], $_POST['password'], false))
+        {
+          // update oauth field
+          single_update(
+            USER_INFOS_TABLE,
+            array('oauth_id', $oauth_id),
+            array('user_id', $user['id'])
+            );
+
           pwg_unset_session_var('oauth_new_user');
-          
-          // update oauth field
-          $query = '
-UPDATE ' . USER_INFOS_TABLE . '
-  SET oauth_id = "' . $oauth_id . '"
-  WHERE user_id = ' . $user['id'] . '
-;';
-          pwg_query($query);
 
           redirect('profile.php');
@@ -168 +177 @@
         }
       }
+
+      // overwrite fields with remote datas
+      if ($provider == 'Persona')
+      {
+        $_POST['login'] = '';
+        $_POST['mail_address'] = $user_identifier;
+      }
       else
       {
-        // overwrite fields with remote datas
-        if ($provider == 'Persona')
-        {
-          $_POST['login'] = '';
-          $_POST['mail_address'] = $user_identifier;
-        }
-        else
-        {
-          $_POST['login'] = $remote_user->displayName;
-          $_POST['mail_address'] = $remote_user->email;
-        }
+        $_POST['login'] = $remote_user->displayName;
+        $_POST['mail_address'] = $remote_user->email;
       }
       

extensions/oAuth/language/en_UK/plugin.lang.php

@@ -30 +30 @@
 $lang['Associate with an existing account'] = 'Associate with an existing account';
 $lang['Allow users to merge existing account with new <i>Social Connect</i> identity'] = 'Allow users to merge existing account with new <i>Social Connect</i> identity';
+$lang['For security reason, the main webmaster account can\'t be merged with a remote account, but you can use another webmaster account.'] = 'For security reason, the main webmaster account can\'t be merged with a remote account, but you can use another webmaster account.';
 
 ?>

extensions/oAuth/language/fr_FR/plugin.lang.php

@@ -30 +30 @@
 $lang['Cancel'] = 'Annuler';
 $lang['Please enter your user ID'] = 'Veuillez entrer votre ID d\'utilisateur';
+$lang['For security reason, the main webmaster account can\'t be merged with a remote account, but you can use another webmaster account.'] = 'Pour des raisons de sécurité, le compte webmaster principal ne peut être associé avec un compte distant, mais vous pouvez utiliser un autre compte webmaster.';
+
 ?>

extensions/oAuth/main.inc.php

@@ -1 +1 @@
 <?php 
 /*
-Plugin Name: Social Connect (OAuth)
+Plugin Name: Social Connect
 Version: auto
 Description: Provides various ways to sign in your gallery (Twitter, Facebook, Google, etc.)