On registering and updating an email address, the user has to type their email address twice. Do not allow autocomplete and pasting in the verification field. Fixes FS#45792.
Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
---
 web/html/account.php | 17 +++++++++--------
 web/html/register.php | 6 +++---
 web/lib/acctfuncs.inc.php | 12 +++++++++---
 web/template/account_edit_form.php | 11 +++++++++++
 4 files changed, 32 insertions(+), 14 deletions(-)
diff --git a/web/html/account.php b/web/html/account.php
index adc2542..3452af3 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -32,10 +32,10 @@ if ($action == "UpdateAccount") {
 list($success, $update_account_message) = process_account_form( "edit", "UpdateAccount", in_request("U"), in_request("T"), in_request("S"),
- in_request("E"), in_request("P"), in_request("C"),
- in_request("R"), in_request("L"), in_request("I"),
- in_request("K"), in_request("PK"), in_request("J"),
- in_request("ID"), $row["Username"]);
+ in_request("E"), in_request("E2"), in_request("P"),
+ in_request("C"), in_request("R"), in_request("L"),
+ in_request("I"), in_request("K"), in_request("PK"),
+ in_request("J"), in_request("ID"), $row["Username"]);
 }
 }
@@ -79,7 +79,7 @@ if (isset($_COOKIE["AURSID"])) {
 if (can_edit_account($row)) {
 display_account_form("UpdateAccount", $row["Username"], $row["AccountTypeID"], $row["Suspended"], $row["Email"],
- "", "", $row["RealName"], $row["LangPreference"],
+ $row["Email"], "", "", $row["RealName"], $row["LangPreference"],
 $row["IRCNick"], $row["PGPKey"], $PK, $row["InactivityTS"] ? 1 : 0, $row["ID"], $row["Username"]);
 } else {
@@ -115,9 +115,10 @@ if (isset($_COOKIE["AURSID"])) {
 if (!$success) {
 display_account_form("UpdateAccount", in_request("U"), in_request("T"),
- in_request("S"), in_request("E"), in_request("P"), in_request("C"),
- in_request("R"), in_request("L"), in_request("I"), in_request("K"),
- in_request("PK"), in_request("J"), in_request("ID"), $row["Username"]);
+ in_request("S"), in_request("E"), in_request("E2"), in_request("P"),
+ in_request("C"), in_request("R"), in_request("L"), in_request("I"),
+ in_request("K"), in_request("PK"), in_request("J"), in_request("ID"),
+ $row["Username"]);
 }
 } else {
diff --git a/web/html/register.php b/web/html/register.php
index 9c5c1cc..483bc5e 100644
--- a/web/html/register.php
+++ b/web/html/register.php
@@ -21,7 +21,7 @@ echo '<h2>' . __('Register') . '</h2>';
 if (in_request("Action") == "NewAccount") {
 list($success, $message) = process_account_form( "new", "NewAccount", in_request("U"), 1, 0,
- in_request("E"), '', '', in_request("R"),
+ in_request("E"), in_request("E2"), '', '', in_request("R"),
 in_request("L"), in_request("I"), in_request("K"), in_request("PK"));
@@ -29,13 +29,13 @@ if (in_request("Action") == "NewAccount") {
 if (!$success) {
 display_account_form("NewAccount", in_request("U"), 1, 0,
- in_request("E"), '', '', in_request("R"),
+ in_request("E"), in_request("E2"), '', '', in_request("R"),
 in_request("L"), in_request("I"), in_request("K"), in_request("PK"));
 }
 } else {
 print '<p>' . __("Use this form to create an account.") . '</p>';
- display_account_form("NewAccount", "", "", "", "", "", "", "", $LANG);
+ display_account_form("NewAccount", "", "", "", "", "", "", "", "", $LANG);
 }
 echo '</div>';
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index f718a77..942b7f8 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -47,6 +47,7 @@ function html_format_pgp_fingerprint($fingerprint) {
 * @param string $T The account type of the displayed user
 * @param string $S Whether the displayed user has a suspended account
 * @param string $E The e-mail address of the displayed user
+ * @param string $E2 The e-mail address of the user, verification field
 * @param string $P The password value of the displayed user
 * @param string $C The confirmed password value of the displayed user
 * @param string $R The real name of the displayed user
@@ -60,7 +61,7 @@ function html_format_pgp_fingerprint($fingerprint) {
 *
 * @return void
 */
-function display_account_form($A,$U="",$T="",$S="",$E="",$P="",$C="",$R="",
+function display_account_form($A,$U="",$T="",$S="",$E="",$E2="",$P="",$C="",$R="",
 $L="",$I="",$K="",$PK="",$J="",$UID=0,$N="") {
 global $SUPPORTED_LANGS;
@@ -78,6 +79,7 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$P="",$C="",$R="",
 * @param string $T The account type for the user
 * @param string $S Whether or not the account is suspended
 * @param string $E The e-mail address for the user
+ * @param string $E2 The e-mail address for the user, verification field
 * @param string $P The password for the user
 * @param string $C The confirmed password for the user
 * @param string $R The real name of the user
@@ -91,7 +93,7 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$P="",$C="",$R="",
 *
 * @return array Boolean indicating success and message to be printed
 */
-function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$P="",$C="",
+function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$E2="",$P="",$C="",
 $R="",$L="",$I="",$K="",$PK="",$J="",$UID=0,$N="") {
 global $SUPPORTED_LANGS;
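Review bot: `$E2` is inserted in the middle of the all-defaulted positional parameter lists of `display_account_form` (hunk at -60,7) and `process_account_form` (hunk at -91,7), so any caller not touched by this patch keeps running but silently shifts `$P`, `$C`, `$R` and everything after them by one position, with no error to point at the cause. The call sites in account.php and register.php are updated here, but the patch cannot show whether others exist; appending `$E2` after `$N` instead, or at minimum grepping for both function names before merge, turns a missed caller into a harmless empty value rather than a field swap. The two docblocks describe `$E2` consistently; it would help to add that the value is only compared against `$E` and not persisted, if that is indeed what the body of process_account_form does further down, outside these hunks.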
@@ -114,10 +116,14 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$P="",$C="",
 $editor_user = null;
 }
- if (empty($E) || empty($U)) {
+ if (empty($E) || empty($E2) || empty($U)) {
 $error = __("Missing a required field.");
 }
+ if ($E != $E2) {
+ $error = __("Entered email addresses do not match.");
+ }
+
 if ($TYPE != "new" && !$UID) {
 $error = __("Missing User ID");
 }
diff --git a/web/template/account_edit_form.php b/web/template/account_edit_form.php
index 0aadb9d..1c1c1ab 100644
--- a/web/template/account_edit_form.php
+++ b/web/template/account_edit_form.php
@@ -72,6 +72,11 @@
 <input type="text" size="30" maxlength="64" name="E" id="id_email" value="<?= htmlspecialchars($E,ENT_QUOTES) ?>" /> (<?= __("required") ?>)
 </p>
+ <p>
+ <label for="id_email_verify"><?= __("Verify Email Address") ?>:</label>
+ <input type="text" size="30" maxlength="64" name="E2" id="id_email_verify" autocomplete="off" value="<?= htmlspecialchars($E2,ENT_QUOTES) ?>" /> (<?= __("required") ?>)
+ </p>
+
 <?php if ($A == "UpdateAccount"): ?>
 <p>
 <label for="id_passwd1"><?= __("Password") ?>:</label>
@@ -136,3 +141,9 @@
 </p>
 </fieldset>
 </form>
+<script>
+var verify_field = document.getElementById('id_email_verify');
+verify_field.addEventListener('paste', function (e) {
+ e.preventDefault();
+}, false);
+</script>
-- 
2.5.0
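Review bot: The new mismatch check `if ($E != $E2)` uses loose comparison, which in PHP compares two numeric-looking strings as numbers (`'1e3' == '1000'` is true), so for a field whose entire purpose is exact equality the strict form `if ($E !== $E2) {` is the right operator. Because it is a separate `if` that assigns `$error` unconditionally, it also overwrites the "Missing a required field." message set just above whenever `$E2` is empty but `$E` is not; chaining it as `} elseif ($E !== $E2) {` keeps the more precise message for the user. Both values are compared exactly as submitted, so whether surrounding whitespace from in_request() should be trimmed first depends on how `$E` is normalised further down in process_account_form, which lies outside this hunk.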
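Review bot: The paste handler in the closing `<script>` and the `autocomplete="off"` attribute on the new `E2` input are client-side conveniences only — browsers may ignore the attribute and the listener can be disabled — so the comparison in process_account_form remains the only enforcement, and a short comment in the script such as `// UX only: the server re-checks that E and E2 match` would stop a later reader from treating this as a control. The script also dereferences `verify_field` without a guard; since it sits after the form the element should exist, but wrapping the listener in `if (verify_field) { … }` costs nothing and keeps the template safe if the field is ever made conditional. The echoed value in the first hunk, `value="<?= htmlspecialchars($E2,ENT_QUOTES) ?>"`, is escaped the same way as the existing `E` field, which is consistent.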