[looks good] Other solution for #728 Encrypt user_id on account verification #780

Added hashes check
If the hashed user's id + user's activation code from the database is the same
as the hash code from the email, registration is passed.
Slaveek committed Jan 10, 2016
commit 7223e83fc031694a684e4cfcf7323361f798bff3
42 changes: 33 additions & 9 deletions application/model/RegistrationModel.php
Expand Up @@ -274,23 +274,47 @@ public static function sendVerificationEmail($user_id, $user_email, $user_activa
/**
* checks the email/verification code combination and set the user's activation status to true in the database
*
* @param int $user_id user id
* @param string $hashed_user_data Hashed user's id and user's activation verification code together.
* @param string $user_activation_verification_code verification token
*
* @return bool success status
*/
public static function verifyNewUser($user_id, $user_activation_verification_code)
public static function verifyNewUser($hashed_user_data, $user_activation_verification_code)
{
$database = DatabaseFactory::getFactory()->getConnection();

$sql = "UPDATE users SET user_active = 1, user_activation_hash = NULL
WHERE user_id = :user_id AND user_activation_hash = :user_activation_hash LIMIT 1";
$query = $database->prepare($sql);
$query->execute(array(':user_id' => $user_id, ':user_activation_hash' => $user_activation_verification_code));
// Get user data (id and user_activation_hash) by activation code sent by email to user
// Data from DB wiil be checked with parameters passed to method.
$user_data = UserModel::getUserDataByUserActivationHash($user_activation_verification_code);

if ($query->rowCount() == 1) {
Session::add('feedback_positive', Text::get('FEEDBACK_ACCOUNT_ACTIVATION_SUCCESSFUL'));
return true;
// No user with that verification code -> return false
if (!$user_data) {
Session::add('feedback_negative', Text::get('FEEDBACK_ACCOUNT_ACTIVATION_FAILED'));
return false;
}

// Hash user_id and user_activation_hash from DB the same way as sent in email (see line 255 in this file)
$user_db_data_hash = hash('sha256', $user_data->user_id . $user_data->user_activation_hash);

if ($user_db_data_hash === $hashed_user_data) {

$sql = "UPDATE users
SET user_active = 1,
user_activation_hash = NULL
WHERE user_id = :user_id
AND user_activation_hash = :user_activation_hash
LIMIT 1
";
$query = $database->prepare($sql);
$query->execute(array(
':user_id' => $user_data->user_id,
':user_activation_hash' => $user_data->user_activation_hash
));

if ($query->rowCount() == 1) {
Session::add('feedback_positive', Text::get('FEEDBACK_ACCOUNT_ACTIVATION_SUCCESSFUL'));
return true;
}
}

Session::add('feedback_negative', Text::get('FEEDBACK_ACCOUNT_ACTIVATION_FAILED'));
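Review bot: the comparison in `if ($user_db_data_hash === $hashed_user_data)` is a plain string equality, which short-circuits on the first differing byte; since `$hashed_user_data` comes straight from the activation URL, compare it with `hash_equals($user_db_data_hash, $hashed_user_data)` so the check runs in constant time. The recomputation `hash('sha256', $user_data->user_id . $user_data->user_activation_hash)` must stay byte-for-byte identical to what `sendVerificationEmail` puts in the link; the comment "see line 255 in this file" will go stale on the next edit, so move the hashing into one small helper that both the email sender and `verifyNewUser` call. Also fix the typo "wiil" in "Data from DB wiil be checked", and note that `UserModel::getUserDataByUserActivationHash` is called here but not shown in this hunk, so confirm it is added elsewhere in the PR and that it returns `false`/`null` rather than throwing when no row matches, since `if (!$user_data)` is the only guard before `$user_data->user_id` is dereferenced.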