More fixes, addresses double activation attempt

git-svn-id: file:///svn/phpbb/branches/phpBB-2_0_0@2571 89ea8834-ac86-4346-8a33-228a782c2dd0

phpBB/common.php

@@ -153,7 +153,7 @@ if( getenv('HTTP_X_FORWARDED_FOR') != '' )
 
 	if ( preg_match("/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/", getenv('HTTP_X_FORWARDED_FOR'), $ip_list) )
 	{
-		$private_ip = array('/^127\.0\.0\.1/', '/^192\.168\..*/', '/^172\.16\..*/', '/^10..*/', '/^224..*/', '/^240..*/');
+		$private_ip = array('/^0\./', '/^127\.0\.0\.1/', '/^192\.168\..*/', '/^172\.16\..*/', '/^10..*/', '/^224..*/', '/^240..*/');
 		$client_ip = preg_replace($private_ip, $client_ip, $ip_list[1]);
 	}
 }

phpBB/includes/usercp_activate.php

@@ -27,70 +27,81 @@ if ( !defined('IN_PHPBB') )
 	exit;
 }
 
-$sql = "SELECT user_id, user_email, user_newpasswd, user_lang  
+$sql = "SELECT user_active, user_id, user_email, user_newpasswd, user_lang, user_actkey 
 	FROM " . USERS_TABLE . "
-	WHERE user_actkey = '" . str_replace("\'", "''", $HTTP_GET_VARS['act_key']) . "'";
+	WHERE user_id = " . intval($HTTP_GET_VARS[POST_USERS_URL]);
-if ( $result = $db->sql_query($sql) )
+if ( !($result = $db->sql_query($sql)) )
-{
-	if ( $row = $db->sql_fetchrow($result) )
-	{
-		$sql_update_pass = ( $row['user_newpasswd'] != '' ) ? ", user_password = '" . str_replace("\'", "''", $row['user_newpasswd']) . "', user_newpasswd = ''" : "";
-
-		$sql = "UPDATE " . USERS_TABLE . "
-			SET user_active = 1, user_actkey = ''" . $sql_update_pass . " 
-			WHERE user_id = " . $row['user_id'];
-		if ( $result = $db->sql_query($sql) )
-		{
-			if ( $board_config['require_activation'] == USER_ACTIVATION_ADMIN && $sql_update_pass == '' )
-			{
-				include($phpbb_root_path . 'includes/emailer.'.$phpEx);
-				$emailer = new emailer($board_config['smtp_delivery']);
-
-				$email_headers = 'From: ' . $board_config['board_email'] . "\r\nReturn-Path: " . $board_config['board_email'] . "\r\n";
-
-				$emailer->use_template('admin_welcome_activated', $row['user_lang']);
-				$emailer->email_address($row['user_email']);
-				$emailer->set_subject();//$lang['Account_activated_subject']
-				$emailer->extra_headers($email_headers);
-
-				$emailer->assign_vars(array(
-					'SITENAME' => $board_config['sitename'], 
-					'USERNAME' => $username,
-					'PASSWORD' => $password_confirm,
-					'EMAIL_SIG' => str_replace('<br />', "\n", "-- \n" . $board_config['board_email_sig']))
-				);
-				$emailer->send();
-				$emailer->reset();
-
-				$template->assign_vars(array(
-					'META' => '<meta http-equiv="refresh" content="10;url=' . append_sid("index.$phpEx") . '">')
-				);
-
-				message_die(GENERAL_MESSAGE, $lang['Account_active_admin']);
-			}
-			else
-			{
-				$template->assign_vars(array(
-					'META' => '<meta http-equiv="refresh" content="10;url=' . append_sid("index.$phpEx") . '">')
-				);
-
-				$message = ( $sql_update_pass == '' ) ? $lang['Account_active'] : $lang['Password_activated']; 
-				message_die(GENERAL_MESSAGE, $message);
-			}
-		}
-		else
-		{
-			message_die(GENERAL_ERROR, 'Could not update users table', '', __LINE__, __FILE__, $sql_update);
-		}
-	}
-	else
-	{
-		message_die(GENERAL_MESSAGE, $lang['Wrong_activation']); //wrongactiv
-	}
-}
-else
 {
 	message_die(GENERAL_ERROR, 'Could not obtain user information', '', __LINE__, __FILE__, $sql);
 }
 
+if ( $row = $db->sql_fetchrow($result) )
+{
+	if ( $row['user_active'] && $row['user_actkey'] == '' )
+	{
+		$template->assign_vars(array(
+			'META' => '<meta http-equiv="refresh" content="10;url=' . append_sid("index.$phpEx") . '">')
+		);
+
+		message_die(GENERAL_MESSAGE, $lang['Already_activated']);
+	}
+	else if ( $row['user_actkey'] == $HTTP_GET_VARS['act_key'] )
+	{
+		$sql_update_pass = ( $row['user_newpasswd'] != '' ) ? ", user_password = '" . str_replace("\'", "''", $row['user_newpasswd']) . "', user_newpasswd = ''" : '';
+
+		$sql = "UPDATE " . USERS_TABLE . "
+			SET user_active = 1, user_actkey = ''" . $sql_update_pass . " 
+			WHERE user_id = " . $row['user_id']; 
+		if ( !($result = $db->sql_query($sql)) )
+		{
+			message_die(GENERAL_ERROR, 'Could not update users table', '', __LINE__, __FILE__, $sql_update);
+		}
+
+		if ( $board_config['require_activation'] == USER_ACTIVATION_ADMIN && $sql_update_pass == '' )
+		{
+			include($phpbb_root_path . 'includes/emailer.'.$phpEx);
+			$emailer = new emailer($board_config['smtp_delivery']);
+
+			$email_headers = 'From: ' . $board_config['board_email'] . "\r\nReturn-Path: " . $board_config['board_email'] . "\r\n";
+
+			$emailer->use_template('admin_welcome_activated', $row['user_lang']);
+			$emailer->email_address($row['user_email']);
+			$emailer->set_subject();//$lang['Account_activated_subject']
+			$emailer->extra_headers($email_headers);
+
+			$emailer->assign_vars(array(
+				'SITENAME' => $board_config['sitename'], 
+				'USERNAME' => $username,
+				'PASSWORD' => $password_confirm,
+				'EMAIL_SIG' => str_replace('<br />', "\n", "-- \n" . $board_config['board_email_sig']))
+			);
+			$emailer->send();
+			$emailer->reset();
+
+			$template->assign_vars(array(
+				'META' => '<meta http-equiv="refresh" content="10;url=' . append_sid("index.$phpEx") . '">')
+			);
+
+			message_die(GENERAL_MESSAGE, $lang['Account_active_admin']);
+		}
+		else
+		{
+			$template->assign_vars(array(
+				'META' => '<meta http-equiv="refresh" content="10;url=' . append_sid("index.$phpEx") . '">')
+			);
+
+			$message = ( $sql_update_pass == '' ) ? $lang['Account_active'] : $lang['Password_activated']; 
+			message_die(GENERAL_MESSAGE, $message);
+		}
+	}
+	else
+	{
+		message_die(GENERAL_MESSAGE, $lang['Wrong_activation']);
+	}
+}
+else
+{
+	message_die(GENERAL_MESSAGE, $lang['No_such_user']);
+}
+
 ?>

phpBB/includes/usercp_register.php

@@ -388,12 +388,13 @@ if ( isset($HTTP_POST_VARS['submit']) )
 
 		if ( $mode == 'editprofile' )
 		{
-			if ( $email != $current_email && ( $board_config['require_activation'] == USER_ACTIVATION_SELF || $board_config['require_activation'] == USER_ACTIVATION_ADMIN ) && $userdata['user_level'] != ADMIN )
+			if ( $email != $userdata['user_email'] && $board_config['require_activation'] != USER_ACTIVATION_NONE && $userdata['user_level'] != ADMIN )
 			{
 				$user_active = 0;
+
 				$user_actkey = gen_rand_string(true);
-				$key_len = 54 - (strlen($server_url));
+				$key_len = 54 - ( strlen($server_url) );
-				$key_len = ($key_len > 6) ? $key_len : 6;
+				$key_len = ( $key_len > 6 ) ? $key_len : 6;
 				$user_actkey = substr($user_actkey, 0, $key_len);
 
 				if ( $userdata['session_logged_in'] )
@@ -435,7 +436,7 @@ if ( isset($HTTP_POST_VARS['submit']) )
 					'USERNAME' => $username,
 					'EMAIL_SIG' => str_replace('<br />', "\n", "-- \n" . $board_config['board_email_sig']), 
 
-					'U_ACTIVATE' => $server_url . '?mode=activate&act_key=' . $user_actkey)
+					'U_ACTIVATE' => $server_url . '?mode=activate&' . POST_USERS_URL . '=' . $user_id . '&act_key=' . $user_actkey)
 				);
 				$emailer->send();
 				$emailer->reset();
@@ -558,8 +559,6 @@ if ( isset($HTTP_POST_VARS['submit']) )
 					'PASSWORD' => $password_confirm,
 					'EMAIL_SIG' => str_replace('<br />', "\n", "-- \n" . $board_config['board_email_sig']),
 
-					'U_ACTIVATE' => $server_url . '?mode=activate&act_key=' . $user_actkey,
-
 					'FAX_INFO' => $board_config['coppa_fax'],
 					'MAIL_INFO' => $board_config['coppa_mail'],
 					'EMAIL_ADDRESS' => $email,
@@ -582,7 +581,7 @@ if ( isset($HTTP_POST_VARS['submit']) )
 					'PASSWORD' => $password_confirm,
 					'EMAIL_SIG' => str_replace('<br />', "\n", "-- \n" . $board_config['board_email_sig']),
 
-					'U_ACTIVATE' => $server_url . '?mode=activate&act_key=' . $user_actkey)
+					'U_ACTIVATE' => $server_url . '?mode=activate&' . POST_USERS_URL . '=' . $user_id . '&act_key=' . $user_actkey)
 				);
 			}
 
@@ -600,7 +599,7 @@ if ( isset($HTTP_POST_VARS['submit']) )
 					'USERNAME' => $username,
 					'EMAIL_SIG' => str_replace('<br />', "\n", "-- \n" . $board_config['board_email_sig']),
 
-					'U_ACTIVATE' => $server_url . '?mode=activate&act_key=' . $user_actkey)
+					'U_ACTIVATE' => $server_url . '?mode=activate&' . POST_USERS_URL . '=' . $user_id . '&act_key=' . $user_actkey)
 				);
 				$emailer->send();
 				$emailer->reset();

phpBB/includes/usercp_sendpasswd.php

@@ -46,6 +46,7 @@ if ( isset($HTTP_POST_VARS['submit']) )
 			}
 
 			$username = $row['username'];
+			$user_id = $row['user_id'];
 
 			$user_actkey = gen_rand_string(true);
 			$key_len = 54 - strlen($server_url);
@@ -54,7 +55,7 @@ if ( isset($HTTP_POST_VARS['submit']) )
 			$user_password = gen_rand_string(false);
 			
 			$sql = "UPDATE " . USERS_TABLE . " 
-				SET user_newpasswd = '" .md5($user_password) . "', user_actkey = '$user_actkey' 
+				SET user_newpasswd = '" . md5($user_password) . "', user_actkey = '$user_actkey'  
 				WHERE user_id = " . $row['user_id'];
 			if ( !$db->sql_query($sql) )
 			{
@@ -77,7 +78,7 @@ if ( isset($HTTP_POST_VARS['submit']) )
 				'PASSWORD' => $user_password,
 				'EMAIL_SIG' => str_replace('<br />', "\n", "-- \n" . $board_config['board_email_sig']), 
 
-				'U_ACTIVATE' => $server_url . "?mode=activate&act_key=$user_actkey")
+				'U_ACTIVATE' => $server_url . '?mode=activate&' . POST_USERS_URL . '=' . $user_id . '&act_key=' . $user_actkey)
 			);
 			$emailer->send();
 			$emailer->reset();

phpBB/language/lang_english/lang_main.php

@@ -623,6 +623,7 @@ $lang['Account_inactive_admin'] = 'Your account has been created. However, this
 $lang['Account_active'] = 'Your account has now been activated. Thank you for registering';
 $lang['Account_active_admin'] = 'The account has now been activated';
 $lang['Reactivate'] = 'Reactivate your account!';
+$lang['Already_activated'] = 'You have already activated your account';
 $lang['COPPA'] = 'Your account has been created but has to be approved, please check your email for details.';
 
 $lang['Registration'] = 'Registration Agreement Terms';