fixes #414, deactivate auth keys on password change

2016-02-12 20:20:12 +01:00 · 2016-02-12 20:20:12 +01:00 · fbd90fa460
commit fbd90fa460
parent 25edfc2663
4 changed files with 27 additions and 0 deletions
--- a/include/functions_user.inc.php
+++ b/include/functions_user.inc.php
@ -1596,4 +1596,22 @@ SELECT
    return create_user_auth_key($user_id, $user_status);
  }
 }
+
+/**
+ * Deletes authentication keys
+ *
+ * @since 2.8
+ * @param int $user_id
+ * @return null
+ */
+function deactivate_user_auth_keys($user_id)
+{
+  $query = '
+UPDATE '.USER_AUTH_KEYS_TABLE.'
+  SET expired_on = NOW()
+  WHERE user_id = '.$user_id.'
+    AND expired_on > NOW()
+;';
+  pwg_query($query);
+}
 ?>
--- a/include/ws_functions/pwg.users.php
+++ b/include/ws_functions/pwg.users.php
@ -552,6 +552,11 @@ SELECT
    array($conf['user_fields']['id'] => $params['user_id'][0])
    );

+  if (isset($updates[ $conf['user_fields']['password'] ]))
+  {
+    deactivate_user_auth_keys($params['user_id'][0]);
+  }
+
  if (isset($update_status) and count($params['user_id_for_status']) > 0)
  {
    $query = '
--- a/password.php
+++ b/password.php
@ -260,6 +260,8 @@ function reset_password()
    array('user_id' => $user_id)
    );

+  deactivate_user_auth_keys($user_id);
+
  $page['infos'][] = l10n('Your password has been reset');
  $page['infos'][] = '<a href="'.get_root_url().'identification.php">'.l10n('Login').'</a>';

--- a/profile.php
+++ b/profile.php
@ -207,6 +207,8 @@ function save_profile_from_post($userdata, &$errors)
        $fields[] = $conf['user_fields']['password'];
        // password is hashed with function $conf['password_hash']
        $data{$conf['user_fields']['password']} = $conf['password_hash']($_POST['use_new_pwd']);
+
+        deactivate_user_auth_keys($userdata['id']);
      }
      
      // username is updated only if allowed