Other users' mail addresses are revokable.

Bug #514071 reported by nayuki
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Jisko | Fix Released | Medium | Marcos Garcia |

Bug Description

jisko v2.0

1. My mail address is changed.

2. The URL of the mail that has been sent is put on the message.

3. When a person who is logged in clicks the URL, the mail address of the person who clicked is changed.

Stop-gap measure
settings.php
 case 'config':
  if ($_GET['uid'] && $_GET['key']) {
   $check = $db->checkEmailKey($_GET['key'], $_GET['uid']);
   if ($check) {
    $newEmail = $db->getEmailFromKey($_GET['key'], $_GET['uid']);
    $_USER['email'] = $newEmail;
    $db->updateMail($_USER['ID'], $newEmail);
    echo showStatus(__('Email changed!'), 'ok');
   }
  }
------------------------------------------------------------------------------------------------------------------
 case 'config':
  if ($_GET['uid'] && $_GET['key']) {
   $check = $db->checkEmailKey($_GET['key'], $_GET['uid']);
   if ($check) {
    $newEmail = $db->getEmailFromKey($_GET['key'], $_GET['uid']);
    $_USER['email'] = $newEmail;
    $db->updateMail($_GET['uid'], $newEmail); // changed line
    $db->deleteKey($_GET['key'], $_GET['uid']); // added line
    echo showStatus(__('Email changed!'), 'ok');
   }
  }
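
The bug described above comes from validating the key against `$_GET['uid']` but writing the new address to `$_USER['ID']`, the account of whoever is logged in. The following is an added example, not Jisko's code and not the fix that was released: a confirmation handler that binds the link to the logged-in account and consumes the key on use. The function name, the in-memory arrays and the sample addresses are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed in-memory stand-ins for the users table and the
// pending-email-change table (hypothetical, not Jisko's schema).
$users   = [1 => 'alice@example.org', 2 => 'bob@example.org'];
$key     = bin2hex(random_bytes(16));               // value mailed to the new address
$pending = [1 => ['hash'    => hash('sha256', $key), // only a hash of the key is stored
                  'email'   => 'alice.new@example.org',
                  'expires' => time() + 3600]];

/**
 * Apply a pending change only if the uid in the link is the logged-in
 * account, the key matches and it has not expired. The key is consumed
 * as soon as it has been matched, so a link works at most once.
 */
function confirmEmailChange(array &$users, array &$pending,
                            int $sessionUid, int $uid, string $key): string
{
    // The link must belong to the account that is logged in right now.
    if ($sessionUid !== $uid) {
        return 'rejected: link belongs to another account';
    }
    $row = $pending[$uid] ?? null;
    // Constant-time comparison of the stored hash with the hash of the supplied key.
    if ($row === null || !hash_equals($row['hash'], hash('sha256', $key))) {
        return 'rejected: unknown or already used key';
    }
    unset($pending[$uid]);               // single use, also when the key has expired
    if ($row['expires'] < time()) {
        return 'rejected: key expired';
    }
    $users[$uid] = $row['email'];        // written to the key's owner only
    return 'ok';
}

// Scenario from the report: user 2 is logged in and follows user 1's link.
echo confirmEmailChange($users, $pending, 2, 1, $key), "\n";
echo 'user 2 address: ', $users[2], "\n";

// User 1 follows the same link while logged in.
echo confirmEmailChange($users, $pending, 1, 1, $key), "\n";
echo 'user 1 address: ', $users[1], "\n";

// The same link is followed a second time after it has been consumed.
echo confirmEmailChange($users, $pending, 1, 1, $key), "\n";
```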

Marcos Garcia (marcosgdf) wrote :

Fixed in last revision.

Sorry about this problem, and thanks for reporting and making Jisko better!

Regards, Marquitox.

Changed in jisko:
importance: Undecided → Medium
assignee: nobody → Marcos Garcia (marcosgdf)
milestone: none → 2.0
status: New → Confirmed
status: Confirmed → In Progress
Changed in jisko:
status: In Progress → Fix Released
nayuki (kaji) wrote :

If here is mended and not put, e-mail of the person who clicked first is changed.

$db->updateMail($_USER['ID'], $newEmail);

$db->updateMail($_GET['uid'], $newEmail);

Marcos Garcia (marcosgdf) wrote : Re: [Bug 514071] Re: Other users' mail addresses are revokable.

Well...
I have to admit that the way Jisko confirms an email is not the best way, so
maybe it will change in Jisko 3.0 and not in 2.0.

Anyway, thanks for your interest in Jisko :)

On 29/01/2010 1:05, "nayuki" <email address hidden> wrote:

> If here is mended and not put, e-mail of the person who clicked first is
> changed.
>
> $db->updateMail($_USER['ID'], $newEmail);
>
> $db->updateMail($_GET['uid'], $newEmail);
