Fix bug where new_user_dialog email check could have been circumvented by deleting / abandoning session (#5929)

pull/6256/head
Aleksander Machniak 7 years ago
parent 2faf7185db
commit f9a5d03e5a

@ -69,6 +69,7 @@ CHANGELOG Roundcube Webmail
- Handle inline images also inside multipart/mixed messages (#5905)
- Allow style tags in HTML editor on composed/reply messages (#5751)
- Use Github API as a fallback to fetch js dependencies to workaround throttling issues (#6248)
- Fix bug where new_user_dialog email check could have been circumvented by deleting / abandoning session (#5929)
- Fix skin extending for assets (#5115)
- Fix handling of forwarded messages inside of a TNEF message (#5632)
- Fix bug where attachment size wasn't visible when the filename was too long (#6033)

@ -3,7 +3,7 @@
"type": "roundcube-plugin",
"description": "When a new user is created, this plugin checks the default identity and sets a session flag in case it is incomplete. An overlay box will appear on the screen until the user has reviewed/completed his identity.",
"license": "GPLv3+",
"version": "2.3",
"version": "2.4",
"authors": [
{
"name": "Thomas Bruederli",

@ -20,12 +20,8 @@ class new_user_dialog extends rcube_plugin
function init()
{
$this->add_hook('identity_create', array($this, 'create_identity'));
$this->add_hook('render_page', array($this, 'render_page'));
$this->register_action('plugin.newusersave', array($this, 'save_data'));
// register additional hooks if session flag is set
if ($_SESSION['plugin.newuserdialog']) {
$this->add_hook('render_page', array($this, 'render_page'));
}
}
/**
@ -35,7 +31,8 @@ class new_user_dialog extends rcube_plugin
{
// set session flag when a new user was created and the default identity seems to be incomplete
if ($p['login'] && !$p['complete']) {
$_SESSION['plugin.newuserdialog'] = true;
$rcmail = rcmail::get_instance();
$rcmail->user->save_prefs(array('newuserdialog' => true));
}
}
@ -45,10 +42,10 @@ class new_user_dialog extends rcube_plugin
*/
function render_page($p)
{
if ($_SESSION['plugin.newuserdialog']) {
$rcmail = rcmail::get_instance();
if ($p['template'] != 'login' && $rcmail->config->get('newuserdialog')) {
$this->add_texts('localization');
$rcmail = rcmail::get_instance();
$identity = $rcmail->user->get_identity();
$identities_level = intval($rcmail->config->get('identities_level', 0));
@ -172,7 +169,7 @@ rcube_webmail.prototype.new_user_dialog_close = function() { newuserdialog.dialo
else {
// save data
$rcmail->user->update_identity($identity['identity_id'], $save_data);
$rcmail->session->remove('plugin.newuserdialog');
$rcmail->user->save_prefs(array('newuserdialog' => null));
// hide dialog
$rcmail->output->command('new_user_dialog_close');
$rcmail->output->show_message('successfullysaved', 'confirmation');
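Review bot: The persisted `newuserdialog` flag is still enforced only inside the `render_page` hook, in the `$p['template'] != 'login' && $rcmail->config->get('newuserdialog')` test, so it gates full page renders and nothing else. These hunks do not show whether requests that never render a template are held back while the flag is set, which is worth confirming if the email check is meant as a control rather than a reminder. Because `init()` now registers `render_page` unconditionally, a short comment above the `save_prefs(array('newuserdialog' => true))` call in `create_identity` would record the reason, for example `// flag lives in user prefs, not $_SESSION, so abandoning the session cannot clear it (#5929)`. The template comparison could also be strict, `$p['template'] !== 'login'`. The bodies of `render_page` and `save_data` continue outside the visible hunks.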
