From f9a5d03e5a0fd9d68f77074a6a832a93fbe9debe Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Mon, 16 Apr 2018 17:15:26 +0200
Subject: [PATCH] Fix bug where new_user_dialog email check could have been circumvented by deleting / abandoning session (#5929)
---
 CHANGELOG | 1 +
 plugins/new_user_dialog/composer.json | 2 +-
 plugins/new_user_dialog/new_user_dialog.php | 15 ++++++---------
 3 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 7a33b50c0..0c26d513b 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -69,6 +69,7 @@ CHANGELOG Roundcube Webmail
 - Handle inline images also inside multipart/mixed messages (#5905)
 - Allow style tags in HTML editor on composed/reply messages (#5751)
 - Use Github API as a fallback to fetch js dependencies to workaround throttling issues (#6248)
+- Fix bug where new_user_dialog email check could have been circumvented by deleting / abandoning session (#5929)
 - Fix skin extending for assets (#5115)
 - Fix handling of forwarded messages inside of a TNEF message (#5632)
 - Fix bug where attachment size wasn't visible when the filename was too long (#6033)
diff --git a/plugins/new_user_dialog/composer.json b/plugins/new_user_dialog/composer.json
index 4c79dea5d..34aeda0ea 100644
--- a/plugins/new_user_dialog/composer.json
+++ b/plugins/new_user_dialog/composer.json
@@ -3,7 +3,7 @@
 "type": "roundcube-plugin",
 "description": "When a new user is created, this plugin checks the default identity and sets a session flag in case it is incomplete. An overlay box will appear on the screen until the user has reviewed/completed his identity.",
 "license": "GPLv3+",
- "version": "2.3",
+ "version": "2.4",
 "authors": [
 {
 "name": "Thomas Bruederli",
diff --git a/plugins/new_user_dialog/new_user_dialog.php b/plugins/new_user_dialog/new_user_dialog.php
index f16b492e9..57fc749eb 100644
--- a/plugins/new_user_dialog/new_user_dialog.php
+++ b/plugins/new_user_dialog/new_user_dialog.php
@@ -20,12 +20,8 @@ class new_user_dialog extends rcube_plugin
 function init()
 {
 $this->add_hook('identity_create', array($this, 'create_identity'));
+ $this->add_hook('render_page', array($this, 'render_page'));
 $this->register_action('plugin.newusersave', array($this, 'save_data'));
-
- // register additional hooks if session flag is set
- if ($_SESSION['plugin.newuserdialog']) {
- $this->add_hook('render_page', array($this, 'render_page'));
- }
 }

 /**
@@ -35,7 +31,8 @@ class new_user_dialog extends rcube_plugin
 {
 // set session flag when a new user was created and the default identity seems to be incomplete
 if ($p['login'] && !$p['complete']) {
- $_SESSION['plugin.newuserdialog'] = true;
+ $rcmail = rcmail::get_instance();
+ $rcmail->user->save_prefs(array('newuserdialog' => true));
 }
 }

@@ -45,10 +42,10 @@ class new_user_dialog extends rcube_plugin
 */
 function render_page($p)
 {
- if ($_SESSION['plugin.newuserdialog']) {
+ $rcmail = rcmail::get_instance();
+ if ($p['template'] != 'login' && $rcmail->config->get('newuserdialog')) {
 $this->add_texts('localization');

- $rcmail = rcmail::get_instance();
 $identity = $rcmail->user->get_identity();
 $identities_level = intval($rcmail->config->get('identities_level', 0));

@@ -172,7 +169,7 @@ rcube_webmail.prototype.new_user_dialog_close = function() { newuserdialog.dialo
 else {
 // save data
 $rcmail->user->update_identity($identity['identity_id'], $save_data);
- $rcmail->session->remove('plugin.newuserdialog');
+ $rcmail->user->save_prefs(array('newuserdialog' => null));
 // hide dialog
 $rcmail->output->command('new_user_dialog_close');
 $rcmail->output->show_message('successfullysaved', 'confirmation');
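Review bot: The now-unconditional `add_hook('render_page', …)` in `init()` lost the explanatory comment that the removed conditional carried, so nothing in the method says why the hook runs on every page render or where the actual gate lives. A one-line comment such as `// always hook render_page: the pending flag is a persistent user pref and is evaluated inside render_page()` would keep the intent visible. The class body starts and ends outside the hunk.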
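Review bot: The context comment `// set session flag when a new user was created …` in `create_identity()` is stale, because the added lines persist a user preference instead of writing to the session; it should read something like `// persist a user pref when a new user was created and the default identity seems to be incomplete`. The result of `save_prefs()` is also discarded here: assuming it reports failure through its return value, a failed write leaves the flag unset and the identity check is silently skipped for that account, so logging the failure would let operators notice. The function signature is outside the hunk.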
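Review bot: In `render_page()` the flag is read with `$rcmail->config->get('newuserdialog')` although the other hunks write it with `$rcmail->user->save_prefs()`, so the check presumably depends on user prefs having been merged into the config object, and the unprefixed key shares a namespace with site configuration. A comment stating that dependency, or a plugin-prefixed key used consistently in all three places, would make the enforcement path easier to audit. The template test should also be strict: `if ($p['template'] !== 'login' && $rcmail->config->get('newuserdialog')) {`. The function body continues past the end of the hunk.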
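Review bot: The flag is cleared with `save_prefs(array('newuserdialog' => null))` regardless of whether `update_identity()` on the line above succeeded, so a failed identity update would still dismiss the check persistently and report `successfullysaved`. Guarding on the result, e.g. `if ($rcmail->user->update_identity($identity['identity_id'], $save_data)) { $rcmail->user->save_prefs(array('newuserdialog' => null)); }`, keeps the flag set until the identity is actually stored; this assumes `update_identity()` returns a boolean, which the hunk does not show. The enclosing `else` block and the input validation before it start outside the hunk.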