? user/emailupdate.php Index: user/edit.php =================================================================== RCS file: /cvsroot/moodle/moodle/user/edit.php,v retrieving revision 1.167.2.5 diff -u -r1.167.2.5 edit.php --- user/edit.php 26 Feb 2008 12:45:32 -0000 1.167.2.5 +++ user/edit.php 1 Jul 2008 06:39:02 -0000 @@ -35,7 +35,7 @@ } // Guest can not be edited - if (isguestuser($user)) { + if (isguestuser($user)) { print_error('guestnoeditprofile'); } @@ -89,10 +89,27 @@ $userform = new user_edit_form(); $userform->set_data($user); + $email_changed = false; + if ($usernew = $userform->get_data()) { add_to_log($course->id, 'user', 'update', "view.php?id=$user->id&course=$course->id", ''); + $email_changed_html = ''; + + // Handle change of email carefully for non-trusted users + if ($user->email != $usernew->email && !has_capability('moodle/user:update', $systemcontext)) { + $a = new stdClass(); + $a->newemail = $usernew->preference_newemail = $usernew->email; + $usernew->preference_newemailkey = random_string(20); + $usernew->preference_newemailattemptsleft = 3; + $a->oldemail = $usernew->email = $user->email; + + $email_changed_html = print_box(get_string('auth_changingemailaddress', 'auth', $a), 'generalbox', 'notice', true); + $email_changed_html .= print_continue("$CFG->wwwroot/user/view.php?id=$user->id&course=$course->id", true); + $email_changed = true; + } + $authplugin = get_auth_plugin($user->auth); $usernew->timemodified = time(); @@ -131,6 +148,23 @@ // save custom profile fields data profile_save_data($usernew); + // If email was changed, send confirmation email now + if ($email_changed) { + $temp_user = fullclone($user); + $temp_user->email = $usernew->preference_newemail; + + $a = new stdClass(); + $a->url = $CFG->wwwroot . '/user/emailupdate.php?key=' . $usernew->preference_newemailkey . '&id=' . $user->id; + $a->site = $SITE->fullname; + + $emailupdatemessage = get_string('auth_emailupdatemessage', 'auth', $a); + $emailupdatetitle = get_string('auth_emailupdatetitle', 'auth', $a); + + if(!$mail_results = email_to_user($temp_user, get_admin(), $emailupdatetitle, $emailupdatemessage)) { + die("could not send email!"); + } + } + if ($USER->id == $user->id) { // Override old $USER session variable if needed $usernew = (array)get_record('user', 'id', $user->id); // reload from db @@ -139,7 +173,10 @@ } } events_trigger('user_updated', $usernew); - redirect("$CFG->wwwroot/user/view.php?id=$user->id&course=$course->id"); + + if (!$email_changed) { + redirect("$CFG->wwwroot/user/view.php?id=$user->id&course=$course->id"); + } } @@ -164,8 +201,12 @@ $currenttab = 'editprofile'; require('tabs.php'); -/// Finally display THE form - $userform->display(); + if ($email_changed) { + echo $email_changed_html; + } else { + /// Finally display THE form + $userform->display(); + } /// and proper footer print_footer($course); Index: lang/en_utf8/auth.php =================================================================== RCS file: /cvsroot/moodle/moodle/lang/en_utf8/auth.php,v retrieving revision 1.30.2.10 diff -u -r1.30.2.10 auth.php --- lang/en_utf8/auth.php 20 Mar 2008 12:19:26 -0000 1.30.2.10 +++ lang/en_utf8/auth.php 1 Jul 2008 06:39:03 -0000 @@ -114,12 +114,24 @@ // Email plugin $string['auth_emaildescription'] = 'Email confirmation is the default authentication method. When the user signs up, choosing their own new username and password, a confirmation email is sent to the user\'s email address. This email contains a secure link to a page where the user can confirm their account. Future logins just check the username and password against the stored values in the Moodle database.'; +$string['auth_emailnowexists'] = 'The email address you tried to assign to your profile has been assigned to someone else since your original request. Your request for change of email address is hereby cancelled, but you may try again with a different address.'; $string['auth_emailtitle'] = 'Email-based self-registration'; $string['auth_emailnoinsert'] = 'Could not add your record to the database!'; $string['auth_emailnoemail'] = 'Tried to send you an email but failed!'; $string['auth_emailrecaptcha'] = 'Adds a visual/audio confirmation form element to the signup page for email self-registering users. This protects your site against spammers and contributes to a worthwhile cause. See http://recaptcha.net/learnmore.html for more details.'; $string['auth_emailrecaptcha_key'] = 'Enable reCAPTCHA element'; $string['auth_emailsettings'] = 'Settings'; +$string['auth_emailupdatemessage'] = 'Dear $a->fullname, + +You have requested a change of your email address for your user account at $a->site. Please open the following URL in your browser in order to confirm this change. + +$a->url'; +$string['auth_emailupdatetitle'] = 'Confirmation of email update at $a->site'; +$string['auth_invalidnewemailkey'] = 'Error: if you are trying to confirm a change of email address, you may have made a mistake in copying the URL we sent you by email. Please copy the address and try again.'; +$string['auth_emailupdatesuccess'] = 'Your email address was successfully updated to $a->email.'; +$string['auth_outofnewemailupdateattempts'] = 'You have run out of allowed attempts to update your email address. Your update request has been cancelled.'; +$string['auth_emailupdate'] = 'Email address update'; +$string['auth_changingemailaddress'] = 'You have requested a change of email address, from $a->oldemail to $a->newemail. For security reasons, we are sending you an email message at the new address to confirm that it belongs to you. Your email address will be updated as soon as you open the URL sent to you in that message.'; // FirstClass plugin $string['auth_fccreators'] = 'List of groups whose members are allowed to create new courses. Separate multiple groups with \';\'. Names must be spelled exactly as on FirstClass server. System is case-sensitive.'; Index: user/emailupdate.php =================================================================== RCS file: user/emailupdate.php diff -N user/emailupdate.php --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ user/emailupdate.php 1 Jan 1970 00:00:00 -0000 @@ -0,0 +1,57 @@ +libdir.'/adminlib.php'); + +$key = required_param('key', PARAM_ALPHANUM); +$id = required_param('id', PARAM_INT); + +if (!$user = get_record('user', 'id', $id)) { + error("Unknown user ID"); +} + +$preferences = get_user_preferences(null, null, $id); + +$stremailupdate = get_string('auth_emailupdate', 'auth'); +print_header(format_string($SITE->fullname) . ": $stremailupdate", format_string($SITE->fullname) . ": $stremailupdate"); + +$cancel_email_update = false; + +if (empty($preferences['newemailattemptsleft'])) { + redirect("$CFG->wwwroot/user/view.php?id=$user->id"); + +} elseif ($preferences['newemailattemptsleft'] < 1) { + $cancel_email_update = true; + $stroutofattempts = get_string('auth_outofnewemailupdateattempts', 'auth'); + print_box($stroutofattempts, 'center'); + +} elseif ($key == $preferences['newemailkey']) { + $user->email = $preferences['newemail']; + + // Detect duplicate before saving + if (get_record('user', 'email', addslashes($user->email))) { + $stremailnowexists = get_string('auth_emailnowexists', 'auth'); + print_box($stremailnowexists, 'center'); + $cancel_email_update = true; + print_continue("$CFG->wwwroot/user/view.php?id=$user->id"); + } else { + // update user email + if (!set_field('user', 'email', addslashes($user->email), 'id', $user->id)) { + error('Error updating user record'); + + } else { + events_trigger('user_updated', $user); + $stremailupdatesuccess = get_string('auth_emailupdatesuccess', 'auth', $user); + print_box($stremailupdatesuccess, 'center'); + print_continue("$CFG->wwwroot/user/view.php?id=$user->id"); + + $cancel_email_update = true; + } + } + +} else { + $preferences['newemailattemptsleft']--; + set_user_preference('newemailattemptsleft', $preferences['newemailattemptsleft'], $user->id); + $strinvalidkey = get_string('auth_invalidnewemailkey', 'auth'); + print_box($strinvalidkey, 'center'); +} + +if ($cancel_email_update) { + unset_user_preference('newemail', $user->id); + unset_user_preference('newemailkey', $user->id); + unset_user_preference('newemailattemptsleft', $user->id); +} +print_footer('none'); +?>