check password-set user token before redirecting to set password form:

- this stops the password reset process earlier (before the redirect)
- also now shows a notice informing the user that they need to log out
  of the (other) account
This commit is contained in:
Rua Haszard 2020-10-14 12:26:51 +13:00
parent 1f5601f0fe
commit 5e3713da75
2 changed files with 9 additions and 5 deletions


@ -49,6 +49,13 @@ class WC_Form_Handler {
$user_id = absint( $_GET['id'] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
}
// If the reset token is not for the current user, ignore the reset request (don't redirect).
$logged_in_user_id = get_current_user_id();
if ( $logged_in_user_id && $logged_in_user_id !== $user_id ) {
wc_add_notice( __( 'This password reset key is for a different user account. Please log out and try again.', 'woocommerce' ), 'error' );
return;
}
$action = isset( $_GET['action'] ) ? sanitize_text_field( wp_unslash( $_GET['action'] ) ) : '';
$value = sprintf( '%d:%s', $user_id, wp_unslash( $_GET['key'] ) ); // phpcs:ignore
WC_Shortcode_My_Account::set_reset_password_cookie( $value );
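Review bot: The new guard compares only the user id taken from the query string against the logged-in user; the reset key in `$_GET['key']` is still unvalidated at this point, so the notice text "This password reset key is for a different user account" claims more than was checked (the key is only verified later by `self::check_password_reset_key` in WC_Shortcode_My_Account, visible in the second file). A comment above the `if` would keep the next reader from assuming the key was validated here, e.g. `// Only the user id is compared here; the key itself is validated later by WC_Shortcode_My_Account::check_password_reset_key().` A second, smaller point: `absint( $_GET['id'] )` yields 0 for a non-numeric id, and with a user logged in that case also produces the "different user account" notice although the link is simply invalid, so checking `$user_id` for 0 before this comparison would give an accurate message; how `$user_id` is set on the `login` path is outside the hunk, so this is inferred. The enclosing function starts and ends outside the hunk.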


@ -238,15 +238,12 @@ class WC_Shortcode_My_Account {
} elseif ( ! empty( $_GET['show-reset-form'] ) ) { // WPCS: input var ok, CSRF ok.
if ( isset( $_COOKIE[ 'wp-resetpass-' . COOKIEHASH ] ) && 0 < strpos( $_COOKIE[ 'wp-resetpass-' . COOKIEHASH ], ':' ) ) { // @codingStandardsIgnoreLine
list( $rp_id, $rp_key ) = array_map( 'wc_clean', explode( ':', wp_unslash( $_COOKIE[ 'wp-resetpass-' . COOKIEHASH ] ), 2 ) ); // @codingStandardsIgnoreLine
$rp_id = absint( $rp_id );
$userdata = get_userdata( $rp_id );
$userdata = get_userdata( absint( $rp_id ) );
$rp_login = $userdata ? $userdata->user_login : '';
$user = self::check_password_reset_key( $rp_key, $rp_login );
$logged_in_user_id = get_current_user_id();
// Reset key / login is correct, display reset password form with hidden key / login values.
// Only show reset form if logged-in user matches reset token or no user is logged in.
if ( is_object( $user ) && ( ! $logged_in_user_id || $logged_in_user_id === $rp_id ) ) {
if ( is_object( $user ) ) {
return wc_get_template(
'myaccount/form-reset-password.php',
array(