3e1aaebf89
Until now, AuthService used to check for an empty e-mail in order to tell whether an account is activated. This was wrong for the following scenario:

1. User doesn't enter any e-mail.
2. Because he is about to become the first user to register, he will become an administrator.
3. Administrators don't need to confirm their e-mail address. Activation e-mail is not sent, code for e-mail activation is run instead.
4. The user succeeds in creating an e-mail-less administrator account.
5. The user fails to log in due to unconfirmed e-mail.
6. The code that activates an e-mail just moves unconfirmed e-mail to primary e-mail. That was the bug, there's no e-mail to confirm.

Things got (hopefully) simpler now, since I added a separate column for indicating whether an account is activated.
11 lines
282 B
PHP
<?php
namespace Szurubooru\Upgrades;

class Upgrade02 implements IUpgrade
{
    // Adds an explicit activation flag to "users", so that account state
    // no longer has to be inferred from whether the e-mail is empty.
    public function run(\Szurubooru\DatabaseConnection $databaseConnection)
    {
        $databaseConnection->getPDO()->exec('
            ALTER TABLE "users" ADD COLUMN accountConfirmed BOOLEAN NOT NULL DEFAULT FALSE');
    }
}
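The scenario from the commit message, as an added example that is not part of the szurubooru code base: it contrasts inferring activation from the e-mail field with reading the explicit flag that Upgrade02 introduces. The `User` class, its `email` and `emailUnconfirmed` properties, and the three functions are hypothetical names chosen for illustration; the sample users are constructed.

```php
<?php
// Added illustration; class, property and function names are hypothetical.
final class User
{
    public ?string $email = null;            // confirmed (primary) address
    public ?string $emailUnconfirmed = null; // address awaiting confirmation
    public bool $accountConfirmed = false;   // mirrors the column added by Upgrade02
}

// Activation as the commit message describes it: the pending address is
// promoted to primary. Setting the explicit flag is the part the fix adds.
function activate(User $user): void
{
    $user->email = $user->emailUnconfirmed;
    $user->emailUnconfirmed = null;
    $user->accountConfirmed = true;
}

// Old check: activation state inferred from whether an e-mail is present.
function isActivatedLegacy(User $user): bool
{
    return !empty($user->email);
}

// New check: activation state read from its own field.
function isActivated(User $user): bool
{
    return $user->accountConfirmed;
}

function report(string $label, User $user): void
{
    printf("%-28s legacy=%s explicit=%s\n", $label,
        var_export(isActivatedLegacy($user), true),
        var_export(isActivated($user), true));
}

// Constructed case 1: first registrant enters no e-mail and becomes
// administrator, so activation runs directly with nothing to promote.
$admin = new User();
activate($admin);
report('e-mail-less administrator', $admin);

// Constructed case 2: a user supplied an address but never confirmed it;
// both checks must still treat the account as inactive.
$pending = new User();
$pending->emailUnconfirmed = 'user@example.com';
report('unconfirmed regular user', $pending);
```

Only the first case separates the two checks: the activated administrator looks inactive to the legacy check because the promoted e-mail is still empty.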