Patching from develop

* Allow account_create_character_create even if account_mail_verify is activated
* Fixes to account verify - do not allow login without verified email (Thanks @anyeor)

system/init.php

@@ -116,7 +116,7 @@ if(!isset($config['highscores_ids_hidden']) || count($config['highscores_ids_hid
 	$config['highscores_ids_hidden'] = array(0);
 }
 
-$config['account_create_character_create'] = config('account_create_character_create') && (!config('mail_enabled') || !config('account_mail_verify'));
+$config['account_mail_verify'] = config('account_mail_verify') && config('mail_enabled');
 
 // POT
 require_once SYSTEM . 'libs/pot/OTS.php';

system/login.php

@@ -88,28 +88,32 @@ else
 				&& (!isset($t) || $t['attempts'] < 5)
 				)
 			{
-				session_regenerate_id();
-				setSession('account', $account_logged->getId());
-				setSession('password', encrypt(($config_salt_enabled ? $account_logged->getCustomField('salt') : '') . $login_password));
-				if($remember_me) {
-					setSession('remember_me', true);
-				}
-
-				$logged = true;
-				$logged_flags = $account_logged->getWebFlags();
-
-				if(isset($_POST['admin']) && !admin()) {
-					$errors[] = 'This account has no admin privileges.';
-					unsetSession('account');
-					unsetSession('password');
-					unsetSession('remember_me');
-					$logged = false;
+				if (config('mail_enabled') && config('account_mail_verify') && (int)$account_logged->getCustomField('email_verified') !== 1) {
+					$errors[] = 'Your account is not verified. Please verify your email address. If the message is not coming check the SPAM folder in your E-Mail client.';
 				}
 				else {
-					$account_logged->setCustomField('web_lastlogin', time());
-				}
+					session_regenerate_id();
+					setSession('account', $account_logged->getId());
+					setSession('password', encrypt(($config_salt_enabled ? $account_logged->getCustomField('salt') : '') . $login_password));
+					if ($remember_me) {
+						setSession('remember_me', true);
+					}
 
-				$hooks->trigger(HOOK_LOGIN, array('account' => $account_logged, 'password' => $login_password, 'remember_me' => $remember_me));
+					$logged = true;
+					$logged_flags = $account_logged->getWebFlags();
+
+					if (isset($_POST['admin']) && !admin()) {
+						$errors[] = 'This account has no admin privileges.';
+						unsetSession('account');
+						unsetSession('password');
+						unsetSession('remember_me');
+						$logged = false;
+					} else {
+						$account_logged->setCustomField('web_lastlogin', time());
+					}
+
+					$hooks->trigger(HOOK_LOGIN, array('account' => $account_logged, 'password' => $login_password, 'remember_me' => $remember_me));
+				}
 			}
 			else
 			{

system/pages/account/confirm_email.php

@@ -29,11 +29,13 @@ else
 		$account = new OTS_Account();
 		$account->load($query['id']);
 		if ($account->isLoaded()) {
+			$db->update('accounts', ['email_verified' => '1'], ['email_hash' => $hash]);
+			success('You have now verified your e-mail, this will increase the security of your account. Thank you for doing this. You can now <a href=' . getLink('account/manage') . '>log in</a>.');
+
 			$hooks->trigger(HOOK_EMAIL_CONFIRMED, ['account' => $account]);
 		}
 	}
-
-	$db->update('accounts', array('email_verified' => '1'), array('email_hash' => $hash));
-	success('You have now verified your e-mail, this will increase the security of your account. Thank you for doing this.');
+	else {
+		error('Link has expired.');
+	}
 }
-?>

system/pages/createaccount.php

@@ -211,6 +211,9 @@ if($save)
 			if(_mail($email, 'New account on ' . $config['lua']['serverName'], $body_html))
 			{
 				echo 'Your account has been created.<br/><br/>';
+
+				warning("Before you can login - you need to verify your E-Mail. The verification link has been sent to $email. If the message is not coming - remember to check the SPAM folder.");
+
 				$twig->display('success.html.twig', array(
 					'title' => 'Account Created',
 					'description' => 'Your account ' . $account_type . ' is <b>' . $tmp_account . '</b><br/>You will need the account ' . $account_type . ' and your password to play on ' . configLua('serverName') . '.
@@ -227,15 +230,6 @@ if($save)
 		}
 		else
 		{
-			if(config('account_create_character_create')) {
-				// character creation
-				$character_created = $createCharacter->doCreate($character_name, $character_sex, $character_vocation, $character_town, $new_account, $errors);
-				if (!$character_created) {
-					error('There was an error creating your character. Please create your character later in account management page.');
-					error(implode(' ', $errors));
-				}
-			}
-
 			if($config['account_create_auto_login']) {
 				$_POST['account_login'] = USE_ACCOUNT_NAME ? $account_name : $account_id;
 				$_POST['password_login'] = $password2;
@@ -280,6 +274,15 @@ if($save)
 			}
 		}
 
+		if(config('account_create_character_create')) {
+			// character creation
+			$character_created = $createCharacter->doCreate($character_name, $character_sex, $character_vocation, $character_town, $new_account, $errors);
+			if (!$character_created) {
+				error('There was an error creating your character. Please create your character later in account management page.');
+				error(implode(' ', $errors));
+			}
+		}
+
 		return;
 	}
 }

system/templates/account.create.html.twig

@@ -130,7 +130,7 @@
 
 							{{ hook('HOOK_ACCOUNT_CREATE_BETWEEN_BOXES_1') }}
 
-							{% if (not config.mail_enabled or not config.account_mail_verify) and config.account_create_character_create %}
+							{% if config.account_create_character_create %}
 							<tr>
 								<td>
 									<div class="TableShadowContainerRightTop">