Fixes to account verify - do not allow login without verified email (Thanks @anyeor)

2025-04-26 09:19:22 +02:00 · 2024-07-09 23:05:36 +02:00 · 2024-07-09 23:05:36 +02:00 · fcb13f3c0f
commit fcb13f3c0f
parent d94828772c
4 changed files with 38 additions and 28 deletions
--- a/plugins/email-confirmed-reward/reward.php
+++ b/plugins/email-confirmed-reward/reward.php
@ -1,8 +1,6 @@
 <?php
 defined('MYAAC') or die('Direct access not allowed!');

-$reward = setting('core.account_mail_confirmed_reward');
-
 $hasCoinsColumn = $db->hasColumn('accounts', 'coins');
 $rewardCoins = setting('core.account_mail_confirmed_reward_coins');
 if ($rewardCoins > 0 && !$hasCoinsColumn) {
--- a/system/pages/account/confirm-email.php
+++ b/system/pages/account/confirm-email.php
@ -25,16 +25,20 @@ if(!Account::where('email_hash', $hash)->exists()) {
 }
 else
 {
-	if (Account::where('email_hash', $hash)->where('email_verified', 0)->exists()) {
-		$query = $query->fetch(PDO::FETCH_ASSOC);
+	$accountModel = Account::where('email_hash', $hash)->where('email_verified', 0)->first();
+	if ($accountModel) {
+		$accountModel->email_verified = 1;
+		$accountModel->save();
+
+		success('You have now verified your e-mail, this will increase the security of your account. Thank you for doing this. You can now <a href=' . getLink('account/manage') . '>log in</a>.');
+
 		$account = new OTS_Account();
-		$account->load($query['id']);
+		$account->load($accountModel->id);
 		if ($account->isLoaded()) {
 			$hooks->trigger(HOOK_EMAIL_CONFIRMED, ['account' => $account]);
 		}
 	}
-
-	Account::where('email_hash', $hash)->update('email_verified', 1);
-	success('You have now verified your e-mail, this will increase the security of your account. Thank you for doing this.');
+	else {
+		error('Link has expired.');
+	}
 }
-?>
--- a/system/pages/account/create.php
+++ b/system/pages/account/create.php
@ -236,6 +236,9 @@ if($save)
 			if(_mail($email, 'New account on ' . $config['lua']['serverName'], $body_html))
 			{
 				echo 'Your account has been created.<br/><br/>';
+
+				warning("Before you can login - you need to verify your E-Mail. The verification link has been sent to $email. If the message is not coming - remember to check the SPAM folder.");
+
 				$twig->display('success.html.twig', array(
 					'title' => 'Account Created',
 					'description' => 'Your account ' . $account_type . ' is <b>' . $tmp_account . '</b><br/>You will need the account ' . $account_type . ' and your password to play on ' . configLua('serverName') . '.
--- a/system/pages/account/login.php
+++ b/system/pages/account/login.php
@ -60,28 +60,33 @@ if(!empty($login_account) && !empty($login_password))
 		&& (!isset($t) || $t['attempts'] < 5)
 	)
 	{
-		session_regenerate_id();
-		setSession('account', $account_logged->getId());
-		setSession('password', encrypt((USE_ACCOUNT_SALT ? $account_logged->getCustomField('salt') : '') . $login_password));
-		if($remember_me) {
-			setSession('remember_me', true);
-		}
-
-		$logged = true;
-		$logged_flags = $account_logged->getWebFlags();
-
-		if(isset($_POST['admin']) && !admin()) {
-			$errors[] = 'This account has no admin privileges.';
-			unsetSession('account');
-			unsetSession('password');
-			unsetSession('remember_me');
-			$logged = false;
+		if (setting('core.account_mail_verify') && (int)$account_logged->getCustomField('email_verified') !== 1) {
+			$errors[] = 'Your account is not verified. Please verify your email address. If the message is not coming check the SPAM folder in your E-Mail client.';
 		}
 		else {
-			$account_logged->setCustomField('web_lastlogin', time());
-		}
+			session_regenerate_id();
+			setSession('account', $account_logged->getId());
+			setSession('password', encrypt((USE_ACCOUNT_SALT ? $account_logged->getCustomField('salt') : '') . $login_password));
+			if($remember_me) {
+				setSession('remember_me', true);
+			}

-		$hooks->trigger(HOOK_LOGIN, array('account' => $account_logged, 'password' => $login_password, 'remember_me' => $remember_me));
+			$logged = true;
+			$logged_flags = $account_logged->getWebFlags();
+
+			if(isset($_POST['admin']) && !admin()) {
+				$errors[] = 'This account has no admin privileges.';
+				unsetSession('account');
+				unsetSession('password');
+				unsetSession('remember_me');
+				$logged = false;
+			}
+			else {
+				$account_logged->setCustomField('web_lastlogin', time());
+			}
+
+			$hooks->trigger(HOOK_LOGIN, array('account' => $account_logged, 'password' => $login_password, 'remember_me' => $remember_me));
+		}
 	}
 	else
 	{