From 3610c59dae9c7ba231af68baaf01fecbbdc37593 Mon Sep 17 00:00:00 2001
From: Smriti Singh
Date: Fri, 11 Mar 2016 01:49:41 +0530
Subject: [PATCH] User.php: Update 'setEmailWithConfirmation' for notification email

In order to minimise the chances of successful account cracking, a notification email should be sent to the user on their previous registered email address, informing them of the change in the registered email address of their account.

Bug: T31856
Change-Id: Ib1ef76d7eb45ed0fa7ee0c2e7e39af21289367d2
---
 includes/user/User.php | 26 ++++++++++++++++++++++++--
 languages/i18n/en.json | 4 ++++
 languages/i18n/qqq.json | 4 ++++
 3 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/includes/user/User.php b/includes/user/User.php
index 68a169a4ad..2e786bd798 100644
--- a/includes/user/User.php
+++ b/includes/user/User.php
@@ -2697,14 +2697,36 @@ class User implements IDBAccessObject {
 return Status::newGood( true );
 }
+ $type = $oldaddr != '' ? 'changed' : 'set';
+ $notificationResult = null;
+
+ if ( $wgEmailAuthentication ) {
+ // Send the user an email notifying the user of the change in registered
+ // email address on their previous email address
+ if ( $type == 'changed' ) {
+ $change = $str != '' ? 'changed' : 'removed';
+ $notificationResult = $this->sendMail(
+ wfMessage( 'notificationemail_subject_' . $change )->text(),
+ wfMessage( 'notificationemail_body_' . $change,
+ $this->getRequest()->getIP(),
+ $this->getName(),
+ $str )->text()
+ );
+ }
+ }
+
 $this->setEmail( $str );
 if ( $str !== '' && $wgEmailAuthentication ) {
 // Send a confirmation request to the new address if needed
- $type = $oldaddr != '' ? 'changed' : 'set';
 $result = $this->sendConfirmationMail( $type );
+
+ if ( $notificationResult !== null ) {
+ $result->merge( $notificationResult );
+ }
+
 if ( $result->isGood() ) {
- // Say to the caller that a confirmation mail has been sent
+ // Say to the caller that a confirmation and notification mail has been sent
 $result->value = 'eauth';
 }
 } else {
diff --git a/languages/i18n/en.json b/languages/i18n/en.json
index fea9fbd4ca..5526e2e728 100644
--- a/languages/i18n/en.json
+++ b/languages/i18n/en.json
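Review bot: The notice to the previous address is only sent inside `if ( $wgEmailAuthentication ) {`, although the change itself takes effect unconditionally via `$this->setEmail( $str )`, so on wikis with email authentication disabled the holder of the old address never learns of the change this patch is meant to flag; the outer guard should be dropped so the block reads `if ( $type == 'changed' ) {` alone, leaving `$wgEmailAuthentication` to gate only the confirmation request below. On the removal path (`$str === ''`) `$notificationResult` is computed but never merged, because the merge sits inside the `$str !== ''` branch, so a failed "removed" notice is silently dropped. Note also that merging a failed notification into `$result` prevents `$result->value = 'eauth'` even when the confirmation mail to the new address did go out, which changes what the caller reports; a warning rather than a merged error may fit better, though the caller is not visible here. Whether the new address `$str` should be disclosed in the notice when the old address was never confirmed is worth checking; no confirmation check is visible in this hunk. The enclosing method (setEmailWithConfirmation per the subject) begins and ends outside this hunk.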
@@ -3344,6 +3344,10 @@
 "confirmemail_body_set": "Someone, probably you, from IP address $1,\nhas set the email address of the account \"$2\" to this address on {{SITENAME}}.\n\nTo confirm that this account really does belong to you and activate\nemail features on {{SITENAME}}, open this link in your browser:\n\n$3\n\nIf the account does *not* belong to you, follow this link\nto cancel the email address confirmation:\n\n$5\n\nThis confirmation code will expire at $4.",
 "confirmemail_invalidated": "Email address confirmation canceled",
 "invalidateemail": "Cancel email confirmation",
+ "notificationemail_subject_changed": "{{SITENAME}} registered email address has been changed",
+ "notificationemail_subject_removed": "{{SITENAME}} registered email address has been removed",
+ "notificationemail_body_changed": "Someone, probably you, from IP address $1,\nhas changed the email address of the account \"$2\" to \"$3\" on {{SITENAME}}.\n\nIf this was not you, contact a site administrator immediately.",
+ "notificationemail_body_removed": "Someone, probably you, from IP address $1,\nhas removed the email address of the account \"$2\" on {{SITENAME}}.\n\nIf this was not you, contact a site administrator immediately.",
 "scarytranscludedisabled": "[Interwiki transcluding is disabled]",
 "scarytranscludefailed": "[Template fetch failed for $1]",
 "scarytranscludefailed-httpstatus": "[Template fetch failed for $1: HTTP $2]",
diff --git a/languages/i18n/qqq.json b/languages/i18n/qqq.json
index 93a3e79662..301e5a6efe 100644
--- a/languages/i18n/qqq.json
+++ b/languages/i18n/qqq.json
@@ -784,6 +784,10 @@
 "changeemail-submit": "Submit button on [[Special:ChangeEmail]]",
 "changeemail-throttled": "Error message shown at [[Special:ChangeEmail]] after the user has tried to login with incorrect password too many times.\n\nThe user has to wait a certain time before trying to log in again.\n\nParameters:\n* $1 - the time to wait before the next login attempt. Automatically formatted using the following duration messages:\n** {{msg-mw|Duration-millennia}}\n** {{msg-mw|Duration-centuries}}\n** {{msg-mw|Duration-decades}}\n** {{msg-mw|Duration-years}}\n** {{msg-mw|Duration-weeks}}\n** {{msg-mw|Duration-days}}\n** {{msg-mw|Duration-hours}}\n** {{msg-mw|Duration-minutes}}\n** {{msg-mw|Duration-seconds}}\n\nThis is a protection against robots trying to find the password by trying lots of them.\nThe number of attempts and waiting time are configured via [[mw:Manual:$wgPasswordAttemptThrottle|$wgPasswordAttemptThrottle]].\nThis message is used in html.\n\nSee also:\n* {{msg-mw|Changepassword-throttled}}",
 "changeemail-nochange": "Error message shown on [[Special:ChangeEmail]] if the old email address was entered in the new email address field.",
+ "notificationemail_subject_changed": "Subject of the email sent on the previously registered email address notifying them about the change in the registered email address.",
+ "notificationemail_subject_removed": "Subject of the email sent on the previously registered email address notifying them about the removal of the registered email address.",
+ "notificationemail_body_changed": "Body of the email sent on the previously registered email address notifying them about the change in the registered email address.",
+ "notificationemail_body_removed": "Body of the email sent on the previously registered email address notifying them about the removal of the registered email address.",
 "resettokens": "{{doc-special|ResetTokens}}\nIn this case \"token\" may be translated as \"key\", or similar.\n{{Identical|Reset
token}}",
 "resettokens-summary": "{{ignored}}",
 "resettokens-text": "Text on [[Special:ResetTokens]].",
-- 
2.20.1