security update core+modules

Bachir Soussi Chiadmi
2015-04-26 18:38:56 +02:00
parent 2f45ea820a
commit 7c96373038
1022 changed files with 30319 additions and 11259 deletions


@@ -4,3 +4,9 @@ package = Testing
version = VERSION
core = 7.x
hidden = TRUE
; Information added by Drupal.org packaging script on 2015-04-02
version = "7.36"
project = "drupal"
datestamp = "1427943826"


@@ -5,6 +5,21 @@
* Admin page callback file for the user module.
*/
/**
* Page callback: Generates the appropriate user administration form.
*
* This function generates the user registration, multiple user cancellation,
* or filtered user list admin form, depending on the argument and the POST
* form values.
*
* @param string $callback_arg
* (optional) Indicates which form to build. Defaults to '', which will
* trigger the user filter form. If the POST value 'op' is present, this
* function uses that value as the callback argument.
*
* @return string
* A renderable form array for the respective request.
*/
function user_admin($callback_arg = '') {
$op = isset($_POST['op']) ? $_POST['op'] : $callback_arg;
@@ -391,7 +406,7 @@ function user_admin_settings() {
$form['personalization']['pictures']['settings']['user_picture_style'] = array(
'#type' => 'select',
'#title' => t('Picture display style'),
'#options' => image_style_options(TRUE),
'#options' => image_style_options(TRUE, PASS_THROUGH),
'#default_value' => variable_get('user_picture_style', ''),
'#description' => t('The style selected will be used on display, while the original image is retained. Styles may be configured in the <a href="!url">Image styles</a> administration area.', array('!url' => url('admin/config/media/image-styles'))),
);
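Review bot: The new docblock for user_admin() declares `@return string` while its description reads "A renderable form array for the respective request", so the tag and the text disagree. If the function does return the form's render array, the tag should be `@return array`; the body continues outside the hunk, so confirm this against its return statements. Because `$op` is read directly from `$_POST['op']`, a short comment stating that the value only selects which form is built would also help, provided the rest of the body bears that out.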


@@ -214,9 +214,11 @@ function hook_user_categories() {
* to have their data serialized on save.
*
* @param $edit
* The array of form values submitted by the user.
* The array of form values submitted by the user. Assign values to this
* array to save changes in the database.
* @param $account
* The user object on which the operation is performed.
* The user object on which the operation is performed. Values assigned in
* this object will not be saved in the database.
* @param $category
* The active category of user information being edited.
*
@@ -325,14 +327,6 @@ function hook_user_logout($account) {
* The module should format its custom additions for display and add them to the
* $account->content array.
*
* Note that when this hook is invoked, the changes have not yet been written to
* the database, because a database transaction is still in progress. The
* transaction is not finalized until the save operation is entirely completed
* and user_save() goes out of scope. You should not rely on data in the
* database at this time as it is not updated yet. You should also note that any
* write/update database queries executed from this hook are also not committed
* immediately. Check user_save() and db_transaction() for more info.
*
* @param $account
* The user object on which the operation is being performed.
* @param $view_mode
@@ -384,7 +378,7 @@ function hook_user_view_alter(&$build) {
}
/**
* Inform other modules that a user role is about to be saved.
* Act on a user role being inserted or updated.
*
* Modules implementing this hook can act on the user role object before
* it has been saved to the database.
@@ -403,7 +397,7 @@ function hook_user_role_presave($role) {
}
/**
* Inform other modules that a user role has been added.
* Respond to creation of a new user role.
*
* Modules implementing this hook can act on the user role object when saved to
* the database. It's recommended that you implement this hook if your module
@@ -424,7 +418,7 @@ function hook_user_role_insert($role) {
}
/**
* Inform other modules that a user role has been updated.
* Respond to updates to a user role.
*
* Modules implementing this hook can act on the user role object when updated.
* It's recommended that you implement this hook if your module adds additional
@@ -445,7 +439,7 @@ function hook_user_role_update($role) {
}
/**
* Inform other modules that a user role has been deleted.
* Respond to user role deletion.
*
* This hook allows you act when a user role has been deleted.
* If your module stores references to roles, it's recommended that you


@@ -8,3 +8,9 @@ files[] = user.test
required = TRUE
configure = admin/config/people
stylesheets[all][] = user.css
; Information added by Drupal.org packaging script on 2015-04-02
version = "7.36"
project = "drupal"
datestamp = "1427943826"


@@ -81,7 +81,7 @@ function user_schema() {
),
'foreign keys' => array(
'role' => array(
'table' => 'roles',
'table' => 'role',
'columns' => array('rid' => 'rid'),
),
),
@@ -278,7 +278,7 @@ function user_schema() {
'columns' => array('uid' => 'uid'),
),
'role' => array(
'table' => 'roles',
'table' => 'role',
'columns' => array('rid' => 'rid'),
),
),
@@ -356,11 +356,13 @@ function user_update_dependencies() {
'filter' => 7000,
);
// user_update_7012() uses the file API, which relies on the {file_managed}
// table, so it must run after system_update_7034(), which creates that
// table.
// user_update_7012() uses the file API and inserts records into the
// {file_managed} table, so it therefore must run after system_update_7061(),
// which inserts files with specific IDs into the table and therefore relies
// on the table being empty (otherwise it would accidentally overwrite
// existing records).
$dependencies['user'][7012] = array(
'system' => 7034,
'system' => 7061,
);
// user_update_7013() uses the file usage API, which relies on the
@@ -535,7 +537,7 @@ function user_update_7002(&$sandbox) {
if ($sandbox['user_from'] == $sandbox['user_count']) {
if ($sandbox['user_not_migrated'] > 0) {
variable_set('empty_timezone_message', 1);
drupal_set_message('Some user time zones have been emptied and need to be set to the correct values. Use the new ' . l('time zone options', 'admin/config/regional/settings') . ' to choose whether to remind users at login to set the correct time zone.', 'warning');
drupal_set_message(format_string('Some user time zones have been emptied and need to be set to the correct values. Use the new <a href="@config-url">time zone options</a> to choose whether to remind users at login to set the correct time zone.', array('@config-url' => url('admin/config/regional/settings'))), 'warning');
}
return t('Migrated user time zones');
}


@@ -32,7 +32,7 @@ define('USER_REGISTER_VISITORS', 1);
define('USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL', 2);
/**
* Implement hook_help().
* Implements hook_help().
*/
function user_help($path, $arg) {
global $user;
@@ -187,7 +187,7 @@ function user_entity_info() {
}
/**
* Entity URI callback.
* Implements callback_entity_info_uri().
*/
function user_uri($user) {
return array(
@@ -321,7 +321,7 @@ class UserController extends DrupalDefaultEntityController {
}
// Add the full file objects for user pictures if enabled.
if (!empty($picture_fids) && variable_get('user_pictures', 1) == 1) {
if (!empty($picture_fids) && variable_get('user_pictures', 0)) {
$pictures = file_load_multiple($picture_fids);
foreach ($queried_users as $account) {
if (!empty($account->picture) && isset($pictures[$account->picture])) {
@@ -501,12 +501,17 @@ function user_save($account, $edit = array(), $category = 'account') {
file_usage_delete($account->original->picture, 'user', 'user', $account->uid);
file_delete($account->original->picture);
}
// Save the picture object, if it is set. drupal_write_record() expects
// $account->picture to be a FID.
$picture = empty($account->picture) ? NULL : $account->picture;
$account->picture = empty($account->picture->fid) ? 0 : $account->picture->fid;
// Do not allow 'uid' to be changed.
$account->uid = $account->original->uid;
// Save changes to the user table.
$success = drupal_write_record('users', $account, 'uid');
// Restore the picture object.
$account->picture = $picture;
if ($success === FALSE) {
// The query failed - better to abort the save than risk further
// data loss.
@@ -589,16 +594,16 @@ function user_save($account, $edit = array(), $category = 'account') {
user_module_invoke('insert', $edit, $account, $category);
module_invoke_all('entity_insert', $account, 'user');
// Save user roles.
if (count($account->roles) > 1) {
// Save user roles. Skip built-in roles, and ones that were already saved
// to the database during hook calls.
$rids_to_skip = array_merge(array(DRUPAL_ANONYMOUS_RID, DRUPAL_AUTHENTICATED_RID), db_query('SELECT rid FROM {users_roles} WHERE uid = :uid', array(':uid' => $account->uid))->fetchCol());
if ($rids_to_save = array_diff(array_keys($account->roles), $rids_to_skip)) {
$query = db_insert('users_roles')->fields(array('uid', 'rid'));
foreach (array_keys($account->roles) as $rid) {
if (!in_array($rid, array(DRUPAL_ANONYMOUS_RID, DRUPAL_AUTHENTICATED_RID))) {
$query->values(array(
'uid' => $account->uid,
'rid' => $rid,
));
}
foreach ($rids_to_save as $rid) {
$query->values(array(
'uid' => $account->uid,
'rid' => $rid,
));
}
$query->execute();
}
@@ -717,10 +722,14 @@ function user_password($length = 10) {
// Loop the number of times specified by $length.
for ($i = 0; $i < $length; $i++) {
do {
// Find a secure random number within the range needed.
$index = ord(drupal_random_bytes(1));
} while ($index > $len);
// Each iteration, pick a random character from the
// allowable string and append it to the password:
$pass .= $allowable_characters[mt_rand(0, $len)];
$pass .= $allowable_characters[$index];
}
return $pass;
@@ -733,8 +742,9 @@ function user_password($length = 10) {
* An array whose keys are the role IDs of interest, such as $user->roles.
*
* @return
* An array indexed by role ID. Each value is an array whose keys are the
* permission strings for the given role ID.
* If $roles is a non-empty array, an array indexed by role ID is returned.
* Each value is an array whose keys are the permission strings for the given
* role ID. If $roles is empty nothing is returned.
*/
function user_role_permissions($roles = array()) {
$cache = &drupal_static(__FUNCTION__, array());
@@ -838,6 +848,26 @@ function user_is_blocked($name) {
->execute()->fetchObject();
}
/**
* Checks if a user has a role.
*
* @param int $rid
* A role ID.
*
* @param object|null $account
* (optional) A user account. Defaults to the current user.
*
* @return bool
* TRUE if the user has the role, or FALSE if not.
*/
function user_has_role($rid, $account = NULL) {
if (!$account) {
$account = $GLOBALS['user'];
}
return isset($account->roles[$rid]);
}
/**
* Implements hook_permission().
*/
@@ -1083,6 +1113,9 @@ function user_account_form(&$form, &$form_state) {
'#access' => !empty($protected_values),
'#description' => $current_pass_description,
'#weight' => -5,
// Do not let web browsers remember this password, since we are trying
// to confirm that the person submitting the form actually knows the
// current one.
'#attributes' => array('autocomplete' => 'off'),
);
$form['#validate'][] = 'user_validate_current_pass';
@@ -1517,15 +1550,33 @@ function theme_user_list($variables) {
return theme('item_list', array('items' => $items, 'title' => $title));
}
/**
* Determines if the current user is anonymous.
*
* @return bool
* TRUE if the user is anonymous, FALSE if the user is authenticated.
*/
function user_is_anonymous() {
// Menu administrators can see items for anonymous when administering.
return !$GLOBALS['user']->uid || !empty($GLOBALS['menu_admin']);
}
/**
* Determines if the current user is logged in.
*
* @return bool
* TRUE if the user is logged in, FALSE if the user is anonymous.
*/
function user_is_logged_in() {
return (bool) $GLOBALS['user']->uid;
}
/**
* Determines if the current user has access to the user registration page.
*
* @return bool
* TRUE if the user is not already logged in and can register for an account.
*/
function user_register_access() {
return user_is_anonymous() && variable_get('user_register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL);
}
@@ -1707,14 +1758,14 @@ function user_menu() {
// Administration pages.
$items['admin/config/people'] = array(
'title' => 'People',
'description' => 'Configure user accounts.',
'position' => 'left',
'weight' => -20,
'page callback' => 'system_admin_menu_block_page',
'access arguments' => array('access administration pages'),
'file' => 'system.admin.inc',
'file path' => drupal_get_path('module', 'system'),
'title' => 'People',
'description' => 'Configure user accounts.',
'position' => 'left',
'weight' => -20,
'page callback' => 'system_admin_menu_block_page',
'access arguments' => array('access administration pages'),
'file' => 'system.admin.inc',
'file path' => drupal_get_path('module', 'system'),
);
$items['admin/config/people/accounts'] = array(
'title' => 'Account settings',
@@ -2097,7 +2148,7 @@ function user_login_default_validators() {
* A FAPI validate handler. Sets an error if supplied username has been blocked.
*/
function user_login_name_validate($form, &$form_state) {
if (isset($form_state['values']['name']) && user_is_blocked($form_state['values']['name'])) {
if (!empty($form_state['values']['name']) && user_is_blocked($form_state['values']['name'])) {
// Blocked in user administration.
form_set_error('name', t('The username %name has not been activated or is blocked.', array('%name' => $form_state['values']['name'])));
}
@@ -2174,7 +2225,7 @@ function user_login_final_validate($form, &$form_state) {
}
}
else {
form_set_error('name', t('Sorry, unrecognized username or password. <a href="@password">Have you forgotten your password?</a>', array('@password' => url('user/password'))));
form_set_error('name', t('Sorry, unrecognized username or password. <a href="@password">Have you forgotten your password?</a>', array('@password' => url('user/password', array('query' => array('name' => $form_state['values']['name']))))));
watchdog('user', 'Login attempt failed for %user.', array('%user' => $form_state['values']['name']));
}
}
@@ -2220,7 +2271,12 @@ function user_authenticate($name, $password) {
* Finalize the login process. Must be called when logging in a user.
*
* The function records a watchdog message about the new session, saves the
* login timestamp, calls hook_user op 'login' and generates a new session. *
* login timestamp, calls hook_user_login(), and generates a new session.
*
* @param array $edit
* The array of form values submitted by the user.
*
* @see hook_user_login()
*/
function user_login_finalize(&$edit = array()) {
global $user;
@@ -2288,7 +2344,10 @@ function user_external_login_register($name, $module) {
* Generates a unique URL for a user to login and reset their password.
*
* @param object $account
* An object containing the user account.
* An object containing the user account, which must contain at least the
* following properties:
* - uid: The user ID number.
* - login: The UNIX timestamp of the user's last login.
*
* @return
* A unique URL that provides a one-time log in for the user, from which
@@ -2296,7 +2355,7 @@ function user_external_login_register($name, $module) {
*/
function user_pass_reset_url($account) {
$timestamp = REQUEST_TIME;
return url("user/reset/$account->uid/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login), array('absolute' => TRUE));
return url("user/reset/$account->uid/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login, $account->uid), array('absolute' => TRUE));
}
/**
@@ -2305,9 +2364,9 @@ function user_pass_reset_url($account) {
* @param object $account
* The user account object, which must contain at least the following
* properties:
* - uid: The user uid number.
* - uid: The user ID number.
* - pass: The hashed user password string.
* - login: The user login name.
* - login: The UNIX timestamp of the user's last login.
*
* @return
* A unique URL that may be used to confirm the cancellation of the user
@@ -2318,7 +2377,7 @@ function user_pass_reset_url($account) {
*/
function user_cancel_url($account) {
$timestamp = REQUEST_TIME;
return url("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login), array('absolute' => TRUE));
return url("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login, $account->uid), array('absolute' => TRUE));
}
/**
@@ -2329,21 +2388,42 @@ function user_cancel_url($account) {
* order to validate the URL, the same hash can be generated again, from the
* same information, and compared to the hash value from the URL. The URL
* normally contains both the time stamp and the numeric user ID. The login
* name and hashed password are retrieved from the database as necessary. For a
* usage example, see user_cancel_url() and user_cancel_confirm().
* timestamp and hashed password are retrieved from the database as necessary.
* For a usage example, see user_cancel_url() and user_cancel_confirm().
*
* @param $password
* @param string $password
* The hashed user account password value.
* @param $timestamp
* A unix timestamp.
* @param $login
* The user account login name.
* @param int $timestamp
* A UNIX timestamp, typically REQUEST_TIME.
* @param int $login
* The UNIX timestamp of the user's last login.
* @param int $uid
* The user ID of the user account.
*
* @return
* A string that is safe for use in URLs and SQL statements.
*/
function user_pass_rehash($password, $timestamp, $login) {
return drupal_hmac_base64($timestamp . $login, drupal_get_hash_salt() . $password);
function user_pass_rehash($password, $timestamp, $login, $uid) {
// Backwards compatibility: Try to determine a $uid if one was not passed.
// (Since $uid is a required parameter to this function, a PHP warning will
// be generated if it's not provided, which is an indication that the calling
// code should be updated. But the code below will try to generate a correct
// hash in the meantime.)
if (!isset($uid)) {
$uids = db_query_range('SELECT uid FROM {users} WHERE pass = :password AND login = :login AND uid > 0', 0, 2, array(':password' => $password, ':login' => $login))->fetchCol();
// If exactly one user account matches the provided password and login
// timestamp, proceed with that $uid.
if (count($uids) == 1) {
$uid = reset($uids);
}
// Otherwise there is no safe hash to return, so return a random string
// that will never be treated as a valid token.
else {
return drupal_random_key();
}
}
return drupal_hmac_base64($timestamp . $login . $uid, drupal_get_hash_salt() . $password);
}
/**
@@ -2393,6 +2473,14 @@ function user_cancel($edit, $uid, $method) {
array('_user_cancel', array($edit, $account, $method)),
),
);
// After cancelling account, ensure that user is logged out.
if ($account->uid == $user->uid) {
// Batch API stores data in the session, so use the finished operation to
// manipulate the current user's session id.
$batch['finished'] = '_user_cancel_session_regenerate';
}
batch_set($batch);
// Batch processing is either handled via Form API or has to be invoked
@@ -2435,16 +2523,29 @@ function _user_cancel($edit, $account, $method) {
break;
}
// After cancelling account, ensure that user is logged out.
// After cancelling account, ensure that user is logged out. We can't destroy
// their session though, as we might have information in it, and we can't
// regenerate it because batch API uses the session ID, we will regenerate it
// in _user_cancel_session_regenerate().
if ($account->uid == $user->uid) {
// Destroy the current session, and reset $user to the anonymous user.
session_destroy();
$user = drupal_anonymous_user();
}
// Clear the cache for anonymous users.
cache_clear_all();
}
/**
* Finished batch processing callback for cancelling a user account.
*
* @see user_cancel()
*/
function _user_cancel_session_regenerate() {
// Regenerate the users session instead of calling session_destroy() as we
// want to preserve any messages that might have been set.
drupal_session_regenerate();
}
/**
* Delete a user.
*
@@ -2578,12 +2679,7 @@ function user_build_content($account, $view_mode = 'full', $langcode = NULL) {
$account->content = array();
// Allow modules to change the view mode.
$context = array(
'entity_type' => 'user',
'entity' => $account,
'langcode' => $langcode,
);
drupal_alter('entity_view_mode', $view_mode, $context);
$view_mode = key(entity_view_mode_prepare('user', array($account->uid => $account), $view_mode, $langcode));
// Build fields content.
field_attach_prepare_view('user', array($account->uid => $account), $view_mode, $langcode);
@@ -2787,7 +2883,7 @@ Your account on [site:name] has been canceled.
* An associative array of token replacement values. If the 'user' element
* exists, it must contain a user account object with the following
* properties:
* - login: The account login name.
* - login: The UNIX timestamp of the user's last login.
* - pass: The hashed account login password.
* @param $options
* Unused parameter required by the token_replace() function.
@@ -3353,7 +3449,7 @@ function user_filters() {
$options = array();
foreach (module_implements('permission') as $module) {
$function = $module . '_permission';
if ($permissions = $function('permission')) {
if ($permissions = $function()) {
asort($permissions);
foreach ($permissions as $permission => $description) {
$options[t('@module module', array('@module' => $module))][$permission] = t($permission);
@@ -3623,7 +3719,14 @@ function user_action_info() {
}
/**
* Blocks the current user.
* Blocks a specific user or the current user, if one is not specified.
*
* @param $entity
* (optional) An entity object; if it is provided and it has a uid property,
* the user with that ID is blocked.
* @param $context
* (optional) An associative array; if no user ID is found in $entity, the
* 'uid' element of this array determines the user to block.
*
* @ingroup actions
*/
@@ -3654,7 +3757,7 @@ function user_block_user_action(&$entity, $context = array()) {
function user_form_field_ui_field_edit_form_alter(&$form, &$form_state, $form_id) {
$instance = $form['#instance'];
if ($instance['entity_type'] == 'user') {
if ($instance['entity_type'] == 'user' && !$form['#field']['locked']) {
$form['instance']['settings']['user_register_form'] = array(
'#type' => 'checkbox',
'#title' => t('Display on user registration form.'),
@@ -3711,8 +3814,8 @@ function user_register_form($form, &$form_state) {
// inside the submit function interferes with form processing and breaks
// hook_form_alter().
$form['administer_users'] = array(
'#type' => 'value',
'#value' => $admin,
'#type' => 'value',
'#value' => $admin,
);
// If we aren't admin but already logged on, go to the user page instead.
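Review bot: In user_pass_rehash(), the `!isset($uid)` fallback is reachable only when PHP lets a three-argument call continue with a warning, which is what the inline comment relies on. On PHP versions that raise an error for too few arguments (7.1 and later), a caller that has not been updated would fail before the lookup runs. If the compatibility path is meant to keep working, `function user_pass_rehash($password, $timestamp, $login, $uid = NULL)` with an explicit `trigger_error()` inside the `!isset($uid)` branch keeps the notice without depending on that behaviour. The `@return` text should also say that a random key which never validates is returned when no single account matches, so callers know a mismatch is the intended result in that case.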


@@ -36,6 +36,7 @@ function user_pass() {
'#size' => 60,
'#maxlength' => max(USERNAME_MAX_LENGTH, EMAIL_MAX_LENGTH),
'#required' => TRUE,
'#default_value' => isset($_GET['name']) ? $_GET['name'] : '',
);
// Allow logged in users to request this also.
if ($user->uid > 0) {
@@ -125,18 +126,18 @@ function user_pass_reset($form, &$form_state, $uid, $timestamp, $hashed_pass, $a
drupal_set_message(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'));
drupal_goto('user/password');
}
elseif ($account->uid && $timestamp >= $account->login && $timestamp <= $current && $hashed_pass == user_pass_rehash($account->pass, $timestamp, $account->login)) {
elseif ($account->uid && $timestamp >= $account->login && $timestamp <= $current && $hashed_pass == user_pass_rehash($account->pass, $timestamp, $account->login, $account->uid)) {
// First stage is a confirmation form, then login
if ($action == 'login') {
watchdog('user', 'User %name used one-time login link at time %timestamp.', array('%name' => $account->name, '%timestamp' => $timestamp));
// Set the new user.
$user = $account;
// user_login_finalize() also updates the login timestamp of the
// user, which invalidates further use of the one-time login link.
user_login_finalize();
watchdog('user', 'User %name used one-time login link at time %timestamp.', array('%name' => $account->name, '%timestamp' => $timestamp));
drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to log in. Please change your password.'));
// Let the user's password be changed without the current password check.
$token = drupal_hash_base64(drupal_random_bytes(55));
$token = drupal_random_key();
$_SESSION['pass_reset_' . $user->uid] = $token;
drupal_goto('user/' . $user->uid . '/edit', array('query' => array('pass-reset-token' => $token)));
}
@@ -158,6 +159,7 @@ function user_pass_reset($form, &$form_state, $uid, $timestamp, $hashed_pass, $a
// Deny access, no more clues.
// Everything will be in the watchdog's URL for the administrator to check.
drupal_access_denied();
drupal_exit();
}
}
}
@@ -181,8 +183,11 @@ function user_logout() {
/**
* Process variables for user-profile.tpl.php.
*
* The $variables array contains the following arguments:
* - $account
* @param array $variables
* An associative array containing:
* - elements: An associative array containing the user information and any
* fields attached to the user. Properties used:
* - #account: The user account of the profile being viewed.
*
* @see user-profile.tpl.php
*/
@@ -354,7 +359,6 @@ function user_cancel_confirm_form($form, &$form_state, $account) {
$form['_account'] = array('#type' => 'value', '#value' => $account);
// Display account cancellation method selection, if allowed.
$default_method = variable_get('user_cancel_method', 'user_cancel_block');
$admin_access = user_access('administer users');
$can_select_method = $admin_access || user_access('select account cancellation method');
$form['user_cancel_method'] = array(
@@ -518,7 +522,7 @@ function user_cancel_confirm($account, $timestamp = 0, $hashed_pass = '') {
// Basic validation of arguments.
if (isset($account->data['user_cancel_method']) && !empty($timestamp) && !empty($hashed_pass)) {
// Validate expiration and hashed password/login.
if ($timestamp <= $current && $current - $timestamp < $timeout && $account->uid && $timestamp >= $account->login && $hashed_pass == user_pass_rehash($account->pass, $timestamp, $account->login)) {
if ($timestamp <= $current && $current - $timestamp < $timeout && $account->uid && $timestamp >= $account->login && $hashed_pass == user_pass_rehash($account->pass, $timestamp, $account->login, $account->uid)) {
$edit = array(
'user_cancel_notify' => isset($account->data['user_cancel_notify']) ? $account->data['user_cancel_notify'] : variable_get('user_mail_status_canceled_notify', FALSE),
);
@@ -533,14 +537,20 @@ function user_cancel_confirm($account, $timestamp = 0, $hashed_pass = '') {
drupal_goto("user/$account->uid/cancel");
}
}
drupal_access_denied();
return MENU_ACCESS_DENIED;
}
/**
* Access callback for path /user.
* Page callback: Displays the user page.
*
* Displays user profile if user is logged in, or login form for anonymous
* users.
*
* @return
* A render array for either a user profile or a login form.
*
* @see user_view_page()
* @see user_login()
*/
function user_page() {
global $user;
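Review bot: The one-time link checks in user_pass_reset() and user_cancel_confirm() still compare the URL token with `$hashed_pass == user_pass_rehash(...)`, which is a loose, non-constant-time comparison of a value derived from the password hash and salt. A strict, timing-safe comparison is preferable, for example `hash_equals(user_pass_rehash($account->pass, $timestamp, $account->login, $account->uid), (string) $hashed_pass)` where the supported PHP version provides it, or an equivalent helper otherwise. Separately, the new `'#default_value' => isset($_GET['name']) ? $_GET['name'] : ''` in user_pass() accepts whatever type the query parameter has; adding `is_string($_GET['name'])` to the condition would keep an array value out of the textfield default. Both function bodies extend beyond the hunks shown.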
