|
1 | 1 | <?php |
2 | 2 | /* For license terms, see /license.txt */ |
3 | 3 |
|
| 4 | +use Chamilo\CoreBundle\Entity\User; |
4 | 5 | use Chamilo\CoreBundle\Framework\Container; |
5 | 6 |
|
6 | 7 | require_once __DIR__.'/../inc/global.inc.php'; |
7 | 8 |
|
8 | | -$token = $_GET['token'] ?? ''; |
| 9 | +$token = (string) ($_GET['token'] ?? ''); |
| 10 | +$token = trim($token); |
9 | 11 |
|
10 | | -if (!ctype_alnum($token)) { |
| 12 | +// Allow typical tokens (alnum, "_" and "-") to avoid rejecting UUID-like tokens. |
| 13 | +if ($token === '' || !preg_match('/^[a-zA-Z0-9_-]+$/', $token)) { |
11 | 14 | $token = ''; |
12 | 15 | } |
13 | 16 |
|
14 | | -/** @var \Chamilo\CoreBundle\Entity\User $user */ |
15 | | -$user = Container::getUserRepository()->findUserByConfirmationToken($token); |
| 17 | +/** @var User|null $user */ |
| 18 | +$user = null; |
| 19 | +if ($token !== '') { |
| 20 | + $user = Container::getUserRepository()->findOneBy(['confirmationToken' => $token]); |
| 21 | +} |
16 | 22 |
|
17 | 23 | if ($user) { |
18 | | - $user->setActive(1); // Set to 1 to activate the user |
| 24 | + $user->setActive(1); |
19 | 25 | $user->setConfirmationToken(null); |
20 | 26 |
|
21 | 27 | Database::getManager()->persist($user); |
22 | 28 | Database::getManager()->flush(); |
23 | 29 |
|
24 | | - // See where to redirect the user to, if any redirection has been set |
| 30 | + // Default redirect |
25 | 31 | $url = api_get_path(WEB_PATH); |
26 | 32 |
|
27 | | - if (!empty($_GET['c'])) { |
28 | | - $courseCode = Security::remove_XSS($_GET['c']); |
29 | | - } |
30 | | - if (!empty($_GET['s'])) { |
31 | | - $sessionId = (int) $_GET['s']; |
| 33 | + $courseId = !empty($_GET['c']) ? (int) $_GET['c'] : 0; |
| 34 | + $sessionId = !empty($_GET['s']) ? (int) $_GET['s'] : 0; |
| 35 | + |
| 36 | + $courseCode = ''; |
| 37 | + if ($courseId > 0) { |
| 38 | + $courseInfo = api_get_course_info_by_id($courseId); |
| 39 | + $courseCode = (string) ($courseInfo['code'] ?? $courseInfo['course_code'] ?? $courseInfo['directory'] ?? ''); |
32 | 40 | } |
33 | 41 |
|
34 | | - // Get URL to a course, to a session, or an empty string |
| 42 | + // Get URL to a course (in session), to a session, or empty. |
35 | 43 | $courseUrl = api_get_course_url($courseCode, $sessionId); |
36 | 44 | if (!empty($courseUrl)) { |
37 | 45 | $url = $courseUrl; |
|
47 | 55 | Display::addFlash( |
48 | 56 | Display::return_message(get_lang('User confirmed. Now you can login the platform.'), 'success') |
49 | 57 | ); |
| 58 | + |
50 | 59 | header('Location: '.$url); |
51 | 60 | exit; |
52 | | -} else { |
53 | | - Display::addFlash( |
54 | | - Display::return_message(get_lang('Link expired, please try again.')) |
55 | | - ); |
56 | | - header('Location: '.api_get_path(WEB_PATH)); |
57 | | - exit; |
58 | 61 | } |
| 62 | + |
| 63 | +Display::addFlash( |
| 64 | + Display::return_message(get_lang('Link expired, please try again.')) |
| 65 | +); |
| 66 | +header('Location: '.api_get_path(WEB_PATH)); |
| 67 | +exit; |
0 commit comments