Make Special:PasswordReset obey returnto and returntoquery parameters
[lhc/web/wiklou.git] / includes / specials / SpecialConfirmemail.php
index 47808d1..6757990 100644 (file)
@@ -31,7 +31,7 @@
  */
 class EmailConfirmation extends UnlistedSpecialPage {
        public function __construct() {
-               parent::__construct( 'Confirmemail' );
+               parent::__construct( 'Confirmemail', 'editmyprivateinfo' );
        }
 
        /**
@@ -43,6 +43,13 @@ class EmailConfirmation extends UnlistedSpecialPage {
                $this->setHeaders();
 
                $this->checkReadOnly();
+               $this->checkPermissions();
+
+               // This could also let someone check the current email address, so
+               // require both permissions.
+               if ( !$this->getUser()->isAllowed( 'viewmyprivateinfo' ) ) {
+                       throw new PermissionsError( 'viewmyprivateinfo' );
+               }
 
                if ( $code === null || $code === '' ) {
                        if ( $this->getUser()->isLoggedIn() ) {
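Review bot: The new `checkPermissions()` call and the `viewmyprivateinfo` check sit above the `$code === null` branch, so they also gate the path where a confirmation code is supplied, while the comment only explains the address-disclosure case. Both checks evaluate the session user (`$this->getUser()`), not the account the code belongs to (presumably resolved later, outside this hunk), so a visitor opening a mailed link in a session that lacks either right gets a `PermissionsError` instead of a confirmation. The same applies to `EmailInvalidation::execute()` in the last hunk, where `checkPermissions()` precedes `attemptInvalidate( $code )`. If that is intended, the comment should say so, e.g. `// Also applies to confirmation links: the visiting session, not the code's account, must hold both rights.` `execute()` starts and continues outside the hunk.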
@@ -83,19 +90,17 @@ class EmailConfirmation extends UnlistedSpecialPage {
                        } else {
                                $out->addWikiText( $status->getWikiText( 'confirmemail_sendfailed' ) );
                        }
+               } elseif ( $user->isEmailConfirmed() ) {
+                       // date and time are separate parameters to facilitate localisation.
+                       // $time is kept for backward compat reasons.
+                       // 'emailauthenticated' is also used in SpecialPreferences.php
+                       $lang = $this->getLanguage();
+                       $emailAuthenticated = $user->getEmailAuthenticationTimestamp();
+                       $time = $lang->userTimeAndDate( $emailAuthenticated, $user );
+                       $d = $lang->userDate( $emailAuthenticated, $user );
+                       $t = $lang->userTime( $emailAuthenticated, $user );
+                       $out->addWikiMsg( 'emailauthenticated', $time, $d, $t );
                } else {
-                       if ( $user->isEmailConfirmed() ) {
-                               // date and time are separate parameters to facilitate localisation.
-                               // $time is kept for backward compat reasons.
-                               // 'emailauthenticated' is also used in SpecialPreferences.php
-                               $lang = $this->getLanguage();
-                               $emailAuthenticated = $user->getEmailAuthenticationTimestamp();
-                               $time = $lang->userTimeAndDate( $emailAuthenticated, $user );
-                               $d = $lang->userDate( $emailAuthenticated, $user );
-                               $t = $lang->userTime( $emailAuthenticated, $user );
-                               $out->addWikiMsg( 'emailauthenticated', $time, $d, $t );
-                       }
-
                        if ( $user->isEmailConfirmationPending() ) {
                                $out->wrapWikiMsg(
                                        "<div class=\"error mw-confirmemail-pending\">\n$1\n</div>",
@@ -149,12 +154,13 @@ class EmailConfirmation extends UnlistedSpecialPage {
  */
 class EmailInvalidation extends UnlistedSpecialPage {
        public function __construct() {
-               parent::__construct( 'Invalidateemail' );
+               parent::__construct( 'Invalidateemail', 'editmyprivateinfo' );
        }
 
        function execute( $code ) {
                $this->setHeaders();
                $this->checkReadOnly();
+               $this->checkPermissions();
                $this->attemptInvalidate( $code );
        }
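Review bot: `EmailInvalidation::execute()` requires only `editmyprivateinfo`, whereas `EmailConfirmation::execute()` additionally demands `viewmyprivateinfo`, and nothing here records why the two differ. If the reason is that `attemptInvalidate()` never displays the stored address (not visible in this hunk), a one-line comment above `checkPermissions()` would keep a later change from silently breaking that assumption, e.g. `// No address is shown on this page, so viewmyprivateinfo is not required.` The method also has no docblock and no explicit visibility, unlike the `public` constructor beside it.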