From 2a578478167174b328352e0eafe8a4fdbe0fb68d Mon Sep 17 00:00:00 2001 From: Friendika Date: Wed, 29 Jun 2011 00:59:21 -0700 Subject: don't allow blocked/unverified users to reset their password. --- mod/lostpass.php | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'mod') diff --git a/mod/lostpass.php b/mod/lostpass.php index e0bf6eed7..3453a0db4 100644 --- a/mod/lostpass.php +++ b/mod/lostpass.php @@ -7,12 +7,16 @@ function lostpass_post(&$a) { if(! $email) goaway($a->get_baseurl()); - $r = q("SELECT * FROM `user` WHERE ( `email` = '%s' OR `nickname` = '%s' ) LIMIT 1", + $r = q("SELECT * FROM `user` WHERE ( `email` = '%s' OR `nickname` = '%s' ) AND `verified` = 1 AND `blocked` = 0 LIMIT 1", dbesc($email), dbesc($email) ); - if(! count($r)) + + if(! count($r)) { + notice( t('No valid account found.') . EOL); goaway($a->get_baseurl()); + } + $uid = $r[0]['uid']; $username = $r[0]['username']; -- cgit v1.2.3