mirror of
https://github.com/flarum/framework.git
synced 2025-05-22 14:49:57 +08:00
9896378b59
- Use cookies + CSRF token for API authentication in the default client. This mitigates potential XSS attacks by making the token unavailable to JavaScript. The Authorization header is still supported, but not used by default. - Make sensitive/destructive actions (editing a user, permanently deleting anything, visiting the admin CP) require the user to re-enter their password if they haven't entered it in the last 30 minutes. - Refactor and clean up the authentication middleware. - Add an `onhide` hook to the Modal component. (+1 squashed commit)
98 lines
2.8 KiB
JavaScript
98 lines
2.8 KiB
JavaScript
import Modal from 'flarum/components/Modal';
|
|
import Button from 'flarum/components/Button';
|
|
|
|
/**
|
|
* The `ChangeEmailModal` component shows a modal dialog which allows the user
|
|
* to change their email address.
|
|
*/
|
|
export default class ChangeEmailModal extends Modal {
|
|
init() {
|
|
super.init();
|
|
|
|
/**
|
|
* Whether or not the email has been changed successfully.
|
|
*
|
|
* @type {Boolean}
|
|
*/
|
|
this.success = false;
|
|
|
|
/**
|
|
* The value of the email input.
|
|
*
|
|
* @type {function}
|
|
*/
|
|
this.email = m.prop(app.session.user.email());
|
|
}
|
|
|
|
className() {
|
|
return 'ChangeEmailModal Modal--small';
|
|
}
|
|
|
|
title() {
|
|
return app.translator.trans('core.forum.change_email.title');
|
|
}
|
|
|
|
content() {
|
|
if (this.success) {
|
|
return (
|
|
<div className="Modal-body">
|
|
<div className="Form Form--centered">
|
|
<p className="helpText">{app.translator.trans('core.forum.change_email.confirmation_message', {email: <strong>{this.email()}</strong>})}</p>
|
|
<div className="Form-group">
|
|
<Button className="Button Button--primary Button--block" onclick={this.hide.bind(this)}>
|
|
{app.translator.trans('core.forum.change_email.dismiss_button')}
|
|
</Button>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
);
|
|
}
|
|
|
|
return (
|
|
<div className="Modal-body">
|
|
<div className="Form Form--centered">
|
|
<div className="Form-group">
|
|
<input type="email" name="email" className="FormControl"
|
|
placeholder={app.session.user.email()}
|
|
value={this.email()}
|
|
onchange={m.withAttr('value', this.email)}
|
|
disabled={this.loading}/>
|
|
</div>
|
|
<div className="Form-group">
|
|
{Button.component({
|
|
className: 'Button Button--primary Button--block',
|
|
type: 'submit',
|
|
loading: this.loading,
|
|
children: app.translator.trans('core.forum.change_email.submit_button')
|
|
})}
|
|
</div>
|
|
</div>
|
|
</div>
|
|
);
|
|
}
|
|
|
|
onsubmit(e) {
|
|
e.preventDefault();
|
|
|
|
// If the user hasn't actually entered a different email address, we don't
|
|
// need to do anything. Woot!
|
|
if (this.email() === app.session.user.email()) {
|
|
this.hide();
|
|
return;
|
|
}
|
|
|
|
const oldEmail = app.session.user.email();
|
|
|
|
this.loading = true;
|
|
|
|
app.session.user.save({email: this.email()}, {errorHandler: this.onerror.bind(this)})
|
|
.then(() => this.success = true)
|
|
.finally(this.loaded.bind(this));
|
|
|
|
// The save method will update the cached email address on the user model...
|
|
// But in the case of a "sudo" password prompt, we'll still want to have
|
|
// the old email address on file for the purposes of logging in.
|
|
app.session.user.pushAttributes({email: oldEmail});
|
|
}
|
|
}
|