Fix: do not pass email/username in URL parameters

fisharebest · Sep 5, 2021 · ad53165 · ad53165
1 parent dbecb40
commit ad53165
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 16 deletions.
diff --git a/app/Http/RequestHandlers/RegisterAction.php b/app/Http/RequestHandlers/RegisterAction.php
@@ -30,6 +30,7 @@
 use Fisharebest\Webtrees\Services\CaptchaService;
 use Fisharebest\Webtrees\Services\EmailService;
 use Fisharebest\Webtrees\Services\UserService;
+use Fisharebest\Webtrees\Session;
 use Fisharebest\Webtrees\Site;
 use Fisharebest\Webtrees\SiteUser;
 use Fisharebest\Webtrees\Tree;
@@ -87,7 +88,7 @@ public function handle(ServerRequestInterface $request): ResponseInterface
 
         $params = (array) $request->getParsedBody();
 
-        $comment  = $params['comment'] ?? '';
+        $comments = $params['comments'] ?? '';
         $email    = $params['email'] ?? '';
         $password = $params['password'] ?? '';
         $realname = $params['realname'] ?? '';
@@ -98,16 +99,21 @@ public function handle(ServerRequestInterface $request): ResponseInterface
                 throw new Exception(I18N::translate('Please try again.'));
             }
 
-            $this->doValidateRegistration($request, $username, $email, $realname, $comment, $password);
+            $this->doValidateRegistration($request, $username, $email, $realname, $comments, $password);
+
+            Session::forget('register_comments');
+            Session::forget('register_email');
+            Session::forget('register_realname');
+            Session::forget('register_username');
         } catch (Exception $ex) {
             FlashMessages::addMessage($ex->getMessage(), 'danger');
 
-            return redirect(route(RegisterPage::class, [
-                'comment'  => $comment,
-                'email'    => $email,
-                'realname' => $realname,
-                'username' => $username,
-            ]));
+            Session::put('register_comments', $comments);
+            Session::put('register_email', $email);
+            Session::put('register_realname', $realname);
+            Session::put('register_username', $username);
+
+            return redirect(route(RegisterPage::class));
         }
 
         Log::addAuthenticationLog('User registration requested for: ' . $username);
@@ -122,7 +128,7 @@ public function handle(ServerRequestInterface $request): ResponseInterface
         $user->setPreference(UserInterface::PREF_TIMESTAMP_REGISTERED, date('U'));
         $user->setPreference(UserInterface::PREF_VERIFICATION_TOKEN, $token);
         $user->setPreference(UserInterface::PREF_CONTACT_METHOD, 'messaging2');
-        $user->setPreference(UserInterface::PREF_NEW_ACCOUNT_COMMENT, $comment);
+        $user->setPreference(UserInterface::PREF_NEW_ACCOUNT_COMMENT, $comments);
         $user->setPreference(UserInterface::PREF_IS_VISIBLE_ONLINE, '1');
         $user->setPreference(UserInterface::PREF_AUTO_ACCEPT_EDITS, '');
         $user->setPreference(UserInterface::PREF_IS_ADMINISTRATOR, '');
@@ -157,14 +163,14 @@ public function handle(ServerRequestInterface $request): ResponseInterface
 
             $body_text = view('emails/register-notify-text', [
                 'user'     => $user,
-                'comments' => $comment,
+                'comments' => $comments,
                 'base_url' => $base_url,
                 'tree'     => $tree,
             ]);
 
             $body_html = view('emails/register-notify-html', [
                 'user'     => $user,
-                'comments' => $comment,
+                'comments' => $comments,
                 'base_url' => $base_url,
                 'tree'     => $tree,
             ]);

diff --git a/app/Http/RequestHandlers/RegisterPage.php b/app/Http/RequestHandlers/RegisterPage.php
@@ -23,6 +23,7 @@
 use Fisharebest\Webtrees\Http\ViewResponseTrait;
 use Fisharebest\Webtrees\I18N;
 use Fisharebest\Webtrees\Services\CaptchaService;
+use Fisharebest\Webtrees\Session;
 use Fisharebest\Webtrees\Site;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
@@ -57,10 +58,10 @@ public function handle(ServerRequestInterface $request): ResponseInterface
         $this->checkRegistrationAllowed();
 
         $tree     = $request->getAttribute('tree');
-        $comments = $request->getQueryParams()['comments'] ?? '';
-        $email    = $request->getQueryParams()['email'] ?? '';
-        $realname = $request->getQueryParams()['realname'] ?? '';
-        $username = $request->getQueryParams()['username'] ?? '';
+        $comments = Session::get('register_comments', '');
+        $email    = Session::get('register_email', '');
+        $realname = Session::get('register_realname', '');
+        $username = Session::get('register_username', '');
 
         $show_caution = Site::getPreference('SHOW_REGISTER_CAUTION') === '1';
 

diff --git a/resources/views/register-page.phtml b/resources/views/register-page.phtml
@@ -84,7 +84,7 @@ use Fisharebest\Webtrees\View;
             <?= I18N::translate('Comments') ?>
         </label>
         <div class="col-sm-9 wt-page-options-value">
-            <textarea class="form-control" id="comment" name="comment" placeholder="<?php /* I18N: placeholder text for registration-comments field */
+            <textarea class="form-control" id="comments" name="comments" placeholder="<?php /* I18N: placeholder text for registration-comments field */
             I18N::translate('Explain why you are requesting an account.') ?>" rows="4" maxlength="255" dir="auto" required="required"><?= e($comments) ?></textarea>
             <div class="form-text">
                 <?= I18N::translate('Use this field to tell the site administrator why you are requesting an account and how you are related to the genealogy displayed on this site. You can also use this to enter any other comments you may have for the site administrator.') ?>