Commit 3535cc53 authored by Richard Mansfield

Require username as well as token for mobile uploads


Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>
parent 6839a281
......@@ -263,7 +263,7 @@ class User {
*
* @throws AuthUnknownUserException If the user cannot be found.
*/
public function find_by_mobileuploadtoken($token) {
public function find_by_mobileuploadtoken($token, $username) {
if (!is_string($token)) {
throw new InvalidArgumentException('Input parameters must be strings to create a User object from token');
......@@ -280,10 +280,10 @@ class User {
FROM
{usr} u
LEFT JOIN {usr_account_preference} p ON u.id = p.usr
WHERE p.field=\'mobileuploadtoken\' and p.value = ?
WHERE p.field=\'mobileuploadtoken\' AND p.value = ? AND u.username = ?
';
$user = get_record_sql($sql, array($token));
$user = get_record_sql($sql, array($token, $username));
if (false == $user) {
throw new AuthUnknownUserException("User with mobile upload token \"$token\" is not known");
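Review bot: The `AuthUnknownUserException` message at the end of the second hunk still interpolates the submitted `$token`, and with the added `u.username = ?` condition the lookup now also fails when a valid token arrives with the wrong username, so a live upload token can end up wherever that exception is logged or displayed. I would keep the secret out of the message, e.g. `throw new AuthUnknownUserException('Mobile upload token and username do not match a known user');`. The `is_string` guard in the first hunk also covers only `$token`; unless `$username` is validated in the lines the page collapses, extend it to `if (!is_string($token) || !is_string($username)) {`. The body of `find_by_mobileuploadtoken` starts and ends outside the visible hunks, and callers that still pass a single argument are not shown here.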
......