Commit 91cc873f authored by Aaron Wells's avatar Aaron Wells

Whitelist the $user properties sent to email_user() (Bug 1488697)

The old code passes every value from the form into email_user(), which
has caused problems because email_user() assumes $user->id
refers to the user's ID, but in our case id refers to the usr_registration
record. (No user has been created yet at this point.)

behatnotneeded: No infrastructure to test email yet

Change-Id: I0d862c2d1b2fdba5d5a1dc0068ce594207ecace9
parent f101aac5
......@@ -140,19 +140,36 @@ function approveregistration_submit(Pieform $form, $values) {
update_record('usr_registration', $values, array('email' => $values['email']));
// send the user the official account completion email
$user = (object) $values;
$user->admin = 0;
$user->staff = 0;
email_user($user, null,
get_string('registeredemailsubject', 'auth.internal', get_config('sitename')),
get_string('registeredemailmessagetext', 'auth.internal',
$user->firstname, get_config('sitename'), get_config('wwwroot'),
$user->key, get_config('sitename')),
get_string('registeredemailmessagehtml', 'auth.internal',
$user->firstname, get_config('sitename'), get_config('wwwroot'),
$user->key, get_config('wwwroot'), $user->key, get_config('sitename'))
);
$user = new stdClass();
$user->firstname = $values['firstname'];
$user->lastname = $values['lastname'];
$user->email = $values['email'];
email_user(
$user,
null,
get_string('registeredemailsubject', 'auth.internal', get_config('sitename')),
get_string(
'registeredemailmessagetext',
'auth.internal',
$user->firstname,
get_config('sitename'),
get_config('wwwroot'),
$values['key'],
get_config('sitename')
),
get_string(
'registeredemailmessagehtml',
'auth.internal',
$user->firstname,
get_config('sitename'),
get_config('wwwroot'),
$values['key'],
get_config('wwwroot'),
$values['key'],
get_config('sitename')
)
);
$SESSION->add_ok_msg(get_string('registrationapprovedsuccessfully', 'admin'));
redirect('/admin/users/pendingregistrations.php?institution='.$user->institution);
redirect('/admin/users/pendingregistrations.php?institution=' . $values['institution']);
}
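Review bot: `$user->firstname` is passed unescaped into the `registeredemailmessagehtml` template, so if the name comes from the applicant's registration request, markup in it would land in the HTML part of the approval e-mail; unless get_string() or the template escapes its arguments (not visible here), the HTML variant should receive `htmlspecialchars($user->firstname, ENT_QUOTES, 'UTF-8')` while the text variant keeps the raw value. The final `redirect()` likewise concatenates `$values['institution']` into the query string as-is; `urlencode($values['institution'])` would keep the URL well-formed whatever the institution name contains. The whitelist also covers only email_user(): the unchanged `update_record('usr_registration', $values, ...)` call above still writes the whole form array, which is worth confirming is intended. approveregistration_submit() begins outside this hunk, so any earlier validation of these values cannot be checked from here.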