save old token to use in case we error out

public/include/pages/account/edit.inc.php

@@ -4,13 +4,27 @@
 if (!defined('SECURITY'))
   die('Hacking attempt');
 
-// 2fa tpl stuff
 $cp_editable = $wf_editable = $ea_editable = $wf_sent = $ea_sent = $cp_sent = 0;
-$ea_token = (!isset($_GET['ea_token'])) ? '' : $_GET['ea_token'];
+
-$cp_token = (!isset($_GET['cp_token'])) ? '' : $_GET['cp_token'];
+// stupid hack to fix input when an error happened with a valid token
-$wf_token = (!isset($_GET['wf_token'])) ? '' : $_GET['wf_token'];
+$ea_token = (!isset($_POST['ea_token'])) ? '' : $_POST['ea_token'];
+$cp_token = (!isset($_POST['cp_token'])) ? '' : $_POST['cp_token'];
+$wf_token = (!isset($_POST['wf_token'])) ? '' : $_POST['wf_token'];
+// set old token and type so we can use it later
+$old_token = "";
+$old_token_type = 0;
+if ($ea_token !== "") {
+  $old_token = $ea_token;
+  $old_token_type = 5;
+} else if ($wf_token !== "") {
+  $old_token = $wf_token;
+  $old_token_type = 7;
+} else if ($cp_token !== "") {
+  $old_token_type = 6;
+  $old_token = $cp_token;
+}
+
 if ($user->isAuthenticated()) {
-  // update 2f tpl stuff
   if ($config['twofactor']['enabled']) {
     $popupmsg = 'E-mail confirmations are required for ';
     $popuptypes = array();
@@ -59,10 +73,6 @@ if ($user->isAuthenticated()) {
         if ($isvalid) {
           $ctype = strip_tags($_POST['utype']);
           $send = $user->sendChangeConf($ctype, $_SESSION['USERDATA']['id']);
-          // set to sent for this pageload
-          if ($ctype == 'account_edit') $ea_sent = 1;
-          if ($ctype == 'change_pw') $cp_sent = 1;
-          if ($ctype == 'withdraw_funds') $wf_sent = 1;
           if ($send) {
             $_SESSION['POPUP'][] = array('CONTENT' => 'A confirmation was sent to your e-mail, follow that link to continue', 'TYPE' => 'success');
           } else {
@@ -70,9 +80,18 @@ if ($user->isAuthenticated()) {
           }
         }
       } else {
-        $ea_token = (!isset($_POST['ea_token'])) ? '' : $_POST['ea_token'];
+        // back to get, was only post to fix for stupid hack
-        $cp_token = (!isset($_POST['cp_token'])) ? '' : $_POST['cp_token'];
+        $ea_token = (!isset($_GET['ea_token'])) ? '' : $_GET['ea_token'];
-        $wf_token = (!isset($_POST['wf_token'])) ? '' : $_POST['wf_token'];
+        $cp_token = (!isset($_GET['cp_token'])) ? '' : $_GET['cp_token'];
+        $wf_token = (!isset($_GET['wf_token'])) ? '' : $_GET['wf_token'];
+        if ($ea_token == '' && isset($_POST['ea_token']) && strlen($_POST['ea_token']) > 1) {
+          $ea_token = $_POST['ea_token'];
+        } else if ($ea_token == '' && isset($_POST['cp_token']) && strlen($_POST['cp_token']) > 1) {
+          $cp_token = $_POST['cp_token'];
+        } else if ($wf_token == '' && isset($_POST['wf_token']) && strlen($_POST['wf_token']) > 1) {
+          $wf_token = $_POST['wf_token'];
+        }
+        
         switch (@$_POST['do']) {
           case 'cashOut':
         	if ($setting->getValue('disable_payouts') == 1 || $setting->getValue('disable_manual_payouts') == 1) {
@@ -83,7 +102,6 @@ if ($user->isAuthenticated()) {
         	  if ($dBalance > $config['txfee']) {
         	    if (!$oPayout->isPayoutActive($_SESSION['USERDATA']['id'])) {
         	      if ($iPayoutId = $oPayout->createPayout($_SESSION['USERDATA']['id'], $wf_token)) {
-        	        $wf_sent = 0;
         	        $_SESSION['POPUP'][] = array('CONTENT' => 'Created new manual payout request with ID #' . $iPayoutId);
         	      } else {
         	        $_SESSION['POPUP'][] = array('CONTENT' => $iPayoutId->getError(), 'TYPE' => 'errormsg');
@@ -99,7 +117,6 @@ if ($user->isAuthenticated()) {
         
           case 'updateAccount':
         	if ($user->updateAccount($_SESSION['USERDATA']['id'], $_POST['paymentAddress'], $_POST['payoutThreshold'], $_POST['donatePercent'], $_POST['email'], $_POST['is_anonymous'], $ea_token)) {
-        	  $ea_sent = 0;
         	  $_SESSION['POPUP'][] = array('CONTENT' => 'Account details updated', 'TYPE' => 'success');
         	} else {
         	  $_SESSION['POPUP'][] = array('CONTENT' => 'Failed to update your account: ' . $user->getError(), 'TYPE' => 'errormsg');
@@ -108,7 +125,6 @@ if ($user->isAuthenticated()) {
         
           case 'updatePassword':
         	if ($user->updatePassword($_SESSION['USERDATA']['id'], $_POST['currentPassword'], $_POST['newPassword'], $_POST['newPassword2'], $cp_token)) {
-        	  $cp_sent = 0;
         	  $_SESSION['POPUP'][] = array('CONTENT' => 'Password updated', 'TYPE' => 'success');
         	} else {
         	  $_SESSION['POPUP'][] = array('CONTENT' => $user->getError(), 'TYPE' => 'errormsg');
@@ -119,17 +135,16 @@ if ($user->isAuthenticated()) {
     }
   }
 }
-// one last time so we can sync with changes we made during this page
+// 2fa - one last time so we can sync with changes we made during this page
 if ($user->isAuthenticated() && $config['twofactor']['enabled']) {
-  // stupid little hack because different request types
+  // stupid hack part deux
-  if (@$_POST['do'] !== 'genPin' || isset($_POST['unlock'])) {
+  // set the token to be the old token so we still have it if it errors out
-    $ea_token = (!isset($_GET['ea_token'])) ? '' : $_GET['ea_token'];
+  if ($old_token_type == 5) {
-    $cp_token = (!isset($_GET['cp_token'])) ? '' : $_GET['cp_token'];
+    $ea_token = $old_token;
-    $wf_token = (!isset($_GET['wf_token'])) ? '' : $_GET['wf_token'];
+  } else if ($old_token_type == 7) {
-  } else {
+    $wf_token = $old_token;
-    $ea_token = (!isset($_POST['ea_token'])) ? '' : $_POST['ea_token'];
+  } else if ($old_token_type == 6) {
-    $cp_token = (!isset($_POST['cp_token'])) ? '' : $_POST['cp_token'];
+    $cp_token = $old_token;
-    $wf_token = (!isset($_POST['wf_token'])) ? '' : $_POST['wf_token'];
   }
   if ($config['twofactor']['options']['details']) {
     $ea_editable = $user->token->isTokenValid($_SESSION['USERDATA']['id'], $ea_token, 5);