public function action_parse_request()
{
if (!isset($_GET[self::GET_EMAIL_VERIFY])) {
return;
}
$rebuffal_title = __('Verification failed', 'vip-support');
$rebuffal_message = __('This email verification link is not for your account, was not recognised, has been invalidated, or has already been used.', 'vip-support');
$user_login = $_GET[self::GET_EMAIL_USER_LOGIN];
$user = get_user_by('login', $user_login);
if (!$user) {
// 403 Forbidden – The server understood the request, but is refusing to fulfill it.
// Authorization will not help and the request SHOULD NOT be repeated.
wp_die($rebuffal_message, $rebuffal_title, array('response' => 403));
}
// We only want the user who was sent the email to be able to verify their email
// (i.e. not another logged in or anonymous user clicking the link).
// @FIXME: Should we expire the link at this point, so an attacker cannot iterate the IDs?
if (get_current_user_id() != $user->ID) {
wp_die($rebuffal_message, $rebuffal_title, array('response' => 403));
}
if (!$this->is_a8c_email($user->user_email)) {
wp_die($rebuffal_message, $rebuffal_title, array('response' => 403));
}
$stored_verification_code = $this->get_user_email_verification_code($user->ID);
$hash_sent = (string) sanitize_text_field($_GET[self::GET_EMAIL_VERIFY]);
$check_hash = $this->create_check_hash(get_current_user_id(), $stored_verification_code, $user->user_email);
if ($check_hash !== $hash_sent) {
wp_die($rebuffal_message, $rebuffal_title, array('response' => 403));
}
// It's all looking good. Verify the email.
$this->mark_user_email_verified($user->ID, $user->user_email);
// If the user is an A12n, add them to the support role
if ($this->is_a8c_email($user->user_email)) {
$this->promote_user_to_vip_support($user->ID);
}
$message = sprintf(__('Your email has been verified as %s', 'vip-support'), $user->user_email);
$title = __('Verification succeeded', 'vip-support');
wp_die($message, $title, array('response' => 200));
}
