From afeaeb4a4bc25b08e1cb986a99464bfe73a0e16f Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Mon, 10 Apr 2017 14:17:14 +0200
Subject: [PATCH] Verify account only if a request is in progress

The account verification page should only proceed and allow updating the
user's profile (including resetting their password) when there is an
active activation token.
---
 verify.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/verify.php b/verify.php
index 6c17059..abd0328 100644
--- a/verify.php
+++ b/verify.php
@@ -69,7 +69,7 @@ if( auth_is_user_authenticated() ) {
 
 $t_token_confirm_hash = token_get_value( TOKEN_ACCOUNT_ACTIVATION, $f_user_id );
 
-if( $f_confirm_hash != $t_token_confirm_hash ) {
+if( $t_token_confirm_hash == null || $f_confirm_hash != $t_token_confirm_hash ) {
 	trigger_error( ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID, ERROR );
 }
 
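Review bot: The guard on the changed `if` line still compares the request-supplied `$f_confirm_hash` with the stored token using loose `!=`, so PHP type juggling applies (two numeric-looking strings are compared as numbers) and the comparison is not constant-time. The `== null` test correctly rejects a missing or empty token, but a strict form states the intent more clearly: `if( !is_string( $t_token_confirm_hash ) || $t_token_confirm_hash === '' || !hash_equals( $t_token_confirm_hash, (string)$f_confirm_hash ) ) {`. `hash_equals()` needs PHP 5.6 or later, so confirm that against the project's minimum supported version and fall back to `!==` if it is older. Where `$f_confirm_hash` is read lies outside this hunk, so the `(string)` cast is a precaution rather than a known need. A short comment above the check, such as `# No stored activation token means no verification request is in progress`, would help keep a later refactor from dropping the empty-token test.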
-- 
1.9.1

