Index: modules/contact/contact.js =================================================================== RCS file: /cvs/drupal/drupal/modules/contact/contact.js,v retrieving revision 1.1 diff -u -p -r1.1 contact.js --- modules/contact/contact.js 9 Oct 2009 15:39:12 -0000 1.1 +++ modules/contact/contact.js 11 Oct 2009 14:38:56 -0000 @@ -4,9 +4,10 @@ Drupal.behaviors.contact = { attach: function(context) { $.each(['name', 'mail'], function () { - var cookie = $.cookie('Drupal.user.' + this); + var cookie = $.cookie('Drupal.visitor.' + this); if (cookie) { $('#contact-site-form input[name=' + this + ']', context).once('comment').val(cookie); + $('#contact-personal-form input[name=' + this + ']', context).once('comment').val(cookie); } }); } Index: modules/contact/contact.module =================================================================== RCS file: /cvs/drupal/drupal/modules/contact/contact.module,v retrieving revision 1.133 diff -u -p -r1.133 contact.module --- modules/contact/contact.module 11 Oct 2009 01:06:27 -0000 1.133 +++ modules/contact/contact.module 11 Oct 2009 14:38:56 -0000 @@ -45,6 +45,10 @@ function contact_permission() { 'title' => t('Access site-wide contact form'), 'description' => t('Send e-mails to administrator-defined recipients using the site-wide contact form.'), ), + 'access user contact forms' => array( + 'title' => t('Access user contact forms'), + 'description' => t('Send e-mails to users using their contact forms.'), + ), ); } @@ -117,8 +121,8 @@ function contact_menu() { function _contact_personal_tab_access(stdClass $account) { global $user; - // Anonymous users cannot use or have contact forms. - if (!$user->uid || !$account->uid) { + // Anonymous users cannot have contact forms. + if (!$account->uid) { return FALSE; } @@ -138,7 +142,7 @@ function _contact_personal_tab_access(st return FALSE; } - return TRUE; + return user_access('access user contact forms'); } /** @@ -168,38 +172,35 @@ function contact_mail($key, &$message, $ $variables = array( '!site-name' => variable_get('site_name', 'Drupal'), '!subject' => $params['subject'], - '!category' => isset($params['contact']['category']) ? $params['contact']['category'] : '', + '!category' => isset($params['category']['category']) ? $params['category']['category'] : '', '!form-url' => url($_GET['q'], array('absolute' => TRUE, 'language' => $language)), + '!sender-name' => $params['sender']->name, + '!sender-url' => $params['sender']->uid ? url('user/' . $params['sender']->uid, array('absolute' => TRUE, 'language' => $language)) : $params['sender']->mail, ); switch ($key) { case 'page_mail': case 'page_copy': - $variables += array( - '!sender-name' => $params['name'], - ); $message['subject'] .= t('[!category] !subject', $variables, array('langcode' => $language->language)); - $message['body'][] = t("!sender-name sent a message using the contact form at !form-url.", $variables, array('langcode' => $language->language)); + $message['body'][] = t("!sender-name (!sender-url) sent a message using the contact form at !form-url.", $variables, array('langcode' => $language->language)); $message['body'][] = $params['message']; break; case 'page_autoreply': $message['subject'] .= t('[!category] !subject', $variables, array('langcode' => $language->language)); - $message['body'][] = $params['contact']['reply']; + $message['body'][] = $params['category']['reply']; break; case 'user_mail': case 'user_copy': $variables += array( - '!user-name' => $params['account']->name, - '!user-edit-url' => url('user/' . $params['account']->uid . '/edit', array('absolute' => TRUE, 'language' => $language)), - '!sender-name' => $params['user']->name, - '!sender-url' => url('user/' . $params['user']->uid, array('absolute' => TRUE, 'language' => $language)), + '!recipient-name' => $params['recipient']->name, + '!recipient-edit-url' => url('user/' . $params['recipient']->uid . '/edit', array('absolute' => TRUE, 'language' => $language)), ); $message['subject'] .= t('[!site-name] !subject', $variables, array('langcode' => $language->language)); - $message['body'][] = t('!user-name,', $variables, array('langcode' => $language->language)); - $message['body'][] = t("!sender-name (!sender-name-url) has sent you a message via your contact form (!form-url) at !site.", $variables, array('langcode' => $language->language)); - $message['body'][] = t("If you don't want to receive such e-mails, you can change your settings at !user-edit-url.", $variables, array('langcode' => $language->language)); + $message['body'][] = t('!recipient-name,', $variables, array('langcode' => $language->language)); + $message['body'][] = t("!sender-name (!sender-url) has sent you a message via your contact form (!form-url) at !site-name.", $variables, array('langcode' => $language->language)); + $message['body'][] = t("If you don't want to receive such e-mails, you can change your settings at !recipient-edit-url.", $variables, array('langcode' => $language->language)); $message['body'][] = t('Message:', array(), array('langcode' => $language->language)); $message['body'][] = $params['message']; break; Index: modules/contact/contact.pages.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/contact/contact.pages.inc,v retrieving revision 1.31 diff -u -p -r1.31 contact.pages.inc --- modules/contact/contact.pages.inc 11 Oct 2009 01:06:27 -0000 1.31 +++ modules/contact/contact.pages.inc 11 Oct 2009 14:38:56 -0000 @@ -8,6 +8,9 @@ /** * Form builder; the site-wide contact form. + * + * @see contact_site_form_validate() + * @see contact_site_form_submit() */ function contact_site_form($form, &$form_state) { global $user; @@ -19,7 +22,7 @@ function contact_site_form($form, &$form drupal_set_message(t("You cannot send more than %limit messages in @interval. Please try again later.", array('%limit' => $limit, '@interval' => format_interval($window))), 'error'); return drupal_access_denied(); } - + // Get an array of the categories and the current default category. $categories = db_query("SELECT cid, category FROM {contact} ORDER BY weight, category")->fetchAllKeyed(); $default_category = db_query("SELECT cid FROM {contact} WHERE selected = 1")->fetchField(); @@ -118,22 +121,22 @@ function contact_site_form_submit($form, global $user, $language; $values = $form_state['values']; + $values['sender'] = $user; + $values['sender']->name = $values['name']; + $values['sender']->mail = $values['mail']; + $values['category'] = contact_load($values['cid']); // Save the anonymous user information to a cookie for reuse. if (!$user->uid) { user_cookie_save($values); } - // E-mail address of the sender: as the form field is a text field, - // all instances of \r and \n have been automatically stripped from it. - $from = $values['mail']; - - // Load category properties and save form values for email composition. - $contact = contact_load($values['cid']); - $values['contact'] = $contact; + // Get the to and from e-mail addresses. + $to = $values['category']['recipients']; + $from = $values['sender']->mail; // Send the e-mail to the recipients using the site default language. - drupal_mail('contact', 'page_mail', $contact['recipients'], language_default(), $values, $from); + drupal_mail('contact', 'page_mail', $to, language_default(), $values, $from); // If the user requests it, send a copy using the current language. if ($values['copy']) { @@ -141,21 +144,24 @@ function contact_site_form_submit($form, } // Send an auto-reply if necessary using the current language. - if ($contact['reply']) { - drupal_mail('contact', 'page_autoreply', $from, $language, $values, $contact['recipients']); + if ($values['category']['reply']) { + drupal_mail('contact', 'page_autoreply', $from, $language, $values, $to); } flood_register_event('contact'); - watchdog('mail', '%name-from sent an e-mail regarding %category.', array('%name-from' => $values['name'] . " [$from]", '%category' => $contact['category'])); - drupal_set_message(t('Your message has been sent.')); + watchdog('mail', '%sender-name (@sender-from) sent an e-mail regarding %category.', array('%sender-name' => $values['name'], '@sender-from' => $from, '%category' => $values['category']['category'])); // Jump to home page rather than back to contact page to avoid // contradictory messages if flood control has been activated. + drupal_set_message(t('Your message has been sent.')); $form_state['redirect'] = ''; } /** * Form builder; the personal contact form. + * + * @see contact_personal_form_validate() + * @see contact_personal_form_submit() */ function contact_personal_form($form, &$form_state, stdClass $recipient) { global $user; @@ -167,18 +173,32 @@ function contact_personal_form($form, &$ drupal_set_message(t("You cannot send more than %limit messages in @interval. Please try again later.", array('%limit' => $limit, '@interval' => format_interval($window))), 'error'); return drupal_access_denied(); } - + drupal_set_title(t('Contact @username', array('@username' => $recipient->name)), PASS_THROUGH); - - $form['#token'] = $user->name . $user->mail; + + if (!$user->uid) { + $form['#attached']['library'][] = array('system', 'cookie'); + $form['#attached']['js'][] = drupal_get_path('module', 'contact') . '/contact.js'; + } + + $form['#token'] = $user->uid ? $user->name . $user->mail : ''; $form['recipient'] = array( '#type' => 'value', '#value' => $recipient, ); - $form['from'] = array( - '#type' => 'item', - '#title' => t('From'), - '#markup' => theme('username', array('account' => $user)) . ' <' . check_plain($user->mail) . '>', + $form['name'] = array( + '#type' => 'textfield', + '#title' => t('Your name'), + '#maxlength' => 255, + '#default_value' => $user->uid ? $user->name : '', + '#required' => TRUE, + ); + $form['mail'] = array( + '#type' => 'textfield', + '#title' => t('Your e-mail address'), + '#maxlength' => 255, + '#default_value' => $user->uid ? $user->mail : '', + '#required' => TRUE, ); $form['to'] = array( '#type' => 'item', @@ -197,9 +217,12 @@ function contact_personal_form($form, &$ '#rows' => 15, '#required' => TRUE, ); + // We do not allow anonymous users to send themselves a copy + // because it can be abused to spam people. $form['copy'] = array( '#type' => 'checkbox', '#title' => t('Send yourself a copy.'), + '#access' => $user->uid, ); $form['submit'] = array( '#type' => 'submit', @@ -209,34 +232,50 @@ function contact_personal_form($form, &$ } /** + * Form validation handler for contact_personal_form(). + * + * @see contact_personal_form() + */ +function contact_personal_form_validate($form, &$form_state) { + if (!valid_email_address($form_state['values']['mail'])) { + form_set_error('mail', t('You must enter a valid e-mail address.')); + } +} + +/** * Form submission handler for contact_personal_form(). + * + * @see contact_personal_form() */ function contact_personal_form_submit($form, &$form_state) { global $user, $language; - $account = $form_state['values']['recipient']; + $values = $form_state['values']; + $values['sender'] = $user; + $values['sender']->name = $values['name']; + $values['sender']->mail = $values['mail']; - // Send from the current user to the requested user. - $to = $account->mail; - $from = $user->mail; + // Save the anonymous user information to a cookie for reuse. + if (!$user->uid) { + user_cookie_save($values); + } - // Save both users and all form values for email composition. - $values = $form_state['values']; - $values['account'] = $account; - $values['user'] = $user; + // Get the to and from e-mail addresses. + $to = $values['recipient']->mail; + $from = $values['sender']->mail; // Send the e-mail in the requested user language. - drupal_mail('contact', 'user_mail', $to, user_preferred_language($account), $values, $from); + drupal_mail('contact', 'user_mail', $to, user_preferred_language($values['recipient']), $values, $from); // Send a copy if requested, using current page language. - if ($form_state['values']['copy']) { + if ($values['copy']) { drupal_mail('contact', 'user_copy', $from, $language, $values, $from); } flood_register_event('contact'); - watchdog('mail', '%name-from sent %name-to an e-mail.', array('%name-from' => $user->name, '%name-to' => $account->name)); - drupal_set_message(t('Your message has been sent.')); + watchdog('mail', '%sender-name (@sender-from) sent %recipient-name an e-mail.', array('%sender-name' => $values['name'], '@sender-from' => $from, '%recipient-name' => $values['recipient']->name)); - // Back to the requested users profile page. - $form_state['redirect'] = "user/$account->uid"; + // Jump to the contacted user's profile page. + drupal_set_message(t('Your message has been sent.')); + $form_state['redirect'] = user_access('access user profiles') ? 'user/' . $values['recipient']->uid : ''; } Index: modules/contact/contact.test =================================================================== RCS file: /cvs/drupal/drupal/modules/contact/contact.test,v retrieving revision 1.36 diff -u -p -r1.36 contact.test --- modules/contact/contact.test 10 Oct 2009 19:54:15 -0000 1.36 +++ modules/contact/contact.test 11 Oct 2009 14:38:56 -0000 @@ -294,9 +294,8 @@ class ContactPersonalTestCase extends Dr // Create some normal users with their contact forms enabled by default. variable_set('contact_default_status', TRUE); - $this->web_user = $this->drupalCreateUser(); + $this->web_user = $this->drupalCreateUser(array('access user contact forms')); $this->contact_user = $this->drupalCreateUser(); - variable_set('contact_default_status', FALSE); } /** @@ -316,6 +315,17 @@ class ContactPersonalTestCase extends Dr $this->drupalGet('user/0/contact'); $this->assertResponse(403); + // Test that anonymous users can access the contact form. + $this->drupalLogout(); + user_role_grant_permissions(DRUPAL_ANONYMOUS_RID, array('access user contact forms')); + $this->drupalGet('user/' . $this->contact_user->uid . '/contact'); + $this->assertResponse(200); + + // Revoke the personal contact permission for the anonymous user. + user_role_revoke_permissions(DRUPAL_ANONYMOUS_RID, array('access user contact forms')); + $this->drupalGet('user/' . $this->contact_user->uid . '/contact'); + $this->assertResponse(403); + // Disable the personal contact form. $this->drupalLogin($this->admin_user); $edit = array('contact_default_status' => FALSE);