Fixes #726 - Forgotten password clean-up. Now functional on BS themes. (Thanks Jimmi08!)

2025-07-31 03:40:37 +02:00 · 2014-08-16 01:04:32 +02:00
parent 3cae2aa4ef
commit 4f8cec4af1
2 changed files with 103 additions and 74 deletions
--- a/e107_languages/English/lan_fpw.php
+++ b/e107_languages/English/lan_fpw.php
@@ -1,14 +1,11 @@
 <?php
 /*
-+ ----------------------------------------------------------------------------+
-|     e107 website system - Language File.
-|
-|     $Source: /cvs_backup/e107_0.8/e107_languages/English/lan_fpw.php,v $
-|     $Revision$
-|     $Date$
-|     $Author$
-+----------------------------------------------------------------------------+
+ * Copyright e107 Inc e107.org, Licensed under GNU GPL (http://www.gnu.org/licenses/gpl.txt)
+ *
+ * Forgotten password language file - Password reset
+ *
 */
+
 define("PAGE_NAME", "Password Reset");

 define("LAN_02", "Sorry, unable to send email - please contact the main site administrator.");
--- a/fpw.php
+++ b/fpw.php
@@ -12,7 +12,6 @@

 require_once('class2.php');

-//include_lan(e_LANGUAGEDIR.e_LANGUAGE.'/lan_'.e_PAGE); 
 e107::coreLan('fpw'); 

 $tp = e107::getParser();
@@ -36,8 +35,7 @@ else


 class fpw_shortcodes extends e_shortcode
-{
-	
+{	
 	private $secImg;
 	
 	function __construct()
@@ -46,10 +44,10 @@ class fpw_shortcodes extends e_shortcode
 		$this->secImg = $sec_img;	
 	}

-	function sc_fpw_username($parm='') // TODO check if this is still used/needed
+	function sc_fpw_username($parm='') // used when email login is disabled
 	{
 		// return "<input class='tbox' type='text' name='username' size='40' value='' maxlength='100' />";	
-		return e107::getForm()->text('username');
+		return e107::getForm()->text('username'); // $frm->userpicker()?
 	}

 	function sc_fpw_useremail($parm='') 
@@ -96,12 +94,9 @@ class fpw_shortcodes extends e_shortcode
 	{
 		return deftrue('LAN_FPW_101',"Not to worry. Just enter your email address below and we'll send you an instruction email for recovery.");	
 	}
-
-
 }


-
 if ($pref['membersonly_enabled'])
 {
 	$sc = array (
@@ -129,8 +124,15 @@ require_once(HEADERF);

 function fpw_error($txt)
 {
-	global $ns;
-	$ns->tablerender(LAN_03, "<div class='fpw-page'>".$txt."</div>", 'fpw');
+	if(deftrue('BOOTSTRAP'))
+	{
+		e107::getMessage()->addError($txt);
+		e107::getRender()->tablerender(LAN_03, e107::getMessage()->render());
+		require_once(FOOTERF);
+		exit;
+	}
+
+	e107::getRender()->tablerender(LAN_03, "<div class='fpw-page'>".$txt."</div>", 'fpw');
 	require_once(FOOTERF);
 	exit;
 }
@@ -140,29 +142,41 @@ define('FPW_SEPARATOR', '#');
 //$fpw_sep = '#';


-if (e_QUERY)
-{	// User has clicked on the emailed link
+// User has clicked on the emailed link
+if(e_QUERY)
+{	
+	// Make sure login menu is not giving any troubles
 	define('FPW_ACTIVE','TRUE');
+
+	// Verify the password reset code syntax
 	$tmpinfo = preg_replace("#[\W_]#", "", e107::getParser()->toDB(e_QUERY, true));			// query part is a 'random' number
 	if ($tmpinfo != e_QUERY)
 	{
-		die();			// Shouldn't be any characters that toDB() changes
+		// Shouldn't be any characters that toDB() changes
+		//die();			
+		e107::getRedirect()->redirect(SITEURL);
 	}
+
+	// Verify the password reset code
 	if ($sql->select('tmp', '*', "`tmp_ip`='pwreset' AND `tmp_info` LIKE '%".FPW_SEPARATOR.$tmpinfo."' "))
 	{
 		$row = $sql->fetch();
+
+		// Delete the record 
 		$sql->delete('tmp', "`tmp_time` = ".$row['tmp_time']." AND `tmp_info` = '".$row['tmp_info']."' ");

 		list($loginName, $md5) = explode(FPW_SEPARATOR, $row['tmp_info']);
 		$loginName = $tp->toDB($loginName, true);

-		if ($md5 != $tmpinfo)
+		// This should never happen! 
+		if($md5 != $tmpinfo)
 		{
-			die('Random mismatch!');			// This should never happen!
+			e107::getRedirect()->redirect(SITEURL);	
 		}

-		$newpw 		= $user_info->generateRandomString(str_repeat('*', rand(8, 12)));		// Generate new temporary password
-		$mdnewpw 	= $user_info->HashPassword($newpw,$loginName);
+		// Generate new temporary password
+		$newpw 		= $user_info->generateRandomString(str_repeat('*', rand(8, 12)));		
+		$mdnewpw 	= $user_info->HashPassword($newpw, $loginName);

 		// Details for admin log
 		$do_log['password_action'] = LAN_FPW21;
@@ -172,8 +186,10 @@ if (e_QUERY)
 		$do_log['user_password'] = $mdnewpw;
 		$admin_log->user_audit(USER_AUDIT_PW_RES,$do_log,0,$do_log['user_name']);

+		// Update password in database
 		$sql->update('user', "`user_password`='{$mdnewpw}' WHERE `user_loginname`='".$loginName."' ");
 		
+		// Prepare new information to display to user
 		if((integer) e107::getPref('allowEmailLogin') > 0)
 		{
 			// always show email when possible
@@ -183,30 +199,34 @@ if (e_QUERY)
 			unset($tmp);
 		}

+		// Reset login cookie/session (?)
 		cookie($pref['cookie_name'], '', (time()-2592000));
 		$_SESSION[$pref['cookie_name']] = '';

+		// Display success message containing new login information
 		$txt = "<div class='fpw-message'>".LAN_FPW8."</div>
 		<table class='fpw-info'>
 		<tr><td>".LAN_218."</td><td style='font-weight:bold'>{$loginName}</td></tr>
 		<tr><td>".LAN_FPW9."</td><td style='font-weight:bold'>{$newpw}</td></tr>
 		</table>
 		<br /><br />".LAN_FPW10." <a href='".e_LOGIN."'>".LAN_FPW11."</a> ".LAN_FPW12;
-		fpw_error($txt);
-
+		
+		e107::getMessage()->addSuccess($txt);
+		e107::getRender()->tablerender(LAN_03, e107::getMessage()->render());
+		require_once(FOOTERF);
+		exit;
 	}
+	// The password reset code was not found
 	else
 	{
-		fpw_error(LAN_FPW7);		// No 'forgot password' entry found
+		fpw_error(LAN_FPW7);		
 	}
 }


 // Request to reset password
-//--------------------------
 if (isset($_POST['pwsubmit']))
 {	
-	// Request for password reset submitted
 	require_once(e_HANDLER.'mail.php');
 	
 	if ($pref['fpwcode'] && extension_loaded('gd'))
@@ -226,78 +246,92 @@ if (isset($_POST['pwsubmit']))
 	$query .= (isset($_POST['username'])) ? " AND `user_loginname`='{$clean_username}'" : "";

 	if($sql->select('user', '*', $query))
-	{	// Found user in DB
+	{	
+		// Found user in DB
 		$row = $sql->fetch();

+		// Main admin expected to be competent enough to never forget password! (And its a security check - so warn them)
+		// Sending email to admin alerting them of attempted admin password reset, and redirect user to homepage. 
 		if (($row['user_admin'] == 1) && (($row['user_perms'] == '0')  OR ($row['user_perms'] == '0.')))
-		{	// Main admin expected to be competent enough to never forget password! (And its a security check - so warn them)
+		{	
 			sendemail($pref['siteadminemail'], LAN_06, LAN_07.' ['.e107::getIPHandler()->getIP(FALSE).'] '.e107::getIPHandler()->getIP(TRUE).' '.LAN_08);
-			echo "<script type='text/javascript'>document.location.href='index.php'</script>\n";
-			die();
+			e107::getRedirect()->redirect(SITEURL);
 		}

-		switch ($row['user_ban'])
-		{	// Banned user, or not validated
-			case USER_BANNED :
-				die();
-			case USER_VALIDATED :
+		// Banned user, or not validated
+		switch($row['user_ban'])
+		{	
+			case USER_BANNED:
+				e107::getRedirect()->redirect(SITEURL);
+			case USER_VALIDATED:
 				break;
-			default :
-				fpw_error(LAN_FPW22.':'.$row['user_ban']);		// Intentionally rather a vague message
+			default:
+				fpw_error(LAN_02.':'.$row['user_ban']);		// Intentionally rather a vague message
 				exit;
 		}

+		// Check if password reset was already requested
 		if ($result = $sql->select('tmp', '*', "`tmp_ip` = 'pwreset' AND `tmp_info` LIKE '".$row['user_loginname'].FPW_SEPARATOR."%'"))
 		{
-			fpw_error(LAN_FPW4);		// Password reset already requested
+			fpw_error(LAN_FPW4);		
 			exit;
 		}

+		// Set unique reset code
 		mt_srand ((double)microtime() * 1000000);
-		$maxran = 1000000;
-		$rand_num = mt_rand(0, $maxran);
-		$datekey = date('r');
-		$rcode = md5($_SERVER['HTTP_USER_AGENT'] . serialize($pref). $rand_num . $datekey);
+		$maxran 	= 1000000;
+		$rand_num 	= mt_rand(0, $maxran);
+		$datekey 	= date('r');
+		$rcode 		= md5($_SERVER['HTTP_USER_AGENT'] . serialize($pref). $rand_num . $datekey);

-		$link = SITEURL.'fpw.php?'.$rcode;
-		$message = LAN_FPW5.' '.SITENAME.' '.LAN_FPW14.': '.e107::getIPHandler()->getIP(TRUE).".\n\n".LAN_FPW15."\n\n".LAN_FPW16."\n\n".LAN_FPW17."\n\n{$link}";
+		// Prepare email
+		$link 		= SITEURL.'fpw.php?'.$rcode;
+		$message 	= LAN_FPW5.' '.SITENAME.' '.LAN_FPW14.': '.e107::getIPHandler()->getIP(TRUE).".\n\n".LAN_FPW15."\n\n".LAN_FPW16."\n\n".LAN_FPW17."\n\n{$link}";

-		$deltime = time()+86400 * 2;			//Set timestamp two days ahead so it doesn't get auto-deleted
-		$sql->db_Insert('tmp', "'pwreset',{$deltime},'".$row['user_loginname'].FPW_SEPARATOR.$rcode."'");
+		// Set timestamp two days ahead so it doesn't get auto-deleted
+		$deltime = time()+86400 * 2;			
+		
+		// Insert the password reset request into the database 
+		$sql->insert('tmp', "'pwreset',{$deltime},'".$row['user_loginname'].FPW_SEPARATOR.$rcode."'");

-		$do_log['password_action'] = LAN_FPW18;
-		$do_log['user_id'] = $row['user_id'];
-		$do_log['user_name'] = $row['user_name'];
-		$do_log['user_loginname'] = $row['user_loginname'];
-		$do_log['activation_code'] = $rcode;
+		// Setup the information to log
+		$do_log['password_action'] 	= LAN_FPW18;
+		$do_log['user_id'] 			= $row['user_id'];
+		$do_log['user_name'] 		= $row['user_name'];
+		$do_log['user_loginname'] 	= $row['user_loginname'];
+		$do_log['activation_code'] 	= $rcode;

-		if (sendemail($_POST['email'], "".LAN_09."".SITENAME, $message))
+		// Try to send the email 
+		if(sendemail($_POST['email'], "".LAN_09."".SITENAME, $message))
 		{
-		  $text = "<div style='text-align:center'>".LAN_FPW6."</div>";
-		  $do_log['password_result'] = LAN_FPW20;
+			e107::getMessage()->addInfo(LAN_FPW6);
+			$do_log['password_result'] = LAN_FPW20;
 		}
 		else
 		{
-		  $text = "<div style='text-align:center'>".LAN_02."</div>";
-		  $do_log['password_result'] = LAN_FPW19;
+			//$text = "<div style='text-align:center'>".LAN_02."</div>";
+			$do_log['password_result'] = LAN_FPW19;
+		  	fpw_error(LAN_02); 
 		}
-		$admin_log->user_audit(USER_AUDIT_PW_RES,$do_log,$row['user_id'],$row['user_name']);

-		$ns->tablerender(LAN_03, $text);
+		// Log to user audit log
+		e107::getAdminLog()->user_audit(USER_AUDIT_PW_RES, $do_log, $row['user_id'], $row['user_name']);
+
+		$ns->tablerender(LAN_03, $text.e107::getMessage()->render());
 		require_once(FOOTERF);
 		exit;
 	}
 	else
 	{
-		$text = LAN_213;
-		$ns->tablerender(LAN_214, "<div style='text-align:center'>".$text."</div>");
+		//$text = LAN_213;
+		//$ns->tablerender(LAN_214, "<div style='text-align:center'>".$text."</div>");
+		e107::getMessage()->addError(LAN_213); 
+		$ns->tablerender(LAN_214, e107::getMessage()->render()); 
 	}
 }


-$sc = array();
-
-
+$sc = array(); // needed?


 /*
@@ -314,10 +348,13 @@ if (USE_IMAGECODE)

 if(deftrue('BOOTSTRAP'))
 {
-	$FPW_TABLE = e107::getCoreTemplate('fpw','form');	
+	// TODO do we want the <form> element outside the template?
+	$FPW_TABLE = "<form method='post' action='".SITEURL."fpw.php' autocomplete='off'>";
+	$FPW_TABLE .= e107::getCoreTemplate('fpw','form');	
+	$FPW_TABLE .= "</form>"; 
 	$caption = deftrue('LAN_FPW_100',"Forgot your password?");	
 }	
-elseif (!$FPW_TABLE)
+elseif(!$FPW_TABLE)
 {
 	require_once (e107::coreTemplatePath('fpw')); //correct way to load a core template.
 	$caption = LAN_03;
@@ -337,9 +374,4 @@ $text = $tp->parseTemplate($FPW_TABLE, true, $sc);
 $ns->tablerender($caption, $text);
 require_once(FOOTERF);

-
-
-
-
-
 ?>