From 4f8cec4af196a126875041208fee168bc8ae7fa0 Mon Sep 17 00:00:00 2001 From: Moc Date: Sat, 16 Aug 2014 01:04:32 +0200 Subject: [PATCH] Fixes #726 - Forgotten password clean-up. Now functional on BS themes. (Thanks Jimmi08!) --- e107_languages/English/lan_fpw.php | 13 +-- fpw.php | 164 +++++++++++++++++------------ 2 files changed, 103 insertions(+), 74 deletions(-) diff --git a/e107_languages/English/lan_fpw.php b/e107_languages/English/lan_fpw.php index 06e5dc17a..1bcbd4c48 100644 --- a/e107_languages/English/lan_fpw.php +++ b/e107_languages/English/lan_fpw.php @@ -1,14 +1,11 @@ secImg = $sec_img; } - function sc_fpw_username($parm='') // TODO check if this is still used/needed + function sc_fpw_username($parm='') // used when email login is disabled { // return ""; - return e107::getForm()->text('username'); + return e107::getForm()->text('username'); // $frm->userpicker()? } function sc_fpw_useremail($parm='') @@ -96,12 +94,9 @@ class fpw_shortcodes extends e_shortcode { return deftrue('LAN_FPW_101',"Not to worry. Just enter your email address below and we'll send you an instruction email for recovery."); } - - } - if ($pref['membersonly_enabled']) { $sc = array ( @@ -129,8 +124,15 @@ require_once(HEADERF); function fpw_error($txt) { - global $ns; - $ns->tablerender(LAN_03, "
".$txt."
", 'fpw'); + if(deftrue('BOOTSTRAP')) + { + e107::getMessage()->addError($txt); + e107::getRender()->tablerender(LAN_03, e107::getMessage()->render()); + require_once(FOOTERF); + exit; + } + + e107::getRender()->tablerender(LAN_03, "
".$txt."
", 'fpw'); require_once(FOOTERF); exit; } @@ -140,29 +142,41 @@ define('FPW_SEPARATOR', '#'); //$fpw_sep = '#'; -if (e_QUERY) -{ // User has clicked on the emailed link +// User has clicked on the emailed link +if(e_QUERY) +{ + // Make sure login menu is not giving any troubles define('FPW_ACTIVE','TRUE'); + + // Verify the password reset code syntax $tmpinfo = preg_replace("#[\W_]#", "", e107::getParser()->toDB(e_QUERY, true)); // query part is a 'random' number if ($tmpinfo != e_QUERY) { - die(); // Shouldn't be any characters that toDB() changes + // Shouldn't be any characters that toDB() changes + //die(); + e107::getRedirect()->redirect(SITEURL); } + + // Verify the password reset code if ($sql->select('tmp', '*', "`tmp_ip`='pwreset' AND `tmp_info` LIKE '%".FPW_SEPARATOR.$tmpinfo."' ")) { $row = $sql->fetch(); + + // Delete the record $sql->delete('tmp', "`tmp_time` = ".$row['tmp_time']." AND `tmp_info` = '".$row['tmp_info']."' "); list($loginName, $md5) = explode(FPW_SEPARATOR, $row['tmp_info']); $loginName = $tp->toDB($loginName, true); - if ($md5 != $tmpinfo) + // This should never happen! + if($md5 != $tmpinfo) { - die('Random mismatch!'); // This should never happen! + e107::getRedirect()->redirect(SITEURL); } - $newpw = $user_info->generateRandomString(str_repeat('*', rand(8, 12))); // Generate new temporary password - $mdnewpw = $user_info->HashPassword($newpw,$loginName); + // Generate new temporary password + $newpw = $user_info->generateRandomString(str_repeat('*', rand(8, 12))); + $mdnewpw = $user_info->HashPassword($newpw, $loginName); // Details for admin log $do_log['password_action'] = LAN_FPW21; @@ -172,8 +186,10 @@ if (e_QUERY) $do_log['user_password'] = $mdnewpw; $admin_log->user_audit(USER_AUDIT_PW_RES,$do_log,0,$do_log['user_name']); + // Update password in database $sql->update('user', "`user_password`='{$mdnewpw}' WHERE `user_loginname`='".$loginName."' "); + // Prepare new information to display to user if((integer) e107::getPref('allowEmailLogin') > 0) { // always show email when possible @@ -183,30 +199,34 @@ if (e_QUERY) unset($tmp); } + // Reset login cookie/session (?) cookie($pref['cookie_name'], '', (time()-2592000)); $_SESSION[$pref['cookie_name']] = ''; + // Display success message containing new login information $txt = "
".LAN_FPW8."
".LAN_218."{$loginName}
".LAN_FPW9."{$newpw}


".LAN_FPW10." ".LAN_FPW11." ".LAN_FPW12; - fpw_error($txt); - + + e107::getMessage()->addSuccess($txt); + e107::getRender()->tablerender(LAN_03, e107::getMessage()->render()); + require_once(FOOTERF); + exit; } + // The password reset code was not found else { - fpw_error(LAN_FPW7); // No 'forgot password' entry found + fpw_error(LAN_FPW7); } } // Request to reset password -//-------------------------- if (isset($_POST['pwsubmit'])) { - // Request for password reset submitted require_once(e_HANDLER.'mail.php'); if ($pref['fpwcode'] && extension_loaded('gd')) @@ -226,78 +246,92 @@ if (isset($_POST['pwsubmit'])) $query .= (isset($_POST['username'])) ? " AND `user_loginname`='{$clean_username}'" : ""; if($sql->select('user', '*', $query)) - { // Found user in DB + { + // Found user in DB $row = $sql->fetch(); + // Main admin expected to be competent enough to never forget password! (And its a security check - so warn them) + // Sending email to admin alerting them of attempted admin password reset, and redirect user to homepage. if (($row['user_admin'] == 1) && (($row['user_perms'] == '0') OR ($row['user_perms'] == '0.'))) - { // Main admin expected to be competent enough to never forget password! (And its a security check - so warn them) + { sendemail($pref['siteadminemail'], LAN_06, LAN_07.' ['.e107::getIPHandler()->getIP(FALSE).'] '.e107::getIPHandler()->getIP(TRUE).' '.LAN_08); - echo "\n"; - die(); + e107::getRedirect()->redirect(SITEURL); } - switch ($row['user_ban']) - { // Banned user, or not validated - case USER_BANNED : - die(); - case USER_VALIDATED : + // Banned user, or not validated + switch($row['user_ban']) + { + case USER_BANNED: + e107::getRedirect()->redirect(SITEURL); + case USER_VALIDATED: break; - default : - fpw_error(LAN_FPW22.':'.$row['user_ban']); // Intentionally rather a vague message + default: + fpw_error(LAN_02.':'.$row['user_ban']); // Intentionally rather a vague message exit; } + // Check if password reset was already requested if ($result = $sql->select('tmp', '*', "`tmp_ip` = 'pwreset' AND `tmp_info` LIKE '".$row['user_loginname'].FPW_SEPARATOR."%'")) { - fpw_error(LAN_FPW4); // Password reset already requested + fpw_error(LAN_FPW4); exit; } + // Set unique reset code mt_srand ((double)microtime() * 1000000); - $maxran = 1000000; - $rand_num = mt_rand(0, $maxran); - $datekey = date('r'); - $rcode = md5($_SERVER['HTTP_USER_AGENT'] . serialize($pref). $rand_num . $datekey); + $maxran = 1000000; + $rand_num = mt_rand(0, $maxran); + $datekey = date('r'); + $rcode = md5($_SERVER['HTTP_USER_AGENT'] . serialize($pref). $rand_num . $datekey); - $link = SITEURL.'fpw.php?'.$rcode; - $message = LAN_FPW5.' '.SITENAME.' '.LAN_FPW14.': '.e107::getIPHandler()->getIP(TRUE).".\n\n".LAN_FPW15."\n\n".LAN_FPW16."\n\n".LAN_FPW17."\n\n{$link}"; + // Prepare email + $link = SITEURL.'fpw.php?'.$rcode; + $message = LAN_FPW5.' '.SITENAME.' '.LAN_FPW14.': '.e107::getIPHandler()->getIP(TRUE).".\n\n".LAN_FPW15."\n\n".LAN_FPW16."\n\n".LAN_FPW17."\n\n{$link}"; - $deltime = time()+86400 * 2; //Set timestamp two days ahead so it doesn't get auto-deleted - $sql->db_Insert('tmp', "'pwreset',{$deltime},'".$row['user_loginname'].FPW_SEPARATOR.$rcode."'"); + // Set timestamp two days ahead so it doesn't get auto-deleted + $deltime = time()+86400 * 2; + + // Insert the password reset request into the database + $sql->insert('tmp', "'pwreset',{$deltime},'".$row['user_loginname'].FPW_SEPARATOR.$rcode."'"); - $do_log['password_action'] = LAN_FPW18; - $do_log['user_id'] = $row['user_id']; - $do_log['user_name'] = $row['user_name']; - $do_log['user_loginname'] = $row['user_loginname']; - $do_log['activation_code'] = $rcode; + // Setup the information to log + $do_log['password_action'] = LAN_FPW18; + $do_log['user_id'] = $row['user_id']; + $do_log['user_name'] = $row['user_name']; + $do_log['user_loginname'] = $row['user_loginname']; + $do_log['activation_code'] = $rcode; - if (sendemail($_POST['email'], "".LAN_09."".SITENAME, $message)) + // Try to send the email + if(sendemail($_POST['email'], "".LAN_09."".SITENAME, $message)) { - $text = "
".LAN_FPW6."
"; - $do_log['password_result'] = LAN_FPW20; + e107::getMessage()->addInfo(LAN_FPW6); + $do_log['password_result'] = LAN_FPW20; } else { - $text = "
".LAN_02."
"; - $do_log['password_result'] = LAN_FPW19; + //$text = "
".LAN_02."
"; + $do_log['password_result'] = LAN_FPW19; + fpw_error(LAN_02); } - $admin_log->user_audit(USER_AUDIT_PW_RES,$do_log,$row['user_id'],$row['user_name']); - $ns->tablerender(LAN_03, $text); + // Log to user audit log + e107::getAdminLog()->user_audit(USER_AUDIT_PW_RES, $do_log, $row['user_id'], $row['user_name']); + + $ns->tablerender(LAN_03, $text.e107::getMessage()->render()); require_once(FOOTERF); exit; } else { - $text = LAN_213; - $ns->tablerender(LAN_214, "
".$text."
"); + //$text = LAN_213; + //$ns->tablerender(LAN_214, "
".$text."
"); + e107::getMessage()->addError(LAN_213); + $ns->tablerender(LAN_214, e107::getMessage()->render()); } } -$sc = array(); - - +$sc = array(); // needed? /* @@ -314,10 +348,13 @@ if (USE_IMAGECODE) if(deftrue('BOOTSTRAP')) { - $FPW_TABLE = e107::getCoreTemplate('fpw','form'); + // TODO do we want the
element outside the template? + $FPW_TABLE = ""; + $FPW_TABLE .= e107::getCoreTemplate('fpw','form'); + $FPW_TABLE .= "
"; $caption = deftrue('LAN_FPW_100',"Forgot your password?"); } -elseif (!$FPW_TABLE) +elseif(!$FPW_TABLE) { require_once (e107::coreTemplatePath('fpw')); //correct way to load a core template. $caption = LAN_03; @@ -337,9 +374,4 @@ $text = $tp->parseTemplate($FPW_TABLE, true, $sc); $ns->tablerender($caption, $text); require_once(FOOTERF); - - - - - ?> \ No newline at end of file