mirror/php-e107
1
0
Fork 0
mirror of https://github.com/e107inc/e107.git synced 2025-08-01 20:30:39 +02:00
Code Issues Releases Wiki Activity

Fixes #726 - Forgotten password clean-up. Now functional on BS themes. (Thanks Jimmi08!)

Browse Source
This commit is contained in:
Moc
2014-08-16 01:04:32 +02:00
parent 3cae2aa4ef
commit 4f8cec4af1
2 changed files with 103 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
e107_languages/English/lan_fpw.php
View File

@@ -1,14 +1,11 @@
<?php <?php
/* /*
+ ----------------------------------------------------------------------------+ * Copyright e107 Inc e107.org, Licensed under GNU GPL (http://www.gnu.org/licenses/gpl.txt)
| e107 website system - Language File. *
| * Forgotten password language file - Password reset
| $Source: /cvs_backup/e107_0.8/e107_languages/English/lan_fpw.php,v $ *
| $Revision$
| $Date$
| $Author$
+----------------------------------------------------------------------------+
*/ */
define("PAGE_NAME", "Password Reset"); define("PAGE_NAME", "Password Reset");
define("LAN_02", "Sorry, unable to send email - please contact the main site administrator."); define("LAN_02", "Sorry, unable to send email - please contact the main site administrator.");

134
fpw.php
View File

@@ -12,7 +12,6 @@
require_once('class2.php'); require_once('class2.php');
//include_lan(e_LANGUAGEDIR.e_LANGUAGE.'/lan_'.e_PAGE);
e107::coreLan('fpw'); e107::coreLan('fpw');
$tp = e107::getParser(); $tp = e107::getParser();
@@ -37,7 +36,6 @@ else
class fpw_shortcodes extends e_shortcode class fpw_shortcodes extends e_shortcode
{ {
private $secImg; private $secImg;
function __construct() function __construct()
@@ -46,10 +44,10 @@ class fpw_shortcodes extends e_shortcode
$this->secImg = $sec_img; $this->secImg = $sec_img;
} }
function sc_fpw_username($parm='') // TODO check if this is still used/needed function sc_fpw_username($parm='') // used when email login is disabled
{ {
// return "<input class='tbox' type='text' name='username' size='40' value='' maxlength='100' />"; // return "<input class='tbox' type='text' name='username' size='40' value='' maxlength='100' />";
return e107::getForm()->text('username'); return e107::getForm()->text('username'); // $frm->userpicker()?
} }
function sc_fpw_useremail($parm='') function sc_fpw_useremail($parm='')
@@ -96,12 +94,9 @@ class fpw_shortcodes extends e_shortcode
{ {
return deftrue('LAN_FPW_101',"Not to worry. Just enter your email address below and we'll send you an instruction email for recovery."); return deftrue('LAN_FPW_101',"Not to worry. Just enter your email address below and we'll send you an instruction email for recovery.");
} }
} }
if ($pref['membersonly_enabled']) if ($pref['membersonly_enabled'])
{ {
$sc = array ( $sc = array (
@@ -129,8 +124,15 @@ require_once(HEADERF);
function fpw_error($txt) function fpw_error($txt)
{ {
global $ns; if(deftrue('BOOTSTRAP'))
$ns->tablerender(LAN_03, "<div class='fpw-page'>".$txt."</div>", 'fpw'); {
e107::getMessage()->addError($txt);
e107::getRender()->tablerender(LAN_03, e107::getMessage()->render());
require_once(FOOTERF);
exit;
}
e107::getRender()->tablerender(LAN_03, "<div class='fpw-page'>".$txt."</div>", 'fpw');
require_once(FOOTERF); require_once(FOOTERF);
exit; exit;
} }
@@ -140,29 +142,41 @@ define('FPW_SEPARATOR', '#');
//$fpw_sep = '#'; //$fpw_sep = '#';
if (e_QUERY) // User has clicked on the emailed link
{ // User has clicked on the emailed link if(e_QUERY)
{
// Make sure login menu is not giving any troubles
define('FPW_ACTIVE','TRUE'); define('FPW_ACTIVE','TRUE');
// Verify the password reset code syntax
$tmpinfo = preg_replace("#[\W_]#", "", e107::getParser()->toDB(e_QUERY, true)); // query part is a 'random' number $tmpinfo = preg_replace("#[\W_]#", "", e107::getParser()->toDB(e_QUERY, true)); // query part is a 'random' number
if ($tmpinfo != e_QUERY) if ($tmpinfo != e_QUERY)
{ {
die(); // Shouldn't be any characters that toDB() changes // Shouldn't be any characters that toDB() changes
//die();
e107::getRedirect()->redirect(SITEURL);
} }
// Verify the password reset code
if ($sql->select('tmp', '*', "`tmp_ip`='pwreset' AND `tmp_info` LIKE '%".FPW_SEPARATOR.$tmpinfo."' ")) if ($sql->select('tmp', '*', "`tmp_ip`='pwreset' AND `tmp_info` LIKE '%".FPW_SEPARATOR.$tmpinfo."' "))
{ {
$row = $sql->fetch(); $row = $sql->fetch();
// Delete the record
$sql->delete('tmp', "`tmp_time` = ".$row['tmp_time']." AND `tmp_info` = '".$row['tmp_info']."' "); $sql->delete('tmp', "`tmp_time` = ".$row['tmp_time']." AND `tmp_info` = '".$row['tmp_info']."' ");
list($loginName, $md5) = explode(FPW_SEPARATOR, $row['tmp_info']); list($loginName, $md5) = explode(FPW_SEPARATOR, $row['tmp_info']);
$loginName = $tp->toDB($loginName, true); $loginName = $tp->toDB($loginName, true);
if ($md5 != $tmpinfo) // This should never happen!
if($md5 != $tmpinfo)
{ {
die('Random mismatch!'); // This should never happen! e107::getRedirect()->redirect(SITEURL);
} }
$newpw = $user_info->generateRandomString(str_repeat('*', rand(8, 12))); // Generate new temporary password // Generate new temporary password
$mdnewpw = $user_info->HashPassword($newpw,$loginName); $newpw = $user_info->generateRandomString(str_repeat('*', rand(8, 12)));
$mdnewpw = $user_info->HashPassword($newpw, $loginName);
// Details for admin log // Details for admin log
$do_log['password_action'] = LAN_FPW21; $do_log['password_action'] = LAN_FPW21;
@@ -172,8 +186,10 @@ if (e_QUERY)
$do_log['user_password'] = $mdnewpw; $do_log['user_password'] = $mdnewpw;
$admin_log->user_audit(USER_AUDIT_PW_RES,$do_log,0,$do_log['user_name']); $admin_log->user_audit(USER_AUDIT_PW_RES,$do_log,0,$do_log['user_name']);
// Update password in database
$sql->update('user', "`user_password`='{$mdnewpw}' WHERE `user_loginname`='".$loginName."' "); $sql->update('user', "`user_password`='{$mdnewpw}' WHERE `user_loginname`='".$loginName."' ");
// Prepare new information to display to user
if((integer) e107::getPref('allowEmailLogin') > 0) if((integer) e107::getPref('allowEmailLogin') > 0)
{ {
// always show email when possible // always show email when possible
@@ -183,30 +199,34 @@ if (e_QUERY)
unset($tmp); unset($tmp);
} }
// Reset login cookie/session (?)
cookie($pref['cookie_name'], '', (time()-2592000)); cookie($pref['cookie_name'], '', (time()-2592000));
$_SESSION[$pref['cookie_name']] = ''; $_SESSION[$pref['cookie_name']] = '';
// Display success message containing new login information
$txt = "<div class='fpw-message'>".LAN_FPW8."</div> $txt = "<div class='fpw-message'>".LAN_FPW8."</div>
<table class='fpw-info'> <table class='fpw-info'>
<tr><td>".LAN_218."</td><td style='font-weight:bold'>{$loginName}</td></tr> <tr><td>".LAN_218."</td><td style='font-weight:bold'>{$loginName}</td></tr>
<tr><td>".LAN_FPW9."</td><td style='font-weight:bold'>{$newpw}</td></tr> <tr><td>".LAN_FPW9."</td><td style='font-weight:bold'>{$newpw}</td></tr>
</table> </table>
<br /><br />".LAN_FPW10." <a href='".e_LOGIN."'>".LAN_FPW11."</a> ".LAN_FPW12; <br /><br />".LAN_FPW10." <a href='".e_LOGIN."'>".LAN_FPW11."</a> ".LAN_FPW12;
fpw_error($txt);
e107::getMessage()->addSuccess($txt);
e107::getRender()->tablerender(LAN_03, e107::getMessage()->render());
require_once(FOOTERF);
exit;
} }
// The password reset code was not found
else else
{ {
fpw_error(LAN_FPW7); // No 'forgot password' entry found fpw_error(LAN_FPW7);
} }
} }
// Request to reset password // Request to reset password
//--------------------------
if (isset($_POST['pwsubmit'])) if (isset($_POST['pwsubmit']))
{ {
// Request for password reset submitted
require_once(e_HANDLER.'mail.php'); require_once(e_HANDLER.'mail.php');
if ($pref['fpwcode'] && extension_loaded('gd')) if ($pref['fpwcode'] && extension_loaded('gd'))
@@ -226,78 +246,92 @@ if (isset($_POST['pwsubmit']))
$query .= (isset($_POST['username'])) ? " AND `user_loginname`='{$clean_username}'" : ""; $query .= (isset($_POST['username'])) ? " AND `user_loginname`='{$clean_username}'" : "";
if($sql->select('user', '*', $query)) if($sql->select('user', '*', $query))
{ // Found user in DB {
// Found user in DB
$row = $sql->fetch(); $row = $sql->fetch();
// Main admin expected to be competent enough to never forget password! (And its a security check - so warn them)
// Sending email to admin alerting them of attempted admin password reset, and redirect user to homepage.
if (($row['user_admin'] == 1) && (($row['user_perms'] == '0') OR ($row['user_perms'] == '0.'))) if (($row['user_admin'] == 1) && (($row['user_perms'] == '0') OR ($row['user_perms'] == '0.')))
{ // Main admin expected to be competent enough to never forget password! (And its a security check - so warn them) {
sendemail($pref['siteadminemail'], LAN_06, LAN_07.' ['.e107::getIPHandler()->getIP(FALSE).'] '.e107::getIPHandler()->getIP(TRUE).' '.LAN_08); sendemail($pref['siteadminemail'], LAN_06, LAN_07.' ['.e107::getIPHandler()->getIP(FALSE).'] '.e107::getIPHandler()->getIP(TRUE).' '.LAN_08);
echo "<script type='text/javascript'>document.location.href='index.php'</script>\n"; e107::getRedirect()->redirect(SITEURL);
die();
} }
switch ($row['user_ban']) // Banned user, or not validated
{ // Banned user, or not validated switch($row['user_ban'])
case USER_BANNED : {
die(); case USER_BANNED:
case USER_VALIDATED : e107::getRedirect()->redirect(SITEURL);
case USER_VALIDATED:
break; break;
default : default:
fpw_error(LAN_FPW22.':'.$row['user_ban']); // Intentionally rather a vague message fpw_error(LAN_02.':'.$row['user_ban']); // Intentionally rather a vague message
exit; exit;
} }
// Check if password reset was already requested
if ($result = $sql->select('tmp', '*', "`tmp_ip` = 'pwreset' AND `tmp_info` LIKE '".$row['user_loginname'].FPW_SEPARATOR."%'")) if ($result = $sql->select('tmp', '*', "`tmp_ip` = 'pwreset' AND `tmp_info` LIKE '".$row['user_loginname'].FPW_SEPARATOR."%'"))
{ {
fpw_error(LAN_FPW4); // Password reset already requested fpw_error(LAN_FPW4);
exit; exit;
} }
// Set unique reset code
mt_srand ((double)microtime() * 1000000); mt_srand ((double)microtime() * 1000000);
$maxran = 1000000; $maxran = 1000000;
$rand_num = mt_rand(0, $maxran); $rand_num = mt_rand(0, $maxran);
$datekey = date('r'); $datekey = date('r');
$rcode = md5($_SERVER['HTTP_USER_AGENT'] . serialize($pref). $rand_num . $datekey); $rcode = md5($_SERVER['HTTP_USER_AGENT'] . serialize($pref). $rand_num . $datekey);
// Prepare email
$link = SITEURL.'fpw.php?'.$rcode; $link = SITEURL.'fpw.php?'.$rcode;
$message = LAN_FPW5.' '.SITENAME.' '.LAN_FPW14.': '.e107::getIPHandler()->getIP(TRUE).".\n\n".LAN_FPW15."\n\n".LAN_FPW16."\n\n".LAN_FPW17."\n\n{$link}"; $message = LAN_FPW5.' '.SITENAME.' '.LAN_FPW14.': '.e107::getIPHandler()->getIP(TRUE).".\n\n".LAN_FPW15."\n\n".LAN_FPW16."\n\n".LAN_FPW17."\n\n{$link}";
$deltime = time()+86400 * 2; //Set timestamp two days ahead so it doesn't get auto-deleted // Set timestamp two days ahead so it doesn't get auto-deleted
$sql->db_Insert('tmp', "'pwreset',{$deltime},'".$row['user_loginname'].FPW_SEPARATOR.$rcode."'"); $deltime = time()+86400 * 2;
// Insert the password reset request into the database
$sql->insert('tmp', "'pwreset',{$deltime},'".$row['user_loginname'].FPW_SEPARATOR.$rcode."'");
// Setup the information to log
$do_log['password_action'] = LAN_FPW18; $do_log['password_action'] = LAN_FPW18;
$do_log['user_id'] = $row['user_id']; $do_log['user_id'] = $row['user_id'];
$do_log['user_name'] = $row['user_name']; $do_log['user_name'] = $row['user_name'];
$do_log['user_loginname'] = $row['user_loginname']; $do_log['user_loginname'] = $row['user_loginname'];
$do_log['activation_code'] = $rcode; $do_log['activation_code'] = $rcode;
if (sendemail($_POST['email'], "".LAN_09."".SITENAME, $message)) // Try to send the email
if(sendemail($_POST['email'], "".LAN_09."".SITENAME, $message))
{ {
$text = "<div style='text-align:center'>".LAN_FPW6."</div>"; e107::getMessage()->addInfo(LAN_FPW6);
$do_log['password_result'] = LAN_FPW20; $do_log['password_result'] = LAN_FPW20;
} }
else else
{ {
$text = "<div style='text-align:center'>".LAN_02."</div>"; //$text = "<div style='text-align:center'>".LAN_02."</div>";
$do_log['password_result'] = LAN_FPW19; $do_log['password_result'] = LAN_FPW19;
fpw_error(LAN_02);
} }
$admin_log->user_audit(USER_AUDIT_PW_RES,$do_log,$row['user_id'],$row['user_name']);
$ns->tablerender(LAN_03, $text); // Log to user audit log
e107::getAdminLog()->user_audit(USER_AUDIT_PW_RES, $do_log, $row['user_id'], $row['user_name']);
$ns->tablerender(LAN_03, $text.e107::getMessage()->render());
require_once(FOOTERF); require_once(FOOTERF);
exit; exit;
} }
else else
{ {
$text = LAN_213; //$text = LAN_213;
$ns->tablerender(LAN_214, "<div style='text-align:center'>".$text."</div>"); //$ns->tablerender(LAN_214, "<div style='text-align:center'>".$text."</div>");
e107::getMessage()->addError(LAN_213);
$ns->tablerender(LAN_214, e107::getMessage()->render());
} }
} }
$sc = array(); $sc = array(); // needed?
/* /*
@@ -314,10 +348,13 @@ if (USE_IMAGECODE)
if(deftrue('BOOTSTRAP')) if(deftrue('BOOTSTRAP'))
{ {
$FPW_TABLE = e107::getCoreTemplate('fpw','form'); // TODO do we want the <form> element outside the template?
$FPW_TABLE = "<form method='post' action='".SITEURL."fpw.php' autocomplete='off'>";
$FPW_TABLE .= e107::getCoreTemplate('fpw','form');
$FPW_TABLE .= "</form>";
$caption = deftrue('LAN_FPW_100',"Forgot your password?"); $caption = deftrue('LAN_FPW_100',"Forgot your password?");
} }
elseif (!$FPW_TABLE) elseif(!$FPW_TABLE)
{ {
require_once (e107::coreTemplatePath('fpw')); //correct way to load a core template. require_once (e107::coreTemplatePath('fpw')); //correct way to load a core template.
$caption = LAN_03; $caption = LAN_03;
@@ -337,9 +374,4 @@ $text = $tp->parseTemplate($FPW_TABLE, true, $sc);
$ns->tablerender($caption, $text); $ns->tablerender($caption, $text);
require_once(FOOTERF); require_once(FOOTERF);
?> ?>