aboutsummaryrefslogtreecommitdiffstats
path: root/password.php
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--password.php374
1 files changed, 287 insertions, 87 deletions
diff --git a/password.php b/password.php
index acbeedd19..d53df09a6 100644
--- a/password.php
+++ b/password.php
@@ -32,124 +32,323 @@ include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
// +-----------------------------------------------------------------------+
// | Check Access and exit when user status is not ok |
// +-----------------------------------------------------------------------+
+
check_status(ACCESS_FREE);
// +-----------------------------------------------------------------------+
-// | send a new password |
+// | Functions |
// +-----------------------------------------------------------------------+
-$page['errors'] = array();
-$page['infos'] = array();
+/**
+ * checks the validity of input parameters, fills $page['errors'] and
+ * $page['infos'] and send an email with confirmation link
+ *
+ * @return bool (true if email was sent, false otherwise)
+ */
+function process_password_request()
+{
+ global $page, $conf;
+
+ if (empty($_POST['username_or_email']))
+ {
+ array_push($page['errors'], l10n('Enter a username or email address'));
+ return false;
+ }
+
+ $user_id = get_userid_by_email($_POST['username_or_email']);
+
+ if (!is_numeric($user_id))
+ {
+ $user_id = get_userid($_POST['username_or_email']);
+ }
-if (isset($_POST['submit']))
+ if (!is_numeric($user_id))
+ {
+ array_push($page['errors'], l10n('Invalid username or email'));
+ return false;
+ }
+
+ $userdata = getuserdata($user_id, false);
+
+ // password request is not possible for guest/generic users
+ $status = $userdata['status'];
+ if (is_a_guest($status) or is_generic($status))
+ {
+ array_push($page['errors'], l10n('Password reset is not allowed for this user'));
+ return false;
+ }
+
+ if (empty($userdata['email']))
+ {
+ array_push(
+ $page['errors'],
+ sprintf(
+ l10n('User "%s" has no email address, password reset is not possible'),
+ $userdata['username']
+ )
+ );
+ return false;
+ }
+
+ if (empty($userdata['activation_key']))
+ {
+ $activation_key = get_user_activation_key();
+
+ single_update(
+ USER_INFOS_TABLE,
+ array('activation_key' => $activation_key),
+ array('user_id' => $user_id)
+ );
+
+ $userdata['activation_key'] = $activation_key;
+ }
+
+ set_make_full_url();
+
+ $message = l10n('Someone requested that the password be reset for the following user account:') . "\r\n\r\n";
+ $message.= sprintf(
+ l10n('Username "%s" on gallery %s'),
+ $userdata['username'],
+ get_gallery_home_url()
+ );
+ $message.= "\r\n\r\n";
+ $message.= l10n('To reset your password, visit the following address:') . "\r\n";
+ $message.= get_gallery_home_url().'/password.php?key='.$userdata['activation_key']."\r\n\r\n";
+ $message.= l10n('If this was a mistake, just ignore this email and nothing will happen.')."\r\n";
+
+ unset_make_full_url();
+
+ $message = trigger_event('render_lost_password_mail_content', $message);
+
+ $email_params = array(
+ 'subject' => '['.$conf['gallery_title'].'] '.l10n('Password Reset'),
+ 'content' => $message,
+ 'email_format' => 'text/plain',
+ );
+
+ if (pwg_mail($userdata['email'], $email_params))
+ {
+ array_push($page['infos'], l10n('Check your email for the confirmation link'));
+ return true;
+ }
+ else
+ {
+ array_push($page['errors'], l10n('Error sending email'));
+ return false;
+ }
+}
+
+/**
+ * checks the activation key: does it match the expected pattern? is it
+ * linked to a user? is this user allowed to reset his password?
+ *
+ * @return mixed (user_id if OK, false otherwise)
+ */
+function check_password_reset_key($key)
{
- $mailto =
- '<a href="mailto:'.get_webmaster_mail_address().'">'
- .l10n('Contact webmaster')
- .'</a>'
- ;
+ global $page;
+
+ if (!preg_match('/^[a-z0-9]{20}$/i', $key))
+ {
+ array_push($page['errors'], l10n('Invalid key'));
+ return false;
+ }
- if (isset($_POST['no_mail_address']) and $_POST['no_mail_address'] == 1)
+ $query = '
+SELECT
+ user_id,
+ status
+ FROM '.USER_INFOS_TABLE.'
+ WHERE activation_key = \''.$key.'\'
+;';
+ $result = pwg_query($query);
+
+ if (pwg_db_num_rows($result) == 0)
{
- array_push($page['infos'], l10n('Email address is missing. Please specify an email address.'));
- array_push($page['infos'], $mailto);
+ array_push($page['errors'], l10n('Invalid key'));
+ return false;
}
- else if (isset($_POST['mail_address']) and !empty($_POST['mail_address']))
+
+ $userdata = pwg_db_fetch_assoc($result);
+
+ if (is_a_guest($userdata['status']) or is_generic($userdata['status']))
{
- $mail_address = pwg_db_real_escape_string($_POST['mail_address']);
+ array_push($page['errors'], l10n('Password reset is not allowed for this user'));
+ return false;
+ }
+
+ return $userdata['user_id'];
+}
+
+/**
+ * checks the passwords, checks that user is allowed to reset his password,
+ * update password, fills $page['errors'] and $page['infos'].
+ *
+ * @return bool (true if password was reset, false otherwise)
+ */
+function reset_password()
+{
+ global $page, $user, $conf;
+
+ if ($_POST['use_new_pwd'] != $_POST['passwordConf'])
+ {
+ array_push($page['errors'], l10n('The passwords do not match'));
+ return false;
+ }
+
+ if (isset($_GET['key']))
+ {
+ $user_id = check_password_reset_key($_GET['key']);
+ if (!is_numeric($user_id))
+ {
+ array_push($page['errors'], l10n('Invalid key'));
+ return false;
+ }
+ }
+ else
+ {
+ // we check the currently logged in user
+ if (is_a_guest() or is_generic())
+ {
+ array_push($page['errors'], l10n('Password reset is not allowed for this user'));
+ return false;
+ }
+
+ $user_id = $user['id'];
+ }
- $query = '
-SELECT '.$conf['user_fields']['id'].' AS id
- , '.$conf['user_fields']['username'].' AS username
- , '.$conf['user_fields']['email'].' AS email
-FROM '.USERS_TABLE.' as u
- INNER JOIN '.USER_INFOS_TABLE.' AS ui
- ON u.'.$conf['user_fields']['id'].' = ui.user_id
-WHERE '.$conf['user_fields']['email'].' = \''.$mail_address.'\'
- AND ui.status = \'normal\'
-;';
- $result = pwg_query($query);
+ single_update(
+ USERS_TABLE,
+ array($conf['user_fields']['password'] => $conf['pass_convert']($_POST['use_new_pwd'])),
+ array($conf['user_fields']['id'] => $user_id)
+ );
- if (pwg_db_num_rows($result) > 0)
+ array_push($page['infos'], l10n('Your password has been reset'));
+
+ if (isset($_GET['key']))
+ {
+ array_push($page['infos'], '<a href="'.get_root_url().'identification.php">'.l10n('Login').'</a>');
+ }
+ else
+ {
+ array_push($page['infos'], '<a href="'.get_gallery_home_url().'">'.l10n('Return to home page').'</a>');
+ }
+
+ return true;
+}
+
+// +-----------------------------------------------------------------------+
+// | Process form |
+// +-----------------------------------------------------------------------+
+
+$page['errors'] = array();
+$page['infos'] = array();
+
+if (isset($_POST['submit']))
+{
+ check_pwg_token();
+
+ if ('lost' == $_GET['action'])
+ {
+ if (process_password_request())
+ {
+ $page['action'] = 'none';
+ }
+ }
+
+ if ('reset' == $_GET['action'])
+ {
+ if (reset_password())
{
- $error_on_mail = false;
- $datas = array();
-
- while ($row = pwg_db_fetch_assoc($result))
- {
- $new_password = generate_key(6);
-
- $infos =
- l10n('Username').': '.stripslashes($row['username'])
- ."\n".l10n('Password').': '.$new_password
- ;
-
- $infos = trigger_event('render_lost_password_mail_content', $infos);
-
- if (pwg_mail($row['email'],
- array('subject' => l10n('password updated'), 'content' => $infos)))
- {
- $data =
- array(
- $conf['user_fields']['id']
- => $row['id'],
-
- $conf['user_fields']['password']
- => $conf['pass_convert']($new_password)
- );
-
- array_push($datas, $data);
- }
- else
- {
- $error_on_mail = true;
- }
- }
-
- if ($error_on_mail)
- {
- array_push($page['errors'], l10n('Error sending email'));
- array_push($page['errors'], $mailto);
- }
- else
- {
- include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
- mass_updates(
- USERS_TABLE,
- array(
- 'primary' => array($conf['user_fields']['id']),
- 'update' => array($conf['user_fields']['password'])
- ),
- $datas
- );
-
- array_push($page['infos'], l10n('New password sent by email'));
- }
+ $page['action'] = 'none';
}
- else
+ }
+}
+
+// +-----------------------------------------------------------------------+
+// | key and action |
+// +-----------------------------------------------------------------------+
+
+// a connected user can't reset the password from a mail
+if (isset($_GET['key']) and !is_a_guest())
+{
+ unset($_GET['key']);
+}
+
+if (isset($_GET['key']))
+{
+ $user_id = check_password_reset_key($_GET['key']);
+ if (is_numeric($user_id))
+ {
+ $userdata = getuserdata($user_id, false);
+ $page['username'] = $userdata['username'];
+ $template->assign('key', $_GET['key']);
+
+ if (!isset($page['action']))
{
- array_push($page['errors'], l10n('No classic user matches this email address'));
- array_push($page['errors'], l10n('Administrator, webmaster and special user cannot use this method'));
- array_push($page['errors'], $mailto);
+ $page['action'] = 'reset';
}
}
+ else
+ {
+ $page['action'] = 'none';
+ }
+}
+
+if (!isset($page['action']))
+{
+ if (!isset($_GET['action']))
+ {
+ $page['action'] = 'lost';
+ }
+ elseif (in_array($_GET['action'], array('lost', 'reset', 'none')))
+ {
+ $page['action'] = $_GET['action'];
+ }
+}
+
+if ('reset' == $page['action'] and !isset($_GET['key']) and (is_a_guest() or is_generic()))
+{
+ redirect(get_gallery_home_url());
+}
+
+if ('lost' == $page['action'] and !is_a_guest())
+{
+ redirect(get_gallery_home_url());
}
// +-----------------------------------------------------------------------+
-// | template initialization |
+// | template initialization |
// +-----------------------------------------------------------------------+
-$title = l10n('Forgot your password?');
+$title = l10n('Reset Password');
+if ('lost' == $page['action'])
+{
+ $title = l10n('Forgot your password?');
+
+ if (isset($_POST['username_or_email']))
+ {
+ $template->assign('username_or_email', stripslashes($_POST['username_or_email']));
+ }
+}
+
$page['body_id'] = 'thePasswordPage';
$template->set_filenames(array('password'=>'password.tpl'));
-$template->assign( array(
- 'F_ACTION'=> get_root_url().'password.php'
+$template->assign(
+ array(
+ 'title' => $title,
+ 'form_action'=> get_root_url().'password.php',
+ 'action' => $page['action'],
+ 'username' => isset($page['username']) ? $page['username'] : $user['username'],
+ 'PWG_TOKEN' => get_pwg_token(),
)
);
+
// +-----------------------------------------------------------------------+
// | infos & errors display |
// +-----------------------------------------------------------------------+
+
$template->assign('errors', $page['errors']);
$template->assign('infos', $page['infos']);
@@ -163,6 +362,7 @@ if (!isset($themeconf['hide_menu_on']) OR !in_array('thePasswordPage', $themecon
// +-----------------------------------------------------------------------+
// | html code display |
// +-----------------------------------------------------------------------+
+
include(PHPWG_ROOT_PATH.'include/page_header.php');
$template->pparse('password');
include(PHPWG_ROOT_PATH.'include/page_tail.php');