2de0f01dce
The algorithm is highly inspired from WordPress : 1) in a single field, you give a username or an email 2) Piwigo sends an email with the activation key 3) the user clicks on the link in the email (with the activation key) and is able to set a new password The "lost password" feature is no longer limited to "classic" users: administrators and webmasters can use it too (no need to tell webmasters that they can only change their password in the database) git-svn-id: http://piwigo.org/svn/trunk@11992 68402e56-0260-453c-a942-63ccdbb3a9ee
370 lines
11 KiB
PHP
370 lines
11 KiB
PHP
<?php
|
|
// +-----------------------------------------------------------------------+
|
|
// | Piwigo - a PHP based photo gallery |
|
|
// +-----------------------------------------------------------------------+
|
|
// | Copyright(C) 2008-2011 Piwigo Team http://piwigo.org |
|
|
// | Copyright(C) 2003-2008 PhpWebGallery Team http://phpwebgallery.net |
|
|
// | Copyright(C) 2002-2003 Pierrick LE GALL http://le-gall.net/pierrick |
|
|
// +-----------------------------------------------------------------------+
|
|
// | This program is free software; you can redistribute it and/or modify |
|
|
// | it under the terms of the GNU General Public License as published by |
|
|
// | the Free Software Foundation |
|
|
// | |
|
|
// | This program is distributed in the hope that it will be useful, but |
|
|
// | WITHOUT ANY WARRANTY; without even the implied warranty of |
|
|
// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
|
|
// | General Public License for more details. |
|
|
// | |
|
|
// | You should have received a copy of the GNU General Public License |
|
|
// | along with this program; if not, write to the Free Software |
|
|
// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
|
|
// | USA. |
|
|
// +-----------------------------------------------------------------------+
|
|
|
|
// +-----------------------------------------------------------------------+
|
|
// | initialization |
|
|
// +-----------------------------------------------------------------------+
|
|
|
|
define('PHPWG_ROOT_PATH','./');
|
|
include_once( PHPWG_ROOT_PATH.'include/common.inc.php' );
|
|
include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
|
|
|
|
// +-----------------------------------------------------------------------+
|
|
// | Check Access and exit when user status is not ok |
|
|
// +-----------------------------------------------------------------------+
|
|
|
|
check_status(ACCESS_FREE);
|
|
|
|
// +-----------------------------------------------------------------------+
|
|
// | Functions |
|
|
// +-----------------------------------------------------------------------+
|
|
|
|
/**
|
|
* checks the validity of input parameters, fills $page['errors'] and
|
|
* $page['infos'] and send an email with confirmation link
|
|
*
|
|
* @return bool (true if email was sent, false otherwise)
|
|
*/
|
|
function process_password_request()
|
|
{
|
|
global $page, $conf;
|
|
|
|
if (empty($_POST['username_or_email']))
|
|
{
|
|
array_push($page['errors'], l10n('Enter a username or email address'));
|
|
return false;
|
|
}
|
|
|
|
$user_id = get_userid_by_email($_POST['username_or_email']);
|
|
|
|
if (!is_numeric($user_id))
|
|
{
|
|
$user_id = get_userid($_POST['username_or_email']);
|
|
}
|
|
|
|
if (!is_numeric($user_id))
|
|
{
|
|
array_push($page['errors'], l10n('Invalid username or email'));
|
|
return false;
|
|
}
|
|
|
|
$userdata = getuserdata($user_id, false);
|
|
|
|
// password request is not possible for guest/generic users
|
|
$status = $userdata['status'];
|
|
if (is_a_guest($status) or is_generic($status))
|
|
{
|
|
array_push($page['errors'], l10n('Password reset is not allowed for this user'));
|
|
return false;
|
|
}
|
|
|
|
if (empty($userdata['email']))
|
|
{
|
|
array_push(
|
|
$page['errors'],
|
|
sprintf(
|
|
l10n('User "%s" has no email address, password reset is not possible'),
|
|
$userdata['username']
|
|
)
|
|
);
|
|
return false;
|
|
}
|
|
|
|
if (empty($userdata['activation_key']))
|
|
{
|
|
$activation_key = get_user_activation_key();
|
|
|
|
single_update(
|
|
USER_INFOS_TABLE,
|
|
array('activation_key' => $activation_key),
|
|
array('user_id' => $user_id)
|
|
);
|
|
|
|
$userdata['activation_key'] = $activation_key;
|
|
}
|
|
|
|
set_make_full_url();
|
|
|
|
$message = l10n('Someone requested that the password be reset for the following user account:') . "\r\n\r\n";
|
|
$message.= sprintf(
|
|
l10n('Username "%s" on gallery %s'),
|
|
$userdata['username'],
|
|
get_gallery_home_url()
|
|
);
|
|
$message.= "\r\n\r\n";
|
|
$message.= l10n('To reset your password, visit the following address:') . "\r\n";
|
|
$message.= get_gallery_home_url().'/password.php?key='.$userdata['activation_key']."\r\n\r\n";
|
|
$message.= l10n('If this was a mistake, just ignore this email and nothing will happen.')."\r\n";
|
|
|
|
unset_make_full_url();
|
|
|
|
$message = trigger_event('render_lost_password_mail_content', $message);
|
|
|
|
$email_params = array(
|
|
'subject' => '['.$conf['gallery_title'].'] '.l10n('Password Reset'),
|
|
'content' => $message,
|
|
'email_format' => 'text/plain',
|
|
);
|
|
|
|
if (pwg_mail($userdata['email'], $email_params))
|
|
{
|
|
array_push($page['infos'], l10n('Check your email for the confirmation link'));
|
|
return true;
|
|
}
|
|
else
|
|
{
|
|
array_push($page['errors'], l10n('Error sending email'));
|
|
return false;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* checks the activation key: does it match the expected pattern? is it
|
|
* linked to a user? is this user allowed to reset his password?
|
|
*
|
|
* @return mixed (user_id if OK, false otherwise)
|
|
*/
|
|
function check_password_reset_key($key)
|
|
{
|
|
global $page;
|
|
|
|
if (!preg_match('/^[a-z0-9]{20}$/i', $key))
|
|
{
|
|
array_push($page['errors'], l10n('Invalid key'));
|
|
return false;
|
|
}
|
|
|
|
$query = '
|
|
SELECT
|
|
user_id,
|
|
status
|
|
FROM '.USER_INFOS_TABLE.'
|
|
WHERE activation_key = \''.$key.'\'
|
|
;';
|
|
$result = pwg_query($query);
|
|
|
|
if (pwg_db_num_rows($result) == 0)
|
|
{
|
|
array_push($page['errors'], l10n('Invalid key'));
|
|
return false;
|
|
}
|
|
|
|
$userdata = pwg_db_fetch_assoc($result);
|
|
|
|
if (is_a_guest($userdata['status']) or is_generic($userdata['status']))
|
|
{
|
|
array_push($page['errors'], l10n('Password reset is not allowed for this user'));
|
|
return false;
|
|
}
|
|
|
|
return $userdata['user_id'];
|
|
}
|
|
|
|
/**
|
|
* checks the passwords, checks that user is allowed to reset his password,
|
|
* update password, fills $page['errors'] and $page['infos'].
|
|
*
|
|
* @return bool (true if password was reset, false otherwise)
|
|
*/
|
|
function reset_password()
|
|
{
|
|
global $page, $user, $conf;
|
|
|
|
if ($_POST['use_new_pwd'] != $_POST['passwordConf'])
|
|
{
|
|
array_push($page['errors'], l10n('The passwords do not match'));
|
|
return false;
|
|
}
|
|
|
|
if (isset($_GET['key']))
|
|
{
|
|
$user_id = check_password_reset_key($_GET['key']);
|
|
if (!is_numeric($user_id))
|
|
{
|
|
array_push($page['errors'], l10n('Invalid key'));
|
|
return false;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
// we check the currently logged in user
|
|
if (is_a_guest() or is_generic())
|
|
{
|
|
array_push($page['errors'], l10n('Password reset is not allowed for this user'));
|
|
return false;
|
|
}
|
|
|
|
$user_id = $user['id'];
|
|
}
|
|
|
|
single_update(
|
|
USERS_TABLE,
|
|
array($conf['user_fields']['password'] => $conf['pass_convert']($_POST['use_new_pwd'])),
|
|
array($conf['user_fields']['id'] => $user_id)
|
|
);
|
|
|
|
array_push($page['infos'], l10n('Your password has been reset'));
|
|
|
|
if (isset($_GET['key']))
|
|
{
|
|
array_push($page['infos'], '<a href="'.get_root_url().'identification.php">'.l10n('Login').'</a>');
|
|
}
|
|
else
|
|
{
|
|
array_push($page['infos'], '<a href="'.get_gallery_home_url().'">'.l10n('Return to home page').'</a>');
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
// +-----------------------------------------------------------------------+
|
|
// | Process form |
|
|
// +-----------------------------------------------------------------------+
|
|
|
|
$page['errors'] = array();
|
|
$page['infos'] = array();
|
|
|
|
if (isset($_POST['submit']))
|
|
{
|
|
check_pwg_token();
|
|
|
|
if ('lost' == $_GET['action'])
|
|
{
|
|
if (process_password_request())
|
|
{
|
|
$page['action'] = 'none';
|
|
}
|
|
}
|
|
|
|
if ('reset' == $_GET['action'])
|
|
{
|
|
if (reset_password())
|
|
{
|
|
$page['action'] = 'none';
|
|
}
|
|
}
|
|
}
|
|
|
|
// +-----------------------------------------------------------------------+
|
|
// | key and action |
|
|
// +-----------------------------------------------------------------------+
|
|
|
|
// a connected user can't reset the password from a mail
|
|
if (isset($_GET['key']) and !is_a_guest())
|
|
{
|
|
unset($_GET['key']);
|
|
}
|
|
|
|
if (isset($_GET['key']))
|
|
{
|
|
$user_id = check_password_reset_key($_GET['key']);
|
|
if (is_numeric($user_id))
|
|
{
|
|
$userdata = getuserdata($user_id, false);
|
|
$page['username'] = $userdata['username'];
|
|
$template->assign('key', $_GET['key']);
|
|
|
|
if (!isset($page['action']))
|
|
{
|
|
$page['action'] = 'reset';
|
|
}
|
|
}
|
|
else
|
|
{
|
|
$page['action'] = 'none';
|
|
}
|
|
}
|
|
|
|
if (!isset($page['action']))
|
|
{
|
|
if (!isset($_GET['action']))
|
|
{
|
|
$page['action'] = 'lost';
|
|
}
|
|
elseif (in_array($_GET['action'], array('lost', 'reset', 'none')))
|
|
{
|
|
$page['action'] = $_GET['action'];
|
|
}
|
|
}
|
|
|
|
if ('reset' == $page['action'] and !isset($_GET['key']) and (is_a_guest() or is_generic()))
|
|
{
|
|
redirect(get_gallery_home_url());
|
|
}
|
|
|
|
if ('lost' == $page['action'] and !is_a_guest())
|
|
{
|
|
redirect(get_gallery_home_url());
|
|
}
|
|
|
|
// +-----------------------------------------------------------------------+
|
|
// | template initialization |
|
|
// +-----------------------------------------------------------------------+
|
|
|
|
$title = l10n('Reset Password');
|
|
if ('lost' == $page['action'])
|
|
{
|
|
$title = l10n('Forgot your password?');
|
|
|
|
if (isset($_POST['username_or_email']))
|
|
{
|
|
$template->assign('username_or_email', stripslashes($_POST['username_or_email']));
|
|
}
|
|
}
|
|
|
|
$page['body_id'] = 'thePasswordPage';
|
|
|
|
$template->set_filenames(array('password'=>'password.tpl'));
|
|
$template->assign(
|
|
array(
|
|
'title' => $title,
|
|
'form_action'=> get_root_url().'password.php',
|
|
'action' => $page['action'],
|
|
'username' => isset($page['username']) ? $page['username'] : $user['username'],
|
|
'PWG_TOKEN' => get_pwg_token(),
|
|
)
|
|
);
|
|
|
|
// +-----------------------------------------------------------------------+
|
|
// | infos & errors display |
|
|
// +-----------------------------------------------------------------------+
|
|
|
|
$template->assign('errors', $page['errors']);
|
|
$template->assign('infos', $page['infos']);
|
|
|
|
// include menubar
|
|
$themeconf = $template->get_template_vars('themeconf');
|
|
if (!isset($themeconf['hide_menu_on']) OR !in_array('thePasswordPage', $themeconf['hide_menu_on']))
|
|
{
|
|
include( PHPWG_ROOT_PATH.'include/menubar.inc.php');
|
|
}
|
|
|
|
// +-----------------------------------------------------------------------+
|
|
// | html code display |
|
|
// +-----------------------------------------------------------------------+
|
|
|
|
include(PHPWG_ROOT_PATH.'include/page_header.php');
|
|
$template->pparse('password');
|
|
include(PHPWG_ROOT_PATH.'include/page_tail.php');
|
|
|
|
?>
|