diff options
| author | Andrew Dolgov <[email protected]> | 2014-03-09 11:17:29 +0400 |
|---|---|---|
| committer | Andrew Dolgov <[email protected]> | 2014-03-09 11:17:29 +0400 |
| commit | 5303f9a71a040b25574e12c05dac875e03de6f85 (patch) | |
| tree | faf5447621d018038b692493c197f63bccba0d8a /classes/handler | |
| parent | 3b19a53acf9e2ec70f9e0498fc55134798ffde8f (diff) | |
rework password reset to work through temporary link
Diffstat (limited to 'classes/handler')
| -rw-r--r-- | classes/handler/public.php | 89 |
1 files changed, 84 insertions, 5 deletions
diff --git a/classes/handler/public.php b/classes/handler/public.php index 4c5a5136a..1a586fe7a 100644 --- a/classes/handler/public.php +++ b/classes/handler/public.php @@ -709,6 +709,8 @@ class Handler_Public extends Handler { function forgotpass() { startup_gettext(); + @$hash = $_REQUEST["hash"]; + header('Content-Type: text/html; charset=utf-8'); print "<html><head><title>Tiny Tiny RSS</title> <link rel=\"shortcut icon\" type=\"image/png\" href=\"images/favicon.png\"> @@ -726,8 +728,45 @@ class Handler_Public extends Handler { @$method = $_POST['method']; - if (!$method) { - print_notice(__("You will need to provide valid account name and email. New password will be sent on your email address.")); + if ($hash) { + $login = $_REQUEST["login"]; + + if ($login) { + $result = $this->dbh->query("SELECT id, resetpass_token FROM ttrss_users + WHERE login = '$login'"); + + if ($this->dbh->num_rows($result) != 0) { + $id = $this->dbh->fetch_result($result, 0, "id"); + $resetpass_token_full = $this->dbh->fetch_result($result, 0, "resetpass_token"); + list($timestamp, $resetpass_token) = explode(":", $resetpass_token_full); + + if ($timestamp && $resetpass_token && + $timestamp >= time() - 15*60*60 && + $resetpass_token == $hash) { + + $result = $this->dbh->query("UPDATE ttrss_users SET resetpass_token = NULL + WHERE id = $id"); + + Pref_Users::resetUserPassword($id, true); + + print "<p>"."Completed."."</p>"; + + } else { + print_error("Some of the information provided is missing or incorrect."); + } + } else { + print_error("Some of the information provided is missing or incorrect."); + } + } else { + print_error("Some of the information provided is missing or incorrect."); + } + + print "<form method=\"GET\" action=\"index.php\"> + <input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\"> + </form>"; + + } else if (!$method) { + print_notice(__("You will need to provide valid account name and email. A password reset link will be sent to your email address.")); print "<form method='POST' action='public.php'>"; print "<input type='hidden' name='method' value='do'>"; @@ -768,17 +807,57 @@ class Handler_Public extends Handler { } else { + print_notice("Password reset instructions are being sent to your email address."); + $result = $this->dbh->query("SELECT id FROM ttrss_users WHERE login = '$login' AND email = '$email'"); if ($this->dbh->num_rows($result) != 0) { $id = $this->dbh->fetch_result($result, 0, "id"); - Pref_Users::resetUserPassword($id, false); + if ($id) { + $resetpass_token = sha1(get_random_bytes(128)); + $resetpass_link = get_self_url_prefix() . "/public.php?op=forgotpass&hash=" . $resetpass_token . + "&login=" . urlencode($login); + + require_once 'classes/ttrssmailer.php'; + require_once "lib/MiniTemplator.class.php"; + + $tpl = new MiniTemplator; + + $tpl->readTemplateFromFile("templates/resetpass_link_template.txt"); + + $tpl->setVariable('LOGIN', $login); + $tpl->setVariable('RESETPASS_LINK', $resetpass_link); + + $tpl->addBlock('message'); + + $message = ""; + + $tpl->generateOutputToString($message); - print "<p>"; + $mail = new ttrssMailer(); - print "<p>"."Completed."."</p>"; + $rc = $mail->quickMail($email, $login, + __("[tt-rss] Password reset request"), + $message, false); + + if (!$rc) print_error($mail->ErrorInfo); + + $resetpass_token_full = $this->dbh->escape_string(time() . ":" . $resetpass_token); + + $result = $this->dbh->query("UPDATE ttrss_users + SET resetpass_token = '$resetpass_token_full' + WHERE login = '$login' AND email = '$email'"); + + //Pref_Users::resetUserPassword($id, false); + + print "<p>"; + + print "<p>"."Completed."."</p>"; + } else { + print_error("User ID not found."); + } print "<form method=\"GET\" action=\"index.php\"> <input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\"> |