if (!defined('LACONICA')) { exit(1); }
+# You have 24 hours to claim your password
+
+define(MAX_RECOVERY_TIME, 24 * 60 * 60);
+
class RecoverpasswordAction extends Action {
function handle($args) {
}
function check_code() {
+
$code = $this->trimmed('code');
$confirm = Confirm_address::staticGet($code);
- if ($confirm && $confirm->type == 'recover') {
- $user = User::staticGet($confirm->user_id);
- if ($user) {
- $result = $confirm->delete();
- if (!$result) {
- common_log_db_error($confirm, 'DELETE', __FILE__);
- common_server_error(_t('Error with confirmation code.'));
- return;
- }
- $this->set_temp_user($user);
- $this->show_password_form();
- }
+
+ if (!$confirm) {
+ $this->client_error(_t('No such recovery code.'));
+ return;
+ }
+ if ($confirm->address_type != 'recover') {
+ $this->client_error(_t('Not a recovery code.'));
+ return;
}
+
+ $user = User::staticGet($confirm->user_id);
+
+ if (!$user) {
+ $this->server_error(_t('Recovery code for unknown user.'));
+ return;
+ }
+
+ $touched = strtotime($confirm->modified);
+
+ # Burn this code
+
+ $result = $confirm->delete();
+
+ if (!$result) {
+ common_log_db_error($confirm, 'DELETE', __FILE__);
+ common_server_error(_t('Error with confirmation code.'));
+ return;
+ }
+
+ # These should be reaped, but for now we just check mod time
+ # Note: it's still deleted; let's avoid a second attempt!
+
+ if ((time() - $touched) > MAX_RECOVERY_TIME) {
+ $this->client_error(_t('This confirmation code is too old. ' .
+ 'Please start again.'));
+ return;
+ }
+
+ # Success!
+
+ $this->set_temp_user($user);
+ $this->show_password_form();
}
function set_temp_user(&$user) {
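Review bot: check_code validates the code's type, owner and age but never compares `$confirm->address` with the user's current email, even though the request path records the address the code was mailed to (`$confirm->address = $user->email`); if the account's address can change between request and redemption, a code delivered to the old mailbox still unlocks the reset form. Add, after the delete (so the code is still burned) and before the age test, `if ($confirm->address != $user->email) { $this->client_error(_t('Recovery code was not sent to this account\'s current address.')); return; }`. The age test keys off `modified`, so any later UPDATE to the row, if one can happen, silently extends the 24-hour window; the existing comment already hints that a creation timestamp or reaper would be the safer anchor. `MAX_RECOVERY_TIME`, used in that test, is declared earlier in the patch with a bare-word name (`define(MAX_RECOVERY_TIME, ...)`), which only works through PHP's undefined-constant-to-string fallback and fails on PHP 8; quote it: `define('MAX_RECOVERY_TIME', 24 * 60 * 60);`.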
common_element('div', 'error', $msg);
} else {
common_element('div', 'instructions',
- _t('You\ve been identified . Enter a ' .
+ _t('You\'ve been identified. Enter a ' .
' new password below. '));
}
}
common_show_header(_t('Recover password'), NULL,
$msg, array($this, 'show_top'));
- common_element_start('form', array('method' => 'POST',
+ common_element_start('form', array('method' => 'post',
'id' => 'recoverpassword',
'action' => common_local_url('recoverpassword')));
common_input('nicknameoremail', _t('Nickname or email'),
common_show_header(_t('Reset password'), NULL,
$msg, array($this, 'show_password_top'));
- common_element_start('form', array('method' => 'POST',
+ common_element_start('form', array('method' => 'post',
'id' => 'recoverpassword',
'action' => common_local_url('recoverpassword')));
common_password('newpassword', _t('New password'),
$confirm = new Confirm_address();
$confirm->code = common_confirmation_code(128);
- $confirm->type = 'recover';
+ $confirm->address_type = 'recover';
$confirm->user_id = $user->id;
$confirm->address = $user->email;
$this->client_error(_t('Unexpected password reset.'));
return;
}
- $password = $this->trimmed('password');
+
+ $newpassword = $this->trimmed('newpassword');
$confirm = $this->trimmed('confirm');
- if (!$password || strlen($password) < 6) {
+
+ if (!$newpassword || strlen($newpassword) < 6) {
$this->show_password_form(_t('Password must be 6 chars or more.'));
return;
}
- if ($password != $confirm) {
+ if ($newpassword != $confirm) {
$this->show_password_form(_t('Password and confirmation do not match.'));
return;
}
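Review bot: The confirmation check `if ($newpassword != $confirm)` is a loose comparison, so two different numeric strings (e.g. `1000` and `1e3`) compare equal and a mistyped confirmation is accepted; use `if ($newpassword !== $confirm)`. The length floor `strlen($newpassword) < 6` counts bytes, which is acceptable as a lower bound but 6 is short by current guidance; raising it is a policy choice rather than a defect. The enclosing function starts before this hunk and continues past it (the hashing and save are not visible), so the rest of the reset flow is not reviewed here.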