X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=actions%2Frecoverpassword.php;h=06a7f62c8aa796d591c4a4fd0f0135cd86852ed9;hb=69c8fe060fb830e22030022567fd2f9459e95fd7;hp=8bcfa9755cd8ea85470a732922a111eea46e950e;hpb=589a6c05f7dda6e365298fb0854700a94853bb1a;p=quix0rs-gnu-social.git
diff --git a/actions/recoverpassword.php b/actions/recoverpassword.php
index 8bcfa9755c..06a7f62c8a 100644
--- a/actions/recoverpassword.php
+++ b/actions/recoverpassword.php
@@ -19,6 +19,10 @@ if (!defined('LACONICA')) { exit(1); }
+# You have 24 hours to claim your password
+
+define(MAX_RECOVERY_TIME, 24 * 60 * 60);
+
 class RecoverpasswordAction extends Action {
     function handle($args) {
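Review bot: `define(MAX_RECOVERY_TIME, 24 * 60 * 60);` passes the constant name as a bare identifier instead of a string; PHP only resolves an undefined bare constant to its own name with a notice (a deprecation warning on 7.2+, and an Error on PHP 8), so the line should read `define('MAX_RECOVERY_TIME', 24 * 60 * 60);`. The comment above it says 24 hours but not the unit the constant is in; `# Recovery codes expire after this many seconds (24 hours)` would make the later `time() - $touched` comparison self-explanatory.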
@@ -44,21 +48,51 @@ class RecoverpasswordAction extends Action {
     }
     function check_code() {
+        $code = $this->trimmed('code');
         $confirm = Confirm_address::staticGet($code);
-        if ($confirm && $confirm->type == 'recover') {
-            $user = User::staticGet($confirm->user_id);
-            if ($user) {
-                $result = $confirm->delete();
-                if (!$result) {
-                    common_log_db_error($confirm, 'DELETE', __FILE__);
-                    common_server_error(_t('Error with confirmation code.'));
-                    return;
-                }
-                $this->set_temp_user($user);
-                $this->show_password_form();
-            }
+
+        if (!$confirm) {
+            $this->client_error(_t('No such recovery code.'));
+            return;
+        }
+        if ($confirm->address_type != 'recover') {
+            $this->client_error(_t('Not a recovery code.'));
+            return;
         }
+
+        $user = User::staticGet($confirm->user_id);
+
+        if (!$user) {
+            $this->server_error(_t('Recovery code for unknown user.'));
+            return;
+        }
+
+        $touched = strtotime($confirm->modified);
+
+        # Burn this code
+
+        $result = $confirm->delete();
+
+        if (!$result) {
+            common_log_db_error($confirm, 'DELETE', __FILE__);
+            common_server_error(_t('Error with confirmation code.'));
+            return;
+        }
+
+        # These should be reaped, but for now we just check mod time
+        # Note: it's still deleted; let's avoid a second attempt!
+
+        if ((time() - $touched) > MAX_RECOVERY_TIME) {
+            $this->client_error(_t('This confirmation code is too old. ' .
+                                   'Please start again.'));
+            return;
+        }
+
+        # Success!
+
+        $this->set_temp_user($user);
+        $this->show_password_form();
     }
     function set_temp_user(&$user) {
@@ -82,7 +116,7 @@ class RecoverpasswordAction extends Action {
     function show_top($msg=NULL) {
         if ($msg) {
-            $this->message($msg, $success);
+            common_element('div', 'error', $msg);
         } else {
             common_element('div', 'instructions',
                            _t('If you\'ve forgotten or lost your' .
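Review bot: `$touched = strtotime($confirm->modified);` in check_code is never checked for failure; if `modified` is empty or in a format strtotime does not accept, `$touched` is `false`, `time() - false` evaluates to `time()`, and the code is rejected as too old only by accident. Make the fail-closed path explicit: `if ($touched === false || (time() - $touched) > MAX_RECOVERY_TIME) {`. The expiry is also measured from `modified` rather than from when the code was issued, so any later write to the row would silently extend the 24-hour window; worth confirming against the Confirm_address schema, or at least stating it in the comment, e.g. `# expiry is measured from the row's last write, not its creation`.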
@@ -94,10 +128,10 @@ class RecoverpasswordAction extends Action {
     function show_password_top($msg=NULL) {
         if ($msg) {
-            $this->message($msg, $success);
+            common_element('div', 'error', $msg);
         } else {
             common_element('div', 'instructions',
-                           _t('You\ve been identified . Enter a ' .
+                           _t('You\'ve been identified. Enter a ' .
                               ' new password below. '));
         }
     }
@@ -107,7 +141,7 @@ class RecoverpasswordAction extends Action {
         common_show_header(_t('Recover password'), NULL, $msg, array($this, 'show_top'));
-        common_element_start('form', array('method' => 'POST',
+        common_element_start('form', array('method' => 'post',
                                            'id' => 'recoverpassword', 'action' => common_local_url('recoverpassword')));
         common_input('nicknameoremail', _t('Nickname or email'),
@@ -124,7 +158,7 @@ class RecoverpasswordAction extends Action {
         common_show_header(_t('Reset password'), NULL, $msg, array($this, 'show_password_top'));
-        common_element_start('form', array('method' => 'POST',
+        common_element_start('form', array('method' => 'post',
                                            'id' => 'recoverpassword', 'action' => common_local_url('recoverpassword')));
         common_password('newpassword', _t('New password'),
@@ -158,7 +192,7 @@ class RecoverpasswordAction extends Action {
         $confirm = new Confirm_address();
         $confirm->code = common_confirmation_code(128);
-        $confirm->type = 'recover';
+        $confirm->address_type = 'recover';
         $confirm->user_id = $user->id;
         $confirm->address = $user->email;
@@ -175,7 +209,7 @@ class RecoverpasswordAction extends Action {
         $body .= "\n\n";
         $body .= 'If it was you, and you want to confirm, use the URL below:';
         $body .= "\n\n";
-        $body .= "\t".common_local_url('confirmaddress',
+        $body .= "\t".common_local_url('recoverpassword',
                                        array('code' => $confirm->code));
         $body .= "\n\n";
         $body .= 'If not, just ignore this message.';
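Review bot: In the `@@ -158,7 +192,7 @@` hunk the new Confirm_address row is inserted without invalidating any earlier recovery code still outstanding for the same user, so each repeated request leaves another code that stays usable for MAX_RECOVERY_TIME (the check_code hunk's own comment says these rows are not yet reaped). If Confirm_address supports it, delete prior rows with `address_type` 'recover' for `$user->id` before the insert so only the most recently emailed link works; otherwise record the limitation, e.g. `# Earlier recovery codes for this user remain valid until they expire or are reaped`. The enclosing method starts and ends outside the hunk.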
@@ -190,7 +224,7 @@ class RecoverpasswordAction extends Action {
         common_show_header(_('Password recovery requested'));
         common_element('p', NULL, _t('Instructions for recovering your password ' .
-                                      'have been sent to the email registered to your ' .
+                                      'have been sent to the email address registered to your ' .
                                       'account.'));
         common_show_footer();
     }
@@ -203,13 +237,15 @@ class RecoverpasswordAction extends Action {
             $this->client_error(_t('Unexpected password reset.'));
             return;
         }
-        $password = $this->trimmed('password');
+
+        $newpassword = $this->trimmed('newpassword');
         $confirm = $this->trimmed('confirm');
-        if (!$password || strlen($password) < 6) {
+
+        if (!$newpassword || strlen($newpassword) < 6) {
             $this->show_password_form(_t('Password must be 6 chars or more.'));
             return;
         }
-        if ($newpassword != $confirm) {
+        if ($newpassword != $confirm) {
             $this->show_password_form(_t('Password and confirmation do not match.'));
             return;
         }
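Review bot: `if ($newpassword != $confirm)` in the `@@ -203,13 +237,15 @@` hunk compares the two submitted strings loosely; under PHP's numeric-string rules inputs such as `'1e3'` and `'1000'` compare equal, so the confirmation check can pass for two different passwords. Use `if ($newpassword !== $confirm) {` so the comparison is byte-exact; the `!$newpassword` test on the line above is also truthiness-based, but the `strlen` minimum already covers the `'0'` case. The enclosing method starts before and continues past the hunk.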