X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=actions%2Frecoverpassword.php;h=06a7f62c8aa796d591c4a4fd0f0135cd86852ed9;hb=69c8fe060fb830e22030022567fd2f9459e95fd7;hp=9be3c45806161785e6984f363c3b8341f77663d3;hpb=96e6df323bf1b0b15a50ed56f1526180bfb33093;p=quix0rs-gnu-social.git
diff --git a/actions/recoverpassword.php b/actions/recoverpassword.php
index 9be3c45806..06a7f62c8a 100644
--- a/actions/recoverpassword.php
+++ b/actions/recoverpassword.php
@@ -19,6 +19,10 @@ if (!defined('LACONICA')) { exit(1); }
+# You have 24 hours to claim your password
+ define(MAX_RECOVERY_TIME, 24 * 60 * 60);
+
 class RecoverpasswordAction extends Action {
 function handle($args) {
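Review bot: `define(MAX_RECOVERY_TIME, 24 * 60 * 60);` passes the constant name as a bare identifier instead of a string, so the first argument is itself an undefined constant at that point: older PHP falls back to the string `'MAX_RECOVERY_TIME'` with a notice (which is why this appears to work), while PHP 8 throws an `Error` on the undefined constant before the class below is even declared. Quote the name, `define('MAX_RECOVERY_TIME', 24 * 60 * 60);`. The comment above it could also state the unit and the consumer, e.g. `# Recovery codes older than this many seconds are rejected by check_code()`.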
@@ -44,21 +48,51 @@ class RecoverpasswordAction extends Action {
 }
 function check_code() {
+ $code = $this->trimmed('code');
 $confirm = Confirm_address::staticGet($code);
- if ($confirm && $confirm->type == 'recover') {
- $user = User::staticGet($confirm->user_id);
- if ($user) {
- $result = $confirm->delete();
- if (!$result) {
- common_log_db_error($confirm, 'DELETE', __FILE__);
- common_server_error(_t('Error with confirmation code.'));
- return;
- }
- $this->set_temp_user($user);
- $this->show_password_form();
- }
+
+ if (!$confirm) {
+ $this->client_error(_t('No such recovery code.'));
+ return;
+ }
+ if ($confirm->address_type != 'recover') {
+ $this->client_error(_t('Not a recovery code.'));
+ return;
 }
+
+ $user = User::staticGet($confirm->user_id);
+
+ if (!$user) {
+ $this->server_error(_t('Recovery code for unknown user.'));
+ return;
+ }
+
+ $touched = strtotime($confirm->modified);
+
+ # Burn this code
+
+ $result = $confirm->delete();
+
+ if (!$result) {
+ common_log_db_error($confirm, 'DELETE', __FILE__);
+ common_server_error(_t('Error with confirmation code.'));
+ return;
+ }
+
+ # These should be reaped, but for now we just check mod time
+ # Note: it's still deleted; let's avoid a second attempt!
+
+ if ((time() - $touched) > MAX_RECOVERY_TIME) {
+ $this->client_error(_t('This confirmation code is too old. ' .
+ 'Please start again.'));
+ return;
+ }
+
+ # Success!
+
+ $this->set_temp_user($user);
+ $this->show_password_form();
 }
 function set_temp_user(&$user) {
@@ -97,7 +131,7 @@ class RecoverpasswordAction extends Action {
 common_element('div', 'error', $msg);
 } else {
 common_element('div', 'instructions',
- _t('You\ve been identified . Enter a ' .
+ _t('You\'ve been identified. Enter a ' .
 ' new password below. '));
 }
 }
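Review bot: The early exits in the new `check_code()` answer a submitted code with three distinct messages ('No such recovery code.', 'Not a recovery code.', 'Recovery code for unknown user.'), so the response reveals whether an arbitrary code exists in `Confirm_address` at all and whether it belongs to some other confirmation type, and in the `address_type` branch that foreign row is left in place rather than consumed; one generic client error for the first two branches gives the same user experience without that distinction. The type check should also be strict, `if ($confirm->address_type !== 'recover') {`. Within the same function a failed delete is reported through `common_server_error()` while an unknown user goes through `$this->server_error()`; one of the two styles should be used throughout. The expiry is measured from `$confirm->modified`, so anything that updates the row after creation would presumably extend the 24-hour window — worth a comment if that is intended.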
@@ -107,7 +141,7 @@ class RecoverpasswordAction extends Action {
 common_show_header(_t('Recover password'), NULL, $msg, array($this, 'show_top'));
- common_element_start('form', array('method' => 'POST',
+ common_element_start('form', array('method' => 'post',
 'id' => 'recoverpassword', 'action' => common_local_url('recoverpassword')));
 common_input('nicknameoremail', _t('Nickname or email'),
@@ -124,7 +158,7 @@ class RecoverpasswordAction extends Action {
 common_show_header(_t('Reset password'), NULL, $msg, array($this, 'show_password_top'));
- common_element_start('form', array('method' => 'POST',
+ common_element_start('form', array('method' => 'post',
 'id' => 'recoverpassword', 'action' => common_local_url('recoverpassword')));
 common_password('newpassword', _t('New password'),
@@ -158,7 +192,7 @@ class RecoverpasswordAction extends Action {
 $confirm = new Confirm_address();
 $confirm->code = common_confirmation_code(128);
- $confirm->type = 'recover';
+ $confirm->address_type = 'recover';
 $confirm->user_id = $user->id;
 $confirm->address = $user->email;
@@ -203,13 +237,15 @@ class RecoverpasswordAction extends Action {
 $this->client_error(_t('Unexpected password reset.'));
 return;
 }
- $password = $this->trimmed('password');
+
+ $newpassword = $this->trimmed('newpassword');
 $confirm = $this->trimmed('confirm');
+
- if (!$password || strlen($password) < 6) {
+ if (!$newpassword || strlen($newpassword) < 6) {
 $this->show_password_form(_t('Password must be 6 chars or more.'));
 return;
 }
- if ($password != $confirm) {
+ if ($newpassword != $confirm) {
 $this->show_password_form(_t('Password and confirmation do not match.'));
 return;
 }
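Review bot: `if ($newpassword != $confirm) {` in the last hunk compares the two submitted strings loosely, and PHP compares two numeric strings numerically, so a password and confirmation such as `'100000'` and `'1e5'` (a constructed example) pass the mismatch check although they differ byte for byte; use `if ($newpassword !== $confirm) {`. The length check a few lines above uses `strlen()`, which counts bytes, so the 'Password must be 6 chars or more.' rule is enforced on bytes rather than characters; `mb_strlen()` would match the message shown to the user. The enclosing method starts before this hunk and continues after it.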