X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=actions%2Frecoverpassword.php;h=38c42f41d1b056ac303f723dd324ce7391d3fd82;hb=2abe10b8ea4b5d69fc7f6513bf465541454ca2cf;hp=17f7fc7f30fccb51e770a402ea61113082467478;hpb=506843e55d1381172c7a8e629a2447588dba67fe;p=quix0rs-gnu-social.git diff --git a/actions/recoverpassword.php b/actions/recoverpassword.php index 17f7fc7f30..38c42f41d1 100644 --- a/actions/recoverpassword.php +++ b/actions/recoverpassword.php @@ -50,7 +50,7 @@ class RecoverpasswordAction extends Action { function check_code() { $code = $this->trimmed('code'); - $confirm = Confirm_address::staticGet($code); + $confirm = Confirm_address::staticGet('code', $code); if (!$confirm) { $this->client_error(_('No such recovery code.')); @@ -85,6 +85,9 @@ class RecoverpasswordAction extends Action { # Note: it's still deleted; let's avoid a second attempt! if ((time() - $touched) > MAX_RECOVERY_TIME) { + common_log(LOG_WARNING, + 'Attempted redemption on recovery code ' . + 'that is ' . $touched . ' seconds old. '); $this->client_error(_('This confirmation code is too old. ' . 'Please start again.')); return; @@ -133,11 +136,13 @@ class RecoverpasswordAction extends Action { if ($msg) { common_element('div', 'error', $msg); } else { - common_element('div', 'instructions', + common_element_start('div', 'instructions'); + common_element('p', NULL, _('If you\'ve forgotten or lost your' . - ' password, you can get a new one sent ' . + ' password, you can get a new one sent to' . ' the email address you have stored ' . ' in your account.')); + common_element_end('div'); } } @@ -176,6 +181,7 @@ class RecoverpasswordAction extends Action { common_element_start('form', array('method' => 'post', 'id' => 'recoverpassword', 'action' => common_local_url('recoverpassword'))); + common_hidden('token', common_session_token()); common_password('newpassword', _('New password'), _('6 or more characters, and don\'t forget it!')); common_password('confirm', _('Confirm'), @@ -198,6 +204,8 @@ class RecoverpasswordAction extends Action { $user = User::staticGet('nickname', common_canonical_nickname($nore)); } + # See if it's an unconfirmed email address + if (!$user) { $confirm_email = Confirm_address::staticGet('address', common_canonical_email($nore)); if ($confirm_email && $confirm_email->address_type == 'email') { @@ -210,16 +218,28 @@ class RecoverpasswordAction extends Action { return; } + # Try to get an unconfirmed email address if they used a user name + + if (!$user->email && !$confirm_email) { + $confirm_email = Confirm_address::staticGet('user_id', $user->id); + if ($confirm_email && $confirm_email->address_type != 'email') { + # Skip non-email confirmations + $confirm_email = NULL; + } + } + if (!$user->email && !$confirm_email) { $this->client_error(_('No registered email address for that user.')); return; } + # Success! We have a valid user and a confirmed or unconfirmed email address + $confirm = new Confirm_address(); $confirm->code = common_confirmation_code(128); $confirm->address_type = 'recover'; $confirm->user_id = $user->id; - $confirm->address = ($user->email) ? $user->email : $confirm_email->address; + $confirm->address = (isset($user->email)) ? $user->email : $confirm_email->address; if (!$confirm->insert()) { common_log_db_error($confirm, 'INSERT', __FILE__); @@ -244,7 +264,7 @@ class RecoverpasswordAction extends Action { $body .= common_config('site', 'name'); $body .= "\n"; - mail_to_user($user, _('Password recovery requested'), $body); + mail_to_user($user, _('Password recovery requested'), $body, $confirm->address); common_show_header(_('Password recovery requested')); common_element('p', NULL, @@ -256,6 +276,13 @@ class RecoverpasswordAction extends Action { function reset_password() { + # CSRF protection + $token = $this->trimmed('token'); + if (!$token || $token != common_session_token()) { + $this->show_form(_('There was a problem with your session token. Try again, please.')); + return; + } + $user = $this->get_temp_user(); if (!$user) {