X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=actions%2Frecoverpassword.php;h=56f6ba9df9ac38cc8b2be6022de33ab05f6f79ef;hb=596365672a9627dbcab0f1aeddc13e4fb9c3b18b;hp=edfa9194dae79c2f04cee256fafe947034e241b4;hpb=f374e924f51d50a601bef4beeb138665374485b0;p=quix0rs-gnu-social.git
diff --git a/actions/recoverpassword.php b/actions/recoverpassword.php
index edfa9194da..56f6ba9df9 100644
--- a/actions/recoverpassword.php
+++ b/actions/recoverpassword.php
@@ -19,6 +19,10 @@ if (!defined('LACONICA')) { exit(1); }
+# You have 24 hours to claim your password
+
+define(MAX_RECOVERY_TIME, 24 * 60 * 60);
+
 class RecoverpasswordAction extends Action {
 function handle($args) {
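Review bot: `define(MAX_RECOVERY_TIME, 24 * 60 * 60);` passes the constant name as a bare identifier rather than a string, so PHP first tries to resolve `MAX_RECOVERY_TIME` as an existing constant; older interpreters fall back to the string with a notice, while PHP 8 raises an Error for the undefined constant before `define` ever runs. The name should be quoted: `define('MAX_RECOVERY_TIME', 24 * 60 * 60);`. The comment above it would also serve readers better if it named the unit, e.g. `# Recovery codes expire this many seconds after issue (24 hours)`. The class this hunk opens continues outside the hunk.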
@@ -44,21 +48,51 @@ class RecoverpasswordAction extends Action {
 }
 function check_code() {
+ $code = $this->trimmed('code');
 $confirm = Confirm_address::staticGet($code);
- if ($confirm && $confirm->address_type == 'recover') {
- $user = User::staticGet($confirm->user_id);
- if ($user) {
- $result = $confirm->delete();
- if (!$result) {
- common_log_db_error($confirm, 'DELETE', __FILE__);
- common_server_error(_t('Error with confirmation code.'));
- return;
- }
- $this->set_temp_user($user);
- $this->show_password_form();
- }
+
+ if (!$confirm) {
+ $this->client_error(_t('No such recovery code.'));
+ return;
+ }
+ if ($confirm->address_type != 'recover') {
+ $this->client_error(_t('Not a recovery code.'));
+ return;
 }
+
+ $user = User::staticGet($confirm->user_id);
+
+ if (!$user) {
+ $this->server_error(_t('Recovery code for unknown user.'));
+ return;
+ }
+
+ $touched = strtotime($confirm->modified);
+
+ # Burn this code
+
+ $result = $confirm->delete();
+
+ if (!$result) {
+ common_log_db_error($confirm, 'DELETE', __FILE__);
+ common_server_error(_t('Error with confirmation code.'));
+ return;
+ }
+
+ # These should be reaped, but for now we just check mod time
+ # Note: it's still deleted; let's avoid a second attempt!
+
+ if ((time() - $touched) > MAX_RECOVERY_TIME) {
+ $this->client_error(_t('This confirmation code is too old. ' .
+ 'Please start again.'));
+ return;
+ }
+
+ # Success!
+
+ $this->set_temp_user($user);
+ $this->show_password_form();
 }
 function set_temp_user(&$user) {
@@ -97,7 +131,7 @@ class RecoverpasswordAction extends Action {
 common_element('div', 'error', $msg);
 } else {
 common_element('div', 'instructions',
- _t('You\ve been identified . Enter a ' .
+ _t('You\'ve been identified. Enter a ' .
 ' new password below. '));
 }
 }
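Review bot: The expiry check anchors on `$touched = strtotime($confirm->modified);`, so any later update to the row restarts the 24-hour window; if Confirm_address also records an issue time that is the safer anchor, otherwise the `# Burn this code` comment should state the assumption that nothing else updates a `'recover'` row once issued. Error handling in the new body is also mixed: every other failure goes through `$this->client_error`/`$this->server_error`, but the failed-delete path keeps `common_server_error(_t('Error with confirmation code.'));`, which should become `$this->server_error(_t('Error with confirmation code.'));` for consistency. Note too that 'No such recovery code.' and 'Not a recovery code.' differ, so the response reveals whether a submitted code exists for some other address type; a single generic failure message for both branches avoids that. check_code lies entirely within the hunk; the trailing `function set_temp_user(&$user) {` belongs to the next method, which continues outside it.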
@@ -203,13 +237,15 @@ class RecoverpasswordAction extends Action {
 $this->client_error(_t('Unexpected password reset.'));
 return;
 }
- $password = $this->trimmed('password');
+
+ $newpassword = $this->trimmed('newpassword');
 $confirm = $this->trimmed('confirm');
- if (!$password || strlen($password) < 6) {
+
+ if (!$newpassword || strlen($newpassword) < 6) {
 $this->show_password_form(_t('Password must be 6 chars or more.'));
 return;
 }
- if ($password != $confirm) {
+ if ($newpassword != $confirm) {
 $this->show_password_form(_t('Password and confirmation do not match.'));
 return;
 }
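Review bot: `if ($newpassword != $confirm) {` uses loose comparison, under which two different numeric strings that are numerically equal (for example differing only in leading zeros or exponent notation) compare as equal, so the mismatch check is silently skipped for such input; use `if ($newpassword !== $confirm) {`. The length check `strlen($newpassword) < 6` counts bytes, so a password of fewer than six multibyte characters passes — `mb_strlen` if the intent is characters and mbstring is available, or a comment stating that the minimum is in bytes. The enclosing method starts before and continues past this hunk.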