show better errors on bad codes
authorEvan Prodromou <evan@controlezvous.ca>
Tue, 24 Jun 2008 22:55:56 +0000 (18:55 -0400)
committerEvan Prodromou <evan@controlezvous.ca>
Tue, 24 Jun 2008 22:55:56 +0000 (18:55 -0400)
darcs-hash:20080624225556-34904-2f31fbe0944374892005ea88977736bda59729fa.gz

actions/recoverpassword.php

index 0357b9df6b417c9527ba5053b06cf6086e036714..56f6ba9df9ac38cc8b2be6022de33ab05f6f79ef 100644 (file)
 
 if (!defined('LACONICA')) { exit(1); }
 
+# You have 24 hours to claim your password
+
+define(MAX_RECOVERY_TIME, 24 * 60 * 60);
+
 class RecoverpasswordAction extends Action {
 
     function handle($args) {
@@ -44,21 +48,51 @@ class RecoverpasswordAction extends Action {
        }
 
        function check_code() {
+
                $code = $this->trimmed('code');
                $confirm = Confirm_address::staticGet($code);
-               if ($confirm && $confirm->address_type == 'recover') {
-                       $user = User::staticGet($confirm->user_id);
-                       if ($user) {
-                               $result = $confirm->delete();
-                               if (!$result) {
-                                       common_log_db_error($confirm, 'DELETE', __FILE__);
-                                       common_server_error(_t('Error with confirmation code.'));
-                                       return;
-                               }
-                               $this->set_temp_user($user);
-                               $this->show_password_form();
-                       }
+
+               if (!$confirm) {
+                       $this->client_error(_t('No such recovery code.'));
+                       return;
+               }
+               if ($confirm->address_type != 'recover') {
+                       $this->client_error(_t('Not a recovery code.'));
+                       return;
+               }
+
+               $user = User::staticGet($confirm->user_id);
+
+               if (!$user) {
+                       $this->server_error(_t('Recovery code for unknown user.'));
+                       return;
                }
+
+               $touched = strtotime($confirm->modified);
+
+               # Burn this code
+
+               $result = $confirm->delete();
+
+               if (!$result) {
+                       common_log_db_error($confirm, 'DELETE', __FILE__);
+                       common_server_error(_t('Error with confirmation code.'));
+                       return;
+               }
+
+               # These should be reaped, but for now we just check mod time
+               # Note: it's still deleted; let's avoid a second attempt!
+
+               if ((time() - $touched) > MAX_RECOVERY_TIME) {
+                       $this->client_error(_t('This confirmation code is too old. ' .
+                                              'Please start again.'));
+                       return;
+               }
+
+               # Success!
+
+               $this->set_temp_user($user);
+               $this->show_password_form();
        }
 
        function set_temp_user(&$user) {
@@ -97,7 +131,7 @@ class RecoverpasswordAction extends Action {
             common_element('div', 'error', $msg);
                } else {
                        common_element('div', 'instructions',
-                                                  _t('You\ve been identified . Enter a ' .
+                                                  _t('You\'ve been identified. Enter a ' .
                                                      ' new password below. '));
                }
        }
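Review bot: `define(MAX_RECOVERY_TIME, 24 * 60 * 60);` in the first hunk passes the constant's name as a bare word instead of a string, so PHP evaluates an undefined constant there (a notice that happens to yield the name on old releases, a fatal Error on PHP 8); it should read `define('MAX_RECOVERY_TIME', 24 * 60 * 60);`. In check_code the unknown-user branch calls `$this->server_error(...)` while the failed-delete branch a few lines below still calls `common_server_error(...)`; unless Action provides both, one spelling is wrong, and using the same one on every error path keeps the function uniform. `$touched = strtotime($confirm->modified)` yields false for an unparseable timestamp, which makes the age check fail closed (a huge age, so the code is rejected as too old); that is the right outcome but deserves a comment such as `# strtotime() false => rejected as too old; fails closed on a bad timestamp`. Note also that the 'Not a recovery code.' branch returns before the delete, so a confirmation of another type submitted here is left intact and its existence is reported back to the client; if that is intentional, a short comment saying so would help the next reader.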