From da8651f2155c4880232164d7168974731496e3a8 Mon Sep 17 00:00:00 2001 From: Robert Sesek Date: Tue, 13 Feb 2007 07:43:58 +0000 Subject: [PATCH] r1401: Added a password reset system that works very similarly to the user activation system. --- docs/changes.txt | 1 + docs/schema_changes.sql | 8 +++ login.php | 117 +++++++++++++++++++++++++++++++++++- templates/login.tpl | 2 +- templates/lostpassword.tpl | 35 +++++++++++ templates/passwordreset.tpl | 43 +++++++++++++ 6 files changed, 204 insertions(+), 2 deletions(-) create mode 100644 templates/lostpassword.tpl create mode 100644 templates/passwordreset.tpl diff --git a/docs/changes.txt b/docs/changes.txt index 4af03b0..6c87205 100644 --- a/docs/changes.txt +++ b/docs/changes.txt @@ -16,6 +16,7 @@ - Setting system cleanup that improves speed by reducing queries and not using eval() - Can now mass update of bug fields from the search screen - Search system no longer stores the actual query of the search, but rather the paramters +- Added a lost password reset system 1.1.5 =============================== diff --git a/docs/schema_changes.sql b/docs/schema_changes.sql index fc8d0e0..61fa7ae 100644 --- a/docs/schema_changes.sql +++ b/docs/schema_changes.sql @@ -13,3 +13,11 @@ ALTER TABLE search ADD searchid INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY ALTER TABLE search ADD name VARCHAR(250) NULL; ALTER TABLE version ADD obsolete BOOL NULL; + +CREATE TABLE passwordreset +( + activatorid VARCHAR(250) NOT NULL, + userid INT NOT NULL, + dateline INT NOT NULL, + PRIMARY KEY (activatorid) +); \ No newline at end of file diff --git a/login.php b/login.php index 583988f..6ffdc7f 100755 --- a/login.php +++ b/login.php @@ -20,7 +20,9 @@ \*=====================================================================*/ $fetchtemplates = array( - 'login' + 'login', + 'lostpassword', + 'passwordreset' ); define('SVN', '$Id$'); @@ -28,6 +30,10 @@ define('SVN', '$Id$'); $focus['user'] = 'focus'; require_once('./global.php'); +require_once('./includes/api_user.php'); +require_once('./includes/class_api_error.php'); + +APIError(array(new API_Error_Handler($message), 'user_cumulative')); // ################################################################### @@ -109,6 +115,115 @@ if ($_REQUEST['do'] == 'logout') // ################################################################### +if ($_POST['do'] == 'sendpw') +{ + $user = new UserAPI($bugsys); + $user->set('email', $bugsys->in['email'], true, false); // don't verify so we don't get errors about existing emails + $user->set_condition(array('email')); + $user->fetch(); + + if ($message->items) + { + $show['lostpwerror'] = true; + $_REQUEST['do'] = 'lostpw'; + } + else + { + $activator = $funct->rand(25); + $db->query("INSERT INTO " . TABLE_PREFIX . "passwordreset (activatorid, dateline, userid) VALUES ('" . $activator . "', " . TIMENOW . ", " . $user->objdata['userid'] . ")"); + + $mail->setSubject(sprintf(_('%1$s Password Reset'), $bugsys->options['trackertitle'])); + $mail->setBodyText(sprintf(_('Hi %1$s, + +You requested this lost password email at the %2$s bug tracker. To reset your password, simply click the link below (or paste it into your browser window exactly) and enter a new password. + +%3$s/login.php?do=recoverpw&activator=%4$s + +If you did not request this, do not worry as this notice will expire in 24 hours.'), + + $user->objdata['displayname'], + $bugsys->options['trackertitle'], + $bugsys->options['trackerurl'], + $activator + )); + + $mail->send($user->objdata['email'], $user->objdata['displayname']); + + $message->message(sprintf(_('An email has been dispatched to %1$s that contains instructions on how to reset your password.'), $user->objdata['email'])); + } +} + +// ################################################################### + +if ($_REQUEST['do'] == 'lostpw') +{ + eval('$template->flush("' . $template->fetch('lostpassword') . '");'); +} + +// ################################################################### + +if ($_POST['do'] == 'resetpw') +{ + // remove old activators + $db->query("DELETE FROM " . TABLE_PREFIX . "passwordreset WHERE dateline < " . (TIMENOW - 86400)); + + // now look for ours + $activation = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "passwordreset WHERE activatorid = '" . $bugsys->input_escape('activator') . "'"); + if (!$activation) + { + $message->error(L_INVALID_ID); + } + + $user = new UserAPI($bugsys); + $user->set('userid', $activation['userid']); + $user->set_condition(); + + if ($bugsys->in['fix_password'] != $bugsys->in['confirm_password']) + { + $message->add_error(_('The passwords you entered do not patch.')); + } + if (empty($bugsys->in['fix_password'])) + { + $message->add_error(_('Your new password cannot be empty.')); + } + + $user->set('password', $bugsys->in['fix_password']); + + if (!$message->items) + { + // remove old other activators for this user + $db->query("DELETE FROM " . TABLE_PREFIX . "passwordreset WHERE userid = " . $activation['userid']); + + $user->update(); + $message->redirect(_('Your password has been changed successfully. You will now be redirected to the login page.'), 'login.php'); + } + else + { + $show['errors'] = true; + $_REQUEST['do'] = 'recoverpw'; + $message->error_list_process(); + } +} + +// ################################################################### + +if ($_REQUEST['do'] == 'recoverpw') +{ + // remove old activators + $db->query("DELETE FROM " . TABLE_PREFIX . "passwordreset WHERE dateline < " . (TIMENOW - 86400)); + + // now look for ours + $activation = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "passwordreset WHERE activatorid = '" . $bugsys->input_escape('activator') . "'"); + if (!$activation) + { + $message->error(_('Invalid activation reset key. Please make sure you copied the URL exactly as it appeared in the email.')); + } + + eval('$template->flush("' . $template->fetch('passwordreset') . '");'); +} + +// ################################################################### + if ($_REQUEST['do'] == 'cplogout') { if ($_COOKIE[COOKIE_PREFIX . 'adminsession']) diff --git a/templates/login.tpl b/templates/login.tpl index 7768788..cd2c2fb 100644 --- a/templates/login.tpl +++ b/templates/login.tpl @@ -23,7 +23,7 @@ $header
{@"Password"}:
{@"Remember Me"}: {@"Yes"}

- {@"Click here if you do not have an account..."} + [{@"Register"}] [{@"Lost Password"}]
diff --git a/templates/lostpassword.tpl b/templates/lostpassword.tpl new file mode 100644 index 0000000..4c5ed80 --- /dev/null +++ b/templates/lostpassword.tpl @@ -0,0 +1,35 @@ +$doctype + + +$headinclude + + {$bugsys->options['trackertitle']} - {@"Lost Password"} + + + + +$header + +
+ + +
+
+
{@"Lost Password Recovery"}
+ +
+
{@"The specified email could not be found or it is invalid."}
+
{@"Enter your email in the box below and you will receive a message with instructions on how to set a new password."}
+
{@"Email"}:
+
+ +
+ + +
+
+
+ +
+ +$footer \ No newline at end of file diff --git a/templates/passwordreset.tpl b/templates/passwordreset.tpl new file mode 100644 index 0000000..8e4845d --- /dev/null +++ b/templates/passwordreset.tpl @@ -0,0 +1,43 @@ +$doctype + + +$headinclude + + {$bugsys->options['trackertitle']} - {@"Reset Password"} + + + + +$header + +
+ + + + +
+ {@"The following errors occurred"}: + {$message->process} +
+
+ +
+
+
{@"Lost Password Recovery: Password Reset"}
+ +
+
{@"Enter a new password below and then confirm it."}
+
{@"New Password"}:
+
{@"Confirm Password"}:
+
+ +
+ + +
+
+
+ +
+ +$footer \ No newline at end of file -- 2.43.5