]> git.wh0rd.org Git - tt-rss.git/commitdiff
rework password reset to work through temporary link
authorAndrew Dolgov <noreply@fakecake.org>
Sun, 9 Mar 2014 07:17:29 +0000 (11:17 +0400)
committerAndrew Dolgov <noreply@fakecake.org>
Sun, 9 Mar 2014 07:17:29 +0000 (11:17 +0400)
classes/handler/public.php

index 4c5a5136a937c4411fba90b9fecfb24a5cf4563c..1a586fe7a5a23dcac32f4bde51ae8bd457fefc34 100644 (file)
@@ -709,6 +709,8 @@ class Handler_Public extends Handler {
        function forgotpass() {
                startup_gettext();
 
+               @$hash = $_REQUEST["hash"];
+
                header('Content-Type: text/html; charset=utf-8');
                print "<html><head><title>Tiny Tiny RSS</title>
                <link rel=\"shortcut icon\" type=\"image/png\" href=\"images/favicon.png\">
@@ -726,8 +728,45 @@ class Handler_Public extends Handler {
 
                @$method = $_POST['method'];
 
-               if (!$method) {
-                       print_notice(__("You will need to provide valid account name and email. New password will be sent on your email address."));
+               if ($hash) {
+                       $login = $_REQUEST["login"];
+
+                       if ($login) {
+                               $result = $this->dbh->query("SELECT id, resetpass_token FROM ttrss_users
+                                       WHERE login = '$login'");
+
+                               if ($this->dbh->num_rows($result) != 0) {
+                                       $id = $this->dbh->fetch_result($result, 0, "id");
+                                       $resetpass_token_full = $this->dbh->fetch_result($result, 0, "resetpass_token");
+                                       list($timestamp, $resetpass_token) = explode(":", $resetpass_token_full);
+
+                                       if ($timestamp && $resetpass_token &&
+                                               $timestamp >= time() - 15*60*60 &&
+                                               $resetpass_token == $hash) {
+
+                                                       $result = $this->dbh->query("UPDATE ttrss_users SET resetpass_token = NULL
+                                                               WHERE id = $id");
+
+                                                       Pref_Users::resetUserPassword($id, true);
+
+                                                       print "<p>"."Completed."."</p>";
+
+                                       } else {
+                                               print_error("Some of the information provided is missing or incorrect.");
+                                       }
+                               } else {
+                                       print_error("Some of the information provided is missing or incorrect.");
+                               }
+                       } else {
+                               print_error("Some of the information provided is missing or incorrect.");
+                       }
+
+                       print "<form method=\"GET\" action=\"index.php\">
+                               <input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
+                               </form>";
+
+               } else if (!$method) {
+                       print_notice(__("You will need to provide valid account name and email. A password reset link will be sent to your email address."));
 
                        print "<form method='POST' action='public.php'>";
                        print "<input type='hidden' name='method' value='do'>";
@@ -768,17 +807,57 @@ class Handler_Public extends Handler {
 
                        } else {
 
+                               print_notice("Password reset instructions are being sent to your email address.");
+
                                $result = $this->dbh->query("SELECT id FROM ttrss_users
                                        WHERE login = '$login' AND email = '$email'");
 
                                if ($this->dbh->num_rows($result) != 0) {
                                        $id = $this->dbh->fetch_result($result, 0, "id");
 
-                                       Pref_Users::resetUserPassword($id, false);
+                                       if ($id) {
+                                               $resetpass_token = sha1(get_random_bytes(128));
+                                               $resetpass_link = get_self_url_prefix() . "/public.php?op=forgotpass&hash=" . $resetpass_token .
+                                                       "&login=" . urlencode($login);
+
+                                               require_once 'classes/ttrssmailer.php';
+                                               require_once "lib/MiniTemplator.class.php";
+
+                                               $tpl = new MiniTemplator;
+
+                                               $tpl->readTemplateFromFile("templates/resetpass_link_template.txt");
+
+                                               $tpl->setVariable('LOGIN', $login);
+                                               $tpl->setVariable('RESETPASS_LINK', $resetpass_link);
+
+                                               $tpl->addBlock('message');
+
+                                               $message = "";
+
+                                               $tpl->generateOutputToString($message);
 
-                                       print "<p>";
+                                               $mail = new ttrssMailer();
 
-                                       print "<p>"."Completed."."</p>";
+                                               $rc = $mail->quickMail($email, $login,
+                                                       __("[tt-rss] Password reset request"),
+                                                       $message, false);
+
+                                               if (!$rc) print_error($mail->ErrorInfo);
+
+                                               $resetpass_token_full = $this->dbh->escape_string(time() . ":" . $resetpass_token);
+
+                                               $result = $this->dbh->query("UPDATE ttrss_users
+                                                       SET resetpass_token = '$resetpass_token_full'
+                                                       WHERE login = '$login' AND email = '$email'");
+
+                                               //Pref_Users::resetUserPassword($id, false);
+
+                                               print "<p>";
+
+                                               print "<p>"."Completed."."</p>";
+                                       } else {
+                                               print_error("User ID not found.");
+                                       }
 
                                        print "<form method=\"GET\" action=\"index.php\">
                                                <input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">