From f43e9e97a53a0ff85e728c477e72ceaa98d3415d Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <fox@madoka.volgo-balt.ru>
Date: Fri, 22 Mar 2013 14:50:02 +0400
Subject: [PATCH] add basic password recovery thing

---
 classes/handler/public.php       | 87 ++++++++++++++++++++++++++++++++
 classes/pref/users.php           | 25 +++++----
 include/login_form.php           | 16 ++++++
 templates/resetpass_template.txt |  2 +-
 utility.css                      | 22 ++++++++
 5 files changed, 140 insertions(+), 12 deletions(-)

diff --git a/classes/handler/public.php b/classes/handler/public.php
index 6b588f81..53051a1f 100644
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -708,5 +708,92 @@ class Handler_Public extends Handler {
 		print json_encode(array("error" => array("code" => 7)));
 	}
 
+	function forgotpass() {
+		header('Content-Type: text/html; charset=utf-8');
+		print "<html>
+				<head>
+					<title>Tiny Tiny RSS</title>
+					<link rel=\"stylesheet\" type=\"text/css\" href=\"utility.css\">
+					<script type=\"text/javascript\" src=\"lib/prototype.js\"></script>
+					<script type=\"text/javascript\" src=\"lib/scriptaculous/scriptaculous.js?load=effects,dragdrop,controls\"></script>
+					<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/>
+				</head>
+				<body id='forgotpass'>";
+
+		print '<div class="floatingLogo"><img src="images/logo_wide.png"></div>';
+		print "<h1>".__("Reset password")."</h1>";
+
+		@$method = $_POST['method'];
+
+		if (!$method) {
+			$secretkey = uniqid();
+			$_SESSION["secretkey"] = $secretkey;
+
+			print "<form method='POST' action='public.php'>";
+			print "<input type='hidden' name='secretkey' value='$secretkey'>";
+			print "<input type='hidden' name='method' value='do'>";
+			print "<input type='hidden' name='op' value='forgotpass'>";
+
+			print "<fieldset>";
+			print "<label>".__("Login:")."</label>";
+			print "<input type='text' name='login' value='' required>";
+			print "</fieldset>";
+
+			print "<fieldset>";
+			print "<label>".__("Email:")."</label>";
+			print "<input type='email' name='email' value='' required>";
+			print "</fieldset>";
+
+			print "<fieldset>";
+			print "<label>".__("How much is two plus two:")."</label>";
+			print "<input type='text' name='test' value='' required>";
+			print "</fieldset>";
+
+			print "<p/>";
+			print "<button type='submit'>".__("Reset password")."</button>";
+
+			print "</form>";
+		} else if ($method == 'do') {
+
+			$secretkey = $_POST["secretkey"];
+			$login = db_escape_string($this->link, $_POST["login"]);
+			$email = db_escape_string($this->link, $_POST["email"]);
+			$test = db_escape_string($this->link, $_POST["test"]);
+
+			if (($test != 4 && $test != 'four') || !$email || !$login) {
+				print_error(__('Some of the required form parameters are missing or incorrect.'));
+
+				print "<p><a href=\"public.php?op=forgotpass\">".__("Go back")."</a></p>";
+
+			} else if ($_SESSION["secretkey"] == $secretkey) {
+
+				$result = db_query($this->link, "SELECT id FROM ttrss_users
+					WHERE login = '$login' AND email = '$email'");
+
+				if (db_num_rows($result) != 0) {
+					$id = db_fetch_result($result, 0, "id");
+
+					Pref_Users::resetUserPassword($this->link, $id, false);
+
+					print "<p>".__("Completed.")."</p>";
+
+				} else {
+					print_error(__("Sorry, login and email combination not found."));
+					print "<p><a href=\"public.php?op=forgotpass\">".__("Go back")."</a></p>";
+				}
+
+			} else {
+				print_error(__("Form secret key incorrect. Please enable cookies and try again."));
+				print "<p><a href=\"public.php?op=forgotpass\">".__("Go back")."</a></p>";
+
+			}
+
+		}
+
+		print "</body>";
+		print "</html>";
+
+	}
+
 }
 ?>
diff --git a/classes/pref/users.php b/classes/pref/users.php
index fbba5e40..b4f04377 100644
--- a/classes/pref/users.php
+++ b/classes/pref/users.php
@@ -270,11 +270,9 @@ class Pref_Users extends Handler_Protected {
 			}
 		}
 
-		function resetPass() {
-
-			$uid = db_escape_string($this->link, $_REQUEST["id"]);
+		static function resetUserPassword($link, $uid, $show_password) {
 
-			$result = db_query($this->link, "SELECT login,email
+			$result = db_query($link, "SELECT login,email
 				FROM ttrss_users WHERE id = '$uid'");
 
 			$login = db_fetch_result($result, 0, "login");
@@ -286,18 +284,20 @@ class Pref_Users extends Handler_Protected {
 
 			$pwd_hash = encrypt_password($tmp_user_pwd, $new_salt, true);
 
-			db_query($this->link, "UPDATE ttrss_users SET pwd_hash = '$pwd_hash', salt = '$new_salt'
+			db_query($link, "UPDATE ttrss_users SET pwd_hash = '$pwd_hash', salt = '$new_salt'
 				WHERE id = '$uid'");
 
-			print T_sprintf("Changed password of user <b>%s</b>
-				 to <b>%s</b>", $login, $tmp_user_pwd);
+			if ($show_password) {
+				print T_sprintf("Changed password of user <b>%s</b>
+					to <b>%s</b>", $login, $tmp_user_pwd);
+			} else {
+				print T_sprintf("Sending new password of user <b>%s</b>
+					to <b>%s</b>", $login, $email);
+			}
 
 			require_once 'lib/phpmailer/class.phpmailer.php';
 
 			if ($email) {
-				print " ";
-				print T_sprintf("Notifying <b>%s</b>.", $email);
-
 				require_once "lib/MiniTemplator.class.php";
 
 				$tpl = new MiniTemplator;
@@ -340,8 +340,11 @@ class Pref_Users extends Handler_Protected {
 
 				if (!$rc) print_error($mail->ErrorInfo);
 			}
+		}
 
-			print "</div>";
+		function resetPass() {
+			$uid = db_escape_string($this->link, $_REQUEST["id"]);
+			Pref_Users::resetUserPassword($this->link, $uid, true);
 		}
 
 		function index() {
diff --git a/include/login_form.php b/include/login_form.php
index 68df544e..af451239 100644
--- a/include/login_form.php
+++ b/include/login_form.php
@@ -65,6 +65,20 @@
 		font-size : 12px;
 	}
 
+	a.forgotpass {
+		text-align : right;
+		font-size : 11px;
+		display : inline-block;
+	}
+
+	a {
+		color : #4684ff;
+	}
+
+	a:hover {
+		color : black;
+	}
+
 	div.footer a {
 		color : gray;
 	}
@@ -179,6 +193,8 @@ function bwLimitChange(elem) {
 			<input type="password" name="password" required="1"
 					style="width : 220px" class="input"
 					value="<?php echo $_SESSION["fake_password"] ?>"/>
+			<label></label>
+			<a class='forgotpass' href="public.php?op=forgotpass"><?php echo __("I forgot my password") ?></a>
 		</div>
 
 		<div class="row">
diff --git a/templates/resetpass_template.txt b/templates/resetpass_template.txt
index dd96f2c9..c262f9a7 100644
--- a/templates/resetpass_template.txt
+++ b/templates/resetpass_template.txt
@@ -1,7 +1,7 @@
 <!-- $BeginBlock message -->
 Hello, ${LOGIN}.
 
-Your password for this Tiny Tiny RSS installation has been reset by an administrator.
+Your password for this Tiny Tiny RSS installation has been reset.
 
 Your new password is ${NEWPASS}, please remember it for later reference.
 
diff --git a/utility.css b/utility.css
index de0042a7..b520a49b 100644
--- a/utility.css
+++ b/utility.css
@@ -182,3 +182,25 @@ div.autocomplete ul li {
 	cursor : pointer;
 }
 
+fieldset { 
+	border-width : 0px;
+	padding : 0px 0px 5px 0px;
+	margin : 0px;
+}
+
+fieldset input {
+	font-family : sans-serif;
+	font-size : medium;
+	border-spacing : 2px;
+	border : 1px solid #b5bcc7;
+	padding : 2px;
+}
+
+fieldset label {
+	width : 120px;
+	margin-right : 20px;
+	display : inline-block;
+	text-align : right;
+	color : gray;
+}
+
-- 
2.39.2