From 5303f9a71a040b25574e12c05dac875e03de6f85 Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Sun, 9 Mar 2014 11:17:29 +0400 Subject: [PATCH] rework password reset to work through temporary link --- classes/handler/public.php | 89 +++++++++++++++++++++++++++++++++++--- 1 file changed, 84 insertions(+), 5 deletions(-) diff --git a/classes/handler/public.php b/classes/handler/public.php index 4c5a5136..1a586fe7 100644 --- a/classes/handler/public.php +++ b/classes/handler/public.php @@ -709,6 +709,8 @@ class Handler_Public extends Handler { function forgotpass() { startup_gettext(); + @$hash = $_REQUEST["hash"]; + header('Content-Type: text/html; charset=utf-8'); print "Tiny Tiny RSS @@ -726,8 +728,45 @@ class Handler_Public extends Handler { @$method = $_POST['method']; - if (!$method) { - print_notice(__("You will need to provide valid account name and email. New password will be sent on your email address.")); + if ($hash) { + $login = $_REQUEST["login"]; + + if ($login) { + $result = $this->dbh->query("SELECT id, resetpass_token FROM ttrss_users + WHERE login = '$login'"); + + if ($this->dbh->num_rows($result) != 0) { + $id = $this->dbh->fetch_result($result, 0, "id"); + $resetpass_token_full = $this->dbh->fetch_result($result, 0, "resetpass_token"); + list($timestamp, $resetpass_token) = explode(":", $resetpass_token_full); + + if ($timestamp && $resetpass_token && + $timestamp >= time() - 15*60*60 && + $resetpass_token == $hash) { + + $result = $this->dbh->query("UPDATE ttrss_users SET resetpass_token = NULL + WHERE id = $id"); + + Pref_Users::resetUserPassword($id, true); + + print "

"."Completed."."

"; + + } else { + print_error("Some of the information provided is missing or incorrect."); + } + } else { + print_error("Some of the information provided is missing or incorrect."); + } + } else { + print_error("Some of the information provided is missing or incorrect."); + } + + print "
+ +
"; + + } else if (!$method) { + print_notice(__("You will need to provide valid account name and email. A password reset link will be sent to your email address.")); print "
"; print ""; @@ -768,17 +807,57 @@ class Handler_Public extends Handler { } else { + print_notice("Password reset instructions are being sent to your email address."); + $result = $this->dbh->query("SELECT id FROM ttrss_users WHERE login = '$login' AND email = '$email'"); if ($this->dbh->num_rows($result) != 0) { $id = $this->dbh->fetch_result($result, 0, "id"); - Pref_Users::resetUserPassword($id, false); + if ($id) { + $resetpass_token = sha1(get_random_bytes(128)); + $resetpass_link = get_self_url_prefix() . "/public.php?op=forgotpass&hash=" . $resetpass_token . + "&login=" . urlencode($login); + + require_once 'classes/ttrssmailer.php'; + require_once "lib/MiniTemplator.class.php"; + + $tpl = new MiniTemplator; + + $tpl->readTemplateFromFile("templates/resetpass_link_template.txt"); + + $tpl->setVariable('LOGIN', $login); + $tpl->setVariable('RESETPASS_LINK', $resetpass_link); + + $tpl->addBlock('message'); + + $message = ""; + + $tpl->generateOutputToString($message); - print "
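Review bot: In the new `if ($hash)` branch, `$login` is read from `$_REQUEST["login"]` and placed straight into `WHERE login = '$login'`, so this unauthenticated handler builds SQL from raw request input. Escape it the way the stored token is escaped later in this patch, `$login = $this->dbh->escape_string($_REQUEST["login"]);`, or bind it as a parameter if the DB layer supports that. The token check `$resetpass_token == $hash` is a loose, non-constant-time comparison, and PHP compares numeric-looking strings by value. Using `is_string($hash) && hash_equals($resetpass_token, $hash)` (PHP 5.6+), or at least `===`, avoids both problems. `15*60*60` is a 15-hour validity window, which is worth confirming as intended rather than 15 minutes; `forgotpass()` starts and continues outside this hunk.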

"; + $mail = new ttrssMailer(); - print "

"."Completed."."

"; + $rc = $mail->quickMail($email, $login, + __("[tt-rss] Password reset request"), + $message, false); + + if (!$rc) print_error($mail->ErrorInfo); + + $resetpass_token_full = $this->dbh->escape_string(time() . ":" . $resetpass_token); + + $result = $this->dbh->query("UPDATE ttrss_users + SET resetpass_token = '$resetpass_token_full' + WHERE login = '$login' AND email = '$email'"); + + //Pref_Users::resetUserPassword($id, false); + + print "

"; + + print "

"."Completed."."

"; + } else { + print_error("User ID not found."); + } print " -- 2.39.2
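Review bot: The reset token is written to `resetpass_token` in clear, and only after `quickMail()` has already sent the link, with the UPDATE result never checked. A failed write therefore leaves the user with a dead link, and anyone who can read `ttrss_users` can use a pending token. Store the token before mailing and consider persisting only a digest, e.g. `time() . ":" . sha1($resetpass_token)`, with the verification branch hashing the supplied `hash` before it compares. `if (!$rc) print_error($mail->ErrorInfo);` also shows mailer diagnostics to an unauthenticated visitor; a generic message with the detail sent to the server log would be safer. `$login` and `$email` are interpolated into the new UPDATE too, and any escaping of them happens outside this hunk, so that needs confirming.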