Fix various issues with Forget Password action - Fix #863

pydio · Mar 18, 2015 · 7abfda2 · 7abfda2
1 parent 73cc5c6
commit 7abfda2
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 22 deletions.
diff --git a/core/src/plugins/authfront.keystore/class.KeystoreAuthFrontend.php b/core/src/plugins/authfront.keystore/class.KeystoreAuthFrontend.php
@@ -79,16 +79,14 @@ public function revokeUserTokens($userId){
         $this->storage = ConfService::getConfStorageImpl();
         if(!is_a($this->storage, "sqlConfDriver")) return false;
 
-        $user = AuthService::getLoggedUser()->getId();
-        if($userId == $user || AuthService::getLoggedUser()->isAdmin()){
-            $keys = $this->storage->simpleStoreList("keystore", null, "", "serial", '%"USER_ID";s:'.strlen($userId).':"'.$userId.'"%');
-            foreach($keys as $keyId => $keyData){
-                $this->storage->simpleStoreClear("keystore", $keyId);
-            }
-            if(count($keys)){
-                $this->logInfo(__FUNCTION__, "Revoking ".count($keys)." keys for user '".$userId."' on password change action.");
-            }
+        $keys = $this->storage->simpleStoreList("keystore", null, "", "serial", '%"USER_ID";s:'.strlen($userId).':"'.$userId.'"%');
+        foreach($keys as $keyId => $keyData){
+            $this->storage->simpleStoreClear("keystore", $keyId);
+        }
+        if(count($keys)){
+            $this->logInfo(__FUNCTION__, "Revoking ".count($keys)." keys for user '".$userId."' on password change action.");
         }
+        return null;
     }
 
     /**

diff --git a/core/src/plugins/gui.ajax/class.AJXP_ClientDriver.php b/core/src/plugins/gui.ajax/class.AJXP_ClientDriver.php
@@ -144,7 +144,7 @@ public function switchAction($action, $httpVars, $fileVars)
                     $root = '/'.ltrim(parse_url($configUrl, PHP_URL_PATH), '/');
                     if(strlen($root) > 1) $root = rtrim($root, '/').'/';
                 }else{
-                    preg_match ('/ws-(.)*\/|settings|dashboard|welcome/', $root, $matches, PREG_OFFSET_CAPTURE);
+                    preg_match ('/ws-(.)*\/|settings|dashboard|welcome|user/', $root, $matches, PREG_OFFSET_CAPTURE);
                     if(count($matches)){
                         $capture = $matches[0][1];
                         $root = substr($root, 0, $capture);

diff --git a/core/src/plugins/gui.user/class.UserGuiController.php b/core/src/plugins/gui.user/class.UserGuiController.php
@@ -60,15 +60,26 @@ public function processUserAccessPoint($action, $httpVars, $fileVars)
     {
         switch ($action) {
             case "user_access_point":
-
-                $uri = explode("/", trim($_SERVER["REQUEST_URI"], "/"));
-                array_shift($uri);
-                $action = array_shift($uri);
-                $this->processSubAction($action, $uri);
-                $_SESSION['OVERRIDE_GUI_START_PARAMETERS'] = array(
-                    "REBASE"=>"../../",
-                    "USER_GUI_ACTION" => $action
-                );
+                $setUrl = ConfService::getCoreConf("SERVER_URL");
+                $realUri = "/";
+                if(!empty($setUrl)){
+                    $realUri = parse_url(ConfService::getCoreConf("SERVER_URL"), PHP_URL_PATH);
+                }
+                $requestURI = str_replace("//", "/", $_SERVER["REQUEST_URI"]);
+                $uri = trim(str_replace(rtrim($realUri, "/")."/user", "", $requestURI), "/");
+                $uriParts = explode("/", $uri);
+                $action = array_shift($uriParts);
+                try{
+                    $this->processSubAction($action, $uriParts);
+                    $_SESSION['OVERRIDE_GUI_START_PARAMETERS'] = array(
+                        "REBASE"=>"../../",
+                        "USER_GUI_ACTION" => $action
+                    );
+                }catch(Exception $e){
+                    $_SESSION['OVERRIDE_GUI_START_PARAMETERS'] = array(
+                        "ALERT" => $e->getMessage()
+                    );
+                }
                 AJXP_Controller::findActionAndApply("get_boot_gui", array(), array());
                 unset($_SESSION['OVERRIDE_GUI_START_PARAMETERS']);
 
@@ -106,10 +117,13 @@ public function processUserAccessPoint($action, $httpVars, $fileVars)
                 // This is a reset password
                 if (isSet($httpVars["key"]) && isSet($httpVars["user_id"])) {
                     $key = ConfService::getConfStorageImpl()->loadTemporaryKey("password-reset", $httpVars["key"]);
+                    ConfService::getConfStorageImpl()->deleteTemporaryKey("password-reset", $httpVars["key"]);
                     if ($key != null && $key["user_id"] == $httpVars["user_id"] && AuthService::userExists($key["user_id"])) {
                         AuthService::updatePassword($key["user_id"], $httpVars["new_pass"]);
+                    }else{
+                        echo 'ERROR';
+                        break;
                     }
-                    ConfService::getConfStorageImpl()->deleteTemporaryKey("password-reset", $httpVars["key"]);
                 }
                 AuthService::disconnect();
                 echo 'SUCCESS';
@@ -129,8 +143,8 @@ protected function processSubAction($actionName, $args)
                 if (count($args)) {
                     $token = $args[0];
                     $key = ConfService::getConfStorageImpl()->loadTemporaryKey("password-reset", $token);
-                    if ($key == null) {
-
+                    if ($key == null || $key["user_id"] === false) {
+                        throw new Exception("Invalid password reset key! Did you make sure to copy the correct link?");
                     }
                 }
                 break;