Permalink
Fetching contributors…
Cannot retrieve contributors at this time
281 lines (229 sloc) 10.2 KB
<?php
// +-----------------------------------------------------------------------+
// | Phyxo - Another web based photo gallery |
// | Copyright(C) 2014-2015 Nicolas Roudaire http://www.phyxo.net/ |
// +-----------------------------------------------------------------------+
// | Copyright(C) 2008-2014 Piwigo Team http://piwigo.org |
// | Copyright(C) 2003-2008 PhpWebGallery Team http://phpwebgallery.net |
// | Copyright(C) 2002-2003 Pierrick LE GALL http://le-gall.net/pierrick |
// +-----------------------------------------------------------------------+
// | This program is free software; you can redistribute it and/or modify |
// | it under the terms of the GNU General Public License as published by |
// | the Free Software Foundation |
// | |
// | This program is distributed in the hope that it will be useful, but |
// | WITHOUT ANY WARRANTY; without even the implied warranty of |
// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
// | General Public License for more details. |
// | |
// | You should have received a copy of the GNU General Public License |
// | along with this program; if not, write to the Free Software |
// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
// | USA. |
// +-----------------------------------------------------------------------+
// +-----------------------------------------------------------------------+
// | initialization |
// +-----------------------------------------------------------------------+
define('PHPWG_ROOT_PATH','./');
include_once( PHPWG_ROOT_PATH.'include/common.inc.php' );
include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
// +-----------------------------------------------------------------------+
// | Check Access and exit when user status is not ok |
// +-----------------------------------------------------------------------+
$services['users']->checkStatus(ACCESS_FREE);
trigger_notify('loc_begin_password');
// +-----------------------------------------------------------------------+
// | Functions |
// +-----------------------------------------------------------------------+
/**
* checks the validity of input parameters, fills $page['errors'] and
* $page['infos'] and send an email with confirmation link
*
* @return bool (true if email was sent, false otherwise)
*/
function process_password_request() {
global $page, $conf, $conn, $services;
if (empty($_POST['username_or_email'])) {
$page['errors'][] = l10n('Invalid username or email');
return false;
}
$user_id = $services['users']->getUserIdByEmail($_POST['username_or_email']);
if (!is_numeric($user_id)) {
$user_id = $services['users']->getUserId($_POST['username_or_email']);
}
if (!is_numeric($user_id)) {
$page['errors'][] = l10n('Invalid username or email');
return false;
}
$userdata = $services['users']->getUserData($user_id, false);
// password request is not possible for guest/generic users
$status = $userdata['status'];
if ($services['users']->isGuest($status) or $services['users']->isGeneric($status)) {
$page['errors'][] = l10n('Password reset is not allowed for this user');
return false;
}
if (empty($userdata['email'])) {
$page['errors'][] = l10n(
'User "%s" has no email address, password reset is not possible',
$userdata['username']
);
return false;
}
if (empty($userdata['activation_key'])) {
$activation_key = get_user_activation_key();
$conn->single_update(
USER_INFOS_TABLE,
array('activation_key' => $activation_key),
array('user_id' => $user_id)
);
$userdata['activation_key'] = $activation_key;
}
set_make_full_url();
$message = l10n('Someone requested that the password be reset for the following user account:') . "\r\n\r\n";
$message.= l10n(
'Username "%s" on gallery %s',
$userdata['username'],
get_gallery_home_url()
);
$message.= "\r\n\r\n";
$message.= l10n('To reset your password, visit the following address:') . "\r\n";
$message.= get_gallery_home_url().'/password.php?key='.$userdata['activation_key']."\r\n\r\n";
$message.= l10n('If this was a mistake, just ignore this email and nothing will happen.')."\r\n";
unset_make_full_url();
$message = trigger_change('render_lost_password_mail_content', $message);
$email_params = array(
'subject' => '['.$conf['gallery_title'].'] '.l10n('Password Reset'),
'content' => $message,
'email_format' => 'text/plain',
);
if (pwg_mail($userdata['email'], $email_params)) {
$page['infos'][] = l10n('Check your email for the confirmation link');
return true;
} else {
$page['errors'][] = l10n('Error sending email');
return false;
}
}
/**
* checks the passwords, checks that user is allowed to reset his password,
* update password, fills $page['errors'] and $page['infos'].
*
* @return bool (true if password was reset, false otherwise)
*/
function reset_password() {
global $page, $user, $conf, $conn, $services;
if ($_POST['use_new_pwd'] != $_POST['passwordConf']) {
$page['errors'][] = l10n('The passwords do not match');
return false;
}
if (isset($_GET['key'])) {
$user_id = $services['users']->checkPasswordResetKey($_GET['key']);
if (!is_numeric($user_id)) {
$page['errors'][] = l10n('Invalid key');
return false;
}
} else {
// we check the currently logged in user
if ($services['users']->isGuest() or $services['users']->isGeneric()) {
$page['errors'][] = l10n('Password reset is not allowed for this user');
return false;
}
$user_id = $user['id'];
}
$conn->single_update(
USERS_TABLE,
array($conf['user_fields']['password'] => $conf['password_hash']($_POST['use_new_pwd'])),
array($conf['user_fields']['id'] => $user_id)
);
$page['infos'][] = l10n('Your password has been reset');
if (isset($_GET['key'])) {
$page['infos'][] = '<a href="'.get_root_url().'identification.php">'.l10n('Login').'</a>';
} else {
$page['infos'][] = '<a href="'.get_gallery_home_url().'">'.l10n('Return to home page').'</a>';
}
return true;
}
// +-----------------------------------------------------------------------+
// | Process form |
// +-----------------------------------------------------------------------+
if (isset($_POST['submit'])) {
check_pwg_token();
if ('lost' == $_GET['action']) {
if (process_password_request()) {
$page['action'] = 'none';
}
}
if ('reset' == $_GET['action']) {
if (reset_password()) {
$page['action'] = 'none';
}
}
}
// +-----------------------------------------------------------------------+
// | key and action |
// +-----------------------------------------------------------------------+
// a connected user can't reset the password from a mail
if (isset($_GET['key']) and !$services['users']->isGuest()) {
unset($_GET['key']);
}
if (isset($_GET['key'])) {
$user_id = $services['users']->checkPasswordResetKey($_GET['key']);
if (is_numeric($user_id)) {
$userdata = $services['users']->getUserData($user_id, false);
$page['username'] = $userdata['username'];
$template->assign('key', $_GET['key']);
if (!isset($page['action'])) {
$page['action'] = 'reset';
}
} else {
$page['action'] = 'none';
}
}
if (!isset($page['action'])) {
if (!isset($_GET['action'])) {
$page['action'] = 'lost';
} elseif (in_array($_GET['action'], array('lost', 'reset', 'none'))) {
$page['action'] = $_GET['action'];
}
}
if ('reset' == $page['action'] and !isset($_GET['key']) and ($services['users']->isGuest() or $services['users']->isGeneric())) {
redirect(get_gallery_home_url());
}
if ('lost' == $page['action'] and !$services['users']->isGuest()) {
redirect(get_gallery_home_url());
}
// +-----------------------------------------------------------------------+
// | template initialization |
// +-----------------------------------------------------------------------+
$title = l10n('Password Reset');
if ('lost' == $page['action']) {
$title = l10n('Forgot your password?');
if (isset($_POST['username_or_email'])) {
// @TODO: remove that stupid code
$template->assign('username_or_email', htmlspecialchars(stripslashes($_POST['username_or_email'])));
}
}
$page['body_id'] = 'thePasswordPage';
$template->set_filenames(array('password'=>'password.tpl'));
$template->assign(
array(
'title' => $title,
'form_action'=> get_root_url().'password.php',
'action' => $page['action'],
'username' => isset($page['username']) ? $page['username'] : $user['username'],
'PWG_TOKEN' => get_pwg_token(),
)
);
// include menubar
$themeconf = $template->get_template_vars('themeconf');
if (!isset($themeconf['hide_menu_on']) OR !in_array('thePasswordPage', $themeconf['hide_menu_on'])) {
include( PHPWG_ROOT_PATH.'include/menubar.inc.php');
}
// +-----------------------------------------------------------------------+
// | html code display |
// +-----------------------------------------------------------------------+
include(PHPWG_ROOT_PATH.'include/page_header.php');
trigger_notify('loc_end_password');
flush_page_messages();
$template->pparse('password');
include(PHPWG_ROOT_PATH.'include/page_tail.php');