aboutsummaryrefslogtreecommitdiffstats
path: root/phpBB/phpbb/ucp/controller/reset_password.php
diff options
context:
space:
mode:
authorMaat <maat-pub@mageia.biz>2020-05-09 01:15:08 +0200
committerMaat <maat-pub@mageia.biz>2020-05-09 01:15:08 +0200
commit6985226b17e8a0ef0a720bf1d12fe0c216e13dab (patch)
tree116d2565ac02c40abe0548863c6badf8ec3e1d1e /phpBB/phpbb/ucp/controller/reset_password.php
parent8ea437e30605e0f66b5220bf904a61d7c1d11ddd (diff)
parent8d00784dfe2c8bcb10843ff70b4cfa998d703285 (diff)
downloadforums-master.tar
forums-master.tar.gz
forums-master.tar.bz2
forums-master.tar.xz
forums-master.zip
Merge remote-tracking branch 'upstream/prep-release-3.3.0'HEADmaster
Diffstat (limited to 'phpBB/phpbb/ucp/controller/reset_password.php')
-rw-r--r--phpBB/phpbb/ucp/controller/reset_password.php443
1 files changed, 443 insertions, 0 deletions
diff --git a/phpBB/phpbb/ucp/controller/reset_password.php b/phpBB/phpbb/ucp/controller/reset_password.php
new file mode 100644
index 0000000000..5c27c4f414
--- /dev/null
+++ b/phpBB/phpbb/ucp/controller/reset_password.php
@@ -0,0 +1,443 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\ucp\controller;
+
+use phpbb\auth\auth;
+use phpbb\config\config;
+use phpbb\controller\helper;
+use phpbb\db\driver\driver_interface;
+use phpbb\event\dispatcher;
+use phpbb\exception\http_exception;
+use phpbb\language\language;
+use phpbb\log\log_interface;
+use phpbb\passwords\manager;
+use phpbb\request\request_interface;
+use phpbb\template\template;
+use phpbb\user;
+use Symfony\Component\HttpFoundation\Response;
+
+/**
+* Handling forgotten passwords via reset password functionality
+*/
+class reset_password
+{
+ /** @var config */
+ protected $config;
+
+ /** @var driver_interface */
+ protected $db;
+
+ /** @var dispatcher */
+ protected $dispatcher;
+
+ /** @var helper */
+ protected $helper;
+
+ /** @var language */
+ protected $language;
+
+ /** @var log_interface */
+ protected $log;
+
+ /** @var manager */
+ protected $passwords_manager;
+
+ /** @var request_interface */
+ protected $request;
+
+ /** @var template */
+ protected $template;
+
+ /** @var user */
+ protected $user;
+
+ /** @var array phpBB DB table names */
+ protected $users_table;
+
+ /** @var string phpBB root path */
+ protected $root_path;
+
+ /** @var string PHP extension */
+ protected $php_ext;
+
+ /**
+ * Reset password controller constructor.
+ *
+ * @param config $config
+ * @param driver_interface $db
+ * @param dispatcher $dispatcher
+ * @param helper $helper
+ * @param language $language
+ * @param log_interface $log
+ * @param manager $passwords_manager
+ * @param request_interface $request
+ * @param template $template
+ * @param user $user
+ * @param string $users_table
+ * @param string $root_path
+ * @param string $php_ext
+ */
+ public function __construct(config $config, driver_interface $db, dispatcher $dispatcher, helper $helper,
+ language $language, log_interface $log, manager $passwords_manager,
+ request_interface $request, template $template, user $user, string $users_table,
+ string $root_path, string $php_ext)
+ {
+ $this->config = $config;
+ $this->db = $db;
+ $this->dispatcher = $dispatcher;
+ $this->helper = $helper;
+ $this->language = $language;
+ $this->log = $log;
+ $this->passwords_manager = $passwords_manager;
+ $this->request = $request;
+ $this->template = $template;
+ $this->user = $user;
+ $this->users_table = $users_table;
+ $this->root_path = $root_path;
+ $this->php_ext = $php_ext;
+ }
+
+ /**
+ * Init controller
+ */
+ protected function init_controller()
+ {
+ $this->language->add_lang('ucp');
+
+ if (!$this->config['allow_password_reset'])
+ {
+ throw new http_exception(Response::HTTP_OK, 'UCP_PASSWORD_RESET_DISABLED', [
+ '<a href="mailto:' . htmlspecialchars($this->config['board_contact']) . '">',
+ '</a>'
+ ]);
+ }
+ }
+
+ /**
+ * Remove reset token for specified user
+ *
+ * @param int $user_id User ID
+ */
+ protected function remove_reset_token(int $user_id)
+ {
+ $sql_ary = [
+ 'reset_token' => '',
+ 'reset_token_expiration' => 0,
+ ];
+
+ $sql = 'UPDATE ' . $this->users_table . '
+ SET ' . $this->db->sql_build_array('UPDATE', $sql_ary) . '
+ WHERE user_id = ' . $user_id;
+ $this->db->sql_query($sql);
+ }
+
+ /**
+ * Handle password reset request
+ *
+ * @return Response
+ */
+ public function request()
+ {
+ $this->init_controller();
+
+ $submit = $this->request->is_set_post('submit');
+ $username = $this->request->variable('username', '', true);
+ $email = strtolower($this->request->variable('email', ''));
+
+ add_form_key('ucp_reset_password');
+
+ if ($submit)
+ {
+ if (!check_form_key('ucp_reset_password'))
+ {
+ throw new http_exception(Response::HTTP_UNAUTHORIZED, 'FORM_INVALID');
+ }
+
+ if (empty($email))
+ {
+ return $this->helper->message('NO_EMAIL_USER');
+ }
+
+ $sql_array = [
+ 'SELECT' => 'user_id, username, user_permissions, user_email, user_jabber, user_notify_type, user_type,'
+ . ' user_lang, user_inactive_reason, reset_token, reset_token_expiration',
+ 'FROM' => [$this->users_table => 'u'],
+ 'WHERE' => "user_email = '" . $this->db->sql_escape($email) . "'" .
+ (!empty($username) ? " AND username_clean = '" . $this->db->sql_escape(utf8_clean_string($username)) . "'" : ''),
+ ];
+
+ /**
+ * Change SQL query for fetching user data
+ *
+ * @event core.ucp_remind_modify_select_sql
+ * @var string email User's email from the form
+ * @var string username User's username from the form
+ * @var array sql_array Fully assembled SQL query with keys SELECT, FROM, WHERE
+ * @since 3.1.11-RC1
+ * @changed 3.3.0-b1 Moved to reset password controller
+ */
+ $vars = [
+ 'email',
+ 'username',
+ 'sql_array',
+ ];
+ extract($this->dispatcher->trigger_event('core.ucp_remind_modify_select_sql', compact($vars)));
+
+ $sql = $this->db->sql_build_query('SELECT', $sql_array);
+ $result = $this->db->sql_query_limit($sql, 2); // don't waste resources on more rows than we need
+ $rowset = $this->db->sql_fetchrowset($result);
+ $this->db->sql_freeresult($result);
+
+ if (count($rowset) > 1)
+ {
+ $this->template->assign_vars([
+ 'USERNAME_REQUIRED' => true,
+ 'EMAIL' => $email,
+ ]);
+ }
+ else
+ {
+ $message = $this->language->lang('PASSWORD_RESET_LINK_SENT') . '<br /><br />' . $this->language->lang('RETURN_INDEX', '<a href="' . append_sid("{$this->root_path}index.{$this->php_ext}") . '">', '</a>');
+
+ if (empty($rowset))
+ {
+ return $this->helper->message($message);
+ }
+
+ $user_row = $rowset[0];
+
+ if ($user_row['user_type'] == USER_IGNORE || $user_row['user_type'] == USER_INACTIVE)
+ {
+ return $this->helper->message($message);
+ }
+
+ // Do not create multiple valid reset tokens
+ if (!empty($user_row['reset_token']) && (int) $user_row['reset_token_expiration'] >= time())
+ {
+ return $this->helper->message($message);
+ }
+
+ // Check users permissions
+ $auth = new auth();
+ $auth->acl($user_row);
+
+ if (!$auth->acl_get('u_chgpasswd'))
+ {
+ return $this->helper->message($message);
+ }
+
+ // Generate reset token
+ $reset_token = strtolower(gen_rand_string(32));
+
+ $sql_ary = [
+ 'reset_token' => $reset_token,
+ 'reset_token_expiration' => strtotime('+1 day'),
+ ];
+
+ $sql = 'UPDATE ' . $this->users_table . '
+ SET ' . $this->db->sql_build_array('UPDATE', $sql_ary) . '
+ WHERE user_id = ' . $user_row['user_id'];
+ $this->db->sql_query($sql);
+
+ if (!class_exists('messenger'))
+ {
+ include($this->root_path . 'includes/functions_messenger.' . $this->php_ext);
+ }
+
+ /** @var \messenger $messenger */
+ $messenger = new \messenger(false);
+
+ $messenger->template('user_forgot_password', $user_row['user_lang']);
+
+ $messenger->set_addresses($user_row);
+
+ $messenger->anti_abuse_headers($this->config, $this->user);
+
+ $messenger->assign_vars([
+ 'USERNAME' => htmlspecialchars_decode($user_row['username']),
+ 'U_RESET_PASSWORD' => generate_board_url(true) . $this->helper->route('phpbb_ucp_reset_password_controller', [
+ 'u' => $user_row['user_id'],
+ 'token' => $reset_token,
+ ], false)
+ ]);
+
+ $messenger->send($user_row['user_notify_type']);
+
+ return $this->helper->message($message);
+ }
+ }
+
+ $this->template->assign_vars([
+ 'USERNAME' => $username,
+ 'EMAIL' => $email,
+ 'U_RESET_PASSWORD_ACTION' => $this->helper->route('phpbb_ucp_forgot_password_controller'),
+ ]);
+
+ return $this->helper->render('ucp_reset_password.html', $this->language->lang('RESET_PASSWORD'));
+ }
+
+ /**
+ * Handle controller requests
+ *
+ * @return Response
+ */
+ public function reset()
+ {
+ $this->init_controller();
+
+ $submit = $this->request->is_set_post('submit');
+ $reset_token = $this->request->variable('token', '');
+ $user_id = $this->request->variable('u', 0);
+
+ if (empty($reset_token))
+ {
+ return $this->helper->message('NO_RESET_TOKEN');
+ }
+
+ if (!$user_id)
+ {
+ return $this->helper->message('NO_USER');
+ }
+
+ add_form_key('ucp_reset_password');
+
+ $sql_array = [
+ 'SELECT' => 'user_id, username, user_permissions, user_email, user_jabber, user_notify_type, user_type,'
+ . ' user_lang, user_inactive_reason, reset_token, reset_token_expiration',
+ 'FROM' => [$this->users_table => 'u'],
+ 'WHERE' => 'user_id = ' . $user_id,
+ ];
+
+ /**
+ * Change SQL query for fetching user data
+ *
+ * @event core.ucp_reset_password_modify_select_sql
+ * @var int user_id User ID from the form
+ * @var string reset_token Reset token
+ * @var array sql_array Fully assembled SQL query with keys SELECT, FROM, WHERE
+ * @since 3.3.0-b1
+ */
+ $vars = [
+ 'user_id',
+ 'reset_token',
+ 'sql_array',
+ ];
+ extract($this->dispatcher->trigger_event('core.ucp_reset_password_modify_select_sql', compact($vars)));
+
+ $sql = $this->db->sql_build_query('SELECT', $sql_array);
+ $result = $this->db->sql_query_limit($sql, 1);
+ $user_row = $this->db->sql_fetchrow($result);
+ $this->db->sql_freeresult($result);
+
+ $message = $this->language->lang('RESET_TOKEN_EXPIRED_OR_INVALID') . '<br /><br />' . $this->language->lang('RETURN_INDEX', '<a href="' . append_sid("{$this->root_path}index.{$this->php_ext}") . '">', '</a>');
+
+ if (empty($user_row))
+ {
+ return $this->helper->message($message);
+ }
+
+ if (!hash_equals($reset_token, $user_row['reset_token']))
+ {
+ return $this->helper->message($message);
+ }
+
+ if ($user_row['reset_token_expiration'] < time())
+ {
+ $this->remove_reset_token($user_id);
+
+ return $this->helper->message($message);
+ }
+
+ $errors = [];
+
+ if ($submit)
+ {
+ if (!check_form_key('ucp_reset_password'))
+ {
+ return $this->helper->message('FORM_INVALID');
+ }
+
+ if ($user_row['user_type'] == USER_IGNORE || $user_row['user_type'] == USER_INACTIVE)
+ {
+ return $this->helper->message($message);
+ }
+
+ // Check users permissions
+ $auth = new auth();
+ $auth->acl($user_row);
+
+ if (!$auth->acl_get('u_chgpasswd'))
+ {
+ return $this->helper->message($message);
+ }
+
+ if (!function_exists('validate_data'))
+ {
+ include($this->root_path . 'includes/functions_user.' . $this->php_ext);
+ }
+
+ $data = [
+ 'new_password' => $this->request->untrimmed_variable('new_password', '', true),
+ 'password_confirm' => $this->request->untrimmed_variable('new_password_confirm', '', true),
+ ];
+ $check_data = [
+ 'new_password' => [
+ ['string', false, $this->config['min_pass_chars'], 0],
+ ['password'],
+ ],
+ 'password_confirm' => ['string', true, $this->config['min_pass_chars'], 0],
+ ];
+ $errors = array_merge($errors, validate_data($data, $check_data));
+ if (strcmp($data['new_password'], $data['password_confirm']) !== 0)
+ {
+ $errors[] = $data['password_confirm'] ? 'NEW_PASSWORD_ERROR' : 'NEW_PASSWORD_CONFIRM_EMPTY';
+ }
+ if (empty($errors))
+ {
+ $sql_ary = [
+ 'user_password' => $this->passwords_manager->hash($data['new_password']),
+ 'user_login_attempts' => 0,
+ 'reset_token' => '',
+ 'reset_token_expiration' => 0,
+ ];
+ $sql = 'UPDATE ' . $this->users_table . '
+ SET ' . $this->db->sql_build_array('UPDATE', $sql_ary) . '
+ WHERE user_id = ' . (int) $user_row['user_id'];
+ $this->db->sql_query($sql);
+ $this->log->add('user', $user_row['user_id'], $this->user->ip, 'LOG_USER_NEW_PASSWORD', false, [
+ 'reportee_id' => $user_row['user_id'],
+ $user_row['username']
+ ]);
+ meta_refresh(3, append_sid("{$this->root_path}index.{$this->php_ext}"));
+ return $this->helper->message($this->language->lang('PASSWORD_RESET'));
+ }
+ }
+
+ if (!empty($errors))
+ {
+ $this->template->assign_block_vars_array('PASSWORD_RESET_ERRORS', array_map([$this->language, 'lang'], $errors));
+ }
+
+ $this->template->assign_vars([
+ 'S_IS_PASSWORD_RESET' => true,
+ 'U_RESET_PASSWORD_ACTION' => $this->helper->route('phpbb_ucp_reset_password_controller'),
+ 'S_HIDDEN_FIELDS' => build_hidden_fields([
+ 'u' => $user_id,
+ 'token' => $reset_token,
+ ]),
+ ]);
+
+ return $this->helper->render('ucp_reset_password.html', $this->language->lang('RESET_PASSWORD'));
+ }
+}