[ticket/10432] Don't require username when user forgets password

PHPBB3-10432
author: Jakub Senko <jakubsenko@gmail.com> 2016-03-14 14:42:48 +0100
committer: Jakub Senko <jakubsenko@gmail.com> 2018-10-18 18:51:16 +0200
commit: 101d3b763308efe823d03c09bd0a4a109d19fc26 (patch)
tree: b68e25e318006513b62145edfc8286057336fd92 /phpBB
parent: 7e003bf687b340bba822fc512bfb2b2c8235a6ad (diff)
download: forums-101d3b763308efe823d03c09bd0a4a109d19fc26.tar
forums-101d3b763308efe823d03c09bd0a4a109d19fc26.tar.gz
forums-101d3b763308efe823d03c09bd0a4a109d19fc26.tar.bz2
forums-101d3b763308efe823d03c09bd0a4a109d19fc26.tar.xz
forums-101d3b763308efe823d03c09bd0a4a109d19fc26.zip
3 files changed, 80 insertions, 56 deletions
diff --git a/phpBB/includes/ucp/ucp_remind.php b/phpBB/includes/ucp/ucp_remind.php
index f46df99edb..0843d6c249 100644
--- a/phpBB/includes/ucp/ucp_remind.php
+++ b/phpBB/includes/ucp/ucp_remind.php
@@ -50,11 +50,16 @@ class ucp_remind
 				trigger_error('FORM_INVALID');
 			}
 
+			if (empty($email))
+			{
+				trigger_error('NO_EMAIL_USER');
+			}
+
 			$sql_array = array(
 				'SELECT'	=> 'user_id, username, user_permissions, user_email, user_jabber, user_notify_type, user_type, user_lang, user_inactive_reason',
 				'FROM'		=> array(USERS_TABLE => 'u'),
-				'WHERE'		=> "user_email_hash = '" . $db->sql_escape(phpbb_email_hash($email)) . "'
-									AND username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'"
+				'WHERE'		=> "user_email_hash = '" . $db->sql_escape(phpbb_email_hash($email)) . "'" .
+					(!empty($username) ? " AND username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'" : ''),
 			);
 
 			/**
@@ -75,81 +80,94 @@ class ucp_remind
 
 			$sql = $db->sql_build_query('SELECT', $sql_array);
 			$result = $db->sql_query($sql);
-			$user_row = $db->sql_fetchrow($result);
-			$db->sql_freeresult($result);
 
-			if (!$user_row)
+			if ($db->sql_affectedrows() > 1)
 			{
-				trigger_error('NO_EMAIL_USER');
-			}
+				$db->sql_freeresult($result);
 
-			if ($user_row['user_type'] == USER_IGNORE)
-			{
-				trigger_error('NO_USER');
+				$template->assign_vars(array(
+					'USERNAME_REQUIRED'	=> true,
+					'EMAIL'				=> $email,
+				));
 			}
-
-			if ($user_row['user_type'] == USER_INACTIVE)
+			else
 			{
-				if ($user_row['user_inactive_reason'] == INACTIVE_MANUAL)
+				$user_row = $db->sql_fetchrow($result);
+				$db->sql_freeresult($result);
+
+				if (!$user_row)
+				{
+					trigger_error('NO_EMAIL_USER');
+				}
+
+				if ($user_row['user_type'] == USER_IGNORE)
 				{
-					trigger_error('ACCOUNT_DEACTIVATED');
+					trigger_error('NO_USER');
 				}
-				else
+
+				if ($user_row['user_type'] == USER_INACTIVE)
 				{
-					trigger_error('ACCOUNT_NOT_ACTIVATED');
+					if ($user_row['user_inactive_reason'] == INACTIVE_MANUAL)
+					{
+						trigger_error('ACCOUNT_DEACTIVATED');
+					}
+					else
+					{
+						trigger_error('ACCOUNT_NOT_ACTIVATED');
+					}
 				}
-			}
 
-			// Check users permissions
-			$auth2 = new \phpbb\auth\auth();
-			$auth2->acl($user_row);
+				// Check users permissions
+				$auth2 = new \phpbb\auth\auth();
+				$auth2->acl($user_row);
 
-			if (!$auth2->acl_get('u_chgpasswd'))
-			{
-				send_status_line(403, 'Forbidden');
-				trigger_error('NO_AUTH_PASSWORD_REMINDER');
-			}
+				if (!$auth2->acl_get('u_chgpasswd'))
+				{
+					send_status_line(403, 'Forbidden');
+					trigger_error('NO_AUTH_PASSWORD_REMINDER');
+				}
 
-			$server_url = generate_board_url();
+				$server_url = generate_board_url();
 
-			// Make password at least 8 characters long, make it longer if admin wants to.
-			// gen_rand_string() however has a limit of 12 or 13.
-			$user_password = gen_rand_string_friendly(max(8, mt_rand((int) $config['min_pass_chars'], (int) $config['max_pass_chars'])));
+				// Make password at least 8 characters long, make it longer if admin wants to.
+				// gen_rand_string() however has a limit of 12 or 13.
+				$user_password = gen_rand_string_friendly(max(8, mt_rand((int) $config['min_pass_chars'], (int) $config['max_pass_chars'])));
 
-			// For the activation key a random length between 6 and 10 will do.
-			$user_actkey = gen_rand_string(mt_rand(6, 10));
+				// For the activation key a random length between 6 and 10 will do.
+				$user_actkey = gen_rand_string(mt_rand(6, 10));
 
-			// Instantiate passwords manager
-			/* @var $manager \phpbb\passwords\manager */
-			$passwords_manager = $phpbb_container->get('passwords.manager');
+				// Instantiate passwords manager
+				/* @var $manager \phpbb\passwords\manager */
+				$passwords_manager = $phpbb_container->get('passwords.manager');
 
-			$sql = 'UPDATE ' . USERS_TABLE . "
-				SET user_newpasswd = '" . $db->sql_escape($passwords_manager->hash($user_password)) . "', user_actkey = '" . $db->sql_escape($user_actkey) . "'
-				WHERE user_id = " . $user_row['user_id'];
-			$db->sql_query($sql);
+				$sql = 'UPDATE ' . USERS_TABLE . "
+					SET user_newpasswd = '" . $db->sql_escape($passwords_manager->hash($user_password)) . "', user_actkey = '" . $db->sql_escape($user_actkey) . "'
+					WHERE user_id = " . $user_row['user_id'];
+				$db->sql_query($sql);
 
-			include_once($phpbb_root_path . 'includes/functions_messenger.' . $phpEx);
+				include_once($phpbb_root_path . 'includes/functions_messenger.' . $phpEx);
 
-			$messenger = new messenger(false);
+				$messenger = new messenger(false);
 
-			$messenger->template('user_activate_passwd', $user_row['user_lang']);
+				$messenger->template('user_activate_passwd', $user_row['user_lang']);
 
-			$messenger->set_addresses($user_row);
+				$messenger->set_addresses($user_row);
 
-			$messenger->anti_abuse_headers($config, $user);
+				$messenger->anti_abuse_headers($config, $user);
 
-			$messenger->assign_vars(array(
-				'USERNAME'		=> htmlspecialchars_decode($user_row['username']),
-				'PASSWORD'		=> htmlspecialchars_decode($user_password),
-				'U_ACTIVATE'	=> "$server_url/ucp.$phpEx?mode=activate&u={$user_row['user_id']}&k=$user_actkey")
-			);
+				$messenger->assign_vars(array(
+					'USERNAME'		=> htmlspecialchars_decode($user_row['username']),
+					'PASSWORD'		=> htmlspecialchars_decode($user_password),
+					'U_ACTIVATE'	=> "$server_url/ucp.$phpEx?mode=activate&u={$user_row['user_id']}&k=$user_actkey")
+				);
 
-			$messenger->send($user_row['user_notify_type']);
+				$messenger->send($user_row['user_notify_type']);
 
-			meta_refresh(3, append_sid("{$phpbb_root_path}index.$phpEx"));
+				meta_refresh(3, append_sid("{$phpbb_root_path}index.$phpEx"));
 
-			$message = $user->lang['PASSWORD_UPDATED'] . '<br /><br />' . sprintf($user->lang['RETURN_INDEX'], '<a href="' . append_sid("{$phpbb_root_path}index.$phpEx") . '">', '</a>');
-			trigger_error($message);
+				$message = $user->lang['PASSWORD_UPDATED'] . '<br /><br />' . sprintf($user->lang['RETURN_INDEX'], '<a href="' . append_sid("{$phpbb_root_path}index.$phpEx") . '">', '</a>');
+				trigger_error($message);
+			}
 		}
 
 		$template->assign_vars(array(
diff --git a/phpBB/language/en/ucp.php b/phpBB/language/en/ucp.php
index 5056e23d24..301739186c 100644
--- a/phpBB/language/en/ucp.php
+++ b/phpBB/language/en/ucp.php
@@ -386,6 +386,7 @@ $lang = array_merge($lang, array(
 	'NO_BOOKMARKS_SELECTED'		=> 'You have selected no bookmarks.',
 	'NO_EDIT_READ_MESSAGE'		=> 'Private message cannot be edited because it has already been read.',
 	'NO_EMAIL_USER'				=> 'The email/username information submitted could not be found.',
+	'EMAIL_NOT_UNIQUE'			=> 'Email you specified is used by multiple users. You must specify username as well.',
 	'NO_FOES'					=> 'No foes currently defined',
 	'NO_FRIENDS'				=> 'No friends currently defined',
 	'NO_FRIENDS_OFFLINE'		=> 'No friends offline',
diff --git a/phpBB/styles/prosilver/template/ucp_remind.html b/phpBB/styles/prosilver/template/ucp_remind.html
index 0ab1251d9e..8b700de430 100644
--- a/phpBB/styles/prosilver/template/ucp_remind.html
+++ b/phpBB/styles/prosilver/template/ucp_remind.html
@@ -9,14 +9,19 @@
 		<h2>{L_SEND_PASSWORD}</h2>
 
 		<fieldset>
+			{% if USERNAME_REQUIRED %}
+				<p class="error">{{ lang('EMAIL_NOT_UNIQUE') }}</p>
+			{% endif %}
 		<dl>
-			<dt><label for="username">{L_USERNAME}{L_COLON}</label></dt>
-			<dd><input class="inputbox narrow" type="text" name="username" id="username" size="25" /></dd>
+			<dt><label for="email">{L_EMAIL_ADDRESS}{L_COLON}</label><br /><span>{L_EMAIL_REMIND}</span></dt>
+			<dd><input class="inputbox narrow" type="email" name="email" id="email" size="25" maxlength="100" value="{{ EMAIL }}" autofocus /></dd>
 		</dl>
+		{% if USERNAME_REQUIRED %}
 		<dl>
-			<dt><label for="email">{L_EMAIL_ADDRESS}{L_COLON}</label><br /><span>{L_EMAIL_REMIND}</span></dt>
-			<dd><input class="inputbox narrow" type="email" name="email" id="email" size="25" maxlength="100" /></dd>
+			<dt><label for="username">{L_USERNAME}{L_COLON}</label></dt>
+			<dd><input class="inputbox narrow" type="text" name="username" id="username" size="25" /></dd>
 		</dl>
+		{% endif %}
 		<dl>
 			<dt>&nbsp;</dt>
 			<dd>{S_HIDDEN_FIELDS}<input type="submit" name="submit" id="submit" class="button1" value="{L_SUBMIT}" tabindex="2" />&nbsp; <input type="reset" value="{L_RESET}" name="reset" class="button2" /></dd>
author	Jakub Senko <jakubsenko@gmail.com>	2016-03-14 14:42:48 +0100
committer	Jakub Senko <jakubsenko@gmail.com>	2018-10-18 18:51:16 +0200
commit	101d3b763308efe823d03c09bd0a4a109d19fc26 (patch)
tree	b68e25e318006513b62145edfc8286057336fd92 /phpBB
parent	7e003bf687b340bba822fc512bfb2b2c8235a6ad (diff)
download	forums-101d3b763308efe823d03c09bd0a4a109d19fc26.tar forums-101d3b763308efe823d03c09bd0a4a109d19fc26.tar.gz forums-101d3b763308efe823d03c09bd0a4a109d19fc26.tar.bz2 forums-101d3b763308efe823d03c09bd0a4a109d19fc26.tar.xz forums-101d3b763308efe823d03c09bd0a4a109d19fc26.zip