+ - { resource: services_ucp.yml }

+services:

+ phpbb.ucp.controller.reset_password:

+ class: phpbb\ucp\controller\reset_password

+ arguments:

+ - '@config'

+ - '@dbal.conn'

+ - '@dispatcher'

+ - '@controller.helper'

+ - '@language'

+ - '@log'

+ - '@passwords.manager'

+ - '@request'

+ - '@template'

+ - '@user'

+ - '%tables.users%'

+ - '%core.root_path%'

+ - '%core.php_ext%'

+

+phpbb_ucp_routing:

+ resource: ucp.yml

+ prefix: /user

+phpbb_ucp_reset_password_controller:

+ path: /reset_password

+ defaults: { _controller: phpbb.ucp.controller.reset_password:reset }

+

+phpbb_ucp_forgot_password_controller:

+ path: /forgot_password

+ defaults: { _controller: phpbb.ucp.controller.reset_password:request }

+ /** @var \phpbb\controller\helper $controller_helper */

+ $controller_helper = $phpbb_container->get('controller.helper');

+

+ 'U_SEND_PASSWORD' => ($config['email_enable']) ? $controller_helper->route('phpbb_ucp_forgot_password_controller') : '',

+Subject: Account password reset

+

+Hello {USERNAME}

+

+You are receiving this notification because you have requested to recover a forgotten password for your account on "{SITENAME}".

+

+To reset your password, please click the link provided below:

+

+{U_RESET_PASSWORD}

+

+If you did not authorize the request you can ignore this email. Please contact the board administrator if you keep receiving it.

+

+{EMAIL_SIG}

+ 'NO_RESET_TOKEN' => 'You did not provide a password reset token.',

+ 'PASSWORD_RESET' => 'Your password has been successfully reset.',

+ 'PASSWORD_RESET_LINK_SENT' => 'If your account exists, a password reset link was sent to your registered email address. If you do not receive an email, it may be because you are banned, your account is not activated, you have requested multiple password resets within a short time frame, or you are not allowed to change your password. Contact an administrator if any of those reasons apply. Also, please check your spam filter.',

+ 'RESET_PASSWORD' => 'Reset password',

+ 'RESET_TOKEN_EXPIRED_OR_INVALID' => 'The password reset token you supplied is invalid or has expired.',

+<?php

+/**

+ *

+ * This file is part of the phpBB Forum Software package.

+ *

+ * @copyright (c) phpBB Limited <https://www.phpbb.com>

+ * @license GNU General Public License, version 2 (GPL-2.0)

+ *

+ * For full copyright and license information, please see

+ * the docs/CREDITS.txt file.

+ *

+ */

+

+namespace phpbb\db\migration\data\v330;

+

+class reset_password extends \phpbb\db\migration\migration

+{

+ static public function depends_on()

+ {

+ return [

+ '\phpbb\db\migration\data\v330\dev',

+ ];

+ }

+

+ public function update_schema()

+ {

+ return [

+ 'add_columns' => [

+ $this->table_prefix . 'users' => [

+ 'reset_token' => ['VCHAR:64', '', 'after' => 'user_actkey'],

+ 'reset_token_expiration' => ['TIMESTAMP', 0, 'after' => 'reset_token'],

+ ],

+ ],

+ ];

+ }

+

+ public function revert_schema()

+ {

+ return [

+ 'drop_columns' => [

+ $this->table_prefix . 'users' => [

+ 'reset_token',

+ 'reset_token_expiration',

+ ],

+ ],

+ ];

+ }

+}

+<?php

+/**

+*

+* This file is part of the phpBB Forum Software package.

+*

+* @copyright (c) phpBB Limited <https://www.phpbb.com>

+* @license GNU General Public License, version 2 (GPL-2.0)

+*

+* For full copyright and license information, please see

+* the docs/CREDITS.txt file.

+*

+*/

+

+namespace phpbb\ucp\controller;

+

+use phpbb\auth\auth;

+use phpbb\config\config;

+use phpbb\controller\helper;

+use phpbb\db\driver\driver_interface;

+use phpbb\event\dispatcher;

+use phpbb\exception\http_exception;

+use phpbb\language\language;

+use phpbb\log\log_interface;

+use phpbb\passwords\manager;

+use phpbb\request\request_interface;

+use phpbb\template\template;

+use phpbb\user;

+use Symfony\Component\HttpFoundation\Response;

+

+/**

+* Handling forgotten passwords via reset password functionality

+*/

+class reset_password

+{

+ /** @var config */

+ protected $config;

+

+ /** @var driver_interface */

+ protected $db;

+

+ /** @var dispatcher */

+ protected $dispatcher;

+

+ /** @var helper */

+ protected $helper;

+

+ /** @var language */

+ protected $language;

+

+ /** @var log_interface */

+ protected $log;

+

+ /** @var manager */

+ protected $passwords_manager;

+

+ /** @var request_interface */

+ protected $request;

+

+ /** @var template */

+ protected $template;

+

+ /** @var user */

+ protected $user;

+

+ /** @var array phpBB DB table names */

+ protected $users_table;

+

+ /** @var string phpBB root path */

+ protected $root_path;

+

+ /** @var string PHP extension */

+ protected $php_ext;

+

+ /**

+ * Reset password controller constructor.

+ *

+ * @param config $config

+ * @param driver_interface $db

+ * @param dispatcher $dispatcher

+ * @param helper $helper

+ * @param language $language

+ * @param log_interface $log

+ * @param manager $passwords_manager

+ * @param request_interface $request

+ * @param template $template

+ * @param user $user

+ * @param string $users_table

+ * @param string $root_path

+ * @param string $php_ext

+ */

+ public function __construct(config $config, driver_interface $db, dispatcher $dispatcher, helper $helper,

+ language $language, log_interface $log, manager $passwords_manager,

+ request_interface $request, template $template, user $user, string $users_table,

+ string $root_path, string $php_ext)

+ {

+ $this->config = $config;

+ $this->db = $db;

+ $this->dispatcher = $dispatcher;

+ $this->helper = $helper;

+ $this->language = $language;

+ $this->log = $log;

+ $this->passwords_manager = $passwords_manager;

+ $this->request = $request;

+ $this->template = $template;

+ $this->user = $user;

+ $this->users_table = $users_table;

+ $this->root_path = $root_path;

+ $this->php_ext = $php_ext;

+ }

+

+ /**

+ * Init controller

+ */

+ protected function init_controller()

+ {

+ $this->language->add_lang('ucp');

+

+ if (!$this->config['allow_password_reset'])

+ {

+ throw new http_exception(Response::HTTP_OK, 'UCP_PASSWORD_RESET_DISABLED', [

+ '<a href="mailto:' . htmlspecialchars($this->config['board_contact']) . '">',

+ '</a>'

+ ]);

+ }

+ }

+

+ /**

+ * Remove reset token for specified user

+ *

+ * @param int $user_id User ID

+ */

+ protected function remove_reset_token(int $user_id)

+ {

+ $sql_ary = [

+ 'reset_token' => '',

+ 'reset_token_expiration' => 0,

+ ];

+

+ $sql = 'UPDATE ' . $this->users_table . '

+ SET ' . $this->db->sql_build_array('UPDATE', $sql_ary) . '

+ WHERE user_id = ' . $user_id;

+ $this->db->sql_query($sql);

+ }

+

+ /**

+ * Handle password reset request

+ *

+ * @return Response

+ */

+ public function request()

+ {

+ $this->init_controller();

+

+ $submit = $this->request->is_set_post('submit');

+ $username = $this->request->variable('username', '', true);

+ $email = strtolower($this->request->variable('email', ''));

+

+ add_form_key('ucp_reset_password');

+

+ if ($submit)

+ {

+ if (!check_form_key('ucp_reset_password'))

+ {

+ throw new http_exception(Response::HTTP_UNAUTHORIZED, 'FORM_INVALID');

+ }

+

+ if (empty($email))

+ {

+ return $this->helper->message('NO_EMAIL_USER');

+ }

+

+ $sql_array = [

+ 'SELECT' => 'user_id, username, user_permissions, user_email, user_jabber, user_notify_type, user_type,'

+ . ' user_lang, user_inactive_reason, reset_token, reset_token_expiration',

+ 'FROM' => [$this->users_table => 'u'],

+ 'WHERE' => "user_email_hash = '" . $this->db->sql_escape(phpbb_email_hash($email)) . "'" .

+ (!empty($username) ? " AND username_clean = '" . $this->db->sql_escape(utf8_clean_string($username)) . "'" : ''),

+ ];

+

+ /**

+ * Change SQL query for fetching user data

+ *

+ * @event core.ucp_remind_modify_select_sql

+ * @var string email User's email from the form

+ * @var string username User's username from the form

+ * @var array sql_array Fully assembled SQL query with keys SELECT, FROM, WHERE

+ * @since 3.1.11-RC1

+ * @changed 3.3.0-b1 Moved to reset password controller

+ */

+ $vars = [

+ 'email',

+ 'username',

+ 'sql_array',

+ ];

+ extract($this->dispatcher->trigger_event('core.ucp_remind_modify_select_sql', compact($vars)));

+

+ $sql = $this->db->sql_build_query('SELECT', $sql_array);

+ $result = $this->db->sql_query_limit($sql, 2); // don't waste resources on more rows than we need

+ $rowset = $this->db->sql_fetchrowset($result);

+ $this->db->sql_freeresult($result);

+

+ if (count($rowset) > 1)

+ {

+ $this->template->assign_vars([

+ 'USERNAME_REQUIRED' => true,

+ 'EMAIL' => $email,

+ ]);

+ }

+ else

+ {

+ $message = $this->language->lang('PASSWORD_RESET_LINK_SENT') . '<br /><br />' . $this->language->lang('RETURN_INDEX', '<a href="' . append_sid("{$this->root_path}index.{$this->php_ext}") . '">', '</a>');

+

+ if (empty($rowset))

+ {

+ return $this->helper->message($message);

+ }

+

+ $user_row = $rowset[0];

+

+ if ($user_row['user_type'] == USER_IGNORE || $user_row['user_type'] == USER_INACTIVE)

+ {

+ return $this->helper->message($message);

+ }

+

+ // Do not create multiple valid reset tokens

+ if (!empty($user_row['reset_token']) && (int) $user_row['reset_token_expiration'] >= time())

+ {

+ return $this->helper->message($message);

+ }

+

+ // Check users permissions

+ $auth = new auth();

+ $auth->acl($user_row);

+

+ if (!$auth->acl_get('u_chgpasswd'))

+ {

+ return $this->helper->message($message);

+ }

+

+ // Generate reset token

+ $reset_token = strtolower(gen_rand_string(32));

+

+ $sql_ary = [

+ 'reset_token' => $reset_token,

+ 'reset_token_expiration' => strtotime('+1 day'),

+ ];

+

+ $sql = 'UPDATE ' . $this->users_table . '

+ SET ' . $this->db->sql_build_array('UPDATE', $sql_ary) . '

+ WHERE user_id = ' . $user_row['user_id'];

+ $this->db->sql_query($sql);

+

+ if (!class_exists('messenger'))

+ {

+ include($this->root_path . 'includes/functions_messenger.' . $this->php_ext);

+ }

+

+ /** @var \messenger $messenger */

+ $messenger = new \messenger(false);

+

+ $messenger->template('user_forgot_password', $user_row['user_lang']);

+

+ $messenger->set_addresses($user_row);

+

+ $messenger->anti_abuse_headers($this->config, $this->user);

+

+ $messenger->assign_vars([

+ 'USERNAME' => htmlspecialchars_decode($user_row['username']),

+ 'U_RESET_PASSWORD' => generate_board_url(true) . $this->helper->route('phpbb_ucp_reset_password_controller', [

+ 'u' => $user_row['user_id'],

+ 'token' => $reset_token,

+ ], false)

+ ]);

+

+ $messenger->send($user_row['user_notify_type']);

+

+ return $this->helper->message($message);

+ }

+ }

+

+ $this->template->assign_vars([

+ 'USERNAME' => $username,

+ 'EMAIL' => $email,

+ 'U_RESET_PASSWORD_ACTION' => $this->helper->route('phpbb_ucp_forgot_password_controller'),

+ ]);

+

+ return $this->helper->render('ucp_reset_password.html', $this->language->lang('RESET_PASSWORD'));

+ }

+

+ /**

+ * Handle controller requests

+ *

+ * @return Response

+ */

+ public function reset()

+ {

+ $this->init_controller();

+

+ $submit = $this->request->is_set_post('submit');

+ $reset_token = $this->request->variable('token', '');

+ $user_id = $this->request->variable('u', 0);

+

+ if (empty($reset_token))

+ {

+ return $this->helper->message('NO_RESET_TOKEN');

+ }

+

+ if (!$user_id)

+ {

+ return $this->helper->message('NO_USER');

+ }

+

+ add_form_key('ucp_reset_password');

+

+ $sql_array = [

+ 'SELECT' => 'user_id, username, user_permissions, user_email, user_jabber, user_notify_type, user_type,'

+ . ' user_lang, user_inactive_reason, reset_token, reset_token_expiration',

+ 'FROM' => [$this->users_table => 'u'],

+ 'WHERE' => 'user_id = ' . $user_id,

+ ];

+

+ /**

+ * Change SQL query for fetching user data

+ *

+ * @event core.ucp_reset_password_modify_select_sql

+ * @var int user_id User ID from the form

+ * @var string reset_token Reset token

+ * @var array sql_array Fully assembled SQL query with keys SELECT, FROM, WHERE

+ * @since 3.3.0-b1

+ */

+ $vars = [

+ 'user_id',

+ 'reset_token',

+ 'sql_array',

+ ];

+ extract($this->dispatcher->trigger_event('core.ucp_reset_password_modify_select_sql', compact($vars)));

+

+ $sql = $this->db->sql_build_query('SELECT', $sql_array);

+ $result = $this->db->sql_query_limit($sql, 1);

+ $user_row = $this->db->sql_fetchrow($result);

+ $this->db->sql_freeresult($result);

+

+ $message = $this->language->lang('RESET_TOKEN_EXPIRED_OR_INVALID') . '<br /><br />' . $this->language->lang('RETURN_INDEX', '<a href="' . append_sid("{$this->root_path}index.{$this->php_ext}") . '">', '</a>');

+

+ if (empty($user_row))

+ {

+ return $this->helper->message($message);

+ }

+

+ if (!hash_equals($reset_token, $user_row['reset_token']))

+ {

+ return $this->helper->message($message);

+ }

+

+ if ($user_row['reset_token_expiration'] < time())

+ {

+ $this->remove_reset_token($user_id);

+

+ return $this->helper->message($message);

+ }

+

+ $errors = [];

+

+ if ($submit)

+ {

+ if (!check_form_key('ucp_reset_password'))

+ {

+ return $this->helper->message('FORM_INVALID');

+ }

+

+ if ($user_row['user_type'] == USER_IGNORE || $user_row['user_type'] == USER_INACTIVE)

+ {

+ return $this->helper->message($message);

+ }

+

+ // Check users permissions

+ $auth = new auth();

+ $auth->acl($user_row);

+

+ if (!$auth->acl_get('u_chgpasswd'))

+ {

+ return $this->helper->message($message);

+ }

+

+ if (!function_exists('validate_data'))

+ {

+ include($this->root_path . 'includes/functions_user.' . $this->php_ext);

+ }

+

+ $data = [

+ 'new_password' => $this->request->untrimmed_variable('new_password', '', true),

+ 'password_confirm' => $this->request->untrimmed_variable('new_password_confirm', '', true),

+ ];

+ $check_data = [

+ 'new_password' => [

+ ['string', false, $this->config['min_pass_chars'], $this->config['max_pass_chars']],

+ ['password'],

+ ],

+ 'password_confirm' => ['string', true, $this->config['min_pass_chars'], $this->config['max_pass_chars']],

+ ];

+ $errors = array_merge($errors, validate_data($data, $check_data));

+ if (strcmp($data['new_password'], $data['password_confirm']) !== 0)

+ {

+ $errors[] = $data['password_confirm'] ? 'NEW_PASSWORD_ERROR' : 'NEW_PASSWORD_CONFIRM_EMPTY';

+ }

+ if (empty($errors))

+ {

+ $sql_ary = [

+ 'user_password' => $this->passwords_manager->hash($data['new_password']),

+ 'user_login_attempts' => 0,

+ 'reset_token' => '',

+ 'reset_token_expiration' => 0,

+ ];

+ $sql = 'UPDATE ' . $this->users_table . '

+ SET ' . $this->db->sql_build_array('UPDATE', $sql_ary) . '

+ WHERE user_id = ' . (int) $user_row['user_id'];

+ $this->db->sql_query($sql);

+ $this->log->add('user', $user_row['user_id'], $this->user->ip, 'LOG_USER_NEW_PASSWORD', false, [

+ 'reportee_id' => $user_row['user_id'],

+ $user_row['username']

+ ]);

+ meta_refresh(3, append_sid("{$this->root_path}index.{$this->php_ext}"));

+ return $this->helper->message($this->language->lang('PASSWORD_RESET'));

+ }

+ }

+

+ if (!empty($errors))

+ {

+ $this->template->assign_block_vars_array('PASSWORD_RESET_ERRORS', array_map([$this->language, 'lang'], $errors));

+ }

+

+ $this->template->assign_vars([

+ 'S_IS_PASSWORD_RESET' => true,

+ 'U_RESET_PASSWORD_ACTION' => $this->helper->route('phpbb_ucp_reset_password_controller'),

+ 'S_HIDDEN_FIELDS' => build_hidden_fields([

+ 'u' => $user_id,

+ 'token' => $reset_token,

+ ]),

+ ]);

+

+ return $this->helper->render('ucp_reset_password.html', $this->language->lang('RESET_PASSWORD'));

+ }

+}

+<!-- INCLUDE overall_header.html -->

+

+<form action="{{ U_RESET_PASSWORD_ACTION }}" method="post" id="reset_password">

+

+<div class="panel">

+ <div class="inner">

+

+ <div class="content">

+ <h2>{{ lang('RESET_PASSWORD') }}</h2>

+

+ <fieldset>

+ {% if S_IS_PASSWORD_RESET %}

+ {% if PASSWORD_RESET_ERRORS %}<p class="error">{{ PASSWORD_RESET_ERRORS | join('<br>') }}</p>{% endif %}

+ <dl>

+ <dt><label for="new_password">{{ lang('NEW_PASSWORD') ~ lang('COLON') }}</label></dt>

+ <dd><input type="password" name="new_password" id="new_password" size="25" maxlength="255" title="{{ lang('CHANGE_PASSWORD') }}" autocomplete="off" /></dd>

+ </dl>

+ <dl>

+ <dt><label for="new_password_confirm">{{ lang('CONFIRM_PASSWORD') ~ lang('COLON') }}</label></dt>

+ <dd><input type="password" name="new_password_confirm" id="new_password_confirm" size="25" maxlength="255" title="{{ lang('CONFIRM_PASSWORD') }}" autocomplete="off" /></dd>

+ </dl>

+ {% else %}

+ {% if USERNAME_REQUIRED %}

+ <p class="error">{{ lang('EMAIL_NOT_UNIQUE') }}</p>

+ {% endif %}

+ <dl>

+ <dt><label for="email">{{ lang('EMAIL_ADDRESS') ~ lang('COLON') }}</label><br /><span>{{ lang('EMAIL_REMIND') }}</span></dt>

+ <dd><input class="inputbox narrow" type="email" name="email" id="email" size="25" maxlength="100" value="{{ EMAIL }}" autofocus /></dd>

+ </dl>

+ {% if USERNAME_REQUIRED %}

+ <dl>

+ <dt><label for="username">{{ lang('USERNAME') ~ lang('COLON') }}</label></dt>

+ <dd><input class="inputbox narrow" type="text" name="username" id="username" size="25" /></dd>

+ </dl>

+ {% endif %}

+ {% endif %}

+ <dl>

+ <dt>&nbsp;</dt>

+ <dd>{{ S_HIDDEN_FIELDS }}<input type="submit" name="submit" id="submit" class="button1" value="{{ lang('SUBMIT') }}" tabindex="2" />&nbsp; <input type="reset" value="{{ lang('RESET') }}" name="reset" class="button2" /></dd>

+ </dl>

+ {{ S_FORM_TOKEN }}

+ </fieldset>

+ </div>

+

+ </div>

+</div>

+</form>

+

+<!-- INCLUDE overall_footer.html -->

+ /** @var \phpbb\controller\helper $controller_helper */

+ $controller_helper = $phpbb_container->get('controller.helper');

+

+ redirect($controller_helper->route('phpbb_ucp_forgot_password_controller'));

+ 'reset_token' => '',

+ 'reset_token_expiration' => '0',

+ $crawler = self::request('GET', 'app.php/user/forgot_password');

+ $this->assertEquals($this->lang('RESET_PASSWORD'), $crawler->filter('h2')->text());

+ $crawler = self::request('GET', 'app.php/user/forgot_password');

+ $this->assertContains('app.php/user/forgot_password', $crawler->getUri());

+ $crawler = self::request('GET', "app.php/user/forgot_password?sid={$this->sid}");

+ $this->assertContainsLang('PASSWORD_RESET_LINK_SENT', $crawler->text());

+ $crawler = self::request('GET', "app.php/user/forgot_password?sid={$this->sid}");

+ $this->assertContainsLang('PASSWORD_RESET_LINK_SENT', $crawler->text());

+ $this->assertNotEmpty($this->user_data['reset_token']);

+ $this->assertNotEmpty($this->user_data['reset_token_expiration']);

+ $reset_token = $this->user_data['reset_token'];

+ $reset_token_expiration = $this->user_data['reset_token_expiration'];

+

+ // Check that reset token is only created once per day

+ $crawler = self::request('GET', "app.php/user/forgot_password?sid={$this->sid}");

+ $form = $crawler->selectButton('submit')->form(array(

+ 'email' => 'reset-password-test-user@test.com',

+ ));

+ $crawler = self::submit($form);

+ $this->assertContainsLang('PASSWORD_RESET_LINK_SENT', $crawler->text());

+

+ $this->get_user_data('reset-password-test-user');

+ $this->assertNotEmpty($this->user_data['reset_token']);

+ $this->assertNotEmpty($this->user_data['reset_token_expiration']);

+ $this->assertEquals($reset_token, $this->user_data['reset_token']);

+ $this->assertEquals($reset_token_expiration, $this->user_data['reset_token_expiration']);

+ $crawler = self::request('GET', "app.php/user/forgot_password?sid={$this->sid}");

+ $this->assertContainsLang('PASSWORD_RESET_LINK_SENT', $crawler->text());

+ $this->assertNotEmpty($this->user_data['reset_token']);

+ $this->assertNotEmpty($this->user_data['reset_token_expiration']);

+ $this->assertGreaterThan(time(), $this->user_data['reset_token_expiration']);

+ public function data_reset_user_password()

+ return [

+ ['RESET_TOKEN_EXPIRED_OR_INVALID', 0, 'abcdef'],

+ ['NO_USER', ' ', 'abcdef'],

+ ['NO_RESET_TOKEN', 0, ' '],

+ ['RESET_TOKEN_EXPIRED_OR_INVALID', 2, ''],

+ ['RESET_TOKEN_EXPIRED_OR_INVALID', 1e7, ''],

+ ['', 0, ''],

+ ['NO_RESET_TOKEN', 0, ''], // already reset

+ ];

+ * @dataProvider data_reset_user_password

+ */

+ public function test_reset_user_password($expected, $user_id, $token)

+ $user_id = !$user_id ? $this->user_data['user_id'] : $user_id;

+ $token = !$token ? $this->user_data['reset_token'] : $token;

+

+ $crawler = self::request('GET', "app.php/user/reset_password?u=$user_id&token=$token");

+ if ($expected)

+ {

+ $this->assertContainsLang($expected, $crawler->text());

+ }

+ else

+ {

+ $form = $crawler->filter('input[type=submit]')->form();

+ $values = array_merge($form->getValues(), [

+ 'new_password' => 'reset-password-test-user',

+ 'new_password_confirm' => 'reset-password-test-user',

+ ]);

+ $crawler = self::submit($form, $values);

+ $this->assertContainsLang('PASSWORD_RESET', $crawler->text());

+ }

+ $sql = 'SELECT user_id, username, user_type, user_email, user_newpasswd, user_lang, user_notify_type, user_actkey, user_inactive_reason, reset_token, reset_token_expiration