passreset.php 4.28 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
<?php

set_include_path(get_include_path() . PATH_SEPARATOR . '../lib');

include_once("aur.inc");         # access AUR common functions

set_lang();                 # this sets up the visitor's language
check_sid();                # see if they're still logged in

if (isset($_COOKIE["AURSID"])) {
	header('Location: index.php');
	exit();
}

$error = '';

if (isset($_GET['resetkey'], $_POST['email'], $_POST['password'], $_POST['confirm'])) {
	$resetkey = $_GET['resetkey'];
	$email = $_POST['email'];
	$password = $_POST['password'];
	$confirm = $_POST['confirm'];
	$uid = uid_from_email($email);

	if (empty($email) || empty($password)) {
		$error = __('Missing a required field.');
	} elseif ($password != $confirm) {
		$error = __('Password fields do not match.');
	} elseif ($uid == NULL || $uid == 'None') {
		$error = __('Invalid e-mail.');
	}

	if (empty($error)) {
		$dbh = db_connect();
Denis's avatar
Denis committed
34
35
		$salt = generate_salt();
		$hash = salted_hash($password, $salt);
36
37
38
		# The query below won't affect any records unless the ResetKey
		# and Email combination is correct and ResetKey is nonempty
		$q = "UPDATE Users
Denis's avatar
Denis committed
39
40
		      SET Passwd = '$hash',
		      Salt = '$salt',
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
		      ResetKey = ''
		      WHERE ResetKey != ''
		      AND ResetKey = '".mysql_real_escape_string($resetkey)."'
		      AND Email = '".mysql_real_escape_string($email)."'";
		$result = db_query($q, $dbh);
		if (!mysql_affected_rows($dbh)) {
			$error = __('Invalid e-mail and reset key combination.');
		} else {
			header('Location: passreset.php?step=complete');
			exit();
		}
	}
} elseif (isset($_POST['email'])) {
	$email = $_POST['email'];
	$uid = uid_from_email($email);
	if ($uid != NULL && $uid != 'None') {
		# We (ab)use new_sid() to get a random 32 characters long string
		$resetkey = new_sid();
		$dbh = db_connect();
		$q = "UPDATE Users
61
62
		      SET ResetKey = '" . $resetkey . "'
		      WHERE ID = " . $uid;
63
64
65
66
67
68
69
		db_query($q, $dbh);
		# Send email with confirmation link
		$body = __('A password reset request was submitted for the account '.
		           'associated with your e-mail address. If you wish to reset '.
		           'your password follow the link below, otherwise ignore '.
		           'this message and nothing will happen.').
		           "\n\n".
70
		           'https://aur.archlinux.org/passreset.php?'.
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
		           "resetkey={$resetkey}";
		$body = wordwrap($body, 70);
		$headers = "To: {$email}\nReply-to: nobody@archlinux.org\nFrom:aur-notify@archlinux.org\nX-Mailer: PHP\nX-MimeOLE: Produced By AUR";
		@mail(' ', 'AUR Password Reset', $body, $headers);

	}
	header('Location: passreset.php?step=confirm');
	exit();
}

$step = isset($_GET['step']) ? $_GET['step'] : NULL;

html_header(__("Password Reset"));

?>

<div class="pgbox">
	<div class="pgboxtitle">
		<span class="f3"><?php print __("Password Reset"); ?></span>
	</div>
	<div class="pgboxbody">
		<?php
		if ($error) {
			echo '<p><span class="error">'.$error.'</span></p>';
		}
		?>
		<?php
		if ($step == 'confirm') {
			echo __('Check your e-mail for the confirmation link.');
		} elseif ($step == 'complete') {
			echo __('Your password has been reset successfully.');
		} elseif (isset($_GET['resetkey'])) {
		?>
		<form action="" method="post">
			<table>
				<tr>
					<td><?php echo __("Confirm your e-mail address:"); ?></td>
					<td><input type="text" name="email" size="30" maxlength="64" /></td>
				</tr>
				<tr>
					<td><?php echo __("Enter your new password:"); ?></td>
					<td><input type="password" name="password" size="30" maxlength="32" /></td>
				</tr>
				<tr>
					<td><?php echo __("Confirm your new password:"); ?></td>
					<td><input type="password" name="confirm" size="30" maxlength="32" /></td>
				</tr>
			</table>
			<br />
120
			<input type="submit" class="button" value="<?php echo __('Continue') ?>" />
121
122
123
124
		</form>
		<?php
		} else {
		?>
125
		<p><?php echo __('If you have forgotten the e-mail address you used to register, please send a message to the %haur-general%h mailing list.',
126
127
128
129
130
		'<a href="http://mailman.archlinux.org/mailman/listinfo/aur-general">',
		'</a>'); ?></p>
		<form action="" method="post">
			<p><?php echo __("Enter your e-mail address:"); ?>
			<input type="text" name="email" size="30" maxlength="64" /></p>
131
			<input type="submit" class="button" value="<?php echo __('Continue') ?>" />
132
133
134
135
136
137
138
139
		</form>
		<?php } ?>
	</div>
</div>

<?php

html_footer(AUR_VERSION);