reduce complexity of password recovery controller

main
msquare 8 years ago
parent ac53559fea
commit f2630162e9

@ -206,85 +206,82 @@ function users_list_controller() {
} }
/** /**
* User password recovery. * Second step of password recovery: set a new password using the token link from email
* (By email)
*/ */
function user_password_recovery_controller() { function user_password_recovery_set_new_controller() {
if (isset($_REQUEST['token'])) { $user_source = User_by_password_recovery_token($_REQUEST['token']);
$user_source = User_by_password_recovery_token($_REQUEST['token']); if ($user_source == null) {
if ($user_source === false) { error(_("Token is not correct."));
engelsystem_error("Unable to load user."); redirect(page_link_to('login'));
} }
if ($user_source == null) {
error(_("Token is not correct."));
redirect(page_link_to('login'));
}
if (isset($_REQUEST['submit'])) { if (isset($_REQUEST['submit'])) {
$valid = true; $valid = true;
if (isset($_REQUEST['password']) && strlen($_REQUEST['password']) >= MIN_PASSWORD_LENGTH) { if (isset($_REQUEST['password']) && strlen($_REQUEST['password']) >= MIN_PASSWORD_LENGTH) {
if ($_REQUEST['password'] != $_REQUEST['password2']) { if ($_REQUEST['password'] != $_REQUEST['password2']) {
$valid = false;
error(_("Your passwords don't match."));
}
} else {
$valid = false; $valid = false;
error(_("Your password is to short (please use at least 6 characters).")); error(_("Your passwords don't match."));
} }
} else {
$valid = false;
error(_("Your password is to short (please use at least 6 characters)."));
}
if ($valid) { if ($valid) {
$result = set_password($user_source['UID'], $_REQUEST['password']); set_password($user_source['UID'], $_REQUEST['password']);
if ($result === false) { success(_("Password saved."));
engelsystem_error(_("Password could not be updated.")); redirect(page_link_to('login'));
}
success(_("Password saved."));
redirect(page_link_to('login'));
}
} }
}
return User_password_set_view(); return User_password_set_view();
} else { }
if (isset($_REQUEST['submit'])) {
$valid = true; /**
* First step of password recovery: display a form that asks for your email and send email with recovery link
if (isset($_REQUEST['email']) && strlen(strip_request_item('email')) > 0) { */
$email = strip_request_item('email'); function user_password_recovery_start_controller() {
if (check_email($email)) { if (isset($_REQUEST['submit'])) {
$user_source = User_by_email($email); $valid = true;
if ($user_source === false) {
engelsystem_error("Unable to load user."); if (isset($_REQUEST['email']) && strlen(strip_request_item('email')) > 0) {
} $email = strip_request_item('email');
if ($user_source == null) { if (check_email($email)) {
$valid = false; $user_source = User_by_email($email);
error(_("E-mail address is not correct.")); if ($user_source == null) {
}
} else {
$valid = false; $valid = false;
error(_("E-mail address is not correct.")); error(_("E-mail address is not correct."));
} }
} else { } else {
$valid = false; $valid = false;
error(_("Please enter your e-mail.")); error(_("E-mail address is not correct."));
} }
} else {
$valid = false;
error(_("Please enter your e-mail."));
}
if ($valid) { if ($valid) {
$token = User_generate_password_recovery_token($user_source); $token = User_generate_password_recovery_token($user_source);
if ($token === false) { engelsystem_email_to_user($user_source, _("Password recovery"), sprintf(_("Please visit %s to recover your password."), page_link_to_absolute('user_password_recovery') . '&token=' . $token));
engelsystem_error("Unable to generate password recovery token."); success(_("We sent an email containing your password recovery link."));
} redirect(page_link_to('login'));
$result = engelsystem_email_to_user($user_source, _("Password recovery"), sprintf(_("Please visit %s to recover your password."), page_link_to_absolute('user_password_recovery') . '&token=' . $token));
if ($result === false) {
engelsystem_error("Unable to send password recovery email.");
}
success(_("We sent an email containing your password recovery link."));
redirect(page_link_to('login'));
}
} }
}
return User_password_recovery_view();
}
return User_password_recovery_view(); /**
* User password recovery in 2 steps.
* (By email)
*/
function user_password_recovery_controller() {
if (isset($_REQUEST['token'])) {
return user_password_recovery_set_new_controller();
} else {
return user_password_recovery_start_controller();
} }
} }

@ -16,7 +16,10 @@ function engelsystem_email_to_user($recipient_user, $title, $message, $not_if_it
} }
function engelsystem_email($address, $title, $message) { function engelsystem_email($address, $title, $message) {
return mail($address, $title, $message, "Content-Type: text/plain; charset=UTF-8\r\nFrom: Engelsystem <noreply@engelsystem.de>"); $result = mail($address, $title, $message, "Content-Type: text/plain; charset=UTF-8\r\nFrom: Engelsystem <noreply@engelsystem.de>");
if ($result === false) {
engelsystem_error('Unable to send email.');
}
} }
?> ?>

@ -313,7 +313,7 @@ function User_by_api_key($api_key) {
function User_by_email($email) { function User_by_email($email) {
$user = sql_select("SELECT * FROM `User` WHERE `email`='" . sql_escape($email) . "' LIMIT 1"); $user = sql_select("SELECT * FROM `User` WHERE `email`='" . sql_escape($email) . "' LIMIT 1");
if ($user === false) { if ($user === false) {
return false; engelsystem_error("Unable to load user.");
} }
if (count($user) == 0) { if (count($user) == 0) {
return null; return null;
@ -330,7 +330,7 @@ function User_by_email($email) {
function User_by_password_recovery_token($token) { function User_by_password_recovery_token($token) {
$user = sql_select("SELECT * FROM `User` WHERE `password_recovery_token`='" . sql_escape($token) . "' LIMIT 1"); $user = sql_select("SELECT * FROM `User` WHERE `password_recovery_token`='" . sql_escape($token) . "' LIMIT 1");
if ($user === false) { if ($user === false) {
return false; engelsystem_error("Unable to load user.");
} }
if (count($user) == 0) { if (count($user) == 0) {
return null; return null;
@ -363,7 +363,7 @@ function User_generate_password_recovery_token(&$user) {
$user['password_recovery_token'] = md5($user['Nick'] . time() . rand()); $user['password_recovery_token'] = md5($user['Nick'] . time() . rand());
$result = sql_query("UPDATE `User` SET `password_recovery_token`='" . sql_escape($user['password_recovery_token']) . "' WHERE `UID`='" . sql_escape($user['UID']) . "' LIMIT 1"); $result = sql_query("UPDATE `User` SET `password_recovery_token`='" . sql_escape($user['password_recovery_token']) . "' WHERE `UID`='" . sql_escape($user['UID']) . "' LIMIT 1");
if ($result === false) { if ($result === false) {
return false; engelsystem_error("Unable to generate password recovery token.");
} }
engelsystem_log("Password recovery for " . User_Nick_render($user) . " started."); engelsystem_log("Password recovery for " . User_Nick_render($user) . " started.");
return $user['password_recovery_token']; return $user['password_recovery_token'];

@ -39,7 +39,11 @@ function generate_salt($length = 16) {
* set the password of a user * set the password of a user
*/ */
function set_password($uid, $password) { function set_password($uid, $password) {
return sql_query("UPDATE `User` SET `Passwort` = '" . sql_escape(crypt($password, CRYPT_ALG . '$' . generate_salt(16) . '$')) . "', `password_recovery_token`=NULL WHERE `UID` = " . intval($uid) . " LIMIT 1"); $result = sql_query("UPDATE `User` SET `Passwort` = '" . sql_escape(crypt($password, CRYPT_ALG . '$' . generate_salt(16) . '$')) . "', `password_recovery_token`=NULL WHERE `UID` = " . intval($uid) . " LIMIT 1");
if ($result === false) {
engelsystem_error('Unable to update password.');
}
return $result;
} }
/** /**

Loading…
Cancel
Save