reduce complexity of password recovery controller

8 years ago · f2630162e9
parent ac53559fea
commit f2630162e9
4 changed files with 74 additions and 70 deletions
--- a/includes/controller/users_controller.php
+++ b/includes/controller/users_controller.php
@ -206,85 +206,82 @@ function users_list_controller() {
 }

 /**
- * User password recovery.
- * (By email)
+ * Second step of password recovery: set a new password using the token link from email
 */
-function user_password_recovery_controller() {
-  if (isset($_REQUEST['token'])) {
-    $user_source = User_by_password_recovery_token($_REQUEST['token']);
-    if ($user_source === false) {
-      engelsystem_error("Unable to load user.");
-    }
-    if ($user_source == null) {
-      error(_("Token is not correct."));
-      redirect(page_link_to('login'));
-    }
+function user_password_recovery_set_new_controller() {
+  $user_source = User_by_password_recovery_token($_REQUEST['token']);
+  if ($user_source == null) {
+    error(_("Token is not correct."));
+    redirect(page_link_to('login'));
+  }
+  
+  if (isset($_REQUEST['submit'])) {
+    $valid = true;
    
-    if (isset($_REQUEST['submit'])) {
-      $valid = true;
-      
-      if (isset($_REQUEST['password']) && strlen($_REQUEST['password']) >= MIN_PASSWORD_LENGTH) {
-        if ($_REQUEST['password'] != $_REQUEST['password2']) {
-          $valid = false;
-          error(_("Your passwords don't match."));
-        }
-      } else {
+    if (isset($_REQUEST['password']) && strlen($_REQUEST['password']) >= MIN_PASSWORD_LENGTH) {
+      if ($_REQUEST['password'] != $_REQUEST['password2']) {
        $valid = false;
-        error(_("Your password is to short (please use at least 6 characters)."));
-      }
-      
-      if ($valid) {
-        $result = set_password($user_source['UID'], $_REQUEST['password']);
-        if ($result === false) {
-          engelsystem_error(_("Password could not be updated."));
-        }
-        
-        success(_("Password saved."));
-        redirect(page_link_to('login'));
+        error(_("Your passwords don't match."));
      }
+    } else {
+      $valid = false;
+      error(_("Your password is to short (please use at least 6 characters)."));
    }
    
-    return User_password_set_view();
-  } else {
-    if (isset($_REQUEST['submit'])) {
-      $valid = true;
-      
-      if (isset($_REQUEST['email']) && strlen(strip_request_item('email')) > 0) {
-        $email = strip_request_item('email');
-        if (check_email($email)) {
-          $user_source = User_by_email($email);
-          if ($user_source === false) {
-            engelsystem_error("Unable to load user.");
-          }
-          if ($user_source == null) {
-            $valid = false;
-            error(_("E-mail address is not correct."));
-          }
-        } else {
+    if ($valid) {
+      set_password($user_source['UID'], $_REQUEST['password']);
+      success(_("Password saved."));
+      redirect(page_link_to('login'));
+    }
+  }
+  
+  return User_password_set_view();
+}
+
+/**
+ * First step of password recovery: display a form that asks for your email and send email with recovery link
+ */
+function user_password_recovery_start_controller() {
+  if (isset($_REQUEST['submit'])) {
+    $valid = true;
+    
+    if (isset($_REQUEST['email']) && strlen(strip_request_item('email')) > 0) {
+      $email = strip_request_item('email');
+      if (check_email($email)) {
+        $user_source = User_by_email($email);
+        if ($user_source == null) {
          $valid = false;
          error(_("E-mail address is not correct."));
        }
      } else {
        $valid = false;
-        error(_("Please enter your e-mail."));
-      }
-      
-      if ($valid) {
-        $token = User_generate_password_recovery_token($user_source);
-        if ($token === false) {
-          engelsystem_error("Unable to generate password recovery token.");
-        }
-        $result = engelsystem_email_to_user($user_source, _("Password recovery"), sprintf(_("Please visit %s to recover your password."), page_link_to_absolute('user_password_recovery') . '&token=' . $token));
-        if ($result === false) {
-          engelsystem_error("Unable to send password recovery email.");
-        }
-        
-        success(_("We sent an email containing your password recovery link."));
-        redirect(page_link_to('login'));
+        error(_("E-mail address is not correct."));
      }
+    } else {
+      $valid = false;
+      error(_("Please enter your e-mail."));
    }
    
-    return User_password_recovery_view();
+    if ($valid) {
+      $token = User_generate_password_recovery_token($user_source);
+      engelsystem_email_to_user($user_source, _("Password recovery"), sprintf(_("Please visit %s to recover your password."), page_link_to_absolute('user_password_recovery') . '&token=' . $token));
+      success(_("We sent an email containing your password recovery link."));
+      redirect(page_link_to('login'));
+    }
+  }
+  
+  return User_password_recovery_view();
+}
+
+/**
+ * User password recovery in 2 steps.
+ * (By email)
+ */
+function user_password_recovery_controller() {
+  if (isset($_REQUEST['token'])) {
+    return user_password_recovery_set_new_controller();
+  } else {
+    return user_password_recovery_start_controller();
  }
 }

--- a/includes/helper/email_helper.php
+++ b/includes/helper/email_helper.php
@ -16,7 +16,10 @@ function engelsystem_email_to_user($recipient_user, $title, $message, $not_if_it
 }

 function engelsystem_email($address, $title, $message) {
-  return mail($address, $title, $message, "Content-Type: text/plain; charset=UTF-8\r\nFrom: Engelsystem <noreply@engelsystem.de>");
+  $result = mail($address, $title, $message, "Content-Type: text/plain; charset=UTF-8\r\nFrom: Engelsystem <noreply@engelsystem.de>");
+  if ($result === false) {
+    engelsystem_error('Unable to send email.');
+  }
 }

 ?>
--- a/includes/model/User_model.php
+++ b/includes/model/User_model.php
@ -313,7 +313,7 @@ function User_by_api_key($api_key) {
 function User_by_email($email) {
  $user = sql_select("SELECT * FROM `User` WHERE `email`='" . sql_escape($email) . "' LIMIT 1");
  if ($user === false) {
-    return false;
+    engelsystem_error("Unable to load user.");
  }
  if (count($user) == 0) {
    return null;
@ -330,7 +330,7 @@ function User_by_email($email) {
 function User_by_password_recovery_token($token) {
  $user = sql_select("SELECT * FROM `User` WHERE `password_recovery_token`='" . sql_escape($token) . "' LIMIT 1");
  if ($user === false) {
-    return false;
+    engelsystem_error("Unable to load user.");
  }
  if (count($user) == 0) {
    return null;
@ -363,7 +363,7 @@ function User_generate_password_recovery_token(&$user) {
  $user['password_recovery_token'] = md5($user['Nick'] . time() . rand());
  $result = sql_query("UPDATE `User` SET `password_recovery_token`='" . sql_escape($user['password_recovery_token']) . "' WHERE `UID`='" . sql_escape($user['UID']) . "' LIMIT 1");
  if ($result === false) {
-    return false;
+    engelsystem_error("Unable to generate password recovery token.");
  }
  engelsystem_log("Password recovery for " . User_Nick_render($user) . " started.");
  return $user['password_recovery_token'];
--- a/includes/sys_auth.php
+++ b/includes/sys_auth.php
@ -39,7 +39,11 @@ function generate_salt($length = 16) {
 * set the password of a user
 */
 function set_password($uid, $password) {
-  return sql_query("UPDATE `User` SET `Passwort` = '" . sql_escape(crypt($password, CRYPT_ALG . '$' . generate_salt(16) . '$')) . "', `password_recovery_token`=NULL WHERE `UID` = " . intval($uid) . " LIMIT 1");
+  $result = sql_query("UPDATE `User` SET `Passwort` = '" . sql_escape(crypt($password, CRYPT_ALG . '$' . generate_salt(16) . '$')) . "', `password_recovery_token`=NULL WHERE `UID` = " . intval($uid) . " LIMIT 1");
+  if ($result === false) {
+    engelsystem_error('Unable to update password.');
+  }
+  return $result;
 }

 /**