
<?php

/* GNU FM -- a free network service for sharing your music listening habits
   Copyright (C) 2009 Free Software Foundation, Inc

   This program is free software: you can redistribute it and/or modify
   it under the terms of the GNU Affero General Public License as published by
   the Free Software Foundation, either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU Affero General Public License for more details.

   You should have received a copy of the GNU Affero General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.

 */

// TODO: Check if the request has expired before changing.

require_once('database.php');
require_once('templating.php');
// Included but not referenced anywhere in this file.
require_once('utils/EmailAddressValidator.php');

// `global` at file scope is a no-op (the variable is already global); kept
// as a marker that $adodb is expected to be set up by an included file —
// presumably database.php.
global $adodb;
// Accumulated error text; the branches below hand it to error.tpl.
$errors = '';

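/**
 * Send a plain-text message from the recovery address.
 *
 * The address comes from a database row rather than from the request, but it
 * is the one value that reaches the mail transport, so it is validated before
 * mail() sees it: an address containing CR/LF or other junk must not be able
 * to add headers or recipients. Such input is refused instead of being sent.
 *
 * @param string $text  message body
 * @param string $email recipient address
 * @return bool false when $email is not a syntactically valid address,
 *              otherwise whatever mail() reports (acceptance for delivery,
 *              not proof of receipt)
 */
function sendEmail($text, $email) {
	if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
		return false;
	}
	$headers = 'From: Libre.fm Reset <recovery@libre.fm>';
	$subject = 'Libre.fm Password Reset';
	return mail($email, $subject, $text, $headers);
}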

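// Branch 1: a recovery link was followed (?code=...). Look the request up,
// set a fresh temporary password, mail it, and consume the request.
if (isset($_GET['code'])) {
	$code = is_string($_GET['code']) ? $_GET['code'] : '';

	// Codes are issued as 32 hex characters (see the second branch), so
	// anything else cannot match a row; refuse it without touching the DB.
	if (!preg_match('/^[0-9a-f]{32}$/', $code)) {
		$errors .= "Invalid reset token.\n";
		$smarty->assign('errors', $errors);
		$smarty->display('error.tpl');
		die();
	}

	$adodb->SetFetchMode(ADODB_FETCH_ASSOC);
	$row = $adodb->GetRow('SELECT * FROM Recovery_Request WHERE code=' . $adodb->qstr($code));

	// The request is written with expires = time() + 86400 (second branch);
	// enforce it here. Unknown and expired codes get the same message so the
	// response does not say which of the two it was.
	if (!$row || ((int) $row['expires']) < time()) {
		$errors .= "Invalid reset token.\n";
		$smarty->assign('errors', $errors);
		$smarty->display('error.tpl');
		die();
	}

	// 8 characters from [a-z0-9]. random_int() is a CSPRNG (PHP >= 7);
	// mt_rand() is only a fallback for older runtimes and is predictable.
	$chars = 'abcdefghijklmnopqrstuvwxyz0123456789';
	$last = strlen($chars) - 1;
	$password = '';
	for ($i = 0; $i < 8; $i++) {
		$index = function_exists('random_int') ? random_int(0, $last) : mt_rand(0, $last);
		$password .= $chars[$index];
	}

	$email = $row['email'];

	// NOTE(review): Users.password holds an unsalted md5; the login code
	// elsewhere depends on that format, so it is not changed here.
	$sql = 'UPDATE Users SET password=' . $adodb->qstr(md5($password)) . ' WHERE email='
		. $adodb->qstr($email);
	$adodb->Execute($sql);

	// Consume the request before mailing so the same link cannot be used
	// again. (The previous DELETE compared the code column against the
	// e-mail address and therefore never removed the row.)
	$sql = 'DELETE FROM Recovery_Request WHERE code=' . $adodb->qstr($code);
	$adodb->Execute($sql);

	$content = "Hi!\n\nYour password has been set to " . $password . "\n\n - The Libre.fm Team";
	if (!sendEmail($content, $email)) {
		// The password is already changed; tell the user so they can request
		// a new link rather than silently showing "changed".
		$errors .= 'Error while trying to send email to: ' . $email
			. '. Please try again later, or contact the site administrators.';
		$smarty->assign('errors', $errors);
		$smarty->display('error.tpl');
		die();
	}
	$smarty->assign('changed', true);
}

// Branch 2: the form was submitted with a username. Create a recovery
// request valid for one day and e-mail its link.
else if (isset($_POST['user'])) {
	$username = $_POST['user'];

	$adodb->SetFetchMode(ADODB_FETCH_ASSOC);
	$row = false;
	try {
		$row = $adodb->GetRow('SELECT * FROM Users WHERE username=' . $adodb->qstr($username));
	}
	catch (Exception $e) {
		// A query failure is reported the same way as an unknown user.
		$row = false;
	}

	// NOTE(review): this message confirms whether a username exists
	// (user enumeration). Kept because the templates expect it; a neutral
	// "if the account exists, mail has been sent" response would avoid it.
	if (!$row) {
		$errors .= "User not found.\n";
		$smarty->assign('errors', $errors);
		$smarty->display('error.tpl');
		die();
	}

	// The code is the whole secret in the e-mailed link, so it must be
	// unguessable. The previous md5(username . email . time()) could be
	// reproduced by anyone knowing the e-mail address and roughly when the
	// request was made. Both forms are 32 hex chars, so existing rows and
	// the check in the first branch keep working.
	$code = function_exists('random_bytes')
		? bin2hex(random_bytes(16))
		: md5(uniqid(mt_rand(), true));

	// Replace any earlier request for this user. Deleting zero rows is not
	// an error, so the former COUNT(*) round trip is unnecessary.
	$sql = 'DELETE FROM Recovery_Request WHERE username =' . $adodb->qstr($username);
	try {
		$adodb->Execute($sql);
		$sql = 'INSERT INTO Recovery_Request (username, email, code, expires) VALUES('
			. $adodb->qstr($username) . ', '
			. $adodb->qstr($row['email']) . ', '
			. $adodb->qstr($code) . ', '
			. $adodb->qstr(time() + 86400) . ')';
		$adodb->Execute($sql);
	} catch (Exception $e) {
		// Keep the failing statement (table names, submitted username) in
		// the server log instead of showing it to the visitor.
		error_log('reset.php: ' . $e->getMessage() . ' on: ' . $sql);
		$errors .= "Could not create a recovery request. Please try again later.\n";
		$smarty->assign('errors', $errors);
		$smarty->display('error.tpl');
		die();
	}

	// NOTE(review): $base_url is not defined in this file; presumably set by
	// one of the included files — confirm.
	$url = $base_url . '/reset.php?code=' . $code;

	// TODO: Read names from variable
	$content = "Hi!\n\nSomeone entered your username "
		. "in the password reset form at libre.fm. To reset your password, please visit\n\n"
		. $url . "\n\n- The Libre.fm Team";

	if (!sendEmail($content, $row['email'])) {
		$errors .= 'Error while trying to send email to: ' . $row['email']
			. '. Please try again later, or contact the site administrators.';
		$smarty->assign('errors', $errors);
		$smarty->display('error.tpl');
		die();
	}

	$smarty->assign('sent', true);
}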

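// Rendered for every outcome that did not die() above; the template gets
// the 'changed' or 'sent' flag assigned in the branches, or neither on a
// plain GET (presumably the empty form).
$smarty->display('reset.tpl');
// No closing `?>`: in a PHP-only file it can only emit stray whitespace
// after the template output.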