
<?php

/* Libre.fm -- a free network service for sharing your music listening habits

   Copyright (C) 2009 Libre.fm Project

   This program is free software: you can redistribute it and/or modify
   it under the terms of the GNU Affero General Public License as published by
   the Free Software Foundation, either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU Affero General Public License for more details.

   You should have received a copy of the GNU Affero General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.

 */

// TODO: Check if the request has expired before changing.

// Shared infrastructure: the MDB2 handle and the Smarty instance are presumably
// set up by these includes (they are used below as $mdb2 and $smarty) -- confirm
// against database.php / templating.php.
require_once('database.php');
require_once('templating.php');
require_once('utils/EmailAddressValidator.php');

// Make the database handle available to the rest of this script.
global $mdb2;
// User-facing error lines; rendered through error.tpl when a step fails.
$errors = '';

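/**
 * Sends a password-recovery message from the Libre.fm reset address.
 *
 * The recipient is refused when it contains CR or LF: mail() hands the
 * address to the MTA as-is, so a line break in it would allow additional
 * headers to be injected into the message.
 *
 * @param string $text  message body
 * @param string $email recipient address
 * @return bool true when mail() accepted the message, false otherwise
 */
function sendEmail($text, $email) {
    if (strpbrk($email, "\r\n") !== false) {
        return false;
    }
    $headers = 'From: Libre.fm Reset <recovery@libre.fm>';
    $subject = 'Libre.fm Password Reset';
    return mail($email, $subject, $text, $headers);
}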

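/**
 * Builds a random string of $length characters drawn from $chars.
 *
 * random_int() (a CSPRNG) is used when the runtime provides it; older PHP
 * falls back to mt_rand(), which is not suitable for secrets but keeps the
 * script working on the versions this file was written for.
 *
 * @param int    $length number of characters to produce; 0 or less yields ''
 * @param string $chars  alphabet to draw from; an empty alphabet yields ''
 * @return string
 */
function generateRandomString($length, $chars) {
    $max = strlen($chars) - 1;
    if ($max < 0) {
        return '';
    }
    $useCsprng = function_exists('random_int');
    $result = '';
    for ($i = 0; $i < $length; $i++) {
        $index = $useCsprng ? random_int(0, $max) : mt_rand(0, $max);
        $result .= $chars[$index];
    }
    return $result;
}

if (isset($_GET['code'])) {
    $res = $mdb2->query('SELECT * FROM Recovery_Request WHERE code=' . $mdb2->quote($_GET['code'], 'text'));
    // A failed query is reported exactly like an unknown token; no database detail reaches the user.
    if (PEAR::isError($res) || $res->numRows() == 0) {
        $errors .= "Invalid reset token.\n";
        $smarty->assign('errors', $errors);
        $smarty->display('error.tpl');
        die();
    }

    $row = $res->fetchRow(MDB2_FETCHMODE_ASSOC);

    // Requests are stored with expires = time() + 86400 (see the POST branch);
    // a stale request is discarded instead of being honoured.
    if ((int) $row['expires'] < time()) {
        $mdb2->exec('DELETE FROM Recovery_Request WHERE code=' . $mdb2->quote($row['code'], 'text'));
        $errors .= "Reset token has expired.\n";
        $smarty->assign('errors', $errors);
        $smarty->display('error.tpl');
        die();
    }

    $password = generateRandomString(8, 'abcdefghijklmnopqrstuvwxyz0123456789');
    $email = $row['email'];

    // md5 is the scheme the Users.password column already holds; changing it here
    // alone would lock the user out, so only the outcome of the update is checked.
    $sql = 'UPDATE Users SET password=' . $mdb2->quote(md5($password), 'text')
        . ' WHERE email=' . $mdb2->quote($email, 'text');
    $res = $mdb2->exec($sql);
    if (PEAR::isError($res)) {
        // Never mail a password that was not actually stored.
        $errors .= "Unable to update the password.\n";
        $smarty->assign('errors', $errors);
        $smarty->display('error.tpl');
        die();
    }

    $content = "Hi!\n\nYour password has been set to " . $password . "\n\n - The Libre.fm Team";
    sendEmail($content, $email);

    // The request must be removed by its code so the same link cannot be replayed
    // to reset the password again.
    $mdb2->exec('DELETE FROM Recovery_Request WHERE code=' . $mdb2->quote($row['code'], 'text'));
    $smarty->assign('changed', true);
}
else if (isset($_POST['user'])) {
    $username = $_POST['user'];

    // quote() already wraps the value in quotes; no literal quote belongs in the SQL text.
    $res = $mdb2->query('SELECT * FROM Users WHERE username=' . $mdb2->quote($username, 'text'));

    if (PEAR::isError($res) || $res->numRows() == 0) {
        $errors .= "User not found.\n";
        $smarty->assign('errors', $errors);
        $smarty->display('error.tpl');
        die();
    }
    $row = $res->fetchRow(MDB2_FETCHMODE_ASSOC);

    // Username and request time are easy to predict, so a random component is
    // mixed in before hashing to make the reset code unguessable.
    $code = md5($username . $row['email'] . time() . generateRandomString(32, '0123456789abcdef'));
    $sql = 'INSERT INTO Recovery_Request (username, email, code, expires) VALUES('
        . $mdb2->quote($username, 'text') . ', '
        . $mdb2->quote($row['email'], 'text') . ', '
        . $mdb2->quote($code, 'text') . ', '
        . $mdb2->quote(time() + 86400, 'text') . ')';

    $res = $mdb2->exec($sql);
    if (PEAR::isError($res)) {
        // The failing statement (and the address embedded in it) is kept out of the response.
        $errors .= "Unable to create a reset request.\n";
        $smarty->assign('errors', $errors);
        $smarty->display('error.tpl');
        die();
    }

    // $base_url is expected to be defined by one of the includes above -- confirm.
    $url = $base_url . '/reset.php?code=' . $code;
    $content = "Hi!\n\nSomeone from the IP-address " . $_SERVER['REMOTE_ADDR'] . " entered your username "
        . "in the password reset form at libre.fm. To change you password, please visit\n\n"
        . $url . "\n\n- The Libre.fm Team";
    sendEmail($content, $row['email']);

    $smarty->assign('sent', true);
}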
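// Render the form (or the 'sent'/'changed' confirmation set above).
$smarty->display('reset.tpl');
// No closing tag: anything after it would be sent to the client as stray output.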