
<?php

/* GNU FM -- a free network service for sharing your music listening habits

   Copyright (C) 2009 Free Software Foundation, Inc

   This program is free software: you can redistribute it and/or modify
   it under the terms of the GNU Affero General Public License as published by
   the Free Software Foundation, either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU Affero General Public License for more details.

   You should have received a copy of the GNU Affero General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.

 */

require_once('database.php');
require_once('templating.php');
require_once('utils/EmailAddressValidator.php');

// $adodb is the ADOdb connection handle set up by database.php. `global` is a
// no-op at file scope; it only documents where the handle comes from.
global $adodb;
// Error accumulator; it is never read in this file as shown.
$errors = '';

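/**
 * Send a password-reset message.
 *
 * @param string $text  Plain-text body of the message.
 * @param string $email Recipient address (callers take it from the database).
 * @return bool Result of mail(); false when the address is empty, not a
 *              string, or contains a CR/LF.
 */
function sendEmail($text, $email) {
	// $site_name is a file-scope variable (it is used at top level below);
	// without this declaration it is undefined here and the subject would be
	// built from an empty name.
	global $site_name;

	// mail() places $email verbatim in the To: header, so an address that
	// somehow got stored with a line break could inject further headers
	// (Bcc:, extra recipients). Refuse such addresses outright.
	if (!is_string($email) || $email === '' || strpbrk($email, "\r\n") !== false) {
		return false;
	}

	$subject = $site_name . ' Password Reset';
	return mail($email, $subject, $text);
}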

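if (isset($_GET['code'])) {
	// --- Step 2: the user followed the link from the e-mail -----------------
	// A non-string (e.g. ?code[]=x) can never be a valid token.
	$token = is_string($_GET['code']) ? $_GET['code'] : '';

	$adodb->SetFetchMode(ADODB_FETCH_ASSOC);
	// Only an unexpired request matches; expires holds a unix timestamp.
	$sql = 'SELECT * FROM Recovery_Request WHERE code=' . $adodb->qstr($token)
		. ' AND expires > ' . $adodb->qstr(time());
	$row = $adodb->GetRow($sql);

	if (!$row) {
		displayError("Error", "Invalid reset token.");
		// Whether or not displayError() terminates the script, nothing below
		// may run with an empty $row: it would UPDATE Users WHERE email=NULL
		// and try to mail an empty address.
		exit;
	}

	// Temporary 8-character password. mt_rand() is not a CSPRNG and must not
	// be used for secrets; random_int() (PHP >= 7.0) is.
	$chars = 'abcdefghijklmnopqrstuvwxyz0123456789';
	$lastIndex = strlen($chars) - 1;
	$password = '';
	for ($i = 0; $i < 8; $i++) {
		$password .= $chars[random_int(0, $lastIndex)];
	}

	$email = $row['email'];

	// NOTE(review): unsalted md5 is kept only because the login path compares
	// Users.password against md5(); moving to password_hash()/password_verify()
	// has to be done together with that code, not here.
	$sql = 'UPDATE Users SET password=' . $adodb->qstr(md5($password)) . ' WHERE email='
		. $adodb->qstr($email);
	$adodb->Execute($sql);

	// The new password travels in clear text; the user should change it after
	// logging in. (A token-backed "choose a new password" form would avoid
	// mailing a password at all.)
	$content = "Hi!\n\nYour password has been set to " . $password . "\n\n - The " . $site_name . " Team";
	sendEmail($content, $email);

	// Consume the token. The previous version deleted WHERE code = <email>,
	// which never matched, so a link stayed usable for the whole 24h window.
	$sql = 'DELETE FROM Recovery_Request WHERE code=' . $adodb->qstr($token);
	$adodb->Execute($sql);
	$smarty->assign('changed', true);
} else if (isset($_POST['user']) || isset($_POST['email'])) {
	// --- Step 1: the user asked for a reset link ----------------------------
	if (isset($_POST['email']) && !empty($_POST['email'])) {
		$field = 'email';
		$value = $_POST['email'];
	} else {
		$field = 'username';
		// $_POST['user'] may be absent when only an empty email was posted.
		$value = isset($_POST['user']) ? $_POST['user'] : '';
	}

	$adodb->SetFetchMode(ADODB_FETCH_ASSOC);
	$err = 0;
	$row = false;

	// $field is one of the two literals chosen above, never user input; the
	// user-supplied value goes through qstr().
	try {
		$row = $adodb->GetRow('SELECT * FROM Users WHERE lower(' . $field . ') = lower(' . $adodb->qstr($value) .')');
	} catch (Exception $e) {
		$err = 1;
	}

	if ($err || !$row) {
		// NOTE(review): this reply tells a visitor whether the account exists.
		// A uniform "if the account exists, a message was sent" response would
		// prevent enumeration; left unchanged here to keep the template as is.
		displayError("Error", "User not found.");
		exit;
	}

	$username = $row['username'];
	// The token is the only thing protecting the reset. md5(user . email . time())
	// was guessable by anyone who knew the account and roughly when the request
	// was made. Use 128 bits from the CSPRNG instead; bin2hex gives 32 chars,
	// the same width as an md5 hex digest, so the existing column fits.
	$code = bin2hex(random_bytes(16));

	// Any earlier request for this user is replaced. DELETE is idempotent, so
	// the COUNT(*) round-trip the previous version made first is unnecessary.
	$sql = 'DELETE FROM Recovery_Request WHERE username =' . $adodb->qstr($username);
	try {
		$adodb->Execute($sql);
	} catch (Exception $e) {
		// Do not echo $sql to the visitor: it exposes the table layout.
		displayError("Error", "Could not clear the previous recovery request.");
		exit;
	}

	$sql = 'INSERT INTO Recovery_Request (username, email, code, expires) VALUES('
		. $adodb->qstr($username) . ', '
		. $adodb->qstr($row['email']) . ', '
		. $adodb->qstr($code) . ', '
		. $adodb->qstr(time() + 86400) . ')'; // valid for 24 hours
	try {
		$adodb->Execute($sql);
	} catch (Exception $e) {
		// Do not echo $sql here either: it contains the fresh reset token.
		displayError("Error", "Could not store the recovery request.");
		exit;
	}

	$url = $base_url . '/reset.php?code=' . $code;
	// TODO: Read names from variable
	$content = "Hi!\n\nSomeone requested a password reset on your account.\n\n"
		. "Username: {$username}\n\n"
		. "To reset your password, please visit\n\n"
		. $url . "\n\nIf you do not wish to reset your password, simply "
		. "disregard this email.\n\n- The " . $site_name . " Team";

	$status = sendEmail($content, $row['email']);
	if (!$status) {
		displayError("Error",
			"Error while trying to send email to: {$row['email']}. Please try again later, or contact the site administrators.");
		exit;
	}

	$smarty->assign('sent', true);
}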

// Render the page; the 'changed' / 'sent' flags assigned above (if any)
// select which message the template shows.
$smarty->display('reset.tpl');