makary/phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-06-28 06:08:52 +00:00
Code Issues Projects Releases Packages Wiki Activity

[ticket/11327] Continue with implementation of password reset functionality

Browse source 
PHPBB3-11327
This commit is contained in:
Marc Alexander 2019-08-10 15:09:35 +02:00
parent 1d1d963c14
commit e991df195b
No known key found for this signature in database
GPG key ID: 50E0D2423696F995
2 changed files with 150 additions and 137 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
phpBB/language/en/ucp.php
View file

@ -402,6 +402,7 @@ $lang = array_merge($lang, array(
'NO_OLDER_PM' => 'No older messages.', 'NO_OLDER_PM' => 'No older messages.',
'NO_PASSWORD_SUPPLIED' => 'You cannot login without a password.', 'NO_PASSWORD_SUPPLIED' => 'You cannot login without a password.',
'NO_RECIPIENT' => 'No recipient defined.', 'NO_RECIPIENT' => 'No recipient defined.',
'NO_RESET_TOKEN' => 'You did not provide a password reset token.',
'NO_RULES_DEFINED' => 'No rules defined.', 'NO_RULES_DEFINED' => 'No rules defined.',
'NO_SAVED_DRAFTS' => 'No drafts saved.', 'NO_SAVED_DRAFTS' => 'No drafts saved.',
'NO_TO_RECIPIENT' => 'None', 'NO_TO_RECIPIENT' => 'None',
@ -463,6 +464,7 @@ $lang = array_merge($lang, array(
'REPLIED_MESSAGE' => 'Replied to message', 'REPLIED_MESSAGE' => 'Replied to message',
'REPLY_TO_ALL' => 'Reply to sender and all recipients.', 'REPLY_TO_ALL' => 'Reply to sender and all recipients.',
'REPORT_PM' => 'Report private message', 'REPORT_PM' => 'Report private message',
'RESET_TOKEN_EXPIRED_OR_INVALID' => 'The password reset token you supplied is invalid or has expired.',
'RESIGN_SELECTED' => 'Resign selected', 'RESIGN_SELECTED' => 'Resign selected',
'RETURN_FOLDER' => '%1$sReturn to previous folder%2$s', 'RETURN_FOLDER' => '%1$sReturn to previous folder%2$s',
'RETURN_UCP' => '%sReturn to the User Control Panel%s', 'RETURN_UCP' => '%sReturn to the User Control Panel%s',

201
phpBB/phpbb/ucp/controller/reset_password.php
View file

@ -22,6 +22,7 @@ use phpbb\passwords\manager;
use phpbb\request\request_interface; use phpbb\request\request_interface;
use phpbb\template\template; use phpbb\template\template;
use phpbb\user; use phpbb\user;
use Symfony\Component\HttpFoundation\Response;
/** /**
* ucp_remind * ucp_remind
@ -94,18 +95,32 @@ class reset_password
$this->request = $request; $this->request = $request;
$this->template = $template; $this->template = $template;
$this->user = $user; $this->user = $user;
$this->tables = $tables;
$this->root_path = $root_path; $this->root_path = $root_path;
$this->php_ext = $php_ext; $this->php_ext = $php_ext;
} }
public function request() /**
* Init controller
*/
protected function init_controller()
{ {
$this->language->add_lang('ucp'); $this->language->add_lang('ucp');
if (!$this->config['allow_password_reset']) if (!$this->config['allow_password_reset'])
{ {
trigger_error($this->language->lang('UCP_PASSWORD_RESET_DISABLED', '<a href="mailto:' . htmlspecialchars($this->config['board_contact']) . '">', '</a>')); $this->helper->message($this->language->lang('UCP_PASSWORD_RESET_DISABLED', '<a href="mailto:' . htmlspecialchars($this->config['board_contact']) . '">', '</a>'));
} }
}
/**
* Handle password reset request
*
* @return Response
*/
public function request()
{
$this->init_controller();
$submit = $this->request->is_set_post('submit'); $submit = $this->request->is_set_post('submit');
$username = $this->request->variable('username', '', true); $username = $this->request->variable('username', '', true);
@ -125,13 +140,13 @@ class reset_password
trigger_error('NO_EMAIL_USER'); trigger_error('NO_EMAIL_USER');
} }
$sql_array = array( $sql_array = [
'SELECT' => 'user_id, username, user_permissions, user_email, user_jabber, user_notify_type, user_type,' 'SELECT' => 'user_id, username, user_permissions, user_email, user_jabber, user_notify_type, user_type,'
. ' user_lang, user_inactive_reason, reset_token, reset_token_expiration', . ' user_lang, user_inactive_reason, reset_token, reset_token_expiration',
'FROM' => array(USERS_TABLE => 'u'), 'FROM' => [$this->tables['users'] => 'u'],
'WHERE' => "user_email_hash = '" . $this->db->sql_escape(phpbb_email_hash($email)) . "'" . 'WHERE' => "user_email_hash = '" . $this->db->sql_escape(phpbb_email_hash($email)) . "'" .
(!empty($username) ? " AND username_clean = '" . $this->db->sql_escape(utf8_clean_string($username)) . "'" : ''), (!empty($username) ? " AND username_clean = '" . $this->db->sql_escape(utf8_clean_string($username)) . "'" : ''),
); ];
/** /**
* Change SQL query for fetching user data * Change SQL query for fetching user data
@ -141,12 +156,13 @@ class reset_password
* @var string username User's username from the form * @var string username User's username from the form
* @var array sql_array Fully assembled SQL query with keys SELECT, FROM, WHERE * @var array sql_array Fully assembled SQL query with keys SELECT, FROM, WHERE
* @since 3.1.11-RC1 * @since 3.1.11-RC1
* @changed 3.3.0-b1 Moved to reset password controller
*/ */
$vars = array( $vars = [
'email', 'email',
'username', 'username',
'sql_array', 'sql_array',
); ];
extract($this->dispatcher->trigger_event('core.ucp_remind_modify_select_sql', compact($vars))); extract($this->dispatcher->trigger_event('core.ucp_remind_modify_select_sql', compact($vars)));
$sql = $this->db->sql_build_query('SELECT', $sql_array); $sql = $this->db->sql_build_query('SELECT', $sql_array);
@ -157,10 +173,10 @@ class reset_password
{ {
$this->db->sql_freeresult($result); $this->db->sql_freeresult($result);
$this->template->assign_vars(array( $this->template->assign_vars([
'USERNAME_REQUIRED' => true, 'USERNAME_REQUIRED' => true,
'EMAIL' => $email, 'EMAIL' => $email,
)); ]);
} }
else else
{ {
@ -194,15 +210,13 @@ class reset_password
trigger_error($message); trigger_error($message);
} }
$server_url = generate_board_url();
// Generate reset token // Generate reset token
$reset_token = gen_rand_string_friendly(32); $reset_token = strtolower(gen_rand_string(32));
$sql_ary = array( $sql_ary = [
'reset_token' => $reset_token, 'reset_token' => $reset_token,
'reset_token_expiration' => time() + $this->config['reset_token_lifetime'], 'reset_token_expiration' => time() + $this->config['reset_token_lifetime'],
); ];
$sql = 'UPDATE ' . $this->tables['users'] . ' $sql = 'UPDATE ' . $this->tables['users'] . '
SET ' . $this->db->sql_build_array('UPDATE', $sql_ary) . ' SET ' . $this->db->sql_build_array('UPDATE', $sql_ary) . '
@ -214,16 +228,19 @@ class reset_password
/** @var \messenger $messenger */ /** @var \messenger $messenger */
$messenger = new \messenger(false); $messenger = new \messenger(false);
$messenger->template('user_activate_passwd', $user_row['user_lang']); $messenger->template('user_forgot_password', $user_row['user_lang']);
$messenger->set_addresses($user_row); $messenger->set_addresses($user_row);
$messenger->anti_abuse_headers($this->config, $this->user); $messenger->anti_abuse_headers($this->config, $this->user);
$messenger->assign_vars(array( $messenger->assign_vars([
'USERNAME' => htmlspecialchars_decode($user_row['username']), 'USERNAME' => htmlspecialchars_decode($user_row['username']),
'U_RESET_PASSWORD' => $this->helper->route('phpbb_ucp_reset_password_controller') 'U_RESET_PASSWORD' => generate_board_url(true) . $this->helper->route('phpbb_ucp_reset_password_controller', [
)); 'u' => $user_row['user_id'],
'token' => $reset_token,
], false)
]);
$messenger->send($user_row['user_notify_type']); $messenger->send($user_row['user_notify_type']);
@ -231,11 +248,11 @@ class reset_password
} }
} }
$this->template->assign_vars(array( $this->template->assign_vars([
'USERNAME' => $username, 'USERNAME' => $username,
'EMAIL' => $email, 'EMAIL' => $email,
'S_PROFILE_ACTION' => $this->helper->route('phpbb_ucp_forgot_password_controller'), 'S_PROFILE_ACTION' => $this->helper->route('phpbb_ucp_forgot_password_controller'),
)); ]);
return $this->helper->render('ucp_remind.html', $this->language->lang('UCP_REMIND')); return $this->helper->render('ucp_remind.html', $this->language->lang('UCP_REMIND'));
} }
@ -243,25 +260,73 @@ class reset_password
/** /**
* Handle controller requests * Handle controller requests
* *
* @return \Symfony\Component\HttpFoundation\Response * @return Response
*/ */
public function reset() public function reset()
{ {
$this->language->add_lang('ucp'); $this->init_controller();
if (!$this->config['allow_password_reset'])
{
trigger_error($this->language->lang('UCP_PASSWORD_RESET_DISABLED', '<a href="mailto:' . htmlspecialchars($this->config['board_contact']) . '">', '</a>'));
}
$submit = $this->request->is_set_post('submit'); $submit = $this->request->is_set_post('submit');
$username = $this->request->variable('username', '', true); $reset_token = $this->request->variable('token', '');
$email = strtolower($this->request->variable('email', '')); $user_id = $this->request->variable('u', 0);
$key = $this->request->variable('key', '');
$user_id = $this->request->variable('user_id', 0); if (empty($reset_token))
{
$this->helper->message('NO_RESET_TOKEN');
}
if (!$user_id)
{
$this->helper->message('NO_USER');
}
add_form_key('ucp_remind'); add_form_key('ucp_remind');
$sql_array = [
'SELECT' => 'user_id, username, user_permissions, user_email, user_jabber, user_notify_type, user_type,'
. ' user_lang, user_inactive_reason, reset_token, reset_token_expiration',
'FROM' => [$this->tables['users'] => 'u'],
'WHERE' => 'user_id = ' . $user_id,
];
/**
* Change SQL query for fetching user data
*
* @event core.ucp_reset_password_modify_select_sql
* @var int user_id User ID from the form
* @var string reset_token Reset token
* @var array sql_array Fully assembled SQL query with keys SELECT, FROM, WHERE
* @since 3.3.0-b1
*/
$vars = [
'user_id',
'reset_token',
'sql_array',
];
extract($this->dispatcher->trigger_event('core.ucp_reset_password_modify_select_sql', compact($vars)));
$sql = $this->db->sql_build_query('SELECT', $sql_array);
$result = $this->db->sql_query_limit($sql, 1);
$user_row = $this->db->sql_fetchrow($result);
$this->db->sql_freeresult($result);
$message = $this->language->lang('RESET_TOKEN_EXPIRED_OR_INVALID') . '<br /><br />' . $this->language->lang('RETURN_INDEX', '<a href="' . append_sid("{$this->root_path}index.{$this->php_ext}") . '">', '</a>');
if (empty($user_row))
{
$this->helper->message($message);
}
if (!hash_equals($reset_token, $user_row['reset_token']))
{
$this->helper->message($message);
}
if ($user_row['reset_token_expiration'] < time())
{
$this->helper->message($message);
}
if ($submit) if ($submit)
{ {
if (!check_form_key('ucp_remind')) if (!check_form_key('ucp_remind'))
@ -269,64 +334,8 @@ class reset_password
trigger_error('FORM_INVALID'); trigger_error('FORM_INVALID');
} }
if (empty($email))
{
trigger_error('NO_EMAIL_USER');
}
$sql_array = array(
'SELECT' => 'user_id, username, user_permissions, user_email, user_jabber, user_notify_type, user_type, user_lang, user_inactive_reason',
'FROM' => array(USERS_TABLE => 'u'),
'WHERE' => "user_email_hash = '" . $this->db->sql_escape(phpbb_email_hash($email)) . "'" .
(!empty($username) ? " AND username_clean = '" . $this->db->sql_escape(utf8_clean_string($username)) . "'" : ''),
);
/**
* Change SQL query for fetching user data
*
* @event core.ucp_remind_modify_select_sql
* @var string email User's email from the form
* @var string username User's username from the form
* @var array sql_array Fully assembled SQL query with keys SELECT, FROM, WHERE
* @since 3.1.11-RC1
*/
$vars = array(
'email',
'username',
'sql_array',
);
extract($this->dispatcher->trigger_event('core.ucp_remind_modify_select_sql', compact($vars)));
$sql = $this->db->sql_build_query('SELECT', $sql_array);
$result = $this->db->sql_query_limit($sql, 2); // don't waste resources on more rows than we need
$rowset = $this->db->sql_fetchrowset($result);
if (count($rowset) > 1)
{
$this->db->sql_freeresult($result);
$this->template->assign_vars(array(
'USERNAME_REQUIRED' => true,
'EMAIL' => $email,
));
}
else
{
$message = $this->language->lang('PASSWORD_UPDATED_IF_EXISTED') . '<br /><br />' . $this->language->lang('RETURN_INDEX', '<a href="' . append_sid("{$this->root_path}index.{$this->php_ext}") . '">', '</a>'); $message = $this->language->lang('PASSWORD_UPDATED_IF_EXISTED') . '<br /><br />' . $this->language->lang('RETURN_INDEX', '<a href="' . append_sid("{$this->root_path}index.{$this->php_ext}") . '">', '</a>');
if (empty($rowset))
{
trigger_error($message);
}
$user_row = $rowset[0];
$this->db->sql_freeresult($result);
if (!$user_row)
{
trigger_error($message);
}
if ($user_row['user_type'] == USER_IGNORE || $user_row['user_type'] == USER_INACTIVE) if ($user_row['user_type'] == USER_IGNORE || $user_row['user_type'] == USER_INACTIVE)
{ {
trigger_error($message); trigger_error($message);
@ -365,23 +374,25 @@ class reset_password
$messenger->anti_abuse_headers($this->config, $this->user); $messenger->anti_abuse_headers($this->config, $this->user);
$messenger->assign_vars(array( $messenger->assign_vars([
'USERNAME' => htmlspecialchars_decode($user_row['username']), 'USERNAME' => htmlspecialchars_decode($user_row['username']),
'PASSWORD' => htmlspecialchars_decode($user_password), 'PASSWORD' => htmlspecialchars_decode($user_password),
'U_ACTIVATE' => "$server_url/ucp.{$this->php_ext}?mode=activate&u={$user_row['user_id']}&k=$user_actkey") 'U_ACTIVATE' => "$server_url/ucp.{$this->php_ext}?mode=activate&u={$user_row['user_id']}&k=$user_actkey"
); ]);
$messenger->send($user_row['user_notify_type']); $messenger->send($user_row['user_notify_type']);
trigger_error($message); trigger_error($message);
} }
}
$this->template->assign_vars(array( $this->template->assign_vars([
'USERNAME' => $username, 'S_IS_PASSWORD_RESET' => true,
'EMAIL' => $email,
'S_PROFILE_ACTION' => $this->helper->route('phpbb_ucp_reset_password_controller'), 'S_PROFILE_ACTION' => $this->helper->route('phpbb_ucp_reset_password_controller'),
)); 'S_HIDDEN_FIELDS' => build_hidden_fields([
'u' => $user_id,
'token' => $reset_token,
]),
]);
return $this->helper->render('ucp_remind.html', $this->language->lang('UCP_REMIND')); return $this->helper->render('ucp_remind.html', $this->language->lang('UCP_REMIND'));
} }