makary/phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-06-27 21:58:52 +00:00
Code Issues Projects Releases Packages Wiki Activity

[ticket/11327] Continue with implementation of password reset functionality

Browse source 
PHPBB3-11327
This commit is contained in:
Marc Alexander 2019-08-10 15:09:35 +02:00
parent 1d1d963c14
commit e991df195b
No known key found for this signature in database
GPG key ID: 50E0D2423696F995
2 changed files with 150 additions and 137 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
phpBB/language/en/ucp.php
View file

@ -402,6 +402,7 @@ $lang = array_merge($lang, array(
'NO_OLDER_PM' => 'No older messages.',
'NO_PASSWORD_SUPPLIED' => 'You cannot login without a password.',
'NO_RECIPIENT' => 'No recipient defined.',
'NO_RESET_TOKEN' => 'You did not provide a password reset token.',
'NO_RULES_DEFINED' => 'No rules defined.',
'NO_SAVED_DRAFTS' => 'No drafts saved.',
'NO_TO_RECIPIENT' => 'None',
@ -463,6 +464,7 @@ $lang = array_merge($lang, array(
'REPLIED_MESSAGE' => 'Replied to message',
'REPLY_TO_ALL' => 'Reply to sender and all recipients.',
'REPORT_PM' => 'Report private message',
'RESET_TOKEN_EXPIRED_OR_INVALID' => 'The password reset token you supplied is invalid or has expired.',
'RESIGN_SELECTED' => 'Resign selected',
'RETURN_FOLDER' => '%1$sReturn to previous folder%2$s',
'RETURN_UCP' => '%sReturn to the User Control Panel%s',

285
phpBB/phpbb/ucp/controller/reset_password.php
View file

@ -22,6 +22,7 @@ use phpbb\passwords\manager;
use phpbb\request\request_interface;
use phpbb\template\template;
use phpbb\user;
use Symfony\Component\HttpFoundation\Response;
/**
* ucp_remind
@ -94,18 +95,32 @@ class reset_password
$this->request = $request;
$this->template = $template;
$this->user = $user;
$this->tables = $tables;
$this->root_path = $root_path;
$this->php_ext = $php_ext;
}
public function request()
/**
* Init controller
*/
protected function init_controller()
{
$this->language->add_lang('ucp');
if (!$this->config['allow_password_reset'])
{
trigger_error($this->language->lang('UCP_PASSWORD_RESET_DISABLED', '<a href="mailto:' . htmlspecialchars($this->config['board_contact']) . '">', '</a>'));
$this->helper->message($this->language->lang('UCP_PASSWORD_RESET_DISABLED', '<a href="mailto:' . htmlspecialchars($this->config['board_contact']) . '">', '</a>'));
}
}
/**
* Handle password reset request
*
* @return Response
*/
public function request()
{
$this->init_controller();
$submit = $this->request->is_set_post('submit');
$username = $this->request->variable('username', '', true);
@ -125,13 +140,13 @@ class reset_password
trigger_error('NO_EMAIL_USER');
}
$sql_array = array(
$sql_array = [
'SELECT' => 'user_id, username, user_permissions, user_email, user_jabber, user_notify_type, user_type,'
. ' user_lang, user_inactive_reason, reset_token, reset_token_expiration',
'FROM' => array(USERS_TABLE => 'u'),
'FROM' => [$this->tables['users'] => 'u'],
'WHERE' => "user_email_hash = '" . $this->db->sql_escape(phpbb_email_hash($email)) . "'" .
(!empty($username) ? " AND username_clean = '" . $this->db->sql_escape(utf8_clean_string($username)) . "'" : ''),
);
];
/**
* Change SQL query for fetching user data
@ -141,12 +156,13 @@ class reset_password
* @var string username User's username from the form
* @var array sql_array Fully assembled SQL query with keys SELECT, FROM, WHERE
* @since 3.1.11-RC1
* @changed 3.3.0-b1 Moved to reset password controller
*/
$vars = array(
$vars = [
'email',
'username',
'sql_array',
);
];
extract($this->dispatcher->trigger_event('core.ucp_remind_modify_select_sql', compact($vars)));
$sql = $this->db->sql_build_query('SELECT', $sql_array);
@ -157,10 +173,10 @@ class reset_password
{
$this->db->sql_freeresult($result);
$this->template->assign_vars(array(
$this->template->assign_vars([
'USERNAME_REQUIRED' => true,
'EMAIL' => $email,
));
]);
}
else
{
@ -194,15 +210,13 @@ class reset_password
trigger_error($message);
}
$server_url = generate_board_url();
// Generate reset token
$reset_token = gen_rand_string_friendly(32);
$reset_token = strtolower(gen_rand_string(32));
$sql_ary = array(
$sql_ary = [
'reset_token' => $reset_token,
'reset_token_expiration' => time() + $this->config['reset_token_lifetime'],
);
];
$sql = 'UPDATE ' . $this->tables['users'] . '
SET ' . $this->db->sql_build_array('UPDATE', $sql_ary) . '
@ -214,16 +228,19 @@ class reset_password
/** @var \messenger $messenger */
$messenger = new \messenger(false);
$messenger->template('user_activate_passwd', $user_row['user_lang']);
$messenger->template('user_forgot_password', $user_row['user_lang']);
$messenger->set_addresses($user_row);
$messenger->anti_abuse_headers($this->config, $this->user);
$messenger->assign_vars(array(
$messenger->assign_vars([
'USERNAME' => htmlspecialchars_decode($user_row['username']),
'U_RESET_PASSWORD' => $this->helper->route('phpbb_ucp_reset_password_controller')
));
'U_RESET_PASSWORD' => generate_board_url(true) . $this->helper->route('phpbb_ucp_reset_password_controller', [
'u' => $user_row['user_id'],
'token' => $reset_token,
], false)
]);
$messenger->send($user_row['user_notify_type']);
@ -231,11 +248,11 @@ class reset_password
}
}
$this->template->assign_vars(array(
$this->template->assign_vars([
'USERNAME' => $username,
'EMAIL' => $email,
'S_PROFILE_ACTION' => $this->helper->route('phpbb_ucp_forgot_password_controller'),
));
]);
return $this->helper->render('ucp_remind.html', $this->language->lang('UCP_REMIND'));
}
@ -243,25 +260,73 @@ class reset_password
/**
* Handle controller requests
*
* @return \Symfony\Component\HttpFoundation\Response
* @return Response
*/
public function reset()
{
$this->language->add_lang('ucp');
$this->init_controller();
if (!$this->config['allow_password_reset'])
$submit = $this->request->is_set_post('submit');
$reset_token = $this->request->variable('token', '');
$user_id = $this->request->variable('u', 0);
if (empty($reset_token))
{
trigger_error($this->language->lang('UCP_PASSWORD_RESET_DISABLED', '<a href="mailto:' . htmlspecialchars($this->config['board_contact']) . '">', '</a>'));
$this->helper->message('NO_RESET_TOKEN');
}
$submit = $this->request->is_set_post('submit');
$username = $this->request->variable('username', '', true);
$email = strtolower($this->request->variable('email', ''));
$key = $this->request->variable('key', '');
$user_id = $this->request->variable('user_id', 0);
if (!$user_id)
{
$this->helper->message('NO_USER');
}
add_form_key('ucp_remind');
$sql_array = [
'SELECT' => 'user_id, username, user_permissions, user_email, user_jabber, user_notify_type, user_type,'
. ' user_lang, user_inactive_reason, reset_token, reset_token_expiration',
'FROM' => [$this->tables['users'] => 'u'],
'WHERE' => 'user_id = ' . $user_id,
];
/**
* Change SQL query for fetching user data
*
* @event core.ucp_reset_password_modify_select_sql
* @var int user_id User ID from the form
* @var string reset_token Reset token
* @var array sql_array Fully assembled SQL query with keys SELECT, FROM, WHERE
* @since 3.3.0-b1
*/
$vars = [
'user_id',
'reset_token',
'sql_array',
];
extract($this->dispatcher->trigger_event('core.ucp_reset_password_modify_select_sql', compact($vars)));
$sql = $this->db->sql_build_query('SELECT', $sql_array);
$result = $this->db->sql_query_limit($sql, 1);
$user_row = $this->db->sql_fetchrow($result);
$this->db->sql_freeresult($result);
$message = $this->language->lang('RESET_TOKEN_EXPIRED_OR_INVALID') . '<br /><br />' . $this->language->lang('RETURN_INDEX', '<a href="' . append_sid("{$this->root_path}index.{$this->php_ext}") . '">', '</a>');
if (empty($user_row))
{
$this->helper->message($message);
}
if (!hash_equals($reset_token, $user_row['reset_token']))
{
$this->helper->message($message);
}
if ($user_row['reset_token_expiration'] < time())
{
$this->helper->message($message);
}
if ($submit)
{
if (!check_form_key('ucp_remind'))
@ -269,119 +334,65 @@ class reset_password
trigger_error('FORM_INVALID');
}
if (empty($email))
$message = $this->language->lang('PASSWORD_UPDATED_IF_EXISTED') . '<br /><br />' . $this->language->lang('RETURN_INDEX', '<a href="' . append_sid("{$this->root_path}index.{$this->php_ext}") . '">', '</a>');
if ($user_row['user_type'] == USER_IGNORE || $user_row['user_type'] == USER_INACTIVE)
{
trigger_error('NO_EMAIL_USER');
}
$sql_array = array(
'SELECT' => 'user_id, username, user_permissions, user_email, user_jabber, user_notify_type, user_type, user_lang, user_inactive_reason',
'FROM' => array(USERS_TABLE => 'u'),
'WHERE' => "user_email_hash = '" . $this->db->sql_escape(phpbb_email_hash($email)) . "'" .
(!empty($username) ? " AND username_clean = '" . $this->db->sql_escape(utf8_clean_string($username)) . "'" : ''),
);
/**
* Change SQL query for fetching user data
*
* @event core.ucp_remind_modify_select_sql
* @var string email User's email from the form
* @var string username User's username from the form
* @var array sql_array Fully assembled SQL query with keys SELECT, FROM, WHERE
* @since 3.1.11-RC1
*/
$vars = array(
'email',
'username',
'sql_array',
);
extract($this->dispatcher->trigger_event('core.ucp_remind_modify_select_sql', compact($vars)));
$sql = $this->db->sql_build_query('SELECT', $sql_array);
$result = $this->db->sql_query_limit($sql, 2); // don't waste resources on more rows than we need
$rowset = $this->db->sql_fetchrowset($result);
if (count($rowset) > 1)
{
$this->db->sql_freeresult($result);
$this->template->assign_vars(array(
'USERNAME_REQUIRED' => true,
'EMAIL' => $email,
));
}
else
{
$message = $this->language->lang('PASSWORD_UPDATED_IF_EXISTED') . '<br /><br />' . $this->language->lang('RETURN_INDEX', '<a href="' . append_sid("{$this->root_path}index.{$this->php_ext}") . '">', '</a>');
if (empty($rowset))
{
trigger_error($message);
}
$user_row = $rowset[0];
$this->db->sql_freeresult($result);
if (!$user_row)
{
trigger_error($message);
}
if ($user_row['user_type'] == USER_IGNORE || $user_row['user_type'] == USER_INACTIVE)
{
trigger_error($message);
}
// Check users permissions
$auth2 = new \phpbb\auth\auth();
$auth2->acl($user_row);
if (!$auth2->acl_get('u_chgpasswd'))
{
trigger_error($message);
}
$server_url = generate_board_url();
// Make password at least 8 characters long, make it longer if admin wants to.
// gen_rand_string() however has a limit of 12 or 13.
$user_password = gen_rand_string_friendly(max(8, mt_rand((int) $this->config['min_pass_chars'], (int) $this->config['max_pass_chars'])));
// For the activation key a random length between 6 and 10 will do.
$user_actkey = gen_rand_string(mt_rand(6, 10));
$sql = 'UPDATE ' . USERS_TABLE . "
SET user_newpasswd = '" . $this->db->sql_escape($this->passwords_manager->hash($user_password)) . "', user_actkey = '" . $this->db->sql_escape($user_actkey) . "'
WHERE user_id = " . $user_row['user_id'];
$this->db->sql_query($sql);
include_once($this->root_path . 'includes/functions_messenger.' . $this->php_ext);
$messenger = new messenger(false);
$messenger->template('user_activate_passwd', $user_row['user_lang']);
$messenger->set_addresses($user_row);
$messenger->anti_abuse_headers($this->config, $this->user);
$messenger->assign_vars(array(
'USERNAME' => htmlspecialchars_decode($user_row['username']),
'PASSWORD' => htmlspecialchars_decode($user_password),
'U_ACTIVATE' => "$server_url/ucp.{$this->php_ext}?mode=activate&u={$user_row['user_id']}&k=$user_actkey")
);
$messenger->send($user_row['user_notify_type']);
trigger_error($message);
}
// Check users permissions
$auth2 = new \phpbb\auth\auth();
$auth2->acl($user_row);
if (!$auth2->acl_get('u_chgpasswd'))
{
trigger_error($message);
}
$server_url = generate_board_url();
// Make password at least 8 characters long, make it longer if admin wants to.
// gen_rand_string() however has a limit of 12 or 13.
$user_password = gen_rand_string_friendly(max(8, mt_rand((int) $this->config['min_pass_chars'], (int) $this->config['max_pass_chars'])));
// For the activation key a random length between 6 and 10 will do.
$user_actkey = gen_rand_string(mt_rand(6, 10));
$sql = 'UPDATE ' . USERS_TABLE . "
SET user_newpasswd = '" . $this->db->sql_escape($this->passwords_manager->hash($user_password)) . "', user_actkey = '" . $this->db->sql_escape($user_actkey) . "'
WHERE user_id = " . $user_row['user_id'];
$this->db->sql_query($sql);
include_once($this->root_path . 'includes/functions_messenger.' . $this->php_ext);
$messenger = new messenger(false);
$messenger->template('user_activate_passwd', $user_row['user_lang']);
$messenger->set_addresses($user_row);
$messenger->anti_abuse_headers($this->config, $this->user);
$messenger->assign_vars([
'USERNAME' => htmlspecialchars_decode($user_row['username']),
'PASSWORD' => htmlspecialchars_decode($user_password),
'U_ACTIVATE' => "$server_url/ucp.{$this->php_ext}?mode=activate&u={$user_row['user_id']}&k=$user_actkey"
]);
$messenger->send($user_row['user_notify_type']);
trigger_error($message);
}
$this->template->assign_vars(array(
'USERNAME' => $username,
'EMAIL' => $email,
'S_PROFILE_ACTION' => $this->helper->route('phpbb_ucp_reset_password_controller'),
));
$this->template->assign_vars([
'S_IS_PASSWORD_RESET' => true,
'S_PROFILE_ACTION' => $this->helper->route('phpbb_ucp_reset_password_controller'),
'S_HIDDEN_FIELDS' => build_hidden_fields([
'u' => $user_id,
'token' => $reset_token,
]),
]);
return $this->helper->render('ucp_remind.html', $this->language->lang('UCP_REMIND'));
}