284 lines
9.4 KiB
PHP
284 lines
9.4 KiB
PHP
|
<?php
|
||
|
|
||
|
/*
|
||
|
|
||
|
Copyright 2018 Murray Hayes
|
||
|
|
||
|
Redistribution and use in source and binary forms, with or without
|
||
|
modification, are permitted provided that the following conditions
|
||
|
are met:
|
||
|
|
||
|
1. Redistributions of source code must retain the above copyright
|
||
|
notice, this list of conditions and the following disclaimer.
|
||
|
|
||
|
2. Redistributions in binary form must reproduce the above copyright
|
||
|
notice, this list of conditions and the following disclaimer in the
|
||
|
documentation and/or other materials provided with the distribution.
|
||
|
|
||
|
3. Neither the name of the copyright holder nor the names of its
|
||
|
contributors may be used to endorse or promote products derived from
|
||
|
this software without specific prior written permission.
|
||
|
|
||
|
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||
|
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||
|
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
||
|
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
||
|
COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||
|
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
||
|
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||
|
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
||
|
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||
|
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
|
||
|
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||
|
POSSIBILITY OF SUCH DAMAGE.
|
||
|
|
||
|
*/
|
||
|
|
||
|
session_start();
|
||
|
|
||
|
include_once "utils.php";
|
||
|
include_once "DOMUtils.php";
|
||
|
include_once "consts.php";
|
||
|
include_once "database.php";
|
||
|
include_once "formUtils.php";
|
||
|
|
||
|
|
||
|
|
||
|
if (isset($_SESSION['cookieMonster']))
|
||
|
//if (true)
|
||
|
{
|
||
|
|
||
|
$doc = returnDoc();
|
||
|
|
||
|
$root = returnRoot($doc);
|
||
|
$root = $doc->appendChild($root);
|
||
|
$root->appendChild(generateHead($doc));
|
||
|
|
||
|
$body = $doc->createElement('body');
|
||
|
$root->appendChild($body);
|
||
|
|
||
|
$body->appendChild(generateMastHead($doc, $baseDir));
|
||
|
|
||
|
|
||
|
/*
|
||
|
* Insert content here.
|
||
|
*/
|
||
|
|
||
|
if ($_SERVER['REQUEST_METHOD'] == 'POST')
|
||
|
{
|
||
|
if (isset($_POST['TokenID']) && isset($_POST['password1']) && isset($_POST['password2']))
|
||
|
{
|
||
|
/*
|
||
|
* We have a TokenID and two passwords on POST
|
||
|
* If everything checks out, reset the password.
|
||
|
*/
|
||
|
|
||
|
$token = cleanInput($_POST['TokenID']);
|
||
|
|
||
|
if ($_POST['password1'] === $_POST['password2'])
|
||
|
{
|
||
|
$newPassword = $_POST['password1'];
|
||
|
$memberID = FALSE;
|
||
|
$memberID = verifyPasswordResetToken($token);
|
||
|
if (!($memberID === FALSE))
|
||
|
{
|
||
|
/*
|
||
|
* everything looks good, update the password and clear the token.
|
||
|
*/
|
||
|
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
if (isset($_POST['useremail']))
|
||
|
{
|
||
|
/*
|
||
|
* Send a password reset url
|
||
|
*/
|
||
|
|
||
|
$targetEmail = cleanInput($_POST['useremail']);
|
||
|
|
||
|
/*
|
||
|
* Apply some sanity to this because there is no userid to log
|
||
|
* abusive requests to.
|
||
|
*/
|
||
|
|
||
|
if (strpos($targetEmail, ';') === FALSE &&
|
||
|
strpos($targetEmail, '"') === FALSE &&
|
||
|
strpos($targetEmail, "'") === FALSE &&
|
||
|
strpos($targetEmail, '?') === FALSE &&
|
||
|
strpos($targetEmail, "/") === FALSE &&
|
||
|
strpos($targetEmail, "\\") === FALSE)
|
||
|
{
|
||
|
$mailArray = returnPasswordResetTokenArray($targetEmail);
|
||
|
if (!is_null($mailArray))
|
||
|
{
|
||
|
$mailTo = $mailArray['email'];
|
||
|
$token = $mailArray['token'];
|
||
|
//print ("token is " . strlen($token) . " characters long");
|
||
|
$firstName = $mailArray['firstName'];
|
||
|
$lastName = $mailArray['lastName'];
|
||
|
$subject = "Request to change your password has been recieved";
|
||
|
$message = "Hello $firstName, we have received a request to change " .
|
||
|
"your password. If this request was not made by you do not " .
|
||
|
"respond to this email. If you continue to receive these requests " .
|
||
|
"please let us know. To reset your password, follow this link: " .
|
||
|
"http://$siteDomain$baseDir/password-reset.php?TokenID=$token " .
|
||
|
"and you will be guided through the rest of the process. Again, " .
|
||
|
"it is safe to ignore this email if you do not want to reset your " .
|
||
|
"password. Abuse can be reported to mailto:info@protospace.ca ";
|
||
|
if (!$passwordResetMailSilence)
|
||
|
{
|
||
|
mail($mailTo, $subject, $message);
|
||
|
}
|
||
|
else
|
||
|
{
|
||
|
$label = $doc->createElement('h3');
|
||
|
$label->appendChild($doc->createTextNode("This message would have been sent but it was silenced"));
|
||
|
$body->appendChild($label);
|
||
|
|
||
|
$label = $doc->createElement('p');
|
||
|
$label->appendChild($doc->createTextNode($message));
|
||
|
$body->appendChild($label);
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
else
|
||
|
{
|
||
|
if (isset($_GET['TokenID']))
|
||
|
{
|
||
|
$memberID = FALSE;
|
||
|
/*
|
||
|
* Check the token and reset the password
|
||
|
*/
|
||
|
$token = cleanInput($_GET['TokenID']);
|
||
|
|
||
|
/*
|
||
|
* Tokens will have very specific formats that should be checked.
|
||
|
*/
|
||
|
|
||
|
/** TODO:
|
||
|
* Make this more better, less sucky
|
||
|
*/
|
||
|
if (strlen($token) == 64)
|
||
|
{
|
||
|
$memberID = verifyPasswordResetToken($token);
|
||
|
|
||
|
if (!($memberID === FALSE))
|
||
|
{
|
||
|
$label = $doc->createElement('h3');
|
||
|
$label->appendChild($doc->createTextNode("Reset Password"));
|
||
|
$body->appendChild($label);
|
||
|
|
||
|
$form = createForm($doc, "password-reset.php");
|
||
|
$fieldSet = $doc->createElement('fieldset');
|
||
|
$fieldSetDiv = $doc->createElement('div');
|
||
|
$fieldSet->appendChild($fieldSetDiv);
|
||
|
|
||
|
$input = $doc->createElement('input');
|
||
|
$input->setAttribute('type', 'hidden');
|
||
|
$input->setAttribute('name', 'TokenID');
|
||
|
$input->setAttribute('value', $token);
|
||
|
$fieldSetDiv->appendChild($input);
|
||
|
|
||
|
$label = $doc->createElement('label', 'Enter new password:');
|
||
|
$label->setAttribute('for', 'password1');
|
||
|
$label->setAttribute('class', 'CourseEditorInputLabel');
|
||
|
$fieldSetDiv->appendChild($label);
|
||
|
$input = $doc->createElement('input');
|
||
|
$input->setAttribute('type', 'password');
|
||
|
$input->setAttribute('name', 'password1');
|
||
|
$input->setAttribute('value', '');
|
||
|
$input->setAttribute('autocomplete', 'off');
|
||
|
$input->setAttribute('required', 'required');
|
||
|
//$input->setAttribute('');
|
||
|
$fieldSetDiv->appendChild($input);
|
||
|
|
||
|
$label = $doc->createElement('label', 'Confirm new password:');
|
||
|
$label->setAttribute('for', 'password2');
|
||
|
$label->setAttribute('class', 'CourseEditorInputLabel');
|
||
|
$fieldSetDiv->appendChild($label);
|
||
|
$input = $doc->createElement('input');
|
||
|
$input->setAttribute('type', 'password');
|
||
|
$input->setAttribute('name', 'password2');
|
||
|
$input->setAttribute('value', '');
|
||
|
$input->setAttribute('autocomplete', 'off');
|
||
|
$input->setAttribute('required', 'required');
|
||
|
//$input->setAttribute('');
|
||
|
$fieldSetDiv->appendChild($input);
|
||
|
|
||
|
$input = $doc->createElement('input');
|
||
|
$input->setAttribute('type', 'submit');
|
||
|
$input->setAttribute('value', 'Reset Password');
|
||
|
$fieldSetDiv->appendChild($input);
|
||
|
|
||
|
$form->appendChild($fieldSet);
|
||
|
$body->appendChild($form);
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
else
|
||
|
{
|
||
|
/*
|
||
|
* Offer a password reset
|
||
|
*/
|
||
|
$label = $doc->createElement('h3');
|
||
|
$label->appendChild($doc->createTextNode("Reset Password"));
|
||
|
$body->appendChild($label);
|
||
|
|
||
|
$form = createForm($doc, "password-reset.php");
|
||
|
$fieldSet = $doc->createElement('fieldset');
|
||
|
$fieldSetDiv = $doc->createElement('div');
|
||
|
$fieldSet->appendChild($fieldSetDiv);
|
||
|
|
||
|
/*
|
||
|
$label = $doc->createElement('label', 'Username:');
|
||
|
$label->setAttribute('for', 'username');
|
||
|
$label->setAttribute('class', 'CourseEditorInputLabel');
|
||
|
$fieldSetDiv->appendChild($label);
|
||
|
$input = createElement('input');
|
||
|
$input->setAttribute('type', 'text');
|
||
|
$input->setAttribute('name', 'username');
|
||
|
$input->setAttribute('autocomplete', 'off');
|
||
|
$input->setAttribute('');
|
||
|
$fieldSetDiv->appendChild($input);
|
||
|
*/
|
||
|
|
||
|
$label = $doc->createElement('label', 'Email:');
|
||
|
$label->setAttribute('for', 'useremail');
|
||
|
$label->setAttribute('class', 'CourseEditorInputLabel');
|
||
|
$fieldSetDiv->appendChild($label);
|
||
|
$input = $doc->createElement('input');
|
||
|
$input->setAttribute('type', 'text');
|
||
|
$input->setAttribute('name', 'useremail');
|
||
|
$input->setAttribute('autocomplete', 'off');
|
||
|
if (isset($_GET['id']) &&
|
||
|
(returnAdminStatus($_SESSION['MemberID']) || returnDirectorStatus($_SESSION['MemberID'])))
|
||
|
{
|
||
|
$input->setAttribute('value', returnUserEmail((int)cleanInput($_GET['id'])));
|
||
|
}
|
||
|
//$input->setAttribute('');
|
||
|
$fieldSetDiv->appendChild($input);
|
||
|
|
||
|
$input = $doc->createElement('input');
|
||
|
$input->setAttribute('type', 'submit');
|
||
|
$form->appendChild($input);
|
||
|
|
||
|
$form->appendChild($fieldSet);
|
||
|
$body->appendChild($form);
|
||
|
}
|
||
|
}
|
||
|
$body->appendChild(generateFooter($doc));
|
||
|
if ($prettyPretty)
|
||
|
$doc->formatOutput = true;
|
||
|
outputDoc($doc);
|
||
|
}
|
||
|
else
|
||
|
{
|
||
|
generateCookieMonster();
|
||
|
}
|
||
|
|
||
|
?>
|
||
|
|