Initial commit

password-reset.php

@@ -0,0 +1,283 @@
+<?php
+
+/*
+
+Copyright 2018 Murray Hayes
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+notice, this list of conditions and the following disclaimer in the
+documentation and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+*/
+
+session_start();
+
+include_once "utils.php";
+include_once "DOMUtils.php";
+include_once "consts.php";
+include_once "database.php";
+include_once "formUtils.php";
+
+
+
+if (isset($_SESSION['cookieMonster']))
+//if (true)
+{
+  
+  $doc = returnDoc();
+  
+  $root = returnRoot($doc);
+  $root = $doc->appendChild($root);
+  $root->appendChild(generateHead($doc));
+  
+  $body = $doc->createElement('body');
+  $root->appendChild($body);
+  
+  $body->appendChild(generateMastHead($doc, $baseDir));
+  
+      
+  /*
+   *  Insert content here.
+   */
+
+  if ($_SERVER['REQUEST_METHOD'] == 'POST')
+  {
+    if (isset($_POST['TokenID']) && isset($_POST['password1']) && isset($_POST['password2']))
+    {
+      /*
+       * We have a TokenID and two passwords on POST
+       * If everything checks out, reset the password.
+       */
+      
+      $token = cleanInput($_POST['TokenID']);
+      
+      if ($_POST['password1'] === $_POST['password2'])
+      {
+        $newPassword = $_POST['password1'];
+        $memberID = FALSE;
+        $memberID = verifyPasswordResetToken($token);
+        if (!($memberID === FALSE))
+        {
+          /*
+           * everything looks good, update the password and clear the token.
+           */
+          
+        }
+      }
+    }
+    if (isset($_POST['useremail']))
+    {
+      /*
+       * Send a password reset url
+       */
+      
+      $targetEmail = cleanInput($_POST['useremail']);
+      
+      /*
+       * Apply some sanity to this because there is no userid to log
+       * abusive requests to.
+       */
+      
+      if (strpos($targetEmail, ';') === FALSE &&
+          strpos($targetEmail, '"') === FALSE &&
+          strpos($targetEmail, "'") === FALSE &&
+          strpos($targetEmail, '?') === FALSE &&
+          strpos($targetEmail, "/") === FALSE &&
+          strpos($targetEmail, "\\") === FALSE)
+      {
+        $mailArray = returnPasswordResetTokenArray($targetEmail);
+        if (!is_null($mailArray))
+        {
+          $mailTo = $mailArray['email'];
+          $token = $mailArray['token'];
+          //print ("token is " . strlen($token) . " characters long");
+          $firstName = $mailArray['firstName'];
+          $lastName = $mailArray['lastName'];
+          $subject = "Request to change your password has been recieved";
+          $message = "Hello $firstName, we have received a request to change " .
+              "your password.  If this request was not made by you do not " .
+              "respond to this email. If you continue to receive these requests " .
+              "please let us know. To reset your password, follow this link: " .
+              "http://$siteDomain$baseDir/password-reset.php?TokenID=$token " .
+              "and you will be guided through the rest of the process.  Again, " .
+              "it is safe to ignore this email if you do not want to reset your " .
+              "password.  Abuse can be reported to mailto:info@protospace.ca ";
+          if (!$passwordResetMailSilence)
+          {
+            mail($mailTo, $subject, $message);
+          }
+          else
+          {
+            $label = $doc->createElement('h3');
+            $label->appendChild($doc->createTextNode("This message would have been sent but it was silenced"));
+            $body->appendChild($label);
+            
+            $label = $doc->createElement('p');
+            $label->appendChild($doc->createTextNode($message));
+            $body->appendChild($label);
+          }
+        }
+      }
+    }
+  }
+  else
+  {
+    if (isset($_GET['TokenID']))
+    {
+      $memberID = FALSE;
+      /*
+       * Check the token and reset the password
+       */
+      $token = cleanInput($_GET['TokenID']);
+
+      /*
+       * Tokens will have very specific formats that should be checked.
+       */
+      
+      /** TODO: 
+       *    Make this more better, less sucky
+       */
+      if (strlen($token) == 64)
+      {
+        $memberID = verifyPasswordResetToken($token);
+        
+        if (!($memberID === FALSE))
+        {
+          $label = $doc->createElement('h3');
+          $label->appendChild($doc->createTextNode("Reset Password"));
+          $body->appendChild($label);
+          
+          $form = createForm($doc, "password-reset.php");
+          $fieldSet = $doc->createElement('fieldset');
+          $fieldSetDiv = $doc->createElement('div');
+          $fieldSet->appendChild($fieldSetDiv);
+          
+          $input = $doc->createElement('input');
+          $input->setAttribute('type', 'hidden');
+          $input->setAttribute('name', 'TokenID');
+          $input->setAttribute('value', $token);
+          $fieldSetDiv->appendChild($input);
+          
+          $label = $doc->createElement('label', 'Enter new password:');
+          $label->setAttribute('for', 'password1');
+          $label->setAttribute('class', 'CourseEditorInputLabel');
+          $fieldSetDiv->appendChild($label);
+          $input = $doc->createElement('input');
+          $input->setAttribute('type', 'password');
+          $input->setAttribute('name', 'password1');
+          $input->setAttribute('value', '');
+          $input->setAttribute('autocomplete', 'off');
+          $input->setAttribute('required', 'required');
+          //$input->setAttribute('');
+          $fieldSetDiv->appendChild($input);
+
+          $label = $doc->createElement('label', 'Confirm new password:');
+          $label->setAttribute('for', 'password2');
+          $label->setAttribute('class', 'CourseEditorInputLabel');
+          $fieldSetDiv->appendChild($label);
+          $input = $doc->createElement('input');
+          $input->setAttribute('type', 'password');
+          $input->setAttribute('name', 'password2');
+          $input->setAttribute('value', '');
+          $input->setAttribute('autocomplete', 'off');
+          $input->setAttribute('required', 'required');
+          //$input->setAttribute('');
+          $fieldSetDiv->appendChild($input);
+          
+          $input = $doc->createElement('input');
+          $input->setAttribute('type', 'submit');
+          $input->setAttribute('value', 'Reset Password');
+          $fieldSetDiv->appendChild($input);
+          
+          $form->appendChild($fieldSet);
+          $body->appendChild($form);
+        }
+      }
+    }
+    else
+    {
+      /*
+       * Offer a password reset
+       */
+      $label = $doc->createElement('h3');
+      $label->appendChild($doc->createTextNode("Reset Password"));
+      $body->appendChild($label);
+      
+      $form = createForm($doc, "password-reset.php");
+      $fieldSet = $doc->createElement('fieldset');
+      $fieldSetDiv = $doc->createElement('div');
+      $fieldSet->appendChild($fieldSetDiv);
+    
+    /*  
+      $label = $doc->createElement('label', 'Username:');
+      $label->setAttribute('for', 'username');
+      $label->setAttribute('class', 'CourseEditorInputLabel');
+      $fieldSetDiv->appendChild($label);
+      $input = createElement('input');
+      $input->setAttribute('type', 'text');
+      $input->setAttribute('name', 'username');
+      $input->setAttribute('autocomplete', 'off');
+      $input->setAttribute('');
+      $fieldSetDiv->appendChild($input);
+    */
+      
+      $label = $doc->createElement('label', 'Email:');
+      $label->setAttribute('for', 'useremail');
+      $label->setAttribute('class', 'CourseEditorInputLabel');
+      $fieldSetDiv->appendChild($label);
+      $input = $doc->createElement('input');
+      $input->setAttribute('type', 'text');
+      $input->setAttribute('name', 'useremail');
+      $input->setAttribute('autocomplete', 'off');
+      if (isset($_GET['id']) && 
+          (returnAdminStatus($_SESSION['MemberID']) || returnDirectorStatus($_SESSION['MemberID'])))
+      {
+        $input->setAttribute('value', returnUserEmail((int)cleanInput($_GET['id'])));
+      }
+      //$input->setAttribute('');
+      $fieldSetDiv->appendChild($input);
+      
+      $input = $doc->createElement('input');
+      $input->setAttribute('type', 'submit');
+      $form->appendChild($input);
+      
+      $form->appendChild($fieldSet);
+      $body->appendChild($form);
+    }
+  }
+  $body->appendChild(generateFooter($doc));
+  if ($prettyPretty)
+    $doc->formatOutput = true;
+  outputDoc($doc);
+}
+else
+{
+  generateCookieMonster();
+}
+
+?>
+