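<?php

/*

Copyright 2018 Murray Hayes

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.

*/

session_start();

include_once "utils.php";
include_once "DOMUtils.php";
include_once "consts.php";
include_once "database.php";
include_once "formUtils.php";

/*
 * password-reset.php
 *
 * Renders one of four views into the DOMDocument returned by returnDoc():
 *   GET  without TokenID  -> form asking for the account e-mail address
 *   POST with useremail   -> look the address up and e-mail a reset link
 *   GET  with TokenID     -> if the token verifies, form asking for a new password
 *   POST with TokenID     -> verify the token and (TODO) store the new password
 *
 * $baseDir, $siteDomain, $passwordResetMailSilence and $prettyPretty are
 * read here but defined in the included files (presumably consts.php).
 */

/**
 * Append one element holding plain text to $body.
 *
 * @param DOMDocument $doc  document used to create the nodes
 * @param DOMElement  $body element the new node is appended to
 * @param string      $tag  element name, e.g. 'h3' or 'p'
 * @param string      $text text content; createTextNode() escapes it on output
 */
function passwordResetNotice(DOMDocument $doc, DOMElement $body, $tag, $text)
{
    $element = $doc->createElement($tag);
    $element->appendChild($doc->createTextNode($text));
    $body->appendChild($element);
}

/**
 * Cheap shape check applied before a token is handed to the database.
 *
 * Only the length (64) is known from this file; the real verification is
 * verifyPasswordResetToken(). Used on both the GET and the POST path so the
 * two cannot drift apart.
 *
 * @param mixed $token value taken from the request
 * @return bool
 */
function passwordResetTokenWellFormed($token)
{
    return is_string($token) && strlen($token) === 64;
}

/**
 * Decide whether $email is plausible enough to look up.
 *
 * There is no member id to attribute abusive requests to, so bad input is
 * rejected outright. filter_var() gives the format check; the original
 * character blacklist is kept on top of it because FILTER_VALIDATE_EMAIL
 * permits some of those characters in the local part.
 * NOTE(review): assumes cleanInput() leaves '@' and '.' intact — confirm in utils.php.
 *
 * @param mixed $email value taken from the request, already passed through cleanInput()
 * @return bool
 */
function passwordResetEmailAcceptable($email)
{
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    foreach ([';', '"', "'", '?', '/', "\\"] as $forbidden) {
        if (strpos($email, $forbidden) !== false) {
            return false;
        }
    }
    return true;
}

/**
 * Append the "choose a new password" form, carrying $token as a hidden field.
 *
 * DOMDocument escapes attribute values, so the token (which came from the
 * query string) is safe to embed.
 *
 * @param DOMDocument $doc
 * @param DOMElement  $body
 * @param string      $token verified reset token
 */
function passwordResetNewPasswordForm(DOMDocument $doc, DOMElement $body, $token)
{
    passwordResetNotice($doc, $body, 'h3', "Reset Password");

    $form = createForm($doc, "password-reset.php");
    $fieldSet = $doc->createElement('fieldset');
    $fieldSetDiv = $doc->createElement('div');
    $fieldSet->appendChild($fieldSetDiv);

    $hidden = $doc->createElement('input');
    $hidden->setAttribute('type', 'hidden');
    $hidden->setAttribute('name', 'TokenID');
    $hidden->setAttribute('value', $token);
    $fieldSetDiv->appendChild($hidden);

    // Both password fields are identical apart from name and label.
    $fields = [
        'password1' => 'Enter new password:',
        'password2' => 'Confirm new password:',
    ];
    foreach ($fields as $name => $labelText) {
        $label = $doc->createElement('label', $labelText);
        $label->setAttribute('for', $name);
        $label->setAttribute('class', 'CourseEditorInputLabel');
        $fieldSetDiv->appendChild($label);

        $input = $doc->createElement('input');
        $input->setAttribute('type', 'password');
        $input->setAttribute('name', $name);
        $input->setAttribute('value', '');
        $input->setAttribute('autocomplete', 'off');
        $input->setAttribute('required', 'required');
        $fieldSetDiv->appendChild($input);
    }

    $submit = $doc->createElement('input');
    $submit->setAttribute('type', 'submit');
    $submit->setAttribute('value', 'Reset Password');
    $fieldSetDiv->appendChild($submit);

    $form->appendChild($fieldSet);
    $body->appendChild($form);
}

/**
 * Append the "request a reset link" form.
 *
 * An admin or director may arrive with ?id=<member> to have the address of
 * another member pre-filled; everybody else gets an empty field.
 *
 * @param DOMDocument $doc
 * @param DOMElement  $body
 */
function passwordResetRequestForm(DOMDocument $doc, DOMElement $body)
{
    passwordResetNotice($doc, $body, 'h3', "Reset Password");

    $form = createForm($doc, "password-reset.php");
    $fieldSet = $doc->createElement('fieldset');
    $fieldSetDiv = $doc->createElement('div');
    $fieldSet->appendChild($fieldSetDiv);

    $label = $doc->createElement('label', 'Email:');
    $label->setAttribute('for', 'useremail');
    $label->setAttribute('class', 'CourseEditorInputLabel');
    $fieldSetDiv->appendChild($label);

    $input = $doc->createElement('input');
    $input->setAttribute('type', 'text');
    $input->setAttribute('name', 'useremail');
    $input->setAttribute('autocomplete', 'off');
    /*
     * Pre-fill only for privileged sessions. cookieMonster being set does not
     * guarantee MemberID is, so guard it before the status lookups.
     */
    if (isset($_GET['id']) && isset($_SESSION['MemberID'])
        && (returnAdminStatus($_SESSION['MemberID']) || returnDirectorStatus($_SESSION['MemberID']))) {
        $input->setAttribute('value', returnUserEmail((int)cleanInput($_GET['id'])));
    }
    $fieldSetDiv->appendChild($input);

    // The submit button sits directly in the form here, as it always has.
    $submit = $doc->createElement('input');
    $submit->setAttribute('type', 'submit');
    $form->appendChild($submit);

    $form->appendChild($fieldSet);
    $body->appendChild($form);
}

if (isset($_SESSION['cookieMonster'])) {
    $doc = returnDoc();
    $root = $doc->appendChild(returnRoot($doc));
    $root->appendChild(generateHead($doc));

    $body = $doc->createElement('body');
    $root->appendChild($body);
    $body->appendChild(generateMastHead($doc, $baseDir));

    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        // A field posted as an array (name[]) would otherwise reach cleanInput()/===.
        $haveResetFields = isset($_POST['TokenID'], $_POST['password1'], $_POST['password2'])
            && is_string($_POST['TokenID'])
            && is_string($_POST['password1'])
            && is_string($_POST['password2']);

        if ($haveResetFields) {
            /*
             * Token and two passwords on POST: verify the token and, if
             * everything checks out, reset the password.
             */
            $token = cleanInput($_POST['TokenID']);

            if ($_POST['password1'] !== $_POST['password2']) {
                passwordResetNotice($doc, $body, 'p',
                    "The two passwords did not match. Please go back and try again.");
            } elseif ($_POST['password1'] === '') {
                passwordResetNotice($doc, $body, 'p', "The new password may not be empty.");
            } else {
                // Same shape gate as the GET path, so malformed tokens never reach the database.
                $memberID = passwordResetTokenWellFormed($token)
                    ? verifyPasswordResetToken($token)
                    : false;

                if ($memberID === false) {
                    passwordResetNotice($doc, $body, 'p',
                        "This password reset link is not valid or has expired.");
                } else {
                    $newPassword = $_POST['password1'];
                    /*
                     * TODO: everything checks out for $memberID — store $newPassword
                     * and invalidate $token. The helper for that is not part of this
                     * file, so nothing is persisted yet and the user gets no confirmation.
                     */
                }
            }
        }

        if (isset($_POST['useremail']) && is_string($_POST['useremail'])) {
            // Send a password reset url.
            $targetEmail = trim(cleanInput($_POST['useremail']));

            if (passwordResetEmailAcceptable($targetEmail)) {
                $mailArray = returnPasswordResetTokenArray($targetEmail);
                if (!is_null($mailArray)) {
                    $mailTo = $mailArray['email'];
                    $token = $mailArray['token'];
                    $firstName = $mailArray['firstName'];
                    $lastName = $mailArray['lastName'];
                    $subject = "Request to change your password has been recieved";
                    /*
                     * NOTE(review): the link is built with a plain http:// scheme; if
                     * the site is served over TLS the token travels in clear — confirm
                     * against the deployment of $siteDomain.
                     */
                    $message = "Hello $firstName, we have received a request to change " .
                        "your password. If this request was not made by you do not " .
                        "respond to this email. If you continue to receive these requests " .
                        "please let us know. To reset your password, follow this link: " .
                        "http://$siteDomain$baseDir/password-reset.php?TokenID=$token " .
                        "and you will be guided through the rest of the process. Again, " .
                        "it is safe to ignore this email if you do not want to reset your " .
                        "password. Abuse can be reported to mailto:info@protospace.ca ";

                    if (!$passwordResetMailSilence) {
                        mail($mailTo, $subject, $message);
                    } else {
                        // Debug mode: show the mail (token included) instead of sending it.
                        passwordResetNotice($doc, $body, 'h3',
                            "This message would have been sent but it was silenced");
                        passwordResetNotice($doc, $body, 'p', $message);
                    }
                }
            }

            /*
             * Identical response whether or not the address is known, so the
             * form cannot be used to enumerate registered addresses.
             */
            passwordResetNotice($doc, $body, 'p',
                "If that address belongs to a member, a password reset message has been sent to it.");
        }
    } else {
        if (isset($_GET['TokenID'])) {
            // Check the token and offer the new-password form.
            $token = cleanInput($_GET['TokenID']);

            /*
             * Tokens have a fixed format; only the length is checked here,
             * verifyPasswordResetToken() does the real work.
             */
            if (passwordResetTokenWellFormed($token)) {
                $memberID = verifyPasswordResetToken($token);
                if ($memberID !== false) {
                    passwordResetNewPasswordForm($doc, $body, $token);
                }
            }
        } else {
            // Offer a password reset.
            passwordResetRequestForm($doc, $body);
        }
    }

    $body->appendChild(generateFooter($doc));
    if ($prettyPretty) {
        $doc->formatOutput = true;
    }
    outputDoc($doc);
} else {
    generateCookieMonster();
}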