| author | Carson Fleming <cflems@cflems.net> | 2017-04-12 19:33:38 -0400 |
|---|---|---|
| committer | Carson Fleming <cflems@cflems.net> | 2017-04-12 19:33:38 -0400 |
| commit | 3532ad23553572ef91a9f079eadc6b7454f0cd3a (patch) | |
| tree | 9436ee675528ee663c63a3d0546fb7cce34a7e6d | |
| parent | 36acfe536ada307ba028e8de99ae12905642e5fa (diff) | |
| download | bulletin-3532ad23553572ef91a9f079eadc6b7454f0cd3a.tar.gz | |
Improved password recovery mechanism
| -rw-r--r-- | forgot.php | 23 | ||||
| -rw-r--r-- | inc/forgot.tpl | 5 | ||||
| -rw-r--r-- | inc/functions.php | 11 |
3 files changed, 20 insertions, 19 deletions
@@ -2,32 +2,21 @@
 require('inc/common.php');
 if ($b_user['id'] > 0) loggedin();
-if (!empty($_GET['key']) && !empty($_GET['id'])) {
- $db = new bdb() or fatal('No database connection!');
- $result = $db->query('SELECT id FROM users WHERE id = '.intval($_GET['id']).' AND session = \''.bulletin_hash($_GET['key']).'\' AND active = 1 LIMIT 1') or fatal($db->error);
- if ($result->num_rows < 1) {
- $result->free();
- $db->close();
- fatal('Invalid information provided.');
- }
- $result->free();
- $db->close();
- setcookie($b_config['c_name'], intval($_GET['id']).';'.$_GET['key'], 0, $b_config['c_path'], $b_config['c_dom'], $b_config['c_sec'], $b_config['c_http']);
- loggedin();
-} else if (!empty($_POST['email'])) {
+if (!empty($_POST['email'])) {
 $db = new bdb() or fatal('No database connection!');
 $token = uniqid('fp', true);
 $result = $db->query('SELECT id FROM users WHERE email = \''.$db->escape_string($_POST['email']).'\'') or fatal($db->error);
 if ($result->num_rows > 0) {
- $db->query('UPDATE users SET session = \''.bulletin_hash($token).'\' WHERE email = \''.$db->escape_string($_POST['email']).'\'') or fatal($db->error);
- if ($db->affected_rows < 1) fatal('Could not affect the database');
 $row = $result->fetch_assoc();
+ $newpass = pwgen(10);
+ $db->query('UPDATE users SET password = \''.bulletin_hash($newpass).'\' WHERE id = '.$row['id']) or fatal($db->error);
+ if ($db->affected_rows < 1) fatal('Could not affect the database');
 $result->free();
 $db->close();
 bulletin_mail($_POST['email'], 'Recover Your Bulletin Account', tpl(array(
- 'vars' => 'id='.$row['id'].'&key='.$token,
+ 'newpass' => htmlentities($newpass),
 ), 'forgot.tpl')) or fatal('Could not send out the recovery email, we apologize for the inconvenience.');
- fatal('A recovery email has been sent to the address you supplied. You can use this email to access your account, and from there change your password.');
+ fatal('A recovery email has been sent to the address you supplied. You can use this email to access your account, and from there change your password.', $b_config['base_url'].'login.php');
 } else {
 $result->free();
 $db->close();
diff --git a/inc/forgot.tpl b/inc/forgot.tpl
index 4c4ed4d..38e109f 100644
--- a/inc/forgot.tpl
+++ b/inc/forgot.tpl
@@ -2,7 +2,7 @@
 <html>
 <head>
 <meta charset="UTF-8" />
- <title>Recover Your Bulletin Account</title>
+ <title>Your New Bulletin Password</title>
 </head>
 <body>
 <div id="head" style="text-align: center; width: 100%; height: 110px; border-bottom: 1px solid #dddddd;">
@@ -13,11 +13,12 @@
 <div style="width: 450px; display: table; margin: 1em auto;">
 <div style="font-family: sans-serif; font-size: 12pt; text-align: center; margin: 15px -15px; width: 100%; display: block;">
 <p style="width: 100%;">We're sorry you've lost access to your account!</p>
- <p style="width: 100%;">To log in and change your password, <a style="color: #fb4d00;" href="[config:base_url]forgot.php?[tpl:vars]">click here</a>.</p>
+ <p style="width: 100%;">To make the recovery process easier, we've generated a new password for you. You can now log in with the password: [tpl:newpass]</p>
 </div>
 </div>
 <div style="width: 450px; height: 1px; margin: auto; background: #dddddd;"></div>
 <p style="margin-top: 2em; text-align: center; font-family: sans-serif; font-size: 12pt; color: #aaaaaa;">Welcome back to Bulletin!</p>
+[config:eml_footer]
 <p style="color: #dddddd; margin: 4em auto auto auto; text-align: center; font-size: x-small; font-family: sans-serif;">Copyright © 2016 Bulletin Team</p>
 </body>
 </html>
diff --git a/inc/functions.php b/inc/functions.php
index 12bf2fc..92343f7 100644
--- a/inc/functions.php
+++ b/inc/functions.php
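Review bot: The new branch overwrites the account's stored password the moment anyone POSTs a known email address (`UPDATE users SET password = ...` runs before any proof of mailbox ownership), so an unauthenticated visitor can lock any user out, repeatedly, whereas the removed `$_GET['key']` flow only granted access once the emailed token was presented back; the fresh credential also now travels in cleartext mail via `'newpass' => htmlentities($newpass)`. Keep the two-step shape: on POST store a hashed, short-lived token (as the old `session` column did) and only rotate the password, or sign the user in, when the emailed link is visited, ideally with per-address rate limiting. The old lookup also required `active = 1`, which the new SELECT does not; if that flag still matters, append ` AND active = 1` to the `WHERE email = ...` query. `$token = uniqid('fp', true);` is now dead code and should go (uniqid is not a suitable secret source in any case). The enclosing `if`/`else` continues past the end of the hunk.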
@@ -84,4 +84,15 @@ function bulletin_mail ($to, $subject, $body) {
 return 0;
 }
 }
+
+function pwgen ($len) {
+ $alpha = 'abcdefghijklmnopqrstuvwxyz';
+ $alpha .= strtoupper($alpha);
+ $alpha .= '0123456789';
+ $pass = '';
+ $alen = strlen($alpha);
+ for ($i = 0; $i < $len; $i++)
+ $pass .= $alpha[mt_rand(0, $alen-1)];
+ return $pass;
+}
 ?> |
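Review bot: `pwgen` picks every character with `mt_rand`, a seedable Mersenne Twister that is not a CSPRNG, so its output becomes predictable once the seed or internal state is recovered; since the commit turns this output into the user's actual login password, the loop body should read `$pass .= $alpha[random_int(0, $alen-1)];`, which is unbiased and CSPRNG-backed. `random_int` needs PHP 7; if the deployment is older, `openssl_random_pseudo_bytes` with rejection sampling is the fallback. A guard such as `if ($len < 1) return '';` would make the contract explicit for the untyped `$len`. The function also deserves a header comment along the lines of `// Returns a random alphanumeric string of $len characters; used as a credential, so it must draw from a CSPRNG.`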
