diff --git a/mod/lostpass.php b/mod/lostpass.php
new file mode 100644
index 000000000..fb219072e
--- /dev/null
+++ b/mod/lostpass.php
@@ -0,0 +1,104 @@
+get_baseurl());
+
+ $r = q("SELECT * FROM `user` WHERE `email` = '%s' LIMIT 1",
+ dbesc($email)
+ );
+ if(! count($r))
+ goaway($a->get_baseurl());
+ $uid = $r[0]['uid'];
+ $username = $r[0]['username'];
+
+ $new_password = autoname(12) . mt_rand(100,9999);
+ $new_password_encoded = hash('whirlpool',$new_password);
+
+ $r = q("UPDATE `user` SET `pwdreset` = '%s' WHERE `uid` = %d LIMIT 1",
+ dbesc($new_password_encoded),
+ intval($uid)
+ );
+ if($r)
+ notice("Password reset request issued. Check your email.");
+
+ $email_tpl = file_get_contents("view/lostpass_eml.tpl");
+ $email_tpl = replace_macros($email_tpl, array(
+ '$sitename' => $a->config['sitename'],
+ '$siteurl' => $a->get_baseurl(),
+ '$username' => $username,
+ '$email' => $email,
+ '$reset_link' => $a->get_baseurl() . '/lostpass?verify=' . $new_password
+ ));
+
+ $res = mail($email,"Password reset requested at {$a->config['sitename']}",$email_tpl,"From: Administrator@{$_SERVER[SERVER_NAME]}");
+
+
+
+ goaway($a->get_baseurl());
+}
+
+
+function lostpass_content(&$a) {
+
+
+ if(x($_GET,'verify')) {
+ $verify = $_GET['verify'];
+ $hash = hash('whirlpool', $verify);
+
+ $r = q("SELECT * FROM `user` WHERE `pwdreset` = '%s' LIMIT 1",
+ dbesc($hash)
+ );
+ if(! count($r)) {
+ notice("Request could not be verified. (You may have previously submitted it.) Password reset failed." . EOL);
+ goaway($a->get_baseurl());
+ return;
+ }
+ $uid = $r[0]['uid'];
+ $username = $r[0]['username'];
+ $email = $r[0]['email'];
+
+ $new_password = autoname(6) . mt_rand(100,9999);
+ $new_password_encoded = hash('whirlpool',$new_password);
+
+ $r = q("UPDATE `user` SET `password` = '%s', `pwdreset` = '' WHERE `uid` = %d LIMIT 1",
+ dbesc($new_password_encoded),
+ intval($uid)
+ );
+ if($r) {
+ $tpl = file_get_contents('view/pwdreset.tpl');
+ $o .= replace_macros($tpl,array(
+ '$newpass' => $new_password,
+ '$baseurl' => $a->get_baseurl()
+ ));
+ notice("Your password has been reset." . EOL);
+
+
+
+ $email_tpl = file_get_contents("view/passchanged_eml.tpl");
+ $email_tpl = replace_macros($email_tpl, array(
+ '$sitename' => $a->config['sitename'],
+ '$siteurl' => $a->get_baseurl(),
+ '$username' => $username,
+ '$email' => $email,
+ '$new_password' => $new_password,
+ '$uid' => $newuid ));
+
+ $res = mail($email,"Your password has changed at {$a->config['sitename']}",$email_tpl,"From: Administrator@{$_SERVER[SERVER_NAME]}");
+
+ return $o;
+ }
+
+ }
+ else {
+ $tpl = file_get_contents('view/lostpass.tpl');
+
+ $o .= $tpl;
+
+ return $o;
+ }
+
+}
\ No newline at end of file
diff --git a/update.sql b/update.sql
index 0a606e527..fc4a63fd9 100644
--- a/update.sql
+++ b/update.sql
@@ -13,4 +13,4 @@ ALTER TABLE `item` ADD `owner-name` CHAR( 255 ) CHARACTER SET utf8 COLLATE utf8_ ADD `owner-link` CHAR( 255 ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL AFTER `owner-name` , ADD `owner-avatar` CHAR( 255 ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL AFTER `owner-link` ;
-ALTER TABLE `item` ADD `remote-parent` CHAR( 255 ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL AFTER `parent` ;
\ No newline at end of file
+ALTER TABLE `user` ADD `pwdreset` CHAR( 255 ) NOT NULL AFTER `blocked` ;
\ No newline at end of file
diff --git a/view/login.tpl b/view/login.tpl
index 2ce7241fc..c7cae1bb7 100644
--- a/view/login.tpl
+++ b/view/login.tpl
@@ -14,7 +14,7 @@
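Review bot: The reset token in lostpass_post (`autoname(12) . mt_rand(100,9999)`) and the replacement password in lostpass_content (`autoname(6) . mt_rand(100,9999)`) are not drawn from a cryptographically secure source: `mt_rand()` is a seedable PRNG that contributes at most four digits, and `autoname()` is defined outside this diff, so its strength cannot be confirmed here. Both values act as credentials and should come from a CSPRNG, e.g. `$new_password = bin2hex(random_bytes(16));` (or `openssl_random_pseudo_bytes()` on PHP versions without `random_bytes()`). In lostpass_content the mail macro array passes `'$uid' => $newuid`, but only `$uid` is assigned in that function, so the entry should read `'$uid' => $uid`. Both `mail()` calls build the From header from `$_SERVER[SERVER_NAME]`, with an unquoted key and a value that, depending on server configuration, can follow the client's Host header; a configured site address would be safer. The opening lines of lostpass_post are not visible on this page.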
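Review bot: The new `pwdreset` column stores the reset-token hash with no companion timestamp, so the verify lookup in mod/lostpass.php (`WHERE pwdreset = '%s'`) accepts a token for as long as the row is unchanged, and an emailed link stays usable until it is followed or overwritten by another request. Adding an issue-time column alongside it, e.g. `ADD pwdreset_time DATETIME NOT NULL AFTER pwdreset` (column name illustrative), would let the verify step reject stale tokens. The column is also looked up by value on every verification and has no index here, and `CHAR( 255 )` is wider than the 128 hex characters a Whirlpool digest needs.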
+Enter your email address and submit to have your password reset. Then check your email for further instructions. +
+ + +
diff --git a/view/lostpass_eml.tpl b/view/lostpass_eml.tpl
new file mode 100644
index 000000000..c350236a4
--- /dev/null
+++ b/view/lostpass_eml.tpl
@@ -0,0 +1,32 @@
+
+Dear $username,
+ A request was recently received at $sitename to reset your account
+password. In order to confirm this request, please select the verification link
+below or paste it into your web browser address bar.
+
+If you did NOT request this change, please DO NOT follow the link
+provided and ignore and/or delete this email.
+
+Your password will not be changed unless we can verify that you
+issued this request.
+
+Follow this link to verify your identity:
+
+$reset_link
+
+You will then receive a follow-up message containing the new password.
+
+You may change that password from your account settings page after logging in.
+
+The login details are as follows:
+
+Site Location: $siteurl
+Login Name: $email
+
+
+
+
+Sincerely,
+ $sitename Administrator
+
+
diff --git a/view/passchanged_eml.tpl b/view/passchanged_eml.tpl
new file mode 100644
index 000000000..9692159e1
--- /dev/null
+++ b/view/passchanged_eml.tpl
@@ -0,0 +1,20 @@
+
+Dear $username,
+ Your password has been changed as requested. Please retain this
+information for your records (or change your password immediately to
+something that you will remember).
+
+
+Your login details are as follows:
+
+Site Location: $siteurl
+Login Name: $email
+Password: $new_password
+
+You may change that password from your account settings page after logging in.
+
+
+Sincerely,
+ $sitename Administrator
+
+
diff --git a/view/pwdreset.tpl b/view/pwdreset.tpl
new file mode 100644
index 000000000..dd609f061
--- /dev/null
+++ b/view/pwdreset.tpl
@@ -0,0 +1,16 @@ ++Your password has been reset as requested. +
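Review bot: The `Password: $new_password` line in view/passchanged_eml.tpl puts a working credential into the mailbox in plaintext, where it stays readable to anyone who later gains access to the mail account or its backups; view/pwdreset.tpl already shows the same value (`$newpass`) on the confirmation page. Nothing in this diff forces the user to replace the generated password, so that stored copy can remain valid indefinitely. Consider dropping the password line and keeping the mail as a plain notification, e.g. `Your password has been changed as requested. If you did not request this change, contact the site administrator.`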
++Your new password is +
++$newpass +
++Save or copy your new password - and then click here to login. +
++Your password may be changed from the 'Settings' page after successful login. \ No newline at end of file