Add time-out to password resets; prevent repeated mails #50
@ -24,7 +24,9 @@ class Login extends HTMLController
|
|||||||
if (Authentication::checkPassword($_POST['emailaddress'], $_POST['password']))
|
if (Authentication::checkPassword($_POST['emailaddress'], $_POST['password']))
|
||||||
{
|
{
|
||||||
parent::__construct('Login');
|
parent::__construct('Login');
|
||||||
$_SESSION['user_id'] = Authentication::getUserId($_POST['emailaddress']);
|
|
||||||
|
$user = Member::fromEmailAddress($_POST['emailaddress']);
|
||||||
|
$_SESSION['user_id'] = $user->getUserId();
|
||||||
|
|
||||||
if (isset($_POST['redirect_url']))
|
if (isset($_POST['redirect_url']))
|
||||||
header('Location: ' . base64_decode($_POST['redirect_url']));
|
header('Location: ' . base64_decode($_POST['redirect_url']));
|
||||||
|
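Review bot: The added `$_SESSION['user_id'] = $user->getUserId();` calls a method on the result of `Member::fromEmailAddress()` without checking that an object came back; the removed `Authentication::getUserId()` path at least yielded `false`, whereas a null/false here is a fatal error on a non-object if the lookup misses after `checkPassword()` has already succeeded (for example if the two lookups normalise the address differently). Guard the result before using it, e.g. `if (!$user) { throw new UserFacingException('Login failed.'); }` (constructed message). The context line `header('Location: ' . base64_decode($_POST['redirect_url']));` also sends the browser to whatever the POST body supplies without restricting it to this site, which is an open redirect; only redirect when the decoded value starts with `BASEURL . '/'` and otherwise fall back to a fixed local page. The enclosing constructor starts and ends outside this hunk.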
@ -18,12 +18,12 @@ class ResetPassword extends HTMLController
|
|||||||
if (isset($_GET['step'], $_GET['email'], $_GET['key']) && $_GET['step'] == 2)
|
if (isset($_GET['step'], $_GET['email'], $_GET['key']) && $_GET['step'] == 2)
|
||||||
{
|
{
|
||||||
$email = rawurldecode($_GET['email']);
|
$email = rawurldecode($_GET['email']);
|
||||||
$id_user = Authentication::getUserid($email);
|
$user = Member::fromEmailAddress($email);
|
||||||
if ($id_user === false)
|
if (!$user)
|
||||||
throw new UserFacingException('Invalid email address. Please make sure you copied the full link in the email you received.');
|
throw new UserFacingException('Invalid email address. Please make sure you copied the full link in the email you received.');
|
||||||
|
|
||||||
$key = $_GET['key'];
|
$key = $_GET['key'];
|
||||||
if (!Authentication::checkResetKey($id_user, $key))
|
if (!Authentication::checkResetKey($user->getUserId(), $key))
|
||||||
throw new UserFacingException('Invalid reset token. Please make sure you copied the full link in the email you received. Note: you cannot use the same token twice.');
|
throw new UserFacingException('Invalid reset token. Please make sure you copied the full link in the email you received. Note: you cannot use the same token twice.');
|
||||||
|
|
||||||
parent::__construct('Reset password - ' . SITE_TITLE);
|
parent::__construct('Reset password - ' . SITE_TITLE);
|
||||||
@ -42,7 +42,7 @@ class ResetPassword extends HTMLController
|
|||||||
// So, are we good to go?
|
// So, are we good to go?
|
||||||
if (empty($missing))
|
if (empty($missing))
|
||||||
{
|
{
|
||||||
Authentication::updatePassword($id_user, Authentication::computeHash($_POST['password1']));
|
Authentication::updatePassword($user->getUserId(), Authentication::computeHash($_POST['password1']));
|
||||||
$_SESSION['login_msg'] = ['Your password has been reset', 'You can now use the form below to log in to your account.', 'success'];
|
$_SESSION['login_msg'] = ['Your password has been reset', 'You can now use the form below to log in to your account.', 'success'];
|
||||||
header('Location: ' . BASEURL . '/login/');
|
header('Location: ' . BASEURL . '/login/');
|
||||||
exit;
|
exit;
|
||||||
@ -60,15 +60,15 @@ class ResetPassword extends HTMLController
|
|||||||
// Have they submitted an email address yet?
|
// Have they submitted an email address yet?
|
||||||
if (isset($_POST['emailaddress']) && preg_match('~^.+@.+\.[a-z]+$~', trim($_POST['emailaddress'])))
|
if (isset($_POST['emailaddress']) && preg_match('~^.+@.+\.[a-z]+$~', trim($_POST['emailaddress'])))
|
||||||
{
|
{
|
||||||
$id_user = Authentication::getUserid(trim($_POST['emailaddress']));
|
$user = Member::fromEmailAddress($_POST['emailaddress']);
|
||||||
if ($id_user === false)
|
if (!$user)
|
||||||
{
|
{
|
||||||
$form->adopt(new Alert('Invalid email address', 'The email address you provided could not be found in our system. Please try again.', 'danger'));
|
$form->adopt(new Alert('Invalid email address', 'The email address you provided could not be found in our system. Please try again.', 'danger'));
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
Authentication::setResetKey($id_user);
|
Authentication::setResetKey($user->getUserId());
|
||||||
Email::resetMail($id_user);
|
Email::resetMail($user->getUserId());
|
||||||
|
|
||||||
// Show the success message
|
// Show the success message
|
||||||
$this->page->clear();
|
$this->page->clear();
|
||||||
|
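Review bot: The new lookup in the third hunk, `$user = Member::fromEmailAddress($_POST['emailaddress']);`, drops the `trim()` the removed line applied, while the `preg_match` guard on the line above still validates `trim($_POST['emailaddress'])`, so an address with surrounding whitespace now passes validation but misses the lookup and the user is told it is unknown. Restore it: `$user = Member::fromEmailAddress(trim($_POST['emailaddress']));`. The `if (!$user)` tests that replace `=== false` in the first and third hunks assume `queryObject()` returns a falsy value when no row matches; that is worth confirming, since a truthy empty object would let `checkResetKey()` run with a null user id. The distinct 'Invalid email address' / 'Invalid reset token' exceptions and the 'could not be found in our system' alert disclose whether an address is registered, and nothing visible in these hunks implements the repeated-mail throttle the title describes, so presumably it lives in `setResetKey()` or `resetMail()` outside this view. The enclosing constructor runs outside the hunks.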
@ -73,22 +73,6 @@ class Authentication
|
|||||||
return $hash;
|
return $hash;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Finds the user id belonging to a certain emailaddress.
|
|
||||||
*/
|
|
||||||
public static function getUserId($emailaddress)
|
|
||||||
{
|
|
||||||
$res = Registry::get('db')->queryValue('
|
|
||||||
SELECT id_user
|
|
||||||
FROM users
|
|
||||||
WHERE emailaddress = {string:emailaddress}',
|
|
||||||
[
|
|
||||||
'emailaddress' => $emailaddress,
|
|
||||||
]);
|
|
||||||
|
|
||||||
return empty($res) ? false : $res;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Verifies whether the user is currently logged in.
|
* Verifies whether the user is currently logged in.
|
||||||
*/
|
*/
|
||||||
|
@ -8,7 +8,7 @@
|
|||||||
|
|
||||||
class Member extends User
|
class Member extends User
|
||||||
{
|
{
|
||||||
private function __construct($data)
|
private function __construct($data = [])
|
||||||
{
|
{
|
||||||
foreach ($data as $key => $value)
|
foreach ($data as $key => $value)
|
||||||
$this->$key = $value;
|
$this->$key = $value;
|
||||||
@ -18,6 +18,15 @@ class Member extends User
|
|||||||
$this->is_admin = $this->is_admin == 1;
|
$this->is_admin = $this->is_admin == 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static function fromEmailAddress($email_address)
|
||||||
|
{
|
||||||
|
return Registry::get('db')->queryObject(static::class, '
|
||||||
|
SELECT *
|
||||||
|
FROM users
|
||||||
|
WHERE emailaddress = {string:email_address}',
|
||||||
|
['email_address' => $email_address]);
|
||||||
|
}
|
||||||
|
|
||||||
public static function fromId($id_user)
|
public static function fromId($id_user)
|
||||||
{
|
{
|
||||||
$row = Registry::get('db')->queryAssoc('
|
$row = Registry::get('db')->queryAssoc('
|
||||||
|