reset.php 4.17 KB
Newer Older
Scott committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40
<?php
/*
	Question2Answer by Gideon Greenspan and contributors
	http://www.question2answer.org/

	File: qa-include/qa-page-reset.php
	Description: Controller for password reset page (comes after forgot page)


	This program is free software; you can redistribute it and/or
	modify it under the terms of the GNU General Public License
	as published by the Free Software Foundation; either version 2
	of the License, or (at your option) any later version.

	This program is distributed in the hope that it will be useful,
	but WITHOUT ANY WARRANTY; without even the implied warranty of
	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
	GNU General Public License for more details.

	More about this license: http://www.question2answer.org/license.php
*/

	if (!defined('QA_VERSION')) { // don't allow this page to be requested directly from browser
		header('Location: ../');
		exit;
	}


//	Check we're not using single-sign on integration and that we're not logged in

	if (QA_FINAL_EXTERNAL_USERS)
		qa_fatal_error('User login is handled by external code');

	if (qa_is_logged_in())
		qa_redirect('');


//	Process incoming form

	if (qa_clicked('doreset')) {
Scott committed
41
		require_once QA_INCLUDE_DIR.'app/users-edit.php';
Scott committed
42
		require_once QA_INCLUDE_DIR.'db/users.php';
Scott committed
43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58

		$inemailhandle=qa_post_text('emailhandle');
		$incode=trim(qa_post_text('code')); // trim to prevent passing in blank values to match uninitiated DB rows

		$errors=array();

		if (!qa_check_form_security_code('reset', qa_post_text('formcode')))
			$errors['page']=qa_lang_html('misc/form_security_again');

		else {
			if (qa_opt('allow_login_email_only') || (strpos($inemailhandle, '@')!==false)) // handles can't contain @ symbols
				$matchusers=qa_db_user_find_by_email($inemailhandle);
			else
				$matchusers=qa_db_user_find_by_handle($inemailhandle);

			if (count($matchusers)==1) { // if match more than one (should be impossible), consider it a non-match
Scott committed
59
				require_once QA_INCLUDE_DIR.'db/selects.php';
Scott committed
60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138

				$inuserid=$matchusers[0];
				$userinfo=qa_db_select_with_pending(qa_db_user_account_selectspec($inuserid, true));

				// strlen() check is vital otherwise we can reset code for most users by entering the empty string
				if (strlen($incode) && (strtolower(trim($userinfo['emailcode'])) == strtolower($incode))) {
					qa_complete_reset_user($inuserid);
					qa_redirect('login', array('e' => $inemailhandle, 'ps' => '1')); // redirect to login page

				} else
					$errors['code']=qa_lang('users/reset_code_wrong');

			} else
				$errors['emailhandle']=qa_lang('users/user_not_found');
		}

	} else {
		$inemailhandle=qa_get('e');
		$incode=qa_get('c');
	}


//	Prepare content for theme

	$qa_content=qa_content_prepare();

	$qa_content['title']=qa_lang_html('users/reset_title');
	$qa_content['error']=@$errors['page'];

	if (empty($inemailhandle) || isset($errors['emailhandle']))
		$forgotpath=qa_path('forgot');
	else
		$forgotpath=qa_path('forgot',  array('e' => $inemailhandle));

	$qa_content['form']=array(
		'tags' => 'method="post" action="'.qa_self_html().'"',

		'style' => 'tall',

		'ok' => empty($incode) ? qa_lang_html('users/reset_code_emailed') : null,

		'fields' => array(
			'email_handle' => array(
				'label' => qa_opt('allow_login_email_only') ? qa_lang_html('users/email_label') : qa_lang_html('users/email_handle_label'),
				'tags' => 'name="emailhandle" id="emailhandle"',
				'value' => qa_html(@$inemailhandle),
				'error' => qa_html(@$errors['emailhandle']),
			),

			'code' => array(
				'label' => qa_lang_html('users/reset_code_label'),
				'tags' => 'name="code" id="code"',
				'value' => qa_html(@$incode),
				'error' => qa_html(@$errors['code']),
				'note' => qa_lang_html('users/reset_code_emailed').' - '.
					'<a href="'.qa_html($forgotpath).'">'.qa_lang_html('users/reset_code_another').'</a>',
			),
		),

		'buttons' => array(
			'reset' => array(
				'label' => qa_lang_html('users/send_password_button'),
			),
		),

		'hidden' => array(
			'doreset' => '1',
			'formcode' => qa_get_form_security_code('reset'),
		),
	);

	$qa_content['focusid']=(isset($errors['emailhandle']) || !strlen(@$inemailhandle)) ? 'emailhandle' : 'code';


	return $qa_content;


/*
	Omit PHP closing tag to help avoid accidental output
Gideon Greenspan committed
139
*/