<?php /* Question2Answer by Gideon Greenspan and contributors http://www.question2answer.org/ File: qa-include/qa-page-reset.php Description: Controller for password reset page (comes after forgot page) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. More about this license: http://www.question2answer.org/license.php */ if (!defined('QA_VERSION')) { // don't allow this page to be requested directly from browser header('Location: ../'); exit; } // Check we're not using single-sign on integration and that we're not logged in if (QA_FINAL_EXTERNAL_USERS) { qa_fatal_error('User login is handled by external code'); } if (qa_is_logged_in()) { qa_redirect(''); } // Fetch the email or handle from POST or GET $emailHandle = qa_post_text('emailhandle'); if (!isset($emailHandle)) { $emailHandle = qa_get('e'); } $emailHandle = trim($emailHandle); // if $emailHandle is null, trim returns an empty string // Fetch the code from POST or GET $code = qa_post_text('code'); if (!isset($code)) { $code = qa_get('c'); } $code = trim($code); // if $code is null, trim returns an empty string $forgotPath = strlen($emailHandle) > 0 ? qa_path('forgot', array('e' => $emailHandle)) : qa_path('forgot'); $focusId = 'code'; $errors = array(); $fields = array( 'email_handle' => array( 'type' => 'static', 'label' => qa_lang_html(qa_opt('allow_login_email_only') ? 'users/email_label' : 'users/email_handle_label'), 'value' => qa_html($emailHandle), ), 'code' => array( 'label' => qa_lang_html('users/email_code_label'), 'tags' => 'name="code" id="code"', 'value' => isset($code) ? qa_html($code) : null, 'note_force' => true, 'note' => qa_lang_html('users/email_code_emailed') . ' - ' . '<a href="' . qa_html($forgotPath) . '">' . qa_lang_html('users/email_code_another') . '</a>', ), ); $buttons = array( 'next' => array( 'tags' => 'name="donext"', 'label' => qa_lang_html('misc/next_step'), ), ); $hidden = array( 'formcode' => qa_get_form_security_code('reset'), ); if (strlen($emailHandle) > 0) { require_once QA_INCLUDE_DIR . 'app/users-edit.php'; require_once QA_INCLUDE_DIR . 'db/users.php'; $hidden['emailhandle'] = $emailHandle; $matchingUsers = qa_opt('allow_login_email_only') || strpos($emailHandle, '@') !== false // handles can't contain @ symbols ? qa_db_user_find_by_email($emailHandle) : qa_db_user_find_by_handle($emailHandle); // Make sure there is only one match if (count($matchingUsers) == 1) { require_once QA_INCLUDE_DIR . 'db/selects.php'; // strlen() check is vital otherwise we can reset code for most users by entering the empty string if (strlen($code) > 0) { $userId = $matchingUsers[0]; $userInfo = qa_db_select_with_pending(qa_db_user_account_selectspec($userId, true)); if (strtolower(trim($userInfo['emailcode'])) == strtolower($code)) { // User input a valid code so no need to ask for it but pass it to the next step unset($fields['code']); $hidden['code'] = $code; $buttons = array( 'change' => array( 'tags' => 'name="dochangepassword"', 'label' => qa_lang_html('users/change_password'), ), ); $focusId = 'newpassword1'; if (qa_clicked('dochangepassword')) { $newPassword = qa_post_text('newpassword1'); $repeatPassword = qa_post_text('newpassword2'); if (!qa_check_form_security_code('reset', qa_post_text('formcode'))) { $errors['page'] = qa_lang_html('misc/form_security_again'); } else { $passwordError = qa_password_validate($newPassword, $userInfo); if (!empty($passwordError)) { $errors['new_1'] = $passwordError['password']; } if ($newPassword != $repeatPassword) { $errors['new_2'] = qa_lang('users/password_mismatch'); } if (empty($errors)) { // Update password, login user, fire events and redirect to home page qa_finish_reset_user($userId, $newPassword); qa_redirect(''); } } } $fields['new_1'] = array( 'label' => qa_lang_html('users/new_password_1'), 'tags' => 'name="newpassword1" id="newpassword1"', 'type' => 'password', 'error' => qa_html(isset($errors['new_1']) ? $errors['new_1'] : null), ); $fields['new_2'] = array( 'label' => qa_lang_html('users/new_password_2'), 'tags' => 'name="newpassword2"', 'type' => 'password', 'error' => qa_html(isset($errors['new_2']) ? $errors['new_2'] : null), ); } else { // User input wrong code so show field with error $fields['code']['error'] = qa_lang('users/email_code_wrong'); } } elseif (qa_clicked('donext')) { // If user submitted the form with an empty code $fields['code']['error'] = qa_lang('users/email_code_wrong'); } } else { // If match more than one (should be impossible), consider it a non-match $errors['page'] = qa_lang_html('users/user_not_found'); } } else { // If there is no handle notify the user $errors['page'] = qa_lang_html('users/user_not_found'); } // Prepare content for theme $qa_content = qa_content_prepare(); $qa_content['title'] = qa_lang_html('users/reset_title'); $qa_content['error'] = isset($errors['page']) ? $errors['page'] : null; if (!isset($errors['page'])) { // Using this form action instead of qa_self_html() to get rid of the 's' (success) GET parameter from forgot.php $qa_content['form'] = array( 'tags' => 'method="post" action="' . qa_path_html('reset') . '"', 'style' => 'tall', 'ok' => qa_get('s') ? qa_lang_html('users/email_code_emailed') : null, 'fields' => $fields, 'buttons' => $buttons, 'hidden' => $hidden, ); } $qa_content['focusid'] = $focusId; return $qa_content;