aboutsummaryrefslogtreecommitdiff
path: root/engine/lib
diff options
context:
space:
mode:
authorbrettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>2010-02-05 20:05:35 +0000
committerbrettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>2010-02-05 20:05:35 +0000
commit1481f9f5608492ba19426ee784b946494e2524db (patch)
tree116bef46ca34a2eb2559d8e6dfc9451faf4151e6 /engine/lib
parentc6692128b257f4021e05cfda9a212e514b07add4 (diff)
downloadelgg-1481f9f5608492ba19426ee784b946494e2524db.tar.gz
elgg-1481f9f5608492ba19426ee784b946494e2524db.tar.bz2
Fixes #1483: Reset password emails forward to a confirmation page handler instead of directly to an action.
git-svn-id: http://code.elgg.org/elgg/trunk@3907 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'engine/lib')
-rw-r--r--engine/lib/users.php75
1 files changed, 62 insertions, 13 deletions
diff --git a/engine/lib/users.php b/engine/lib/users.php
index aaec4fc9f..46379aca2 100644
--- a/engine/lib/users.php
+++ b/engine/lib/users.php
@@ -969,7 +969,7 @@ function send_new_password_request($user_guid) {
set_private_setting($user_guid, 'passwd_conf_code', $code);
// generate link
- $link = $CONFIG->site->url . "action/user/passwordreset?u=$user_guid&c=$code";
+ $link = $CONFIG->site->url . "pg/resetpassword?u=$user_guid&c=$code";
// generate email
$email = sprintf(elgg_echo('email:resetreq:body'), $user->name, $_SERVER['REMOTE_ADDR'], $link);
@@ -1017,13 +1017,14 @@ function execute_new_password_request($user_guid, $conf_code) {
global $CONFIG;
$user_guid = (int)$user_guid;
-
$user = get_entity($user_guid);
- if (($user) && (get_private_setting($user_guid, 'passwd_conf_code') == $conf_code)) {
+
+ $saved_code = get_private_setting($user_guid, 'passwd_conf_code');
+
+ if ($user && $saved_code && $saved_code == $conf_code) {
$password = generate_random_cleartext_password();
if (force_user_password_reset($user_guid, $password)) {
- //remove_metadata($user_guid, 'conf_code');
remove_private_setting($user_guid, 'passwd_conf_code');
$email = sprintf(elgg_echo('email:resetpassword:body'), $user->name, $password);
@@ -1032,7 +1033,54 @@ function execute_new_password_request($user_guid, $conf_code) {
}
}
- return false;
+ return FALSE;
+}
+
+/**
+ * Handles pages for password reset requests.
+ *
+ * @param unknown_type $page
+ * @return unknown_type
+ */
+function elgg_user_resetpassword_page_handler($page) {
+ global $CONFIG;
+
+ $user_guid = get_input('u');
+ $code = get_input('c');
+
+ $user = get_entity($user_guid);
+
+ // don't check code here to avoid automated attacks
+ if (!$user instanceof ElggUser) {
+ register_error(elgg_echo('user:passwordreset:unknown_user'));
+ forward();
+ }
+
+ $form_body = elgg_echo('user:resetpassword:reset_password_confirm') . "<br />";
+
+ $form_body .= elgg_view('input/hidden', array(
+ 'internalname' => 'u',
+ 'value' => $user_guid
+ ));
+
+ $form_body .= elgg_view('input/hidden', array(
+ 'internalname' => 'c',
+ 'value' => $code
+ ));
+
+ $form_body .= elgg_view('input/submit', array(
+ 'value' => elgg_echo('resetpassword')
+ ));
+
+ $form .= elgg_view('input/form', array(
+ 'body' => $form_body,
+ 'action' => $CONFIG->site->url . 'action/user/passwordreset'
+ ));
+
+ $content = elgg_view_title(elgg_echo('resetpassword'));
+ $content .= elgg_view('page_elements/contentwrapper', array('body' => $form));
+
+ page_draw($title, $content);
}
/**
@@ -1504,14 +1552,15 @@ function users_init() {
add_menu(elgg_echo('friends'), $CONFIG->wwwroot . "pg/friends/" . $user->username);
}
- register_page_handler('friends','friends_page_handler');
- register_page_handler('friendsof','friends_of_page_handler');
- register_page_handler('collections','collections_page_handler');
- register_page_handler('dashboard','dashboard_page_handler');
- register_page_handler('register','registration_page_handler');
-
- register_action("register",true);
- register_action("useradd",true);
+ register_page_handler('friends', 'friends_page_handler');
+ register_page_handler('friendsof', 'friends_of_page_handler');
+ register_page_handler('collections', 'collections_page_handler');
+ register_page_handler('dashboard', 'dashboard_page_handler');
+ register_page_handler('register', 'registration_page_handler');
+ register_page_handler('resetpassword', 'elgg_user_resetpassword_page_handler');
+
+ register_action("register", true);
+ register_action("useradd", true);
register_action("friends/add");
register_action("friends/remove");
register_action('friends/addcollection');