dolost.php 5.18 KB
Newer Older
1
<?php
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
/*
    Prosody Account Manager
    Copyright (C) 2014 Benjamin Sonntag <benjamin@sonntag.fr>, SKhaen <skhaen@cyphercat.eu>   

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU Affero General Public License as
    published by the Free Software Foundation, either version 3 of the
    License, or (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU Affero General Public License for more details.

    You should have received a copy of the GNU Affero General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

    You can find the source code of this software at https://github.com/LaQuadratureDuNet/JabberService
 */
21
22
23
24
25
26
27

require_once("config.php"); 

$debug=false;
$fields=array("email","login","csrf","cap","url");
$found=0;
foreach($fields as $f) if (isset($_POST[$f])) $found++;
28
29
if (!count($error)) $error=array();
if (!count($info)) $info=array();
30
31
32
33
34
35
36
37

if ($found==5 && $_POST["url"]=="") {
  if ($_SESSION["captcha"]!=$_POST["cap"]) {
    $error[]=_("The captcha is incorrect, please try again"); 
  }
  if (!csrf_check($_POST["csrf"])) {
    $error[]=_("The captcha is incorrect, please try again (2)"); 
  }
38
  $_POST["login"]=mb_strtolower($_POST["login"], 'UTF-8');
39
40
41
42
43
44
45
  $login=fixlogin($_POST["login"]);
  if ($login!=$_POST["login"] || strlen($login)<3 || strlen($login)>80) {
    $error[]=_("The login must be between 3 and 80 characters long, and must not contains special characters (unicode and accents authorized though)");
  }
  if (count($error)==0) {
    sleep(5); // Let create some artificial waiting for the one who want to restore many accounts ...
    // Does it exist? 
Benjamin Sonntag's avatar
Benjamin Sonntag committed
46
    $already=@mysqli_fetch_assoc(mysqli_query($db, "SELECT * FROM accounts WHERE jabberid='".addslashes($_POST["login"]."@jabber.lqdn.fr")."';"));
47
48
49
    if (!$already) {
      $error[]=sprintf(_("This account doesn't exist, or have been permanently destroyed. <a href=\"%s\">Click here to create a new account with this login</a>."),"create.php");
    }
50
    if ($already["disabledate"]!="") {
51
52
53
54
55
      $error[]=sprintf(_("This account have been disabled. <a href=\"%s\">Click here to restore it</a>."),"recover.php");
    }
    if ($already["email"]!=hashmail($_POST["email"],$already["email"])) { 
      $error[]=_("This account's email address is not the one you entered. Please try again with another email address.");
    }
56
    $key=substr(md5($csrf_key."-".$already["id"]."-".$already["jabberid"]."-".intval(time()/14400) ),0,16);
57
    if (count($error)==0) {
58
59
60
61
      require_once("class.phpmailer.php");
      require_once("class.smtp.php");
      $mail = new PHPMailer;
      $mail->isSMTP();
62
      $mail->CharSet='UTF-8';
63
64
65
66
67
      $mail->Host = 'localhost';
      $mail->From = $mail_from;
      $mail->FromName = $mail_fromname;
      $mail->addAddress($_POST["email"]);
      $mail->Subject = sprintf(_("Password lost on %s"),$domain);
68
      $mail->Body = sprintf(_("You receive this email because you created a Jabber Chat account on %s and lost your pasword.\n\nPlease click the link below to reset your password.\n\n%s\n\nIf you didn't asked for this password reminder, please ignore this message or contact us.\n\nThanks a lot for your understanding.\nRegards\nThe Jabber Chat Team\n"),$domain,$rooturl."/recover/".$already["id"]."/".$key);
69
70
71
72
      if(!$mail->send()) {
	$error[]=_("The email has NOT been sent, please try again later or contact us");
      } else {
	$info[]=_("An email has been sent to the address you entered. Please check your mail and click the link to reset your password");
73
74
	require_once("nothing.php");
	exit();
75
      }
76
77
78
79
    } // still no error ? 
  } // no error ?
} // isset ?

80
81
82
83
84
85
86
87
88

// Recover step 2
if (isset($_GET["id"]) && isset($_GET["key"])) {
  $id=intval($_GET["id"]);
  if (!$id || !preg_match('#^[0-9a-f]{16}$#',$_GET["key"])) {
    $error[]=_("The url is incorrect. please check your mail or contact us."); 
  }
  if (count($error)==0) {
    // Does it exist? 
Benjamin Sonntag's avatar
Benjamin Sonntag committed
89
      $already=@mysqli_fetch_assoc(mysqli_query($db, "SELECT * FROM accounts WHERE id='".$id."';"));
90
91
92
93
94
95
    if (!$already) {
      $error[]=sprintf(_("This account doesn't exist, or have been permanently destroyed. <a href=\"%s\">Click here to create a new account with this login</a>."),"create.php");
    }
    if ($already["disabledate"]!="") {
      $error[]=sprintf(_("This account have been disabled. <a href=\"%s\">Click here to restore it</a>."),"recover.php");
    }
96
97
98
    $key=substr(md5($csrf_key."-".$already["id"]."-".$already["jabberid"]."-".intval(time()/14400) ),0,16);
    $key2=substr(md5($csrf_key."-".$already["id"]."-".$already["jabberid"]."-".intval((time()-14400)/14400) ),0,16);
    if ($key!=$_GET["key"] && $key2!=$_GET["key"]) {
99
100
101
102
103
      $error[]=_("The provided key is incorrect, please check your mail or contact us.");
    }
    if (count($error)==0) {
      // change the password (form)
      $info[]=sprintf(_("Please enter a new password (twice) for your account %s"),$already["jabberid"]);
104
      require("changepass.php");
105
106
107
108
109
      exit();
    } // still no error ? 
  } // no error ?
} // isset ?