From f2630162e9e2cc1f71b8a7ebac8cd76b7b22d7ad Mon Sep 17 00:00:00 2001 From: msquare Date: Tue, 15 Nov 2016 22:08:41 +0100 Subject: reduce complexity of password recovery controller --- includes/controller/users_controller.php | 127 +++++++++++++++---------------- includes/helper/email_helper.php | 5 +- includes/model/User_model.php | 6 +- includes/sys_auth.php | 6 +- 4 files changed, 74 insertions(+), 70 deletions(-) (limited to 'includes') diff --git a/includes/controller/users_controller.php b/includes/controller/users_controller.php index beaf2538..33abe764 100644 --- a/includes/controller/users_controller.php +++ b/includes/controller/users_controller.php @@ -206,85 +206,82 @@ function users_list_controller() { } /** - * User password recovery. - * (By email) + * Second step of password recovery: set a new password using the token link from email */ -function user_password_recovery_controller() { - if (isset($_REQUEST['token'])) { - $user_source = User_by_password_recovery_token($_REQUEST['token']); - if ($user_source === false) { - engelsystem_error("Unable to load user."); - } - if ($user_source == null) { - error(_("Token is not correct.")); - redirect(page_link_to('login')); - } +function user_password_recovery_set_new_controller() { + $user_source = User_by_password_recovery_token($_REQUEST['token']); + if ($user_source == null) { + error(_("Token is not correct.")); + redirect(page_link_to('login')); + } + + if (isset($_REQUEST['submit'])) { + $valid = true; - if (isset($_REQUEST['submit'])) { - $valid = true; - - if (isset($_REQUEST['password']) && strlen($_REQUEST['password']) >= MIN_PASSWORD_LENGTH) { - if ($_REQUEST['password'] != $_REQUEST['password2']) { - $valid = false; - error(_("Your passwords don't match.")); - } - } else { + if (isset($_REQUEST['password']) && strlen($_REQUEST['password']) >= MIN_PASSWORD_LENGTH) { + if ($_REQUEST['password'] != $_REQUEST['password2']) { $valid = false; - error(_("Your password is to short (please use at least 6 characters).")); - } - - if ($valid) { - $result = set_password($user_source['UID'], $_REQUEST['password']); - if ($result === false) { - engelsystem_error(_("Password could not be updated.")); - } - - success(_("Password saved.")); - redirect(page_link_to('login')); + error(_("Your passwords don't match.")); } + } else { + $valid = false; + error(_("Your password is to short (please use at least 6 characters).")); } - return User_password_set_view(); - } else { - if (isset($_REQUEST['submit'])) { - $valid = true; - - if (isset($_REQUEST['email']) && strlen(strip_request_item('email')) > 0) { - $email = strip_request_item('email'); - if (check_email($email)) { - $user_source = User_by_email($email); - if ($user_source === false) { - engelsystem_error("Unable to load user."); - } - if ($user_source == null) { - $valid = false; - error(_("E-mail address is not correct.")); - } - } else { + if ($valid) { + set_password($user_source['UID'], $_REQUEST['password']); + success(_("Password saved.")); + redirect(page_link_to('login')); + } + } + + return User_password_set_view(); +} + +/** + * First step of password recovery: display a form that asks for your email and send email with recovery link + */ +function user_password_recovery_start_controller() { + if (isset($_REQUEST['submit'])) { + $valid = true; + + if (isset($_REQUEST['email']) && strlen(strip_request_item('email')) > 0) { + $email = strip_request_item('email'); + if (check_email($email)) { + $user_source = User_by_email($email); + if ($user_source == null) { $valid = false; error(_("E-mail address is not correct.")); } } else { $valid = false; - error(_("Please enter your e-mail.")); - } - - if ($valid) { - $token = User_generate_password_recovery_token($user_source); - if ($token === false) { - engelsystem_error("Unable to generate password recovery token."); - } - $result = engelsystem_email_to_user($user_source, _("Password recovery"), sprintf(_("Please visit %s to recover your password."), page_link_to_absolute('user_password_recovery') . '&token=' . $token)); - if ($result === false) { - engelsystem_error("Unable to send password recovery email."); - } - - success(_("We sent an email containing your password recovery link.")); - redirect(page_link_to('login')); + error(_("E-mail address is not correct.")); } + } else { + $valid = false; + error(_("Please enter your e-mail.")); } - return User_password_recovery_view(); + if ($valid) { + $token = User_generate_password_recovery_token($user_source); + engelsystem_email_to_user($user_source, _("Password recovery"), sprintf(_("Please visit %s to recover your password."), page_link_to_absolute('user_password_recovery') . '&token=' . $token)); + success(_("We sent an email containing your password recovery link.")); + redirect(page_link_to('login')); + } + } + + return User_password_recovery_view(); +} + +/** + * User password recovery in 2 steps. + * (By email) + */ +function user_password_recovery_controller() { + if (isset($_REQUEST['token'])) { + return user_password_recovery_set_new_controller(); + } else { + return user_password_recovery_start_controller(); } } diff --git a/includes/helper/email_helper.php b/includes/helper/email_helper.php index 24c32be8..0ef4326a 100644 --- a/includes/helper/email_helper.php +++ b/includes/helper/email_helper.php @@ -16,7 +16,10 @@ function engelsystem_email_to_user($recipient_user, $title, $message, $not_if_it } function engelsystem_email($address, $title, $message) { - return mail($address, $title, $message, "Content-Type: text/plain; charset=UTF-8\r\nFrom: Engelsystem "); + $result = mail($address, $title, $message, "Content-Type: text/plain; charset=UTF-8\r\nFrom: Engelsystem "); + if ($result === false) { + engelsystem_error('Unable to send email.'); + } } ?> diff --git a/includes/model/User_model.php b/includes/model/User_model.php index c3e91911..f58c5d18 100644 --- a/includes/model/User_model.php +++ b/includes/model/User_model.php @@ -313,7 +313,7 @@ function User_by_api_key($api_key) { function User_by_email($email) { $user = sql_select("SELECT * FROM `User` WHERE `email`='" . sql_escape($email) . "' LIMIT 1"); if ($user === false) { - return false; + engelsystem_error("Unable to load user."); } if (count($user) == 0) { return null; @@ -330,7 +330,7 @@ function User_by_email($email) { function User_by_password_recovery_token($token) { $user = sql_select("SELECT * FROM `User` WHERE `password_recovery_token`='" . sql_escape($token) . "' LIMIT 1"); if ($user === false) { - return false; + engelsystem_error("Unable to load user."); } if (count($user) == 0) { return null; @@ -363,7 +363,7 @@ function User_generate_password_recovery_token(&$user) { $user['password_recovery_token'] = md5($user['Nick'] . time() . rand()); $result = sql_query("UPDATE `User` SET `password_recovery_token`='" . sql_escape($user['password_recovery_token']) . "' WHERE `UID`='" . sql_escape($user['UID']) . "' LIMIT 1"); if ($result === false) { - return false; + engelsystem_error("Unable to generate password recovery token."); } engelsystem_log("Password recovery for " . User_Nick_render($user) . " started."); return $user['password_recovery_token']; diff --git a/includes/sys_auth.php b/includes/sys_auth.php index 27a74ae8..135e49e3 100644 --- a/includes/sys_auth.php +++ b/includes/sys_auth.php @@ -39,7 +39,11 @@ function generate_salt($length = 16) { * set the password of a user */ function set_password($uid, $password) { - return sql_query("UPDATE `User` SET `Passwort` = '" . sql_escape(crypt($password, CRYPT_ALG . '$' . generate_salt(16) . '$')) . "', `password_recovery_token`=NULL WHERE `UID` = " . intval($uid) . " LIMIT 1"); + $result = sql_query("UPDATE `User` SET `Passwort` = '" . sql_escape(crypt($password, CRYPT_ALG . '$' . generate_salt(16) . '$')) . "', `password_recovery_token`=NULL WHERE `UID` = " . intval($uid) . " LIMIT 1"); + if ($result === false) { + engelsystem_error('Unable to update password.'); + } + return $result; } /** -- cgit v1.2.3-54-g00ecf