From 7ba3aa7e31fbd6972c76d5d2a79c8c0f54fae1aa Mon Sep 17 00:00:00 2001
From: Laurence Sebastian Bowes <elbows@sucs.org>
Date: Thu, 10 Sep 2015 18:39:14 +0100
Subject: [PATCH] Ready to merge and debug on beta

---
 components/accountrecovery.php | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)

diff --git a/components/accountrecovery.php b/components/accountrecovery.php
index 1cc6380..1454a80 100755
--- a/components/accountrecovery.php
+++ b/components/accountrecovery.php
@@ -4,33 +4,36 @@
 	//2 modes, auth and resetpass which are sent to smarty so it can display the right form.
 	//default state
 	$mode = 'auth';
-	$ldifpath = '/tmp/accountrecovery.ldif',
 	include_once("../lib/ldap-auth.php");
 	$smarty->assign("title", "Account Recovery");
 	//Have they already started resetting?
-	if(isset($session->data['recoveryuser'])) {
-		if ($_POST['newpass'] != $_POST['newpass2']){
+	if(isset($session->data['recoveryuser']) && isset($_POST['newpass'])) {
+		$ldifpath = '/tmp/passreset_' . $session->data['recoveryuser'] . '.ldif';
+		if ($_POST['newpass'] !== $_POST['newpass2']){
 			trigger_error("The passwords must match.", E_USER_WARNING);
 		}
-		else if (weakPassword($_POST['newpass'])){
+		elseif (weakPassword($_POST['newpass'])){
 			trigger_error("Your password is too weak!", E_USER_WARNING);
+			unset($newpass);
 		}
 		else{
 			//Reset their password
 			$hashpass = base64_encode(sha1($_POST['newpass'], true));
-			$ldif = "dn: uid=$session->data['recoveryuser'],ou=People,dc=sucs,dc=org
+			$ldif = "dn: uid=" . $session->data['recoveryuser']. ",ou=People,dc=sucs,dc=org
 changetype: modify
 replace: userPassword
 userPassword: {SHA}$hashpass";
+
 			file_put_contents($ldifpath, $ldif);
 			//for now specify the full command, would be nicer to have a shell script for this instead.
-			//commented out because I don't want people to actually run this yet
-			//system("ldapmodify -x -H ldap://silver -D'cn=Manager,dc=sucs,dc=org' -y /etc/ldap.secret -f /tmp/accountrecovery.ldif");
+			system("ldapmodify -x -H ldap://silver -D'cn=Manager,dc=sucs,dc=org' -y /etc/ldap.secret -f " . $ldifpath);
 			unlink($ldifpath);
 			unset($session->data['recoveryuser']);
 			message_flash("Your password has been successfully changed.");
 		}
 	}
+	else{
+		$mode = 'auth';
 		//if they have tried to log in, try and auth them
 		if (isset($_POST['username'])) $authd = ldapAuth($_POST['username'], $_POST['password']);
 		//auth failed, tell them they got something wrong
@@ -41,19 +44,15 @@ userPassword: {SHA}$hashpass";
 			//if they are authd, try and get their username
 			$usrname = $sucsDB->GetOne('SELECT username FROM members WHERE sid=?', $_POST['username']);
 			//check if they are a member of sucs
-			if($usrname != ""){
+			if($usrname !== ""){
 				$session->data["recoveryuser"] = $usrname;
 				$mode = 'resetpass';
 			}
-			//if not, redirect them to signup
 			else{
-				//this doesn't work yet. I'm not sure how to output while the script is still running, or how to properly handle a redirection.
-				trigger_error("You are not yet a sucs member. Redirecting you to signup.");
-				sleep(3);
 				header('Location: http://www.swansea-union.co.uk/mysociety/sucs/');
 			}
 		}
-
+	}
 	//Things to make smarty work
 	$smarty->assign("mode", $mode);
 	$smarty->assign("usrname", $usrname);
-- 
GitLab