From 7ba3aa7e31fbd6972c76d5d2a79c8c0f54fae1aa Mon Sep 17 00:00:00 2001
From: Laurence Sebastian Bowes <elbows@sucs.org>
Date: Thu, 10 Sep 2015 18:39:14 +0100
Subject: [PATCH] Ready to merge and debug on beta

---
 components/accountrecovery.php | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)

diff --git a/components/accountrecovery.php b/components/accountrecovery.php
index 1cc6380..1454a80 100755
--- a/components/accountrecovery.php
+++ b/components/accountrecovery.php
@@ -4,33 +4,36 @@
 //2 modes, auth and resetpass which are sent to smarty so it can display the right form.
 //default state
 $mode = 'auth';
- $ldifpath = '/tmp/accountrecovery.ldif',
 include_once("../lib/ldap-auth.php");
 $smarty->assign("title", "Account Recovery");
 //Have they already started resetting?
- if(isset($session->data['recoveryuser'])) {
- if ($_POST['newpass'] != $_POST['newpass2']){
+ if(isset($session->data['recoveryuser']) && isset($_POST['newpass'])) {
+ $ldifpath = '/tmp/passreset_' . $session->data['recoveryuser'] . '.ldif';
+ if ($_POST['newpass'] !== $_POST['newpass2']){
 trigger_error("The passwords must match.", E_USER_WARNING);
 }
- else if (weakPassword($_POST['newpass'])){
+ elseif (weakPassword($_POST['newpass'])){
 trigger_error("Your password is too weak!", E_USER_WARNING);
+ unset($newpass);
 }
 else{
 //Reset their password
 $hashpass = base64_encode(sha1($_POST['newpass'], true));
- $ldif = "dn: uid=$session->data['recoveryuser'],ou=People,dc=sucs,dc=org
+ $ldif = "dn: uid=" . $session->data['recoveryuser']. ",ou=People,dc=sucs,dc=org
 changetype: modify
 replace: userPassword
 userPassword: {SHA}$hashpass";
+ file_put_contents($ldifpath, $ldif);
 //for now specify the full command, would be nicer to have a shell script for this instead.
- //commented out because I don't want people to actually run this yet
- //system("ldapmodify -x -H ldap://silver -D'cn=Manager,dc=sucs,dc=org' -y /etc/ldap.secret -f /tmp/accountrecovery.ldif");
+ system("ldapmodify -x -H ldap://silver -D'cn=Manager,dc=sucs,dc=org' -y /etc/ldap.secret -f " . $ldifpath);
 unlink($ldifpath);
 unset($session->data['recoveryuser']);
 message_flash("Your password has been successfully changed.");
 }
 }
+ else{
+ $mode = 'auth';
 //if they have tried to log in, try and auth them
 if (isset($_POST['username']))
 $authd = ldapAuth($_POST['username'], $_POST['password']);
 //auth failed, tell them they got something wrong
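Review bot: The newly enabled `system()` call concatenates `$ldifpath`, which is derived from `$session->data['recoveryuser']`, into a shell command without `escapeshellarg()`, and its exit status is never checked, so a failed `ldapmodify` still reaches `message_flash("Your password has been successfully changed.")`; `system()` additionally passes the command's output straight into the response. The LDIF is written to a predictable, user-derived name under `/tmp` and the return of `file_put_contents` is ignored — on a shared host a pre-placed symlink at that path is the classic hazard, so a `tempnam()` path (or feeding the LDIF to ldapmodify on stdin via `proc_open`) with result checks is safer, and running the reset as `cn=Manager` via `/etc/ldap.secret` grants the web process far more than the one `userPassword` write it needs. `unset($newpass)` is a no-op, since nothing in the hunk defines `$newpass`; the value in play is `$_POST['newpass']`. The same session value is also placed unescaped into the `dn:` line of the LDIF, where a comma or newline in the username would change the entry addressed — presumably usernames are constrained by the members table, but worth confirming. The `if`/`else` opened here is closed in the second hunk.
```php
$ldifpath = tempnam(sys_get_temp_dir(), 'passreset_');
// … unchanged: password match / weakPassword checks, $hashpass, $ldif …
if ($ldifpath === false || file_put_contents($ldifpath, $ldif) === false) {
    trigger_error("Could not stage the password change.", E_USER_WARNING);
} else {
    $rc = 1;
    exec("ldapmodify -x -H ldap://silver -D'cn=Manager,dc=sucs,dc=org' -y /etc/ldap.secret -f " . escapeshellarg($ldifpath), $output, $rc);
    unlink($ldifpath);
    if ($rc !== 0) {
        trigger_error("Password change failed.", E_USER_WARNING);
    } else {
        unset($session->data['recoveryuser']);
        message_flash("Your password has been successfully changed.");
    }
}
```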
@@ -41,19 +44,15 @@ userPassword: {SHA}$hashpass";
 //if they are authd, try and get their username
 $usrname = $sucsDB->GetOne('SELECT username FROM members WHERE sid=?', $_POST['username']);
 //check if they are a member of sucs
- if($usrname != ""){
+ if($usrname !== ""){
 $session->data["recoveryuser"] = $usrname;
 $mode = 'resetpass';
 }
- //if not, redirect them to signup
 else{
- //this doesn't work yet. I'm not sure how to output while the script is still running, or how to properly handle a redirection.
- trigger_error("You are not yet a sucs member. Redirecting you to signup.");
- sleep(3);
 header('Location: http://www.swansea-union.co.uk/mysociety/sucs/');
 }
 }
- 
+ }
 //Things to make smarty work
 $smarty->assign("mode", $mode);
 $smarty->assign("usrname", $usrname);
-- 
GitLab
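Review bot: Tightening `$usrname != ""` to `$usrname !== ""` changes the no-row case: if `$sucsDB->GetOne()` returns `false` when the `members` lookup matches nothing (the ADOdb convention, which the old loose comparison treated as empty), the strict check now lets a non-member through, storing `false` in `$session->data["recoveryuser"]` and switching to `resetpass` mode. A check covering both shapes, `if ($usrname !== false && $usrname !== "") {`, keeps the intended membership gate. The `header('Location: …')` line is context rather than new code, but now that the redirect is the only action in that branch, a following `exit;` would stop the page from carrying on to render the smarty output for a user who was just turned away. The `}` added near the end closes the `else` opened in the first hunk.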