From e4f9fe9a5ed3608a1416cf467f517845df7cb527 Mon Sep 17 00:00:00 2001 From: Laurence Sebastian Bowes Date: Sun, 7 Jun 2015 02:56:01 +0100 Subject: [PATCH 01/14] First commit. Shitty broken account recovery code that isn't working yet. --- components/accountrecovery.php | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100755 components/accountrecovery.php diff --git a/components/accountrecovery.php b/components/accountrecovery.php new file mode 100755 index 0000000..e7dfdd6 --- /dev/null +++ b/components/accountrecovery.php @@ -0,0 +1,29 @@ +assign("title", "Account Recovery"); +

Recovering your SUCS account

+

Please enter your university username and password +

+ + + +
+ $authd = ldapAuth($_POST['username'], $_POST['password']); + if ($_POST['newpass'] == $_POST['newpass2']) $newpass = $_POST['newpass']; + + + if ($authd == "nope") print "Incorrect username or password"; + elseif ($authd == "uni"){ + print ("Reset your password:"); + print "
+

Please enter the new password for your SUCS account:

+ +

Enter the password again:

+ + +
"; + } + + ?> + + -- GitLab From 09403881fef58a6b5f3a773d0c5d947522a8084f Mon Sep 17 00:00:00 2001 From: Laurence Sebastian Bowes Date: Sun, 7 Jun 2015 03:01:26 +0100 Subject: [PATCH 02/14] A bit better. --- components/accountrecovery.php | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/components/accountrecovery.php b/components/accountrecovery.php index e7dfdd6..24eba9b 100755 --- a/components/accountrecovery.php +++ b/components/accountrecovery.php @@ -1,17 +1,15 @@ assign("title", "Account Recovery"); -

Recovering your SUCS account

-

Please enter your university username and password + $body = '

Please enter your university username and password

-
+ ' $authd = ldapAuth($_POST['username'], $_POST['password']); if ($_POST['newpass'] == $_POST['newpass2']) $newpass = $_POST['newpass']; - if ($authd == "nope") print "Incorrect username or password"; elseif ($authd == "uni"){ print ("Reset your password:"); @@ -24,6 +22,4 @@ "; } - ?> - - +?> -- GitLab From 581c5f947fc36098686bd061c67045974cfbe907 Mon Sep 17 00:00:00 2001 From: Laurence Sebastian Bowes Date: Thu, 11 Jun 2015 12:01:33 +0100 Subject: [PATCH 03/14] Tidied things up a lot and made things sort of work with smarty. Still not working though and still needs a lot of work. --- components/accountrecovery.php | 13 ++++--------- static/fragments/Recovery.txt | 1 + templates/accountrecovery.tpl | 17 +++++++++++++++++ 3 files changed, 22 insertions(+), 9 deletions(-) create mode 100644 static/fragments/Recovery.txt create mode 100644 templates/accountrecovery.tpl diff --git a/components/accountrecovery.php b/components/accountrecovery.php index 24eba9b..8fc595a 100755 --- a/components/accountrecovery.php +++ b/components/accountrecovery.php @@ -1,15 +1,8 @@ assign("title", "Account Recovery"); - $body = '

Please enter your university username and password

-
- - - -
' - $authd = ldapAuth($_POST['username'], $_POST['password']); + $authd = ldapAuth($_POST['username'], $_POST['password']); if ($_POST['newpass'] == $_POST['newpass2']) $newpass = $_POST['newpass']; - if ($authd == "nope") print "Incorrect username or password"; elseif ($authd == "uni"){ print ("Reset your password:"); @@ -21,5 +14,7 @@ "; } + + $output = $smarty->fetch("accountrecovery.tpl") ?> diff --git a/static/fragments/Recovery.txt b/static/fragments/Recovery.txt new file mode 100644 index 0000000..bab3716 --- /dev/null +++ b/static/fragments/Recovery.txt @@ -0,0 +1 @@ +

This form allows you to recover your SUCS username and password, in case you forgot them, using your university login details.

diff --git a/templates/accountrecovery.tpl b/templates/accountrecovery.tpl new file mode 100644 index 0000000..91a03e8 --- /dev/null +++ b/templates/accountrecovery.tpl @@ -0,0 +1,17 @@ +{if $loggedin == 'no'} + {include file="../static/fragments/Recovery.txt"} +
+
+

Account Recovery

+
+
+

Please enter your university username and password

+
+ + + +
+
+
+
+{/if} -- GitLab From 77bf1a4cfde3af6f48584431b052c03e225039db Mon Sep 17 00:00:00 2001 From: Laurence Sebastian Bowes Date: Fri, 12 Jun 2015 01:11:23 +0100 Subject: [PATCH 04/14] Still broken but pushing ahead. Refactored a lot of code, I feel like it's almost completed. --- components/accountrecovery.php | 38 ++++++++++++++++++++++------------ templates/accountrecovery.tpl | 34 ++++++++++++++++++++---------- 2 files changed, 48 insertions(+), 24 deletions(-) diff --git a/components/accountrecovery.php b/components/accountrecovery.php index 8fc595a..b78fce7 100755 --- a/components/accountrecovery.php +++ b/components/accountrecovery.php @@ -1,20 +1,32 @@ assign("title", "Account Recovery"); + + //Have they already started resetting? + if(isset($data["recoveryuser"])) { + if ($_POST['newpass'] == $_POST['newpass2']){ + //Reset their password + unset($data["recoveryuser"]); + } + else{ + //Passwords don't match + } + $authd = ldapAuth($_POST['username'], $_POST['password']); - if ($_POST['newpass'] == $_POST['newpass2']) $newpass = $_POST['newpass']; - if ($authd == "nope") print "Incorrect username or password"; + if ($authd == "nope") $badpass = 'true'; elseif ($authd == "uni"){ - print ("Reset your password:"); - print "
-

Please enter the new password for your SUCS account:

- -

Enter the password again:

- - -
"; + $badpass = 'false' + $usrname = $sucsDB->GetOne('SELECT username FROM members WHERE sid=?', $_POST['username']); + $data["recoveryuser"] = $usrname; + $recoverystate = 'yes' } - $output = $smarty->fetch("accountrecovery.tpl") - + //Things to make smarty work + $smarty->assign("badpass", $badpass); + $smarty->assign("recoverystate", $recoverystate); + $smarty->assign("usrname", $usrname); + $output = $smarty->fetch("accountrecovery.tpl"); + $smarty->assign("body", $output); ?> diff --git a/templates/accountrecovery.tpl b/templates/accountrecovery.tpl index 91a03e8..2d5e8b0 100644 --- a/templates/accountrecovery.tpl +++ b/templates/accountrecovery.tpl @@ -1,17 +1,29 @@ -{if $loggedin == 'no'} - {include file="../static/fragments/Recovery.txt"} -
-
-

Account Recovery

-
-
-

Please enter your university username and password

+{* include file="../static/fragments/Recovery.txt" *} + +
+
+

Account Recovery

+
+
+ {if $recovery == 'no'} +

Please enter your university username and password

-
-
+ {/if} + {elseif $recovery == 'yes'} +
+

Your SUCS username is $usrname

+

Please enter the new password for your account:

+ +

Enter the password again:

+ + +
+ {/if}
-{/if} +
+
+ -- GitLab From 6696ee615231a690672397fb8826fd4fc9332e5b Mon Sep 17 00:00:00 2001 From: Laurence Sebastian Bowes Date: Fri, 12 Jun 2015 01:30:27 +0100 Subject: [PATCH 05/14] Added link to recovery page --- templates/login.tpl | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/login.tpl b/templates/login.tpl index 10e8f1c..d9bed0f 100644 --- a/templates/login.tpl +++ b/templates/login.tpl @@ -22,6 +22,7 @@
+ Forgotten your username or password? Click here. No Account? Don't worry, sign up today! {/if}
-- GitLab From b4f4c23dc9d5a3407e1410bbfc52df801b788656 Mon Sep 17 00:00:00 2001 From: Laurence Sebastian Bowes Date: Fri, 12 Jun 2015 01:32:07 +0100 Subject: [PATCH 06/14] Oops. Added line break. --- templates/login.tpl | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/login.tpl b/templates/login.tpl index d9bed0f..e3d8ce0 100644 --- a/templates/login.tpl +++ b/templates/login.tpl @@ -23,6 +23,7 @@
Forgotten your username or password? Click here. +
No Account? Don't worry, sign up today! {/if} -- GitLab From 8ada71737e06f9c8532e415821eb7165d1db9f16 Mon Sep 17 00:00:00 2001 From: Laurence Sebastian Bowes Date: Fri, 12 Jun 2015 03:05:14 +0100 Subject: [PATCH 07/14] I have fixed the template so the post form now works, and fixed a lot of issues in the component file (horrible syntactic errors). Still a ways to go but I believe the script should be functional now, once it has access to the SUCS db and the actual password changing magic has been added. --- components/accountrecovery.php | 22 ++++++++++++++-------- templates/accountrecovery.tpl | 13 ++++++------- 2 files changed, 20 insertions(+), 15 deletions(-) diff --git a/components/accountrecovery.php b/components/accountrecovery.php index b78fce7..00a621c 100755 --- a/components/accountrecovery.php +++ b/components/accountrecovery.php 
@@ -1,32 +1,38 @@ assign("title", "Account Recovery"); - + $smarty->assign("title", "Account Recovery"); //Have they already started resetting? - if(isset($data["recoveryuser"])) { + if(isset($session->data['recoveryuser'])) { if ($_POST['newpass'] == $_POST['newpass2']){ //Reset their password - unset($data["recoveryuser"]); + unset($data['recoveryuser']); } else{ //Passwords don't match } + } $authd = ldapAuth($_POST['username'], $_POST['password']); if ($authd == "nope") $badpass = 'true'; elseif ($authd == "uni"){ - $badpass = 'false' + $badpass = 'false'; $usrname = $sucsDB->GetOne('SELECT username FROM members WHERE sid=?', $_POST['username']); - $data["recoveryuser"] = $usrname; - $recoverystate = 'yes' + $session->data["recoveryuser"] = $usrname; + $recoverystate = 'yes'; } + //Things to make smarty work + $smarty->assign("componentpath", $baseurl . $component[path]); $smarty->assign("badpass", $badpass); $smarty->assign("recoverystate", $recoverystate); $smarty->assign("usrname", $usrname); - $output = $smarty->fetch("accountrecovery.tpl"); + $output=$smarty->fetch("accountrecovery.tpl"); $smarty->assign("body", $output); + ?> diff --git a/templates/accountrecovery.tpl b/templates/accountrecovery.tpl index 2d5e8b0..48c97f3 100644 --- a/templates/accountrecovery.tpl +++ b/templates/accountrecovery.tpl @@ -1,21 +1,20 @@ -{* include file="../static/fragments/Recovery.txt" *} +{include file="../static/fragments/Recovery.txt"}
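Review bot: The reset branch now tests `isset($session->data['recoveryuser'])` but clears `$data['recoveryuser']`, a different variable, so the session flag is never removed after a reset and the user stays in the reset state on every later request; the line should read `unset($session->data['recoveryuser']);`. The match check `$_POST['newpass'] == $_POST['newpass2']` still runs on any request once the flag is set, including a GET where both keys are absent and `null == null` passes, so the reset path is taken without a submitted password; the same unguarded comparison survives in the patch 08 hunk, and the block wants an `isset($_POST['newpass'])` guard. `$component[path]` in the `componentpath` assignment is a bare constant rather than the string key `'path'`, which PHP only tolerates with a notice.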

Account Recovery

- {if $recovery == 'no'} + {if $recoverystate == 'no'}

Please enter your university username and password

-
+
- {/if} - {elseif $recovery == 'yes'} -
-

Your SUCS username is $usrname

+ {elseif $recoverystate == 'yes'} + +

Your SUCS username is {$usrname}

Please enter the new password for your account:

Enter the password again:

-- GitLab From 21c1f721d361ec03168166247895456d7721ef9f Mon Sep 17 00:00:00 2001 From: Laurence Sebastian Bowes Date: Fri, 12 Jun 2015 13:42:17 +0100 Subject: [PATCH 08/14] added nice alerts --- components/accountrecovery.php | 27 +++++++++++++-------------- templates/accountrecovery.tpl | 4 ++-- 2 files changed, 15 insertions(+), 16 deletions(-) diff --git a/components/accountrecovery.php b/components/accountrecovery.php index 00a621c..155c20a 100755 --- a/components/accountrecovery.php +++ b/components/accountrecovery.php @@ -1,36 +1,35 @@ assign("title", "Account Recovery"); //Have they already started resetting? if(isset($session->data['recoveryuser'])) { - if ($_POST['newpass'] == $_POST['newpass2']){ - //Reset their password - unset($data['recoveryuser']); + if ($_POST['newpass'] !== $_POST['newpass2']){ + trigger_error("The passwords must match.", E_USER_WARNING); } else{ - //Passwords don't match + //Reset their password + unset($session->data['recoveryuser']); + message_flash("Your password has been successfully changed."); } } - $authd = ldapAuth($_POST['username'], $_POST['password']); - if ($authd == "nope") $badpass = 'true'; + if (isset($_POST['username'])) $authd = ldapAuth($_POST['username'], $_POST['password']); + if ($authd == "nope") { + trigger_error("Bad username or password", E_USER_WARNING); + } elseif ($authd == "uni"){ - $badpass = 'false'; $usrname = $sucsDB->GetOne('SELECT username FROM members WHERE sid=?', $_POST['username']); $session->data["recoveryuser"] = $usrname; - $recoverystate = 'yes'; + $mode = 'resetpass'; } - //Things to make smarty work - $smarty->assign("componentpath", $baseurl . $component[path]); - $smarty->assign("badpass", $badpass); - $smarty->assign("recoverystate", $recoverystate); + $smarty->assign("mode", $mode); $smarty->assign("usrname", $usrname); $output=$smarty->fetch("accountrecovery.tpl"); $smarty->assign("body", $output); 
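Review bot: `$authd` is now assigned only when `$_POST['username']` is set, but `if ($authd == "nope")` and the following `elseif ($authd == "uni")` still run on every request, so a plain GET of the page evaluates an undefined variable, and `$_POST['password']` is read without a matching `isset`. Either initialise `$authd = null;` next to `$mode = 'auth';`, or nest both comparisons under one `if (isset($_POST['username'], $_POST['password'])) { ... }` guard so the LDAP call and its result handling happen together. The `message_flash("Your password has been successfully changed.")` in the reset branch is reached whenever the two posted values are equal, which includes both being absent, as raised on the patch 07 hunk.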
diff --git a/templates/accountrecovery.tpl b/templates/accountrecovery.tpl index 48c97f3..97194dc 100644 --- a/templates/accountrecovery.tpl +++ b/templates/accountrecovery.tpl @@ -5,14 +5,14 @@

Account Recovery

- {if $recoverystate == 'no'} + {if $mode == 'auth'}

Please enter your university username and password

- {elseif $recoverystate == 'yes'} + {elseif $mode == 'resetpass'}

Your SUCS username is {$usrname}

Please enter the new password for your account:

-- GitLab From dcfbbb1fc09f43f0a6bcefc6511d71b3aa973b0e Mon Sep 17 00:00:00 2001 From: Imran Hussain Date: Fri, 12 Jun 2015 13:57:35 +0100 Subject: [PATCH 09/14] Add HTML5 placeholder text --- templates/accountrecovery.tpl | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/templates/accountrecovery.tpl b/templates/accountrecovery.tpl index 97194dc..b44688f 100644 --- a/templates/accountrecovery.tpl +++ b/templates/accountrecovery.tpl @@ -8,21 +8,22 @@ {if $mode == 'auth'}

Please enter your university username and password

- - + +
+ +
{elseif $mode == 'resetpass'}

Your SUCS username is {$usrname}

Please enter the new password for your account:

- +

Enter the password again:

- +
{/if}
-
- + \ No newline at end of file -- GitLab From 0ffb7fee8771bba4a73ee5e185139784a0625fef Mon Sep 17 00:00:00 2001 From: Imran Hussain Date: Fri, 12 Jun 2015 14:15:09 +0100 Subject: [PATCH 10/14] Whitespacing --- components/accountrecovery.php | 8 ++++---- htdocs/index.php | 2 +- templates/accountrecovery.tpl | 12 ++++++------ 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/components/accountrecovery.php b/components/accountrecovery.php index 155c20a..d6bde0e 100755 --- a/components/accountrecovery.php +++ b/components/accountrecovery.php @@ -5,10 +5,10 @@ $mode = 'auth'; include_once("../lib/ldap-auth.php"); - $smarty->assign("title", "Account Recovery"); + $smarty->assign("title", "Account Recovery"); //Have they already started resetting? if(isset($session->data['recoveryuser'])) { - if ($_POST['newpass'] !== $_POST['newpass2']){ + if ($_POST['newpass'] != $_POST['newpass2']){ trigger_error("The passwords must match.", E_USER_WARNING); } else{ @@ -26,12 +26,12 @@ $usrname = $sucsDB->GetOne('SELECT username FROM members WHERE sid=?', $_POST['username']); $session->data["recoveryuser"] = $usrname; $mode = 'resetpass'; - } + } //Things to make smarty work $smarty->assign("mode", $mode); $smarty->assign("usrname", $usrname); $output=$smarty->fetch("accountrecovery.tpl"); - $smarty->assign("body", $output); + $smarty->assign("body", $output); ?> diff --git a/htdocs/index.php b/htdocs/index.php index 32ecc1e..ee1c2f7 100644 --- a/htdocs/index.php +++ b/htdocs/index.php @@ -1,5 +1,5 @@ Please enter your university username and password

- +
- +
- +
{elseif $mode == 'resetpass'}

Your SUCS username is {$usrname}

Please enter the new password for your account:

- +

Enter the password again:

- - + +
{/if} -- GitLab From 747af423d366df8be0bc75f54d6a1c5f0a7a7d05 Mon Sep 17 00:00:00 2001 From: Laurence Sebastian Bowes Date: Tue, 16 Jun 2015 06:14:08 +0100 Subject: [PATCH 11/14] Added more comments and started bouncing them to signup if they aren't a member. More work to do. --- components/accountrecovery.php | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/components/accountrecovery.php b/components/accountrecovery.php index d6bde0e..dedcb2d 100755 --- a/components/accountrecovery.php +++ b/components/accountrecovery.php @@ -1,6 +1,6 @@ GetOne('SELECT username FROM members WHERE sid=?', $_POST['username']); - $session->data["recoveryuser"] = $usrname; - $mode = 'resetpass'; + //check if they are a member of sucs + if($usrname != ""){ + $session->data["recoveryuser"] = $usrname; + $mode = 'resetpass'; + } + //if not, redirect them to signup + else{ + //this doesn't work yet. I'm not sure how to output while the script is still running, or how to properly handle a redirection. + trigger_error("You are not yet a sucs member. Redirecting you to signup."); + sleep(3); + header('Location: http://www.swansea-union.co.uk/mysociety/sucs/'); + } } //Things to make smarty work -- GitLab From 3a6ce677c7d6456d8864b5750b69b0a9167f83c4 Mon Sep 17 00:00:00 2001 From: Laurence Sebastian Bowes Date: Fri, 7 Aug 2015 11:52:53 +0100 Subject: [PATCH 12/14] Wrote the ldif code and have a potentially usable system now. --- components/accountrecovery.php | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/components/accountrecovery.php b/components/accountrecovery.php index dedcb2d..34940c6 100755 --- a/components/accountrecovery.php +++ b/components/accountrecovery.php 
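Review bot: In the new non-member branch, `header('Location: ...')` is sent after `trigger_error()` has already queued output and after `sleep(3)`, and the script then carries on to render the template, so the redirect is unreliable and the page body is still sent; a redirect needs to be followed by `exit;`. The three-second `sleep()` also ties up a PHP worker for every non-member attempt, which is cheap for a client to repeat, so it should go rather than be fixed. The comment acknowledges this does not work yet; the simplest consistent approach with the rest of the component is to assign a `$mode` value the template renders (a "not a member" message with the signup link) instead of redirecting mid-render. The enclosing `elseif ($authd == "uni")` block begins outside the hunk.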
@@ -3,7 +3,7 @@ //2 modes, auth and resetpass which are sent to smarty so it can display the right form. //default state $mode = 'auth'; - + $ldifpath = '/tmp/accountrecovery.ldif', include_once("../lib/ldap-auth.php"); $smarty->assign("title", "Account Recovery"); //Have they already started resetting? @@ -13,6 +13,16 @@ } else{ //Reset their password + $hashpass = base64_encode(sha1($_POST['newpass'], true)); + $ldif = "dn: uid=$session->data['recoveryuser'],ou=People,dc=sucs,dc=org +changetype: modify +replace: userPassword +userPassword: {SHA}$hashpass"; + file_put_contents($ldifpath, $ldif); + //for now specify the full command, would be nicer to have a shell script for this instead. + //commented out because I don't want people to actually run this yet + //system("ldapmodify -x -H ldap://silver -D'cn=Manager,dc=sucs,dc=org' -y /etc/ldap.secret -f /tmp/accountrecovery.ldif"); + unlink($ldifpath); unset($session->data['recoveryuser']); message_flash("Your password has been successfully changed."); } -- GitLab From 642c4064eeb494abfa6f2edd901816cf1eee4586 Mon Sep 17 00:00:00 2001 From: Laurence Sebastian Bowes Date: Fri, 7 Aug 2015 12:02:04 +0100 Subject: [PATCH 13/14] Added test for weak passwords --- components/accountrecovery.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/components/accountrecovery.php b/components/accountrecovery.php index 34940c6..1cc6380 100755 --- a/components/accountrecovery.php +++ b/components/accountrecovery.php @@ -1,4 +1,5 @@ Date: Thu, 10 Sep 2015 18:39:14 +0100 Subject: [PATCH 14/14] Ready to merge and debug on beta --- components/accountrecovery.php | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/components/accountrecovery.php b/components/accountrecovery.php index 1cc6380..1454a80 100755 --- a/components/accountrecovery.php +++ b/components/accountrecovery.php 
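Review bot: `$ldifpath = '/tmp/accountrecovery.ldif',` ends with a comma instead of a semicolon, and `"dn: uid=$session->data['recoveryuser'],..."` uses a quoted array key inside simple string interpolation, which PHP does not parse; the lines need `$ldifpath = '/tmp/accountrecovery.ldif';` and `{$session->data['recoveryuser']}`. Beyond syntax, the reset path writes the new hash to one fixed, predictable filename in the shared `/tmp` for every user, so two concurrent resets overwrite each other and any local user can pre-create or read the file between `file_put_contents` and `unlink`; a `tempnam()` file with restrictive permissions, or better the ldap extension (`ldap_mod_replace`) so that no file is written at all, avoids this. The stored value is `{SHA}` over the bare password, i.e. unsalted SHA-1; if the directory accepts it, `{SSHA}` with a `random_bytes()` salt is the conventional minimum, and the return value of `file_put_contents` should be checked before anything reports success.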
@@ -4,33 +4,36 @@ //2 modes, auth and resetpass which are sent to smarty so it can display the right form. //default state $mode = 'auth'; - $ldifpath = '/tmp/accountrecovery.ldif', include_once("../lib/ldap-auth.php"); $smarty->assign("title", "Account Recovery"); //Have they already started resetting? - if(isset($session->data['recoveryuser'])) { - if ($_POST['newpass'] != $_POST['newpass2']){ + if(isset($session->data['recoveryuser']) && isset($_POST['newpass'])) { + $ldifpath = '/tmp/passreset_' . $session->data['recoveryuser'] . '.ldif'; + if ($_POST['newpass'] !== $_POST['newpass2']){ trigger_error("The passwords must match.", E_USER_WARNING); } - else if (weakPassword($_POST['newpass'])){ + elseif (weakPassword($_POST['newpass'])){ trigger_error("Your password is too weak!", E_USER_WARNING); + unset($newpass); } else{ //Reset their password $hashpass = base64_encode(sha1($_POST['newpass'], true)); - $ldif = "dn: uid=$session->data['recoveryuser'],ou=People,dc=sucs,dc=org + $ldif = "dn: uid=" . $session->data['recoveryuser']. ",ou=People,dc=sucs,dc=org changetype: modify replace: userPassword userPassword: {SHA}$hashpass"; + file_put_contents($ldifpath, $ldif); //for now specify the full command, would be nicer to have a shell script for this instead. - //commented out because I don't want people to actually run this yet - //system("ldapmodify -x -H ldap://silver -D'cn=Manager,dc=sucs,dc=org' -y /etc/ldap.secret -f /tmp/accountrecovery.ldif"); + system("ldapmodify -x -H ldap://silver -D'cn=Manager,dc=sucs,dc=org' -y /etc/ldap.secret -f " . $ldifpath); unlink($ldifpath); unset($session->data['recoveryuser']); message_flash("Your password has been successfully changed."); } } + else{ + $mode = 'auth'; //if they have tried to log in, try and auth them if (isset($_POST['username'])) $authd = ldapAuth($_POST['username'], $_POST['password']); //auth failed, tell them they got something wrong 
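Review bot: The now-enabled `system("ldapmodify ... -f " . $ldifpath)` concatenates `$ldifpath`, built from `$session->data['recoveryuser']`, into a shell command without `escapeshellarg()`, and the same value is spliced unescaped into the LDIF `dn:` line; the name comes from the members table rather than the request, but a username containing a space, comma or shell metacharacter would break both, so wrap it as `escapeshellarg($ldifpath)` and validate the username against the character set the directory allows before use. `message_flash("Your password has been successfully changed.")` is reached regardless of the `file_put_contents` result and the exit status of `system()` (its second argument), so a failed modify is reported as success; check both before flashing. Binding as `cn=Manager` with `-y /etc/ldap.secret` means the web process holds the directory manager's credential; a least-privilege bind DN that can only write `userPassword` under `ou=People` would limit the blast radius if the web tier is compromised. `unset($newpass)` in the weak-password branch is a no-op since `$newpass` is never set in this block, and the `else{` opened at the end of the hunk closes in the next one.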
@@ -41,19 +44,15 @@ userPassword: {SHA}$hashpass"; //if they are authd, try and get their username $usrname = $sucsDB->GetOne('SELECT username FROM members WHERE sid=?', $_POST['username']); //check if they are a member of sucs - if($usrname != ""){ + if($usrname !== ""){ $session->data["recoveryuser"] = $usrname; $mode = 'resetpass'; } - //if not, redirect them to signup else{ - //this doesn't work yet. I'm not sure how to output while the script is still running, or how to properly handle a redirection. - trigger_error("You are not yet a sucs member. Redirecting you to signup."); - sleep(3); header('Location: http://www.swansea-union.co.uk/mysociety/sucs/'); } } - + } //Things to make smarty work $smarty->assign("mode", $mode); $smarty->assign("usrname", $usrname); -- GitLab
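Review bot: `if($usrname !== "")` makes the comparison strict, but if `$sucsDB->GetOne` follows the ADOdb convention it returns `false` (not an empty string) when no row matches, so a non-member never reaches the redirect: `false` is stored as `recoveryuser`, `$mode` becomes `'resetpass'`, and the next POST would build a `dn: uid=,ou=People,...` entry. `if (!empty($usrname)) {` covers both `false` and `''`. The redirect in the else branch is still not followed by `exit;`, so the template is rendered and sent after the Location header; `header('Location: http://www.swansea-union.co.uk/mysociety/sucs/'); exit;`. The enclosing `elseif ($authd == "uni")` block starts outside the hunk.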