[aur-dev] [PATCH 1/3] Move reset key submission to a separate function
This allows for reusing reset key submission for other things, such as sending an initial password reset code during account registration. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> --- web/html/passreset.php | 22 +++++----------------- web/lib/acctfuncs.inc.php | 26 ++++++++++++++++++++++++++ 2 files changed, 31 insertions(+), 17 deletions(-) diff --git a/web/html/passreset.php b/web/html/passreset.php index 064e3de..94a1ad9 100644 --- a/web/html/passreset.php +++ b/web/html/passreset.php @@ -37,24 +37,12 @@ if (isset($_GET['resetkey'], $_POST['email'], $_POST['password'], $_POST['confir } } elseif (isset($_POST['email'])) { $email = $_POST['email']; - $uid = uid_from_email($email); - if ($uid != NULL && $uid != 'None') { - # We (ab)use new_sid() to get a random 32 characters long string - $resetkey = new_sid(); - create_resetkey($resetkey, $uid); - # Send email with confirmation link - $body = __('A password reset request was submitted for the account '. - 'associated with your e-mail address. If you wish to reset '. - 'your password follow the link below, otherwise ignore '. - 'this message and nothing will happen.'). - "\n\n". - "{$AUR_LOCATION}/" . get_uri('/passreset/') . "?". - "resetkey={$resetkey}"; - $body = wordwrap($body, 70); - $headers = "Reply-to: nobody@archlinux.org\nFrom:aur-notify@archlinux.org\nX-Mailer: PHP\nX-MimeOLE: Produced By AUR"; - @mail($email, 'AUR Password Reset', $body, $headers); + $body = __('A password reset request was submitted for the account '. + 'associated with your e-mail address. If you wish to reset '. + 'your password follow the link below, otherwise ignore '. + 'this message and nothing will happen.'). + send_resetkey($email, $body); - } header('Location: ' . get_uri('/passreset/') . '?step=confirm'); exit(); } diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 9c0998a..edca8a3 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -582,6 +582,32 @@ function create_resetkey($resetkey, $uid) { } /** + * Send a reset key to a specific e-mail address + * + * @param string $email E-mail address of the user resetting their password + * @param string $body Body of the email + * + * @return void + */ +function send_resetkey($email, $body) { + global $AUR_LOCATION; + + $uid = uid_from_email($email); + if ($uid != NULL && $uid != 'None') { + # We (ab)use new_sid() to get a random 32 characters long string + $resetkey = new_sid(); + create_resetkey($resetkey, $uid); + # Send email with confirmation link + $body = wordwrap($body, 70); + $body .= "\n\n". + "{$AUR_LOCATION}/" . get_uri('/passreset/') . "?". + "resetkey={$resetkey}"; + $headers = "Reply-to: nobody@archlinux.org\nFrom:aur-notify@archlinux.org\nX-Mailer: PHP\nX-MimeOLE: Produced By AUR"; + @mail($email, 'AUR Password Reset', $body, $headers); + } +} + +/** * Change a user's password in the database if reset key and e-mail are correct * * @param string $hash New MD5 hash of a user's password -- 1.8.2.480.g556678c
If an empty password is passed during account registration, login for the new user is disabled and a reset key is sent to the new user's e-mail address so that they can set an initial password manually. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> --- web/lib/acctfuncs.inc.php | 38 +++++++++++++++++++++++++------------- 1 file changed, 25 insertions(+), 13 deletions(-) diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index edca8a3..aabb096 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -91,7 +91,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", $P="",$C="",$R="",$L="",$I="",$K="",$UID=0) { # error check and process request for a new/modified account - global $SUPPORTED_LANGS; + global $SUPPORTED_LANGS, $AUR_LOCATION; $dbh = DB::connect(); @@ -107,16 +107,8 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", $error = __("Missing a required field."); } - if ($TYPE == "new") { - # they need password fields for this type of action - # - if (empty($P) || empty($C)) { - $error = __("Missing a required field."); - } - } else { - if (!$UID) { - $error = __("Missing User ID"); - } + if ($TYPE != "new" && !$UID) { + $error = __("Missing User ID"); } if (!$error && !valid_username($U) && !user_is_privileged($editor_user)) @@ -190,7 +182,13 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", if ($TYPE == "new") { # no errors, go ahead and create the unprivileged user $salt = generate_salt(); - $P = salted_hash($P, $salt); + if (empty($P)) { + $send_resetkey = true; + $email = $E; + } else { + $send_resetkey = false; + $P = salted_hash($P, $salt); + } $U = $dbh->quote($U); $E = $dbh->quote($E); $P = $dbh->quote($P); @@ -213,7 +211,21 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", print __("The account, %s%s%s, has been successfully created.", "<strong>", htmlspecialchars($U,ENT_QUOTES), "</strong>"); print "<p>\n"; - print __("Click on the Login link above to use your account."); + if ($send_resetkey) { + $body = __('Welcome to %s! In order ' . + 'to set an initial password ' . + 'for your new account, ' . + 'please click the link ' . + 'below. If the link does ' . + 'not work try copying and ' . + 'pasting it into your ' . + 'browser.', + $AUR_LOCATION); + send_resetkey($email, $body); + print __("A password reset key has been sent to your e-mail address."); + } else { + print __("Click on the Login link above to use your account."); + } print "</p>\n"; } -- 1.8.2.480.g556678c
Remove the password field from the account creation form and always send a password reset request via e-mail instead. This ensures that only users with valid e-mail addresses are able to login. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> --- web/html/account.php | 4 ++-- web/template/account_edit_form.php | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/web/html/account.php b/web/html/account.php index f15a10a..50d376f 100644 --- a/web/html/account.php +++ b/web/html/account.php @@ -105,8 +105,8 @@ if (isset($_COOKIE["AURSID"])) { # process_account_form("","new", "NewAccount", in_request("U"), 1, 0, in_request("E"), - in_request("P"), in_request("C"), in_request("R"), - in_request("L"), in_request("I"), in_request("K")); + '', '', in_request("R"), in_request("L"), + in_request("I"), in_request("K")); } else { # display the account request form diff --git a/web/template/account_edit_form.php b/web/template/account_edit_form.php index a41b34c..a0de2a3 100644 --- a/web/template/account_edit_form.php +++ b/web/template/account_edit_form.php @@ -60,17 +60,17 @@ <input type="text" size="30" maxlength="64" name="E" id="id_email" value="<?= htmlspecialchars($E,ENT_QUOTES) ?>" /> (<?= __("required") ?>) </p> + <?php if ($A == "UpdateAccount"): ?> <p> <label for="id_passwd1"><?= __("Password") ?>:</label> <input type="password" size="30" name="P" id="id_passwd1" value="<?= $P ?>" /> - <?php if ($A != "UpdateAccount"): print " (".__("required").")"; endif; ?> </p> <p> <label for="id_passwd2"><?= __("Re-type password") ?>:</label> <input type="password" size="30" name="C" id="id_passwd2" value="<?= $C ?>" /> - <?php if ($A != "UpdateAccount"): print " (".__("required").")"; endif; ?> </p> + <?php endif; ?> <p> <label for="id_realname"><?= __("Real Name") ?>:</label> -- 1.8.2.480.g556678c
participants (1)
-
Lukas Fleischer