mirror of
https://github.com/postfixadmin/postfixadmin.git
synced 2024-09-19 19:22:14 +02:00
when going through password recovery, only wipe the recovery token after the user has updated their password
see https://github.com/postfixadmin/postfixadmin/issues/550
This commit is contained in:
parent
5dfee5aa8d
commit
56dd787ce2
@ -424,7 +424,7 @@ function escape_string($string_or_int)
|
|||||||
*
|
*
|
||||||
* @param string $param parameter name.
|
* @param string $param parameter name.
|
||||||
* @param string $default (optional) - default value if key is not set.
|
* @param string $default (optional) - default value if key is not set.
|
||||||
* @return string
|
* @return string - can only return a string
|
||||||
*/
|
*/
|
||||||
function safeget($param, $default = "")
|
function safeget($param, $default = "")
|
||||||
{
|
{
|
||||||
@ -439,7 +439,7 @@ function safeget($param, $default = "")
|
|||||||
* safepost - similar to safeget() but for $_POST
|
* safepost - similar to safeget() but for $_POST
|
||||||
* @param string $param parameter name
|
* @param string $param parameter name
|
||||||
* @param string $default (optional) default value (defaults to "")
|
* @param string $default (optional) default value (defaults to "")
|
||||||
* @return string - value in $_POST[$param] or $default
|
* @return string - value in $_POST[$param] or $default - we do not support array like value(s) etc
|
||||||
* @see safeget()
|
* @see safeget()
|
||||||
*/
|
*/
|
||||||
function safepost($param, $default = "")
|
function safepost($param, $default = "")
|
||||||
|
@ -876,25 +876,29 @@ abstract class PFAHandler
|
|||||||
$now = date('Y-m-d H:i:s');
|
$now = date('Y-m-d H:i:s');
|
||||||
|
|
||||||
$query = "SELECT token FROM $table WHERE {$this->id_field} = :username AND token <> '' AND active = :active AND token_validity > :now ";
|
$query = "SELECT token FROM $table WHERE {$this->id_field} = :username AND token <> '' AND active = :active AND token_validity > :now ";
|
||||||
$values = array('username' => $username, 'active' => $active, 'now' => $now);
|
$values = ['username' => $username, 'active' => $active, 'now' => $now];
|
||||||
|
|
||||||
$result = db_query_all($query, $values);
|
$result = db_query_all($query, $values);
|
||||||
if (sizeof($result) == 1) {
|
if (sizeof($result) == 1) {
|
||||||
$row = $result[0];
|
$row = $result[0];
|
||||||
|
|
||||||
$crypt_token = pacrypt($token, $row['token'], $username);
|
$crypt_token = pacrypt($token, $row['token'], $username);
|
||||||
|
return $row['token'] == $crypt_token;
|
||||||
if ($row['token'] == $crypt_token) {
|
|
||||||
db_update($this->db_table, $this->id_field, $username, array(
|
|
||||||
'token' => '',
|
|
||||||
'token_validity' => '2000-01-01 00:00:00',
|
|
||||||
));
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Blindly wipe someone's password recovery token (even if they don't have one set!)
|
||||||
|
* @param string $username
|
||||||
|
* @return bool
|
||||||
|
* @throws Exception
|
||||||
|
*/
|
||||||
|
public function wipePasswordRecoveryCode($username)
|
||||||
|
{
|
||||||
|
db_update($this->db_table, $this->id_field, $username, ['token' => '', 'token_validity' => '2000-01-01 00:00:00']);
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
/**************************************************************************
|
/**************************************************************************
|
||||||
* functions to read protected variables
|
* functions to read protected variables
|
||||||
*/
|
*/
|
||||||
|
@ -40,6 +40,9 @@ $CONF = Config::getInstance()->getAll();
|
|||||||
|
|
||||||
$smarty->configureTheme($rel_path);
|
$smarty->configureTheme($rel_path);
|
||||||
|
|
||||||
|
$tCode = null;
|
||||||
|
$tUsername = null;
|
||||||
|
|
||||||
if ($context === 'admin' && !Config::read('forgotten_admin_password_reset')) {
|
if ($context === 'admin' && !Config::read('forgotten_admin_password_reset')) {
|
||||||
die('Password change is disabled by configuration option: forgotten_admin_password_reset or mailbox_postpassword_script');
|
die('Password change is disabled by configuration option: forgotten_admin_password_reset or mailbox_postpassword_script');
|
||||||
}
|
}
|
||||||
@ -82,6 +85,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
|||||||
$values['password2'] = $fPassword2;
|
$values['password2'] = $fPassword2;
|
||||||
if ($handler->set($values) && $handler->save()) {
|
if ($handler->set($values) && $handler->save()) {
|
||||||
flash_info(Config::lang_f('pPassword_result_success', $tUsername));
|
flash_info(Config::lang_f('pPassword_result_success', $tUsername));
|
||||||
|
$handler->wipePasswordRecoveryCode($tUsername); // so we only wipe the recovery token if they've managed to change their password.
|
||||||
header('Location: main.php');
|
header('Location: main.php');
|
||||||
exit(0);
|
exit(0);
|
||||||
} else {
|
} else {
|
||||||
@ -95,8 +99,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
|||||||
}
|
}
|
||||||
|
|
||||||
$smarty->assign('language_selector', language_selector(), false);
|
$smarty->assign('language_selector', language_selector(), false);
|
||||||
$smarty->assign('tUsername', @$tUsername);
|
$smarty->assign('tUsername', $tUsername);
|
||||||
$smarty->assign('tCode', @$tCode);
|
$smarty->assign('tCode', $tCode);
|
||||||
$smarty->assign('smarty_template', 'password-change');
|
$smarty->assign('smarty_template', 'password-change');
|
||||||
$smarty->display('index.tpl');
|
$smarty->display('index.tpl');
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user