kienan
/
AlternC
mirror of https://github.com/kienanstewart/AlternC.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Restrict password reset requests to username

This commit is contained in:
Nina 2022-07-07 15:36:53 -04:00 committed by Camille Lafitte
parent b4062026d9
commit 5eac4b375d
2 changed files with 14 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
bureau/admin/request_reset.php
View File

@ -4,7 +4,7 @@ require_once("../class/config_nochk.php");
$request = FALSE;
$valid_request = TRUE;
if (isset($_REQUEST['name_or_email'])) {
if (isset($_REQUEST['name'])) {
$request = TRUE;
// Inserted into the global namespace by config.php
$valid_request = !$fatalcsrf;
@ -19,7 +19,7 @@ if (isset($_REQUEST['name_or_email'])) {
$show_form = !$request || ($request && !$valid_request);
if ($request && $valid_request) {
$mem->send_reset_url($_REQUEST['name_or_email']);
$mem->send_reset_url($_REQUEST['name']);
}
if (!isset($charset) || ! $charset) {
@ -53,8 +53,8 @@ require_once("html-head.php");
<form action="request_reset.php" method="post" name="passwordreset">
<?php csrf_get(); ?>
<div>
<label for="name_or_email"><?php echo _('Username or e-mail'); ?></label>
<input type="text" class="int" name="name_or_email">
<label for="name"><?php echo _('Username'); ?></label>
<input type="text" class="int" name="name">
</div>
<div class="submit"><input type="submit" class="inb" name="submit"></div>
</form>

21
bureau/class/m_mem.php
View File

@ -685,20 +685,19 @@ Cordially.
/**
* Sends a password-reset URL.
*/
public function send_reset_url($email_or_login) {
public function send_reset_url($login) {
global $msg, $L_FQDN, $L_HOSTING, $db;
// Look up user by email_or_login.
$db->query("SELECT * FROM membres WHERE login = ? OR mail = ? ;", array($email_or_login, $email_or_login));
// Look up user by login.
// 'mail' is not a unique key so we can't rely on it.
$db->query("SELECT * FROM membres WHERE login = ? ;", array($login));
$msg->log('mem', 'send_reset_url', 'Password reset requested for: ' . $email_or_login);
$msg->log('mem', 'send_reset_url', 'Password reset requested for: ' . $login);
// Give user feedback, even if we don't have an account stored.
$msg->raise('INFO', 'mem', _('An e-mail with information on how to connect has been sent to the owner of the account if one exists'));
// It is possible here that a user could have multiple accounts for a
// single e-mail since 'mail' is not a uniqe key in the membres table.
// For the moment we'll just take the first account.
// Get the corresponding account.
if (!$db->num_rows()) {
$msg->log('mem', 'send_reset_url', 'No member found with login or mail ' . $email_or_login);
$msg->log('mem', 'send_reset_url', 'No member found with login ' . $login);
return FALSE;
}
if ($db->num_rows()) {
@ -728,10 +727,10 @@ This link may only be used once. You should change your password in your account
}
/**
* Generate a reset URL for an account given it's e-mail or login.
* Generate a reset URL for an account given its login.
*
* @param $email_or_login
* A string with the email or login.
* @param $login
* A string with the login.
*
* @returns string|boolean
* A reset URL or FALSE in case of error.