/**
 * Front-end user controller: dispatches on $this->action.
 *
 * Actions handled here:
 *   - 'login_post'   : credential check, opportunistic bcrypt re-hash, ban check,
 *                      referer-based redirect target, session bootstrap;
 *   - 'resend'       : re-send the account activation e-mail (throttled);
 *   - 'recover' / 'recover_post' : password-recovery form and its submission;
 *   - 'forgot' / 'forgot_post'   : password-reset link (userId + code) and its submission;
 *   - default        : remember the referer and show the login form.
 *
 * The guards below call $this->redirectTo() without a following return, so the
 * code relies on redirectTo() ending the request. NOTE(review): that is not
 * visible from this block — confirm redirectTo() exits, otherwise the code after
 * each guard still runs with the rejected input.
 *
 * @return void
 */
function doModel()
{
    switch ($this->action) {
        case 'login_post':
            // Post execution for the login form.
            if (!osc_users_enabled()) {
                osc_add_flash_error_message(_m('Users are not enabled'));
                $this->redirectTo(osc_base_url());
            }
            osc_csrf_check();
            osc_run_hook('before_validating_login');
            // E-mail and/or password empty: collect every message before redirecting.
            $wrongCredentials = false;
            $email = Params::getParam('email');
            // Extra arguments presumably switch off the input filtering so the raw
            // password reaches the verifier unchanged — confirm against Params::getParam().
            $password = Params::getParam('password', false, false);
            if ($email == '') {
                osc_add_flash_error_message(_m('Please provide an email address'));
                $wrongCredentials = true;
            }
            if ($password == '') {
                osc_add_flash_error_message(_m('Empty passwords are not allowed. Please provide a password'));
                $wrongCredentials = true;
            }
            if ($wrongCredentials) {
                $this->redirectTo(osc_user_login_url());
            }
            // The login field accepts either an e-mail (tried first, only when it
            // validates) or a username (fallback).
            if (osc_validate_email($email)) {
                $user = User::newInstance()->findByEmail($email);
            }
            if (empty($user)) {
                $user = User::newInstance()->findByUsername($email);
            }
            if (empty($user)) {
                // NOTE(review): this message is distinguishable from 'The password is
                // incorrect' below, so responses reveal whether an account exists; a
                // single generic "invalid credentials" message is the usual mitigation.
                osc_add_flash_error_message(_m("The user doesn't exist"));
                $this->redirectTo(osc_user_login_url());
            }
            // Verify against the stored hash ('' when the row carries none).
            if (!osc_verify_password($password, isset($user['s_password']) ? $user['s_password'] : '')) {
                osc_add_flash_error_message(_m('The password is incorrect'));
                $this->redirectTo(osc_user_login_url());
                // @TODO if valid user, send email parameter back to the login form
            } else {
                // Password accepted: re-hash when the stored hash is not bcrypt at all,
                // or is bcrypt ("$2y$NN$" prefix, NN captured as $cost[1]) with a cost
                // different from BCRYPT_COST. This writes to the user row before the
                // ban check below has run.
                if (@$user['s_password'] != '') {
                    if (preg_match('|\\$2y\\$([0-9]{2})\\$|', $user['s_password'], $cost)) {
                        if ($cost[1] != BCRYPT_COST) {
                            User::newInstance()->update(array('s_password' => osc_hash_password($password)), array('pk_i_id' => $user['pk_i_id']));
                        }
                    } else {
                        User::newInstance()->update(array('s_password' => osc_hash_password($password)), array('pk_i_id' => $user['pk_i_id']));
                    }
                }
            }
            // E-mail and/or IP banned?
            // NOTE(review): the ban check runs only after the credentials were verified,
            // so a banned e-mail/IP still receives the distinct credential errors above;
            // checking bans first would close that gap.
            $banned = osc_is_banned($email); // int 0: not banned or unknown, 1: email is banned, 2: IP is banned, 3: both email & IP are banned
            if ($banned & 1) {
                osc_add_flash_error_message(_m('Your current email is not allowed'));
            }
            if ($banned & 2) {
                osc_add_flash_error_message(_m('Your current IP is not allowed'));
            }
            if ($banned !== 0) {
                $this->redirectTo(osc_user_login_url());
            }
            osc_run_hook('before_login');
            // Post-login target: the referer, unless it resolves (through the rewrite
            // rules) to the login page or to an empty page, in which case the dashboard.
            // NOTE(review): apart from the 'correct_login_url_redirect' filter applied at
            // the redirect, nothing in this block checks that the referer stays on
            // osc_base_url() — confirm osc_get_http_referer() or the filter does.
            $url_redirect = osc_get_http_referer();
            $page_redirect = '';
            if (osc_rewrite_enabled()) {
                if ($url_redirect != '') {
                    // NOTE(review): osc_base_url() is interpolated into the pattern without
                    // preg_quote(), so '.' in the host matches any character and an '@' in
                    // the URL would collide with the delimiter.
                    $request_uri = urldecode(preg_replace('@^' . osc_base_url() . '@', "", $url_redirect));
                    $tmp_ar = explode("?", $request_uri);
                    $request_uri = $tmp_ar[0];
                    $rules = Rewrite::newInstance()->listRules();
                    foreach ($rules as $match => $uri) {
                        // $m (the rule captures) is never read; $match is reused as the
                        // output array of the inner preg_match, which is harmless only
                        // because the loop breaks right after.
                        if (preg_match('#' . $match . '#', $request_uri, $m)) {
                            $request_uri = preg_replace('#' . $match . '#', $uri, $request_uri);
                            if (preg_match('|([&?]{1})page=([^&]*)|', '&' . $request_uri . '&', $match)) {
                                $page_redirect = $match[2];
                                if ($page_redirect == '' || $page_redirect == 'login') {
                                    $url_redirect = osc_user_dashboard_url();
                                }
                            }
                            break;
                        }
                    }
                }
            }
            require_once LIB_PATH . 'osclass/UserActions.php';
            $uActions = new UserActions(false);
            // bootstrap_login() codes as interpreted here: 0 unknown user, 1 not yet
            // validated, 2 suspended, 3 logged in.
            $logged = $uActions->bootstrap_login($user['pk_i_id']);
            if ($logged == 0) {
                osc_add_flash_error_message(_m("The user doesn't exist"));
            } else {
                if ($logged == 1) {
                    // Offer a re-send link only when the last activation mail is older
                    // than 1200 s; dt_access_date is bumped by the 'resend' action.
                    if (time() - strtotime($user['dt_access_date']) > 1200) { // EACH 20 MINUTES
                        osc_add_flash_error_message(sprintf(_m('The user has not been validated yet. Would you like to re-send your <a href="%s">activation?</a>'), osc_user_resend_activation_link($user['pk_i_id'], $user['s_email'])));
                    } else {
                        osc_add_flash_error_message(_m('The user has not been validated yet'));
                    }
                } else {
                    if ($logged == 2) {
                        osc_add_flash_error_message(_m('The user has been suspended'));
                    } else {
                        if ($logged == 3) {
                            if (Params::getParam('remember') == 1) {
                                // Persistent login: a fresh random secret is stored on the
                                // user row and mirrored into the oc_userId/oc_userSecret cookies.
                                // This include provides the osc_genRandomPassword function.
                                require_once osc_lib_path() . 'osclass/helpers/hSecurity.php';
                                $secret = osc_genRandomPassword();
                                User::newInstance()->update(array('s_secret' => $secret), array('pk_i_id' => $user['pk_i_id']));
                                Cookie::newInstance()->set_expires(osc_time_cookie());
                                Cookie::newInstance()->push('oc_userId', $user['pk_i_id']);
                                Cookie::newInstance()->push('oc_userSecret', $secret);
                                Cookie::newInstance()->set();
                            }
                            if ($url_redirect == '') {
                                $url_redirect = osc_user_dashboard_url();
                            }
                            osc_run_hook("after_login", $user, $url_redirect);
                            $this->redirectTo(osc_apply_filter('correct_login_url_redirect', $url_redirect));
                        } else {
                            osc_add_flash_error_message(_m('This should never happen'));
                        }
                    }
                }
            }
            // Every non-3 outcome ends on the login page; both redirects below target
            // it, so the b_enabled guard adds nothing as written.
            if (!$user['b_enabled']) {
                $this->redirectTo(osc_user_login_url());
            }
            $this->redirectTo(osc_user_login_url());
            break;
        case 'resend':
            // Re-send the activation e-mail; the link carries the user id and e-mail.
            $id = Params::getParam('id');
            $email = Params::getParam('email');
            $user = User::newInstance()->findByPrimaryKey($id);
            // NOTE(review): !isset($user) only catches null; if findByPrimaryKey()
            // returns false for an unknown id, the next conditions read offsets of a
            // non-array — confirm the return type, or test `empty($user)` as 'login_post' does.
            if ($id == '' || $email == '' || !isset($user) || $user['b_active'] == 1 || $email != $user['s_email']) {
                osc_add_flash_error_message(_m('Incorrect link'));
                $this->redirectTo(osc_user_login_url());
            }
            // Throttle: one re-send per 1200 s, tracked in dt_access_date.
            if (time() - strtotime($user['dt_access_date']) > 1200) { // EACH 20 MINUTES
                if (osc_notify_new_user()) {
                    osc_run_hook('hook_email_admin_new_user', $user);
                }
                if (osc_user_validation_enabled()) {
                    osc_run_hook('hook_email_user_validation', $user, $user);
                }
                User::newInstance()->update(array('dt_access_date' => date('Y-m-d H:i:s')), array('pk_i_id' => $user['pk_i_id']));
                osc_add_flash_ok_message(_m('Validation email re-sent'));
            } else {
                osc_add_flash_warning_message(_m('We have just sent you an email to validate your account, you will have to wait a few minutes to resend it again'));
            }
            $this->redirectTo(osc_user_login_url());
            break;
        case 'recover':
            // Form to recover the password (the form itself lives in /gui/).
            $this->doView('user-recover.php');
            break;
        case 'recover_post':
            // Post execution to recover the password.
            osc_csrf_check();
            require_once LIB_PATH . 'osclass/UserActions.php';
            // Reject malformed e-mail addresses.
            // NOTE(review): this pattern only accepts 2–3 letter TLDs and an ASCII
            // local part, so valid addresses under longer TLDs are rejected here;
            // osc_validate_email() (used in 'login_post') would be the consistent check.
            if (!preg_match('|^[a-z0-9\\.\\_\\+\\-]+@[a-z0-9\\.\\-]+\\.[a-z]{2,3}$|i', Params::getParam('s_email'))) {
                osc_add_flash_error_message(_m('Invalid email address'));
                $this->redirectTo(osc_recover_user_password_url());
            }
            $userActions = new UserActions(false);
            // recover_password() codes: 0 ok, 1 unknown e-mail, 2 recaptcha wrong.
            // Any other value falls out of the switch without a redirect or a view.
            // NOTE(review): code 1 tells the caller whether an e-mail is registered.
            $success = $userActions->recover_password();
            switch ($success) {
                case 0: // recover ok
                    osc_add_flash_ok_message(_m('We have sent you an email with the instructions to reset your password'));
                    $this->redirectTo(osc_base_url());
                    break;
                case 1: // e-mail does not exist
                    osc_add_flash_error_message(_m('We were not able to identify you given the information provided'));
                    $this->redirectTo(osc_recover_user_password_url());
                    break;
                case 2: // recaptcha wrong
                    osc_add_flash_error_message(_m('The recaptcha code is wrong'));
                    $this->redirectTo(osc_recover_user_password_url());
                    break;
            }
            break;
        case 'forgot':
            // Password-reset form; the link is only valid for a matching userId + code.
            $user = User::newInstance()->findByIdPasswordSecret(Params::getParam('userId'), Params::getParam('code'));
            if ($user) {
                $this->doView('user-forgot_password.php');
            } else {
                osc_add_flash_error_message(_m('Sorry, the link is not valid'));
                $this->redirectTo(osc_base_url());
            }
            break;
        case 'forgot_post':
            osc_csrf_check();
            if (Params::getParam('new_password', false, false) == '' || Params::getParam('new_password2', false, false) == '') {
                osc_add_flash_warning_message(_m('Password cannot be blank'));
                $this->redirectTo(osc_forgot_user_password_confirm_url(Params::getParam('userId'), Params::getParam('code')));
            }
            $user = User::newInstance()->findByIdPasswordSecret(Params::getParam('userId'), Params::getParam('code'));
            // NOTE(review): the lookup's failure value is not tested before reading
            // $user['b_enabled']; the 'forgot' case above checks `if ($user)` first.
            if ($user['b_enabled'] == 1) {
                if (Params::getParam('new_password', false, false) == Params::getParam('new_password2', false, false)) {
                    // Store the new hash and replace s_pass_code / reset s_pass_date to the
                    // epoch, presumably so the reset link cannot be used a second time.
                    User::newInstance()->update(array('s_pass_code' => osc_genRandomPassword(50), 's_pass_date' => date('Y-m-d H:i:s', 0), 's_pass_ip' => Params::getServerParam('REMOTE_ADDR'), 's_password' => osc_hash_password(Params::getParam('new_password', false, false))), array('pk_i_id' => $user['pk_i_id']));
                    osc_add_flash_ok_message(_m('The password has been changed'));
                    $this->redirectTo(osc_user_login_url());
                } else {
                    osc_add_flash_error_message(_m("Error, the password don't match"));
                    $this->redirectTo(osc_forgot_user_password_confirm_url(Params::getParam('userId'), Params::getParam('code')));
                }
            } else {
                osc_add_flash_error_message(_m('Sorry, the link is not valid'));
            }
            $this->redirectTo(osc_base_url());
            break;
        default:
            // Login form: remember where the visitor came from, skip the form when
            // already logged in.
            Session::newInstance()->_setReferer(osc_get_http_referer());
            if (osc_logged_user_id() != '') {
                $this->redirectTo(osc_user_dashboard_url());
            }
            $this->doView('user-login.php');
    }
}
/**
 * Creates a new item from $this->data after sanitising and validating it.
 *
 * Steps, in order: strip tags from titles, price, contact fields and the
 * free-text location fields; validate photos, titles, descriptions, category,
 * price, contact data, location, submit rate and the per-category meta fields;
 * run the pre-add hooks; then insert the item row, its locales, location,
 * photos, meta values and stats row, send the notification e-mails (non-admin
 * only) and bump the counters for active, non-spam items.
 *
 * Reads $this->data, $this->manager and $this->is_admin.
 *
 * @return string|int  The concatenated validation messages (PHP_EOL separated)
 *                     when validation fails; otherwise 1 for an item inserted
 *                     as INACTIVE and 2 for an ACTIVE one. (The former docblock
 *                     said boolean, which does not match the values returned.)
 */
public function add()
{
    $aItem = $this->data;
    $is_spam = 0;
    $enabled = 1;
    // Random secret stored as s_secret on the new row.
    $code = osc_genRandomPassword();
    $flash_error = '';
    // Requires email validation? (computed but never read in this method)
    $has_to_validate = (osc_moderate_items() != -1) ? true : false;
    // Check status
    $active = $aItem['active'];
    // Sanitize. The @ suppresses the warning when no 'title' was posted at all.
    // Descriptions are not passed through strip_tags here — presumably escaped
    // on output; confirm.
    foreach(@$aItem['title'] as $key=>$value) {
        $aItem['title'][$key] = strip_tags( trim ( $value ) );
    }
    $aItem['price'] = !is_null($aItem['price']) ? strip_tags( trim( $aItem['price'] ) ) : $aItem['price'];
    $contactName = strip_tags( trim( $aItem['contactName'] ) );
    $contactEmail = strip_tags( trim( $aItem['contactEmail'] ) );
    $aItem['cityArea'] = osc_sanitize_name( strip_tags( trim( $aItem['cityArea'] ) ) );
    $aItem['address'] = osc_sanitize_name( strip_tags( trim( $aItem['address'] ) ) );
    // Anonymous: fall back to a generic name when the contact name fails
    // osc_validate_text() with a minimum of 3 (presumably characters).
    $contactName = (osc_validate_text($contactName,3))? $contactName : __("Anonymous");
    // Validate: every failing check appends one message to $flash_error.
    if ( !$this->checkAllowedExt($aItem['photos']) ) {
        $flash_error .= _m("Image with an incorrect extension.") . PHP_EOL;
    }
    if ( !$this->checkSize($aItem['photos']) ) {
        $flash_error .= _m("Image is too big. Max. size") . osc_max_size_kb() ." Kb" . PHP_EOL;
    }
    // Titles: a single locale with a valid title clears every message collected so far.
    $title_message = '';
    foreach(@$aItem['title'] as $key => $value) {
        if( osc_validate_text($value, 1) && osc_validate_max($value, osc_max_characters_per_title()) ) {
            $title_message = '';
            break;
        }
        $title_message .= (!osc_validate_text($value, 1) ? sprintf(_m("Title too short (%s)."), $key) . PHP_EOL : '' ) . (!osc_validate_max($value, osc_max_characters_per_title()) ? sprintf(_m("Title too long (%s)."), $key) . PHP_EOL : '' );
    }
    $flash_error .= $title_message;
    // Descriptions: same rule as titles, minimum 3.
    $desc_message = '';
    foreach(@$aItem['description'] as $key => $value) {
        if( osc_validate_text($value, 3) && osc_validate_max($value, osc_max_characters_per_description()) ) {
            $desc_message = '';
            break;
        }
        $desc_message .= (!osc_validate_text($value, 3) ? sprintf(_m("Description too short (%s)."), $key) . PHP_EOL : '' ) . (!osc_validate_max($value, osc_max_characters_per_description()) ? sprintf(_m("Description too long (%s)."), $key). PHP_EOL : '' );
    }
    $flash_error .= $desc_message;
    // Akismet spam check: a spam verdict does not block the insert, it only
    // flags the row (b_spam) and skips the stats increase at the end.
    if( $this->_akismet_text( $aItem['title'], $aItem['description'] , $contactName, $contactEmail) ) {
        $is_spam = 1;
    }
    // Category, price, contact, location and rate-limit checks.
    // NOTE(review): number_format() is called on the price even when it is null
    // (the is_null() guard only covers the sign check) — confirm this is
    // accepted on the PHP version in use.
    // The last check is the submit rate limit: non-admins must wait
    // osc_items_wait_time() seconds since the session's last_submit_item.
    $flash_error .= ((!osc_validate_category($aItem['catId'])) ? _m("Category invalid.") . PHP_EOL : '' ) . ((!osc_validate_number($aItem['price'])) ? _m("Price must be a number.") . PHP_EOL : '' ) . ((!osc_validate_max(number_format($aItem['price'],0,'',''), 15)) ? _m("Price too long.") . PHP_EOL : '' ) . ((!is_null($aItem['price']) && (int)$aItem['price']<0 ) ? _m('Price must be positive number.') . PHP_EOL : '' ) . ((!osc_validate_max($contactName, 35)) ? _m("Name too long.") . PHP_EOL : '' ) . ((!osc_validate_email($contactEmail)) ? _m("Email invalid.") . PHP_EOL : '' ) . ((!osc_validate_text($aItem['countryName'], 2, false)) ? _m("Country too short.") . PHP_EOL : '' ) . ((!osc_validate_max($aItem['countryName'], 50)) ? _m("Country too long.") . PHP_EOL : '' ) . ((!osc_validate_text($aItem['regionName'], 2, false)) ? _m("Region too short.") . PHP_EOL : '' ) . ((!osc_validate_max($aItem['regionName'], 50)) ? _m("Region too long.") . PHP_EOL : '' ) . ((!osc_validate_text($aItem['cityName'], 2, false)) ? _m("City too short.") . PHP_EOL : '' ) . ((!osc_validate_max($aItem['cityName'], 50)) ? _m("City too long.") . PHP_EOL : '' ) . ((!osc_validate_text($aItem['cityArea'], 2, false)) ? _m("Municipality too short.") . PHP_EOL : '' ) . ((!osc_validate_max($aItem['cityArea'], 50)) ? _m("Municipality too long.") . PHP_EOL : '' ) . ((!osc_validate_text($aItem['address'], 3, false)) ? _m("Address too short.") . PHP_EOL : '' ) . ((!osc_validate_max($aItem['address'], 100)) ? _m("Address too long.") . PHP_EOL : '' ) . ((((time() - Session::newInstance()->_get('last_submit_item')) < osc_items_wait_time()) && !$this->is_admin) ? _m("Too fast. You should wait a little to publish your ad.") . PHP_EOL : '' );
    // Meta fields: make sure every field defined for the category has a key in
    // the posted 'meta' array, then report the required ones left empty.
    // NOTE(review): if Params::getParam("meta") returns a non-array when the form
    // posts no meta (e.g. ''), the assignment below writes string offsets —
    // confirm the helper's return value for an absent parameter.
    $_meta = Field::newInstance()->findByCategory($aItem['catId']);
    $meta = Params::getParam("meta");
    foreach($_meta as $_m) {
        $meta[$_m['pk_i_id']] = (isset($meta[$_m['pk_i_id']]))?$meta[$_m['pk_i_id']]:'';
    }
    if($meta!='' && count($meta)>0) {
        $mField = Field::newInstance();
        foreach($meta as $k => $v) {
            if($v=='') {
                $field = $mField->findByPrimaryKey($k);
                if($field['b_required']==1) {
                    $flash_error .= sprintf(_m("%s field is required."), $field['s_name']) . PHP_EOL;
                }
            }
        }
    }
    // Hooks before add or edit.
    // DEPRECATED: pre_item_post will be removed in 3.4
    osc_run_hook('pre_item_post');
    osc_run_hook('pre_item_add', $aItem);
    // Handle error: any collected message aborts the insert and is returned as-is.
    if ($flash_error) {
        $success = $flash_error;
    } else {
        // A currency only makes sense together with a price; the first branch is a
        // self-assignment (no-op) kept from the original.
        if($aItem['price']!='') {
            $aItem['currency'] = $aItem['currency'];
        } else {
            $aItem['currency'] = NULL;
        }
        $this->manager->insert(array(
            'fk_i_user_id' => $aItem['userId'],
            'dt_pub_date' => date('Y-m-d H:i:s'),
            'fk_i_category_id' => $aItem['catId'],
            'i_price' => $aItem['price'],
            'fk_c_currency_code' => $aItem['currency'],
            's_contact_name' => $contactName,
            's_contact_email' => $contactEmail,
            's_secret' => $code,
            'b_active' => ($active=='ACTIVE'?1:0),
            'b_enabled' => $enabled,
            'b_show_email' => $aItem['showEmail'],
            'b_spam' => $is_spam,
            's_ip' => $aItem['s_ip']
        ));
        if(!$this->is_admin) {
            // Track spam delay: Session (read by the rate-limit check above)
            Session::newInstance()->_set('last_submit_item', time());
            // Track spam delay: Cookie
            Cookie::newInstance()->set_expires( osc_time_cookie() );
            Cookie::newInstance()->push('last_submit_item', time());
            Cookie::newInstance()->set();
        }
        $itemId = $this->manager->dao->insertedId();
        Log::newInstance()->insertLog('item', 'add', $itemId, current(array_values($aItem['title'])), $this->is_admin?'admin':'user', $this->is_admin?osc_logged_admin_id():osc_logged_user_id());
        Params::setParam('itemId', $itemId);
        // INSERT title and description locales
        $this->insertItemLocales('ADD', $aItem['title'], $aItem['description'], $itemId );
        $location = array(
            'fk_i_item_id' => $itemId,
            'fk_c_country_code' => $aItem['countryId'],
            's_country' => $aItem['countryName'],
            'fk_i_region_id' => $aItem['regionId'],
            's_region' => $aItem['regionName'],
            'fk_i_city_id' => $aItem['cityId'],
            's_city' => $aItem['cityName'],
            's_city_area' => $aItem['cityArea'],
            's_address' => $aItem['address'],
            'd_coord_lat' => $aItem['d_coord_lat'],
            'd_coord_long' => $aItem['d_coord_long'],
            's_zip' => $aItem['s_zip']
        );
        $locationManager = ItemLocation::newInstance();
        $locationManager->insert($location);
        $this->uploadItemResources( $aItem['photos'] , $itemId);
        // Update dt_expiration at t_item (the return value is not used here).
        $dt_expiration = Item::newInstance()->updateExpirationDate($itemId, $aItem['dt_expiration']);
        /**
         * META FIELDS
         */
        if($meta!='' && count($meta)>0) {
            $mField = Field::newInstance();
            foreach($meta as $k => $v) {
                // Multi-value meta (an array that is NOT a from/to date interval)
                // is stored comma-joined; a from/to array is passed through as-is.
                if(is_array($v) && !isset($v['from']) && !isset($v['to']) ) {
                    $v = implode(',', $v);
                }
                $mField->replace($itemId, $k, $v);
            }
        }
        // We need at least one record in t_item_stats
        $mStats = new ItemStats();
        $mStats->emptyRow($itemId);
        $item = $this->manager->findByPrimaryKey($itemId);
        $aItem['item'] = $item;
        Session::newInstance()->_set('last_publish_time', time());
        if(!$this->is_admin) {
            $this->sendEmails($aItem);
        }
        if($active=='INACTIVE') {
            $success = 1;
        } else {
            $aAux = array(
                'fk_i_user_id' => $aItem['userId'],
                'fk_i_category_id' => $aItem['catId'],
                'fk_c_country_code' => $location['fk_c_country_code'],
                'fk_i_region_id' => $location['fk_i_region_id'],
                'fk_i_city_id' => $location['fk_i_city_id']
            );
            // Spam-flagged items do not count towards the stats.
            if($is_spam == 0) {
                $this->_increaseStats($aAux);
            }
            $success = 2;
        }
        // Post-insert hook, receives the freshly loaded item row.
        osc_run_hook('posted_item', $item);
    }
    return $success;
}
/**
 * Front-end user controller (legacy variant): dispatches on $this->action.
 *
 * Compared with the bcrypt-based version of this controller, this one has no
 * CSRF check, compares an unsalted SHA-1 of the password with a loose `!=`,
 * and reads $_SERVER['HTTP_REFERER'] directly.
 *
 * Actions: 'login_post', 'recover', 'recover_post', 'forgot', 'forgot_post'
 * and the default login form.
 *
 * Guards call $this->redirectTo() without a following return, so the code
 * relies on redirectTo() ending the request. NOTE(review): not visible from
 * this block — confirm redirectTo() exits.
 *
 * @return void
 */
function doModel()
{
    switch ($this->action) {
        case 'login_post':
            // Post execution for the login form.
            if (!osc_users_enabled()) {
                osc_add_flash_error_message(_m('Users are not enabled'));
                $this->redirectTo(osc_base_url());
            }
            require_once LIB_PATH . 'osclass/UserActions.php';
            // Looked up by e-mail only; no emptiness check on the input first.
            $user = User::newInstance()->findByEmail(Params::getParam('email'));
            // Work out where to send the user after login. Priority (below):
            // 'http_referer' request parameter, then the session referer, then the
            // Referer header when its page= value is neither empty nor 'login'.
            // NOTE(review): the chosen value is passed to redirectTo() verbatim with
            // no check that it points at this site; validate it against
            // osc_base_url() before use.
            $url_redirect = osc_user_dashboard_url();
            $page_redirect = '';
            if (osc_rewrite_enabled()) {
                if (isset($_SERVER['HTTP_REFERER'])) {
                    // NOTE(review): osc_base_url() is interpolated into the pattern
                    // without preg_quote().
                    $request_uri = urldecode(preg_replace('@^' . osc_base_url() . '@', "", $_SERVER['HTTP_REFERER']));
                    $tmp_ar = explode("?", $request_uri);
                    $request_uri = $tmp_ar[0];
                    $rules = Rewrite::newInstance()->listRules();
                    foreach ($rules as $match => $uri) {
                        // $m is never read; $match is reused as the inner preg_match
                        // output, harmless only because the loop breaks right after.
                        if (preg_match('#' . $match . '#', $request_uri, $m)) {
                            $request_uri = preg_replace('#' . $match . '#', $uri, $request_uri);
                            if (preg_match('|([&?]{1})page=([^&]*)|', '&' . $request_uri . '&', $match)) {
                                $page_redirect = $match[2];
                            }
                            break;
                        }
                    }
                }
            } else {
                // Unlike the branch above, HTTP_REFERER is read here without isset().
                if (preg_match('|[\\?&]page=([^&]+)|', $_SERVER['HTTP_REFERER'] . '&', $match)) {
                    $page_redirect = $match[1];
                }
            }
            if (Params::getParam('http_referer') != '') {
                Session::newInstance()->_setReferer(Params::getParam('http_referer'));
                $url_redirect = Params::getParam('http_referer');
            } else {
                if (Session::newInstance()->_getReferer() != '') {
                    Session::newInstance()->_setReferer(Session::newInstance()->_getReferer());
                    $url_redirect = Session::newInstance()->_getReferer();
                } else {
                    if ($page_redirect != '' && $page_redirect != 'login') {
                        Session::newInstance()->_setReferer($_SERVER['HTTP_REFERER']);
                        $url_redirect = $_SERVER['HTTP_REFERER'];
                    }
                }
            }
            if (!$user) {
                // NOTE(review): distinguishable from the wrong-password message below,
                // so responses reveal whether an account exists.
                osc_add_flash_error_message(_m('The username doesn\'t exist'));
                $this->redirectTo(osc_user_login_url());
            }
            // NOTE(review): unsalted SHA-1, and a loose != between two strings is
            // compared numerically when both look numeric; use !== (as the admin
            // controller does) or hash_equals(). The later controller replaces this
            // with osc_verify_password().
            if ($user["s_password"] != sha1(Params::getParam('password'))) {
                osc_add_flash_error_message(_m('The password is incorrect'));
                $this->redirectTo(osc_user_login_url());
            }
            $uActions = new UserActions(false);
            // bootstrap_login() codes as interpreted here: 0 unknown user, 1 not yet
            // validated, 2 suspended, 3 logged in.
            $logged = $uActions->bootstrap_login($user['pk_i_id']);
            if ($logged == 0) {
                osc_add_flash_error_message(_m('The username doesn\'t exist'));
            } else {
                if ($logged == 1) {
                    osc_add_flash_error_message(_m('The user has not been validated yet'));
                } else {
                    if ($logged == 2) {
                        osc_add_flash_error_message(_m('The user has been suspended'));
                    } else {
                        if ($logged == 3) {
                            if (Params::getParam('remember') == 1) {
                                // Persistent login: fresh random secret on the user row,
                                // mirrored into the oc_userId/oc_userSecret cookies.
                                // This include provides the osc_genRandomPassword function.
                                require_once osc_lib_path() . 'osclass/helpers/hSecurity.php';
                                $secret = osc_genRandomPassword();
                                User::newInstance()->update(array('s_secret' => $secret), array('pk_i_id' => $user['pk_i_id']));
                                Cookie::newInstance()->set_expires(osc_time_cookie());
                                Cookie::newInstance()->push('oc_userId', $user['pk_i_id']);
                                Cookie::newInstance()->push('oc_userSecret', $secret);
                                Cookie::newInstance()->set();
                            }
                            $this->redirectTo($url_redirect);
                        } else {
                            osc_add_flash_error_message(_m('This should never happens'));
                        }
                    }
                }
            }
            // Every non-3 outcome ends on the login page; the b_enabled guard is
            // redundant with the unconditional redirect that follows it.
            if (!$user['b_enabled']) {
                $this->redirectTo(osc_user_login_url());
            }
            $this->redirectTo(osc_user_login_url());
            break;
        case 'recover':
            // Form to recover the password (the form itself lives in /gui/).
            $this->doView('user-recover.php');
            break;
        case 'recover_post':
            // Post execution to recover the password.
            require_once LIB_PATH . 'osclass/UserActions.php';
            // Reject malformed e-mail addresses.
            // NOTE(review): the pattern only accepts 2–3 letter TLDs, so valid
            // addresses under longer TLDs are rejected.
            if (!preg_match('|^[a-z0-9\\.\\_\\+\\-]+@[a-z0-9\\.\\-]+\\.[a-z]{2,3}$|i', Params::getParam('s_email'))) {
                osc_add_flash_error_message(_m('Invalid email address'));
                $this->redirectTo(osc_recover_user_password_url());
            }
            $userActions = new UserActions(false);
            // recover_password() codes: 0 ok, 1 unknown e-mail, 2 recaptcha wrong.
            // Any other value falls out of the switch without a redirect or a view.
            $success = $userActions->recover_password();
            switch ($success) {
                case 0: // recover ok
                    osc_add_flash_ok_message(_m('We have sent you an email with the instructions to reset your password'));
                    $this->redirectTo(osc_base_url());
                    break;
                case 1: // e-mail does not exist
                    osc_add_flash_error_message(_m('We were not able to identify you given the information provided'));
                    $this->redirectTo(osc_recover_user_password_url());
                    break;
                case 2: // recaptcha wrong
                    osc_add_flash_error_message(_m('The recaptcha code is wrong'));
                    $this->redirectTo(osc_recover_user_password_url());
                    break;
            }
            break;
        case 'forgot':
            // Password-reset form; the link is only valid for a matching userId + code.
            $user = User::newInstance()->findByIdPasswordSecret(Params::getParam('userId'), Params::getParam('code'));
            if ($user) {
                $this->doView('user-forgot_password.php');
            } else {
                osc_add_flash_error_message(_m('Sorry, the link is not valid'));
                $this->redirectTo(osc_base_url());
            }
            break;
        case 'forgot_post':
            // No CSRF check in this version.
            if (Params::getParam('new_password') == '' || Params::getParam('new_password2') == '') {
                osc_add_flash_warning_message(_m('Password cannot be blank'));
                $this->redirectTo(osc_forgot_user_password_confirm_url(Params::getParam('userId'), Params::getParam('code')));
            }
            $user = User::newInstance()->findByIdPasswordSecret(Params::getParam('userId'), Params::getParam('code'));
            // NOTE(review): the lookup's failure value is not tested before reading
            // $user['b_enabled']; the 'forgot' case checks `if ($user)` first.
            if ($user['b_enabled'] == 1) {
                if (Params::getParam('new_password') == Params::getParam('new_password2')) {
                    // Store sha1(new password); replace s_pass_code and reset s_pass_date
                    // to the epoch, presumably so the reset link cannot be reused.
                    User::newInstance()->update(array('s_pass_code' => osc_genRandomPassword(50), 's_pass_date' => date('Y-m-d H:i:s', 0), 's_pass_ip' => $_SERVER['REMOTE_ADDR'], 's_password' => sha1(Params::getParam('new_password'))), array('pk_i_id' => $user['pk_i_id']));
                    osc_add_flash_ok_message(_m('The password has been changed'));
                    $this->redirectTo(osc_user_login_url());
                } else {
                    osc_add_flash_error_message(_m('Error, the password don\'t match'));
                    $this->redirectTo(osc_forgot_user_password_confirm_url(Params::getParam('userId'), Params::getParam('code')));
                }
            } else {
                osc_add_flash_error_message(_m('Sorry, the link is not valid'));
            }
            $this->redirectTo(osc_base_url());
            break;
        default:
            // Login form; skipped when already logged in.
            if (osc_logged_user_id() != '') {
                $this->redirectTo(osc_user_dashboard_url());
            }
            $this->doView('user-login.php');
    }
}
/**
 * Admin login controller (SHA-1 variant): dispatches on $this->action.
 *
 * Actions: 'login_post' (credential check, optional remember-me cookies,
 * session bootstrap), 'recover' / 'recover_post' (reset-link request) and
 * 'forgot' / 'forgot_post' (reset link and new password). Flash messages are
 * all posted to the 'admin' section.
 *
 * No CSRF check in this version. Guards call $this->redirectTo() without a
 * following return (except one `return false`), so the code relies on
 * redirectTo() ending the request. NOTE(review): not visible from this block —
 * confirm redirectTo() exits.
 *
 * @return void|false  false only when the recaptcha check fails in 'recover_post'.
 */
function doModel()
{
    switch ($this->action) {
        case 'login_post':
            // Post execution for the login form.
            // Both fields empty: silent redirect, no message.
            if (Params::getParam('user') == '' && Params::getParam('password', false, false) == '') {
                $this->redirectTo(osc_admin_base_url());
            }
            if (Params::getParam('user') == '') {
                osc_add_flash_error_message(_m('The username field is empty'), 'admin');
                $this->redirectTo(osc_admin_base_url());
            }
            // NOTE(review): the emptiness check reads 'password' with the default
            // filtering while the hash below uses getParam('password', false, false);
            // the two can disagree on the same input — use the same call in both.
            if (Params::getParam('password') == '') {
                osc_add_flash_error_message(_m('The password field is empty'), 'admin');
                $this->redirectTo(osc_admin_base_url());
            }
            // Fields are not empty.
            $admin = Admin::newInstance()->findByUsername(Params::getParam('user'));
            if (!$admin) {
                // NOTE(review): distinct "incorrect username" / "incorrect password"
                // messages reveal which admin usernames exist; one generic message
                // is the usual mitigation.
                osc_add_flash_error_message(sprintf(_m('Sorry, incorrect username. <a href="%s">Have you lost your password?</a>'), osc_admin_base_url(true) . '?page=login&action=recover'), 'admin');
                $this->redirectTo(osc_admin_base_url());
            }
            // Strict comparison, but of an unsalted SHA-1; the later controller uses
            // osc_verify_password() with bcrypt.
            if ($admin["s_password"] !== sha1(Params::getParam('password', false, false))) {
                osc_add_flash_error_message(sprintf(_m('Sorry, incorrect password. <a href="%s">Have you lost your password?</a>'), osc_admin_base_url(true) . '?page=login&action=recover'), 'admin');
                $this->redirectTo(osc_admin_base_url());
            }
            if (Params::getParam('remember')) {
                // Persistent login: fresh random secret on the admin row, mirrored into
                // the oc_adminId/oc_adminSecret cookies together with the chosen locale.
                // This include provides the osc_genRandomPassword function.
                require_once osc_lib_path() . 'osclass/helpers/hSecurity.php';
                $secret = osc_genRandomPassword();
                Admin::newInstance()->update(array('s_secret' => $secret), array('pk_i_id' => $admin['pk_i_id']));
                Cookie::newInstance()->set_expires(osc_time_cookie());
                Cookie::newInstance()->push('oc_adminId', $admin['pk_i_id']);
                Cookie::newInstance()->push('oc_adminSecret', $secret);
                Cookie::newInstance()->push('oc_adminLocale', Params::getParam('locale'));
                Cookie::newInstance()->set();
            }
            // We are logged in... let's go! The session is populated directly here.
            Session::newInstance()->_set('adminId', $admin['pk_i_id']);
            Session::newInstance()->_set('adminUserName', $admin['s_username']);
            Session::newInstance()->_set('adminName', $admin['s_name']);
            Session::newInstance()->_set('adminEmail', $admin['s_email']);
            Session::newInstance()->_set('adminLocale', Params::getParam('locale'));
            $this->redirectTo(osc_admin_base_url());
            break;
        case 'recover':
            // Form to recover the password (the form itself lives in /gui/).
            $this->doView('gui/recover.php');
            break;
        case 'recover_post':
            if (defined('DEMO')) {
                osc_add_flash_warning_message(_m("This action cannot be done because is a demo site"), 'admin');
                $this->redirectTo(osc_admin_base_url());
            }
            // Post execution to recover the password.
            $admin = Admin::newInstance()->findByEmail(Params::getParam('email'));
            if ($admin) {
                // NOTE(review): the captcha is verified only when a private key is set
                // AND the request carries recaptcha_challenge_field, so a request that
                // omits that field skips the check; enforce it whenever a key is configured.
                if (osc_recaptcha_private_key() != '' && Params::existParam("recaptcha_challenge_field")) {
                    if (!osc_check_recaptcha()) {
                        osc_add_flash_error_message(_m('The Recaptcha code is wrong'), 'admin');
                        $this->redirectTo(osc_admin_base_url(true) . '?page=login&action=recover');
                        return false; // BREAK THE PROCESS, THE RECAPTCHA IS WRONG
                    }
                }
                // Despite the variable name, this is a one-time secret for the reset
                // link, not the new password: it is stored as s_secret and embedded in
                // the confirm URL that the e-mail hook sends.
                require_once osc_lib_path() . 'osclass/helpers/hSecurity.php';
                $newPassword = osc_genRandomPassword(40);
                Admin::newInstance()->update(array('s_secret' => $newPassword), array('pk_i_id' => $admin['pk_i_id']));
                $password_url = osc_forgot_admin_password_confirm_url($admin['pk_i_id'], $newPassword);
                osc_run_hook('hook_email_user_forgot_password', $admin, $password_url);
            }
            // Same message whether or not the e-mail matched an admin, which avoids
            // revealing registered addresses.
            osc_add_flash_ok_message(_m('A new password has been sent to your e-mail'), 'admin');
            $this->redirectTo(osc_admin_base_url());
            break;
        case 'forgot':
            // Reset form; only shown for a matching adminId + code.
            $admin = Admin::newInstance()->findByIdSecret(Params::getParam('adminId'), Params::getParam('code'));
            if (!$admin) {
                osc_add_flash_error_message(_m('Sorry, the link is not valid'), 'admin');
                $this->redirectTo(osc_admin_base_url());
            }
            $this->doView('gui/forgot_password.php');
            break;
        case 'forgot_post':
            $admin = Admin::newInstance()->findByIdSecret(Params::getParam('adminId'), Params::getParam('code'));
            if (!$admin) {
                osc_add_flash_error_message(_m('Sorry, the link is not valid'), 'admin');
                $this->redirectTo(osc_admin_base_url());
            }
            // NOTE(review): only equality of the two fields is checked; two empty
            // strings pass and sha1('') becomes the admin password. The front-end
            // controller's "Password cannot be blank" guard is missing here.
            if (Params::getParam('new_password', false, false) == Params::getParam('new_password2', false, false)) {
                // s_secret is rotated at the same time, which invalidates the link used.
                Admin::newInstance()->update(array('s_secret' => osc_genRandomPassword(), 's_password' => sha1(Params::getParam('new_password', false, false))), array('pk_i_id' => $admin['pk_i_id']));
                osc_add_flash_ok_message(_m('The password has been changed'), 'admin');
                $this->redirectTo(osc_admin_base_url());
            } else {
                osc_add_flash_error_message(_m("Error, the password don't match"), 'admin');
                $this->redirectTo(osc_forgot_admin_password_confirm_url(Params::getParam('adminId'), Params::getParam('code')));
            }
            break;
    }
}
/**
 * Front-end user controller (earliest variant): dispatches on $this->action.
 *
 * This version populates the session itself instead of going through
 * UserActions::bootstrap_login(), uses a single osc_add_flash_message()
 * flavour, has no CSRF check, and compares an unsalted SHA-1 of the password
 * with a loose `==`.
 *
 * Actions: 'login_post', 'recover', 'recover_post', 'forgot', 'forgot_post'
 * and the default login form.
 *
 * Guards call $this->redirectTo() without a following return, so the code
 * relies on redirectTo() ending the request. NOTE(review): not visible from
 * this block — confirm redirectTo() exits.
 *
 * @return void
 */
function doModel()
{
    switch ($this->action) {
        case 'login_post':
            // Post execution for the login form.
            $user = User::newInstance()->findByEmail(Params::getParam('email'));
            // NOTE(review): existence and activation state are reported before the
            // password is verified, with three distinguishable messages; a single
            // generic message after verification is the usual mitigation.
            if (!$user) {
                osc_add_flash_message(_m('The username doesn\'t exist'));
                $this->redirectTo(osc_user_login_url());
            }
            if (!$user['b_enabled']) {
                osc_add_flash_message(_m('The user has not been validated yet'));
                $this->redirectTo(osc_user_login_url());
            }
            // NOTE(review): unsalted SHA-1, and a loose == between two strings is
            // compared numerically when both look numeric; use === or hash_equals().
            if ($user["s_password"] == sha1(Params::getParam('password'))) {
                if (Params::getParam('remember') == 1) {
                    // Persistent login: fresh random secret on the user row, mirrored
                    // into the oc_userId/oc_userSecret cookies.
                    // This include provides the osc_genRandomPassword function.
                    require_once osc_lib_path() . 'osclass/helpers/hSecurity.php';
                    $secret = osc_genRandomPassword();
                    User::newInstance()->update(array('s_secret' => $secret), array('pk_i_id' => $user['pk_i_id']));
                    Cookie::newInstance()->set_expires(osc_time_cookie());
                    Cookie::newInstance()->push('oc_userId', $user['pk_i_id']);
                    Cookie::newInstance()->push('oc_userSecret', $secret);
                    Cookie::newInstance()->set();
                }
                // We are logged in... let's go! Session populated directly here;
                // the phone falls back to the landline when no mobile is set.
                Session::newInstance()->_set('userId', $user['pk_i_id']);
                Session::newInstance()->_set('userName', $user['s_name']);
                Session::newInstance()->_set('userEmail', $user['s_email']);
                $phone = $user['s_phone_mobile'] ? $user['s_phone_mobile'] : $user['s_phone_land'];
                Session::newInstance()->_set('userPhone', $phone);
            } else {
                osc_add_flash_message(_m('The password is incorrect'));
            }
            // Both outcomes (logged in or wrong password) end on the dashboard URL.
            $this->redirectTo(osc_user_dashboard_url());
            break;
        case 'recover':
            // Form to recover the password (the form itself lives in /gui/).
            $this->doView('user-recover.php');
            break;
        case 'recover_post':
            // Post execution to recover the password; recover_password() is read as
            // a boolean here (truthy = recaptcha ok), unlike the later controllers
            // which switch on 0/1/2.
            require_once LIB_PATH . 'osclass/UserActions.php';
            $userActions = new UserActions(false);
            $recaptcha_ok = $userActions->recover_password();
            if ($recaptcha_ok) {
                // We ALWAYS show the same message, so we don't give clues about which emails are in our database and which don't!
                osc_add_flash_message(_m('We have sent you an email with the instructions to reset your password'));
                $this->redirectTo(osc_base_url());
            } else {
                osc_add_flash_message(_m('The recaptcha code is wrong'));
                $this->redirectTo(osc_recover_user_password_url());
            }
            break;
        case 'forgot':
            // Password-reset form; the link is only valid for a matching userId + code.
            $user = User::newInstance()->findByIdPasswordSecret(Params::getParam('userId'), Params::getParam('code'));
            if ($user) {
                $this->doView('user-forgot_password.php');
            } else {
                osc_add_flash_message(_m('Sorry, the link is not valid'));
                $this->redirectTo(osc_base_url());
            }
            break;
        case 'forgot_post':
            $user = User::newInstance()->findByIdPasswordSecret(Params::getParam('userId'), Params::getParam('code'));
            // Unlike the later controllers, neither b_enabled nor an empty new
            // password is checked: two empty strings pass the equality test and
            // sha1('') is stored.
            if ($user) {
                if (Params::getParam('new_password') == Params::getParam('new_password2')) {
                    // Store sha1(new password); replace s_pass_code and reset s_pass_date
                    // to the epoch, presumably so the reset link cannot be reused.
                    User::newInstance()->update(array('s_pass_code' => osc_genRandomPassword(50), 's_pass_date' => date('Y-m-d H:i:s', 0), 's_pass_ip' => $_SERVER['REMOTE_ADDR'], 's_password' => sha1(Params::getParam('new_password'))), array('pk_i_id' => $user['pk_i_id']));
                    osc_add_flash_message(_m('The password has been changed'));
                    $this->redirectTo(osc_user_login_url());
                } else {
                    osc_add_flash_message(_m('Error, the password don\'t match'));
                    $this->redirectTo(osc_forgot_user_password_confirm_url(Params::getParam('userId'), Params::getParam('code')));
                }
            } else {
                osc_add_flash_message(_m('Sorry, the link is not valid'));
            }
            $this->redirectTo(osc_base_url());
            break;
        default:
            // Login form; skipped when already logged in.
            if (osc_logged_user_id() != '') {
                $this->redirectTo(osc_user_dashboard_url());
            }
            $this->doView('user-login.php');
    }
}
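/**
 * Dispatch the admin login / password-recovery action named by $this->action.
 *
 * Actions handled: 'login_post', 'recover', 'recover_post', 'forgot' and
 * 'forgot_post'; any other value stores the referer in the session and
 * renders the login form.
 *
 * Security notes:
 *  - login_post, recover_post and forgot_post are CSRF-checked.
 *  - Passwords are verified with osc_verify_password(). A stored hash that is
 *    not bcrypt, or is bcrypt at a cost other than BCRYPT_COST, is re-hashed
 *    with the just-verified plaintext, so legacy digests age out on login.
 *  - The post-login redirect comes from the stored referer and is only
 *    followed when it points back into the admin panel.
 *  - The recovery flow reports the same message whether or not the e-mail is
 *    known, so it does not reveal which addresses exist.
 *  - NOTE(review): the 'locale' parameter is stored in session and cookie
 *    as received; consumers should validate it against the installed locales.
 */
function doModel()
{
    switch ($this->action) {
        case 'login_post':
            // post execution for the login
            osc_csrf_check();
            osc_run_hook('before_login_admin');

            $url_redirect = osc_get_http_referer();
            $page_redirect = '';
            $password = Params::getParam('password', false, false);
            if (preg_match('|[\\?&]page=([^&]+)|', $url_redirect . '&', $match)) {
                $page_redirect = $match[1];
            }
            if ($page_redirect == '' || $page_redirect == 'login' || $url_redirect == '') {
                $url_redirect = osc_admin_base_url();
            }
            // The referer is request-controlled data: only follow it back into
            // the admin panel, never to an arbitrary (off-site) location.
            if (strpos($url_redirect, osc_admin_base_url()) !== 0) {
                $url_redirect = osc_admin_base_url();
            }

            if (Params::getParam('user') == '') {
                osc_add_flash_error_message(_m('The username field is empty'), 'admin');
                $this->redirectTo(osc_admin_base_url(true) . "?page=login");
            }
            if ($password == '') {
                osc_add_flash_error_message(_m('The password field is empty'), 'admin');
                $this->redirectTo(osc_admin_base_url(true) . "?page=login");
            }

            // fields are not empty
            $admin = Admin::newInstance()->findByUsername(Params::getParam('user'));
            if (!$admin) {
                osc_add_flash_error_message(
                    sprintf(
                        _m('Sorry, incorrect username. <a href="%s">Have you lost your password?</a>'),
                        osc_admin_base_url(true) . '?page=login&action=recover'
                    ),
                    'admin'
                );
                $this->redirectTo(osc_admin_base_url(true) . "?page=login");
            }
            if (!osc_verify_password($password, $admin['s_password'])) {
                osc_add_flash_error_message(
                    sprintf(
                        _m('Sorry, incorrect password. <a href="%s">Have you lost your password?</a>'),
                        osc_admin_base_url(true) . '?page=login&action=recover'
                    ),
                    'admin'
                );
                $this->redirectTo(osc_admin_base_url(true) . "?page=login");
            } else {
                // Transparent re-hash: anything that is not bcrypt at the
                // configured cost is replaced now that the plaintext is known
                // to be correct. An empty stored hash is left alone.
                $storedHash = isset($admin['s_password']) ? (string) $admin['s_password'] : '';
                if ($storedHash !== '') {
                    $needsRehash = true;
                    if (preg_match('|\\$2y\\$([0-9]{2})\\$|', $storedHash, $cost)) {
                        // $cost[1] is the two-digit cost captured from the hash.
                        $needsRehash = (int) $cost[1] !== (int) BCRYPT_COST;
                    }
                    if ($needsRehash) {
                        Admin::newInstance()->update(
                            array('s_password' => osc_hash_password($password)),
                            array('pk_i_id' => $admin['pk_i_id'])
                        );
                    }
                }
            }

            if (Params::getParam('remember')) {
                // this include contains the osc_genRandomPassword function
                require_once osc_lib_path() . 'osclass/helpers/hSecurity.php';
                // A fresh per-login secret backs the "remember me" cookie.
                $secret = osc_genRandomPassword();
                Admin::newInstance()->update(
                    array('s_secret' => $secret),
                    array('pk_i_id' => $admin['pk_i_id'])
                );
                Cookie::newInstance()->set_expires(osc_time_cookie());
                Cookie::newInstance()->push('oc_adminId', $admin['pk_i_id']);
                Cookie::newInstance()->push('oc_adminSecret', $secret);
                Cookie::newInstance()->push('oc_adminLocale', Params::getParam('locale'));
                Cookie::newInstance()->set();
            }

            // we are logged in... let's go!
            Session::newInstance()->_set('adminId', $admin['pk_i_id']);
            Session::newInstance()->_set('adminUserName', $admin['s_username']);
            Session::newInstance()->_set('adminName', $admin['s_name']);
            Session::newInstance()->_set('adminEmail', $admin['s_email']);
            Session::newInstance()->_set('adminLocale', Params::getParam('locale'));
            osc_run_hook('login_admin', $admin);
            $this->redirectTo($url_redirect);
            break;

        case 'recover':
            // form to recover the password (in this case we have the form in /gui/)
            $this->doView('gui/recover.php');
            break;

        case 'recover_post':
            if (defined('DEMO')) {
                osc_add_flash_warning_message(_m("This action can't be done because it's a demo site"), 'admin');
                $this->redirectTo(osc_admin_base_url());
            }
            osc_csrf_check();

            // post execution to recover the password
            $admin = Admin::newInstance()->findByEmail(Params::getParam('email'));
            if ($admin) {
                // The captcha is enforced whenever a private key is configured.
                if (osc_recaptcha_private_key() != '') {
                    if (!osc_check_recaptcha()) {
                        osc_add_flash_error_message(_m('The reCAPTCHA code is wrong'), 'admin');
                        $this->redirectTo(osc_admin_base_url(true) . '?page=login&action=recover');
                        return false; // BREAK THE PROCESS, THE RECAPTCHA IS WRONG
                    }
                }
                require_once osc_lib_path() . 'osclass/helpers/hSecurity.php';
                // The recovery secret doubles as the one-time code in the link.
                $newPassword = osc_genRandomPassword(40);
                Admin::newInstance()->update(
                    array('s_secret' => $newPassword),
                    array('pk_i_id' => $admin['pk_i_id'])
                );
                $password_url = osc_forgot_admin_password_confirm_url($admin['pk_i_id'], $newPassword);
                osc_run_hook('hook_email_user_forgot_password', $admin, $password_url);
            }
            // Same message for known and unknown addresses.
            osc_add_flash_ok_message(_m('A new password has been sent to your e-mail'), 'admin');
            $this->redirectTo(osc_admin_base_url(true) . '?page=login');
            break;

        case 'forgot':
            // form to set a new password; (adminId, code) must match the secret
            $admin = Admin::newInstance()->findByIdSecret(Params::getParam('adminId'), Params::getParam('code'));
            if (!$admin) {
                osc_add_flash_error_message(_m('Sorry, the link is not valid'), 'admin');
                $this->redirectTo(osc_admin_base_url());
            }
            $this->doView('gui/forgot_password.php');
            break;

        case 'forgot_post':
            osc_csrf_check();
            $admin = Admin::newInstance()->findByIdSecret(Params::getParam('adminId'), Params::getParam('code'));
            if (!$admin) {
                osc_add_flash_error_message(_m('Sorry, the link is not valid'), 'admin');
                $this->redirectTo(osc_admin_base_url());
            }
            $newPassword = Params::getParam('new_password', false, false);
            // Strict comparison: both fields are user-supplied strings.
            if ($newPassword === Params::getParam('new_password2', false, false)) {
                // Rotating s_secret invalidates the recovery link just used.
                Admin::newInstance()->update(
                    array(
                        's_secret' => osc_genRandomPassword(),
                        's_password' => osc_hash_password($newPassword),
                    ),
                    array('pk_i_id' => $admin['pk_i_id'])
                );
                osc_add_flash_ok_message(_m('The password has been changed'), 'admin');
                $this->redirectTo(osc_admin_base_url(true) . '?page=login');
            } else {
                osc_add_flash_error_message(_m("Error, the passwords don't match"), 'admin');
                $this->redirectTo(osc_forgot_admin_password_confirm_url(Params::getParam('adminId'), Params::getParam('code')));
            }
            break;

        default:
            // Remember where the admin came from so login_post can return there.
            Session::newInstance()->_setReferer(osc_get_http_referer());
            $this->doView('gui/login.php');
            break;
    }
}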
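/**
 * Validate the item held in $this->data and, when it is clean, persist it
 * together with its locales, location, uploaded resources, meta fields and
 * stats row.
 *
 * The return value is overloaded (callers switch on it):
 *  - string: newline-separated validation messages; nothing was written;
 *  - int 1:  the item was stored as INACTIVE (pending validation);
 *  - int 2:  the item was stored as ACTIVE; the owner's item count and the
 *            category counters were increased.
 *
 * Input handling: titles are tag-stripped, descriptions pass through
 * HTMLPurifier with a short tag/CSS whitelist, name and address fields go
 * through osc_sanitize_name(), and non-admin submissions are throttled by the
 * 'last_submit_item' timestamp kept in the session (mirrored to a cookie).
 *
 * @return string|int
 */
public function add()
{
    $aItem = $this->data;
    $code = osc_genRandomPassword();
    $flash_error = '';

    // Initiate HTML Purifier (descriptions may carry limited rich text only)
    require_once LIB_PATH . 'htmlpurifier/HTMLPurifier.auto.php';
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'b,strong,i,em,u,a[href|title],ul,ol,li,p[style],br,span[style]');
    $config->set('CSS.AllowedProperties', 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align');
    $config->set('Cache.SerializerPath', ABS_PATH . 'oc-content/uploads');
    $purifier = new HTMLPurifier($config);

    // Check status
    $active = $aItem['active'];

    // Sanitize. The per-locale arrays used to be read through "@", which hid
    // a missing key; test for it explicitly instead.
    if (isset($aItem['title']) && is_array($aItem['title'])) {
        foreach ($aItem['title'] as $key => $value) {
            $aItem['title'][$key] = strip_tags(trim($value));
        }
    }
    if (isset($aItem['description']) && is_array($aItem['description'])) {
        foreach ($aItem['description'] as $key => $value) {
            $aItem['description'][$key] = $purifier->purify($value);
        }
    }
    $aItem['price'] = !is_null($aItem['price']) ? strip_tags(trim($aItem['price'])) : $aItem['price'];
    $contactName = osc_sanitize_name(strip_tags(trim($aItem['contactName'])));
    $contactEmail = strip_tags(trim($aItem['contactEmail']));
    $aItem['cityArea'] = osc_sanitize_name(strip_tags(trim($aItem['cityArea'])));
    $aItem['address'] = osc_sanitize_name(strip_tags(trim($aItem['address'])));

    // Anonymous
    $contactName = osc_validate_text($contactName, 3) ? $contactName : __("Anonymous");

    // Sanitized per-locale values, as arrays, for the checks below.
    $titles = isset($aItem['title']) && is_array($aItem['title']) ? $aItem['title'] : array();
    $descriptions = isset($aItem['description']) && is_array($aItem['description']) ? $aItem['description'] : array();

    // Validate
    if (!$this->checkAllowedExt($aItem['photos'])) {
        $flash_error .= _m("Image with incorrect extension.") . PHP_EOL;
    }
    if (!$this->checkSize($aItem['photos'])) {
        $flash_error .= _m("Images too big. Max. size ") . osc_max_size_kb() . " Kb" . PHP_EOL;
    }

    // One acceptable title (or description) in any locale is enough: the
    // messages accumulated so far are discarded as soon as a valid one is found.
    $title_message = '';
    foreach ($titles as $key => $value) {
        if (osc_validate_text($value, 1) && osc_validate_max($value, 100)) {
            $title_message = '';
            break;
        }
        $title_message .= (!osc_validate_text($value, 1) ? _m("Title too short.") . PHP_EOL : '')
            . (!osc_validate_max($value, 100) ? _m("Title too long.") . PHP_EOL : '');
    }
    $flash_error .= $title_message;

    $desc_message = '';
    foreach ($descriptions as $key => $value) {
        if (osc_validate_text($value, 3) && osc_validate_max($value, 5000)) {
            $desc_message = '';
            break;
        }
        $desc_message .= (!osc_validate_text($value, 3) ? _m("Description too short.") . PHP_EOL : '')
            . (!osc_validate_max($value, 5000) ? _m("Description too long.") . PHP_EOL : '');
    }
    $flash_error .= $desc_message;

    // The (int) cast keeps the subtraction well-defined when the session holds
    // no timestamp yet (a non-numeric value would be a TypeError on PHP 8).
    $lastSubmit = (int) Session::newInstance()->_get('last_submit_item');
    $flash_error .= (!osc_validate_category($aItem['catId']) ? _m("Category invalid.") . PHP_EOL : '')
        . (!osc_validate_number($aItem['price']) ? _m("Price must be number.") . PHP_EOL : '')
        . (!osc_validate_max($aItem['price'], 15) ? _m("Price too long.") . PHP_EOL : '')
        . (!osc_validate_max($contactName, 35) ? _m("Name too long.") . PHP_EOL : '')
        . (!osc_validate_email($contactEmail) ? _m("Email invalid.") . PHP_EOL : '')
        . (!osc_validate_text($aItem['countryName'], 3, false) ? _m("Country too short.") . PHP_EOL : '')
        . (!osc_validate_max($aItem['countryName'], 50) ? _m("Country too long.") . PHP_EOL : '')
        . (!osc_validate_text($aItem['regionName'], 3, false) ? _m("Region too short.") . PHP_EOL : '')
        . (!osc_validate_max($aItem['regionName'], 50) ? _m("Region too long.") . PHP_EOL : '')
        . (!osc_validate_text($aItem['cityName'], 3, false) ? _m("City too short.") . PHP_EOL : '')
        . (!osc_validate_max($aItem['cityName'], 50) ? _m("City too long.") . PHP_EOL : '')
        . (!osc_validate_text($aItem['cityArea'], 3, false) ? _m("Municipality too short.") . PHP_EOL : '')
        . (!osc_validate_max($aItem['cityArea'], 50) ? _m("Municipality too long.") . PHP_EOL : '')
        . (!osc_validate_text($aItem['address'], 3, false) ? _m("Address too short.") . PHP_EOL : '')
        . (!osc_validate_max($aItem['address'], 100) ? _m("Address too long.") . PHP_EOL : '')
        . (time() - $lastSubmit < osc_items_wait_time() && !$this->is_admin ? _m("Too fast. You should wait a little to publish your ad.") . PHP_EOL : '');

    // Meta fields: is_array() rather than "!= ''", because count() on a
    // non-array value throws on PHP 8.
    $meta = Params::getParam("meta");
    $hasMeta = is_array($meta) && count($meta) > 0;
    if ($hasMeta) {
        $mField = Field::newInstance();
        foreach ($meta as $k => $v) {
            if ($v === '' || $v === null) {
                $field = $mField->findByPrimaryKey($k);
                if ($field['b_required'] == 1) {
                    $flash_error .= sprintf(_m("%s field is required."), $field['s_name']);
                }
            }
        }
    }

    // hook pre add or edit
    osc_run_hook('pre_item_post');

    // Handle error
    if ($flash_error) {
        return $flash_error;
    }

    $this->manager->insert(array(
        'fk_i_user_id' => $aItem['userId'],
        'dt_pub_date' => date('Y-m-d H:i:s'),
        'fk_i_category_id' => $aItem['catId'],
        'i_price' => $aItem['price'],
        'fk_c_currency_code' => $aItem['currency'],
        's_contact_name' => $contactName,
        's_contact_email' => $contactEmail,
        's_secret' => $code,
        'b_active' => $active == 'ACTIVE' ? 1 : 0,
        'b_enabled' => 1,
        'b_show_email' => $aItem['showEmail'],
    ));

    if (!$this->is_admin) {
        // Track spam delay: Session
        Session::newInstance()->_set('last_submit_item', time());
        // Track spam delay: Cookie
        Cookie::newInstance()->set_expires(osc_time_cookie());
        Cookie::newInstance()->push('last_submit_item', time());
        Cookie::newInstance()->set();
    }

    $itemId = $this->manager->dao->insertedId();
    Log::newInstance()->insertLog(
        'item',
        'add',
        $itemId,
        current(array_values($titles)),
        $this->is_admin ? 'admin' : 'user',
        $this->is_admin ? osc_logged_admin_id() : osc_logged_user_id()
    );
    Params::setParam('itemId', $itemId);

    // INSERT title and description locales
    $this->insertItemLocales('ADD', $aItem['title'], $aItem['description'], $itemId);

    // INSERT location item
    $location = array(
        'fk_i_item_id' => $itemId,
        'fk_c_country_code' => $aItem['countryId'],
        's_country' => $aItem['countryName'],
        'fk_i_region_id' => $aItem['regionId'],
        's_region' => $aItem['regionName'],
        'fk_i_city_id' => $aItem['cityId'],
        's_city' => $aItem['cityName'],
        's_city_area' => $aItem['cityArea'],
        's_address' => $aItem['address'],
    );
    $locationManager = ItemLocation::newInstance();
    $locationManager->insert($location);

    $this->uploadItemResources($aItem['photos'], $itemId);

    // META FIELDS
    if ($hasMeta) {
        $mField = Field::newInstance();
        foreach ($meta as $k => $v) {
            $mField->replace($itemId, $k, $v);
        }
    }

    osc_run_hook('item_form_post', $aItem['catId'], $itemId);

    // We need at least one record in t_item_stats
    $mStats = new ItemStats();
    $mStats->emptyRow($itemId);

    $item = $this->manager->findByPrimaryKey($itemId);
    $aItem['item'] = $item;
    osc_run_hook('after_item_post');

    Session::newInstance()->_set('last_publish_time', time());
    if (!$this->is_admin) {
        $this->sendEmails($aItem);
    }

    if ($active == 'INACTIVE') {
        return 1;
    }

    // ACTIVE: bump the owner's and the category's item counters.
    if ($aItem['userId'] != null) {
        $user = User::newInstance()->findByPrimaryKey($aItem['userId']);
        if ($user) {
            User::newInstance()->update(
                array('i_items' => $user['i_items'] + 1),
                array('pk_i_id' => $user['pk_i_id'])
            );
        }
    }
    CategoryStats::newInstance()->increaseNumItems($aItem['catId']);
    return 2;
}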
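/**
 * Dispatch the admin login / password-recovery action named by $this->action.
 *
 * Actions handled: 'login_post', 'recover', 'recover_post', 'forgot' and
 * 'forgot_post'; any other value does nothing.
 *
 * Security notes (this is the legacy sha1 variant of the admin controller):
 *  - Stored passwords are unsalted sha1 digests. The digest comparison uses
 *    hash_equals() so that PHP's loose "==" cannot treat two numeric-looking
 *    digests ("0e...") as equal, and so the comparison is constant-time.
 *    Moving to osc_hash_password()/osc_verify_password(), as the newer
 *    controllers on this page do, requires re-hashing the stored digests.
 *  - recover_post enforces the reCAPTCHA whenever a private key is
 *    configured; it used to be skipped when the challenge field was absent
 *    from the request, which let the client decide whether it applied.
 *  - NOTE(review): there is no osc_csrf_check() on the POST actions here;
 *    the forms must carry the token before that guard can be added.
 *  - NOTE(review): login_post reports "username does not exist" and
 *    "password is incorrect" separately; the newer variant does the same.
 */
function doModel()
{
    switch ($this->action) {
        case 'login_post':
            // post execution for the login
            $admin = Admin::newInstance()->findByUsername(Params::getParam('user'));
            if ($admin) {
                // Strict, constant-time digest comparison (see docblock).
                $storedDigest = isset($admin['s_password']) ? (string) $admin['s_password'] : '';
                if (hash_equals($storedDigest, sha1(Params::getParam('password')))) {
                    if (Params::getParam('remember')) {
                        // this include contains the osc_genRandomPassword function
                        require_once osc_lib_path() . 'osclass/helpers/hSecurity.php';
                        // A fresh per-login secret backs the "remember me" cookie.
                        $secret = osc_genRandomPassword();
                        Admin::newInstance()->update(
                            array('s_secret' => $secret),
                            array('pk_i_id' => $admin['pk_i_id'])
                        );
                        Cookie::newInstance()->set_expires(osc_time_cookie());
                        Cookie::newInstance()->push('oc_adminId', $admin['pk_i_id']);
                        Cookie::newInstance()->push('oc_adminSecret', $secret);
                        Cookie::newInstance()->push('oc_adminLocale', Params::getParam('locale'));
                        Cookie::newInstance()->set();
                    }
                    // we are logged in... let's go!
                    Session::newInstance()->_set('adminId', $admin['pk_i_id']);
                    Session::newInstance()->_set('adminUserName', $admin['s_username']);
                    Session::newInstance()->_set('adminName', $admin['s_name']);
                    Session::newInstance()->_set('adminEmail', $admin['s_email']);
                    Session::newInstance()->_set('adminLocale', Params::getParam('locale'));
                } else {
                    osc_add_flash_message(_m('The password is incorrect'), 'admin');
                }
            } else {
                osc_add_flash_message(_m('That username does not exist'), 'admin');
            }
            // returning logged in to the main page...
            $this->redirectTo(osc_admin_base_url());
            break;

        case 'recover':
            // form to recover the password (in this case we have the form in /gui/)
            // #dev.conquer: we cannot use the doView here and only here
            $this->doView('gui/recover.php');
            break;

        case 'recover_post':
            // post execution to recover the password
            $admin = Admin::newInstance()->findByEmail(Params::getParam('email'));
            if ($admin) {
                // Enforced whenever a key is configured, regardless of which
                // fields the request happens to contain.
                if (osc_recaptcha_private_key() != '') {
                    if (!osc_check_recaptcha()) {
                        osc_add_flash_message(_m('The Recaptcha code is wrong'), 'admin');
                        $this->redirectTo(osc_admin_base_url(true) . '?page=login&action=recover');
                        return false; // BREAK THE PROCESS, THE RECAPTCHA IS WRONG
                    }
                }
                require_once osc_lib_path() . 'osclass/helpers/hSecurity.php';
                // The recovery secret doubles as the one-time code in the link.
                $newPassword = osc_genRandomPassword(40);
                Admin::newInstance()->update(
                    array('s_secret' => $newPassword),
                    array('pk_i_id' => $admin['pk_i_id'])
                );
                $password_link = osc_forgot_admin_password_confirm_url($admin['pk_i_id'], $newPassword);

                // Pick the e-mail template in the current locale, falling back
                // to the first available one. current() on an empty list
                // returns false, so only a real template array is used.
                $aPage = Page::newInstance()->findByInternalName('email_user_forgot_password');
                $locale = osc_current_user_locale();
                $content = null;
                if (isset($aPage['locale'][$locale]['s_title'])) {
                    $content = $aPage['locale'][$locale];
                } elseif (isset($aPage['locale']) && is_array($aPage['locale']) && count($aPage['locale']) > 0) {
                    $content = current($aPage['locale']);
                }
                if (is_array($content)) {
                    $words = array();
                    $words[] = array('{USER_NAME}', '{USER_EMAIL}', '{WEB_TITLE}', '{IP_ADDRESS}', '{PASSWORD_LINK}', '{DATE_TIME}');
                    $words[] = array(
                        $admin['s_name'],
                        $admin['s_email'],
                        osc_page_title(),
                        $_SERVER['REMOTE_ADDR'],
                        $password_link,
                        date(osc_time_format() . ' ' . osc_date_format()),
                    );
                    $title = osc_mailBeauty($content['s_title'], $words);
                    $body = osc_mailBeauty($content['s_text'], $words);
                    $emailParams = array(
                        'subject' => $title,
                        'to' => $admin['s_email'],
                        'to_name' => $admin['s_name'],
                        'body' => $body,
                        'alt_body' => $body,
                    );
                    osc_sendMail($emailParams);
                }
            }
            // Same message for known and unknown addresses.
            osc_add_flash_message(_m('A new password has been sent to your e-mail'), 'admin');
            $this->redirectTo(osc_admin_base_url());
            break;

        case 'forgot':
            // form to set a new password; (adminId, code) must match the secret
            $admin = Admin::newInstance()->findByIdSecret(Params::getParam('adminId'), Params::getParam('code'));
            if ($admin) {
                $this->doView('gui/forgot_password.php');
            } else {
                osc_add_flash_message(_m('Sorry, the link is not valid'), 'admin');
                $this->redirectTo(osc_admin_base_url());
            }
            break;

        case 'forgot_post':
            $admin = Admin::newInstance()->findByIdSecret(Params::getParam('adminId'), Params::getParam('code'));
            if ($admin) {
                // Strict comparison: both fields are user-supplied strings.
                if (Params::getParam('new_password') === Params::getParam('new_password2')) {
                    // Rotating s_secret invalidates the recovery link just
                    // used. The password stays sha1 so that login_post keeps
                    // accepting it; migrate both together.
                    Admin::newInstance()->update(
                        array(
                            's_secret' => osc_genRandomPassword(),
                            's_password' => sha1(Params::getParam('new_password')),
                        ),
                        array('pk_i_id' => $admin['pk_i_id'])
                    );
                    osc_add_flash_message(_m('The password has been changed'), 'admin');
                    $this->redirectTo(osc_admin_base_url());
                } else {
                    osc_add_flash_message(_m('Error, the password don\'t match'), 'admin');
                    $this->redirectTo(osc_forgot_admin_password_confirm_url(Params::getParam('adminId'), Params::getParam('code')));
                }
            } else {
                osc_add_flash_message(_m('Sorry, the link is not valid'), 'admin');
            }
            $this->redirectTo(osc_admin_base_url());
            break;
    }
}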