/** * Generates a page for the first step of password recovery process. * * @param Request $request * @return string Rendered page content */ public function indexAction(Request $request) { if ($this->getOperator()) { // If the operator is logged in just redirect him to the home page. return $this->redirect($request->getUriForPath('/operator')); } $page = array('version' => MIBEW_VERSION, 'title' => getlocal('Trouble Accessing Your Account?'), 'headertitle' => getlocal('Mibew Messenger'), 'show_small_login' => true, 'fixedwrap' => true, 'errors' => array()); $login_or_email = ''; if ($request->isMethod('POST')) { // When HTTP GET method is used the form is just rendered but the // user does not pass any data. Thus we need to prevent CSRF attacks // only for POST requests csrf_check_token($request); } if ($request->isMethod('POST') && $request->request->has('loginoremail')) { $login_or_email = $request->request->get('loginoremail'); $to_restore = MailUtils::isValidAddress($login_or_email) ? operator_by_email($login_or_email) : operator_by_login($login_or_email); if (!$to_restore) { $page['errors'][] = getlocal('No such Operator'); } $email = $to_restore['vcemail']; if (count($page['errors']) == 0 && !MailUtils::isValidAddress($email)) { $page['errors'][] = "Operator hasn't set his e-mail"; } if (count($page['errors']) == 0) { $token = sha1($to_restore['vclogin'] . (function_exists('openssl_random_pseudo_bytes') ? openssl_random_pseudo_bytes(32) : time() + microtime() . mt_rand(0, 99999999))); // Update the operator $to_restore['dtmrestore'] = time(); $to_restore['vcrestoretoken'] = $token; update_operator($to_restore); $href = $this->getRouter()->generate('password_recovery_reset', array('id' => $to_restore['operatorid'], 'token' => $token), UrlGeneratorInterface::ABSOLUTE_URL); // Load mail templates and substitute placeholders there. $mail_template = MailTemplate::loadByName('password_recovery', get_current_locale()); if (!$mail_template) { throw new \RuntimeException('Cannot load "password_recovery" mail template'); } $this->sendMail(MailUtils::buildMessage($email, $email, $mail_template->buildSubject(), $mail_template->buildBody(array(get_operator_name($to_restore), $href)))); $page['isdone'] = true; return $this->render('password_recovery', $page); } } $page['formloginoremail'] = $login_or_email; $page['localeLinks'] = get_locale_links(); $page['isdone'] = false; return $this->render('password_recovery', $page); }
* EPL, indicate your decision by deleting the provisions above and replace them * with the notice and other provisions required by the GPL. * * Contributors: * Evgeny Gryaznov - initial API and implementation */ require_once '../libs/common.php'; require_once '../libs/operator.php'; require_once '../libs/settings.php'; require_once '../libs/notify.php'; $errors = array(); $page = array('version' => $version); $loginoremail = ""; if (isset($_POST['loginoremail'])) { $loginoremail = getparam("loginoremail"); $torestore = is_valid_email($loginoremail) ? operator_by_email($loginoremail) : operator_by_login($loginoremail); if (!$torestore) { $errors[] = getlocal("no_such_operator"); } $email = $torestore['vcemail']; if (count($errors) == 0 && !is_valid_email($email)) { $errors[] = "Operator hasn't set his e-mail"; } if (count($errors) == 0) { $token = md5(time() + microtime() . rand(0, 99999999)); $link = connect(); $query = "update {$mysqlprefix}chatoperator set dtmrestore = CURRENT_TIMESTAMP, vcrestoretoken = '{$token}' where operatorid = " . $torestore['operatorid']; perform_query($query, $link); $href = get_app_location(true, false) . "/operator/resetpwd.php?id=" . $torestore['operatorid'] . "&token={$token}"; webim_mail($email, $email, getstring("restore.mailsubj"), getstring2("restore.mailtext", array(get_operator_name($torestore), $href)), $link); mysql_close($link);
/** * Processes submitting of the form which is generated in * {@link \Mibew\Controller\OperatorController::showEditFormAction()} method. * * @param Request $request Incoming request. * @return string Rendered page content. */ public function submitFormAction(Request $request) { csrf_check_token($request); $errors = array(); $operator = $this->getOperator(); $op_id = $request->attributes->getInt('operator_id'); $login = $request->request->get('login'); $email = $request->request->get('email'); $password = $request->request->get('password'); $password_confirm = $request->request->get('passwordConfirm'); $local_name = $request->request->get('name'); $common_name = $request->request->get('commonname'); $code = $request->request->get('code'); if (!$local_name) { $errors[] = no_field('Name'); } if (!$common_name) { $errors[] = no_field('International name (Latin)'); } // The login is needed only for new operators. If login is changed for // existing operator the stored password hash becomes invalid. if (!$op_id) { if (!$login) { $errors[] = no_field('Login'); } elseif (!preg_match("/^[\\w_\\.]+\$/", $login)) { $errors[] = getlocal('Login should contain only latin characters, numbers and underscore symbol.'); } } if (!$email || !MailUtils::isValidAddress($email)) { $errors[] = wrong_field('E-mail'); } if ($code && !preg_match("/^[A-Za-z0-9_]+\$/", $code)) { $errors[] = getlocal('Code should contain only latin characters, numbers and underscore symbol.'); } if (!$op_id && !$password) { $errors[] = no_field('Password'); } if ($password != $password_confirm) { $errors[] = getlocal('Entered passwords do not match'); } $existing_operator = operator_by_login($login); $duplicate_login = !$op_id && $existing_operator || $op_id && $existing_operator && $op_id != $existing_operator['operatorid']; if ($duplicate_login) { $errors[] = getlocal('Please choose another login because an operator with that login is already registered in the system.'); } // Check if operator with specified email already exists in the database. $existing_operator = operator_by_email($email); $duplicate_email = !$op_id && $existing_operator || $op_id && $existing_operator && $op_id != $existing_operator['operatorid']; if ($duplicate_email) { $errors[] = getlocal('Please choose another email because an operator with that email is already registered in the system.'); } if (count($errors) != 0) { $request->attributes->set('errors', $errors); // The form should be rebuild. Invoke appropriate action. return $this->showFormAction($request); } if (!$op_id) { // Create new operator and redirect the current operator to avatar // page. $new_operator = create_operator($login, $email, $password, $local_name, $common_name, '', $code); $redirect_to = $this->generateUrl('operator_avatar', array('operator_id' => $new_operator['operatorid'])); return $this->redirect($redirect_to); } // Mix old operator's fields with updated values $target_operator = array('vcemail' => $email, 'vclocalename' => $local_name, 'vccommonname' => $common_name, 'code' => $code) + operator_by_id($op_id); // Set the password only if it's not an empty string. if ($password !== '') { $target_operator['vcpassword'] = calculate_password_hash($target_operator['vclogin'], $password); } // Update operator's fields in the database. update_operator($target_operator); // Operator's data are cached in the authentication manager, thus we need // to manually update them. if ($target_operator['operatorid'] == $operator['operatorid']) { // Check if the admin has set his password for the first time. $to_dashboard = check_password_hash($operator['vclogin'], '', $operator['vcpassword']) && $password != ''; // Update operator's fields. $this->getAuthenticationManager()->setOperator($target_operator); // Redirect the admin to the home page if needed. if ($to_dashboard) { return $this->redirect($this->generateUrl('home_operator')); } } // Redirect the operator to edit page again to use GET method instead of // POST. $redirect_to = $this->generateUrl('operator_edit', array('operator_id' => $op_id, 'stored' => true)); return $this->redirect($redirect_to); }