/**
* Generates a page for the first step of password recovery process.
*
* @param Request $request
* @return string Rendered page content
*/
public function indexAction(Request $request)
{
if ($this->getOperator()) {
// If the operator is logged in just redirect him to the home page.
return $this->redirect($request->getUriForPath('/operator'));
}
$page = array('version' => MIBEW_VERSION, 'title' => getlocal('Trouble Accessing Your Account?'), 'headertitle' => getlocal('Mibew Messenger'), 'show_small_login' => true, 'fixedwrap' => true, 'errors' => array());
$login_or_email = '';
if ($request->isMethod('POST')) {
// When HTTP GET method is used the form is just rendered but the
// user does not pass any data. Thus we need to prevent CSRF attacks
// only for POST requests
csrf_check_token($request);
}
if ($request->isMethod('POST') && $request->request->has('loginoremail')) {
$login_or_email = $request->request->get('loginoremail');
$to_restore = MailUtils::isValidAddress($login_or_email) ? operator_by_email($login_or_email) : operator_by_login($login_or_email);
if (!$to_restore) {
$page['errors'][] = getlocal('No such Operator');
}
$email = $to_restore['vcemail'];
if (count($page['errors']) == 0 && !MailUtils::isValidAddress($email)) {
$page['errors'][] = "Operator hasn't set his e-mail";
}
if (count($page['errors']) == 0) {
$token = sha1($to_restore['vclogin'] . (function_exists('openssl_random_pseudo_bytes') ? openssl_random_pseudo_bytes(32) : time() + microtime() . mt_rand(0, 99999999)));
// Update the operator
$to_restore['dtmrestore'] = time();
$to_restore['vcrestoretoken'] = $token;
update_operator($to_restore);
$href = $this->getRouter()->generate('password_recovery_reset', array('id' => $to_restore['operatorid'], 'token' => $token), UrlGeneratorInterface::ABSOLUTE_URL);
// Load mail templates and substitute placeholders there.
$mail_template = MailTemplate::loadByName('password_recovery', get_current_locale());
if (!$mail_template) {
throw new \RuntimeException('Cannot load "password_recovery" mail template');
}
$this->sendMail(MailUtils::buildMessage($email, $email, $mail_template->buildSubject(), $mail_template->buildBody(array(get_operator_name($to_restore), $href))));
$page['isdone'] = true;
return $this->render('password_recovery', $page);
}
}
$page['formloginoremail'] = $login_or_email;
$page['localeLinks'] = get_locale_links();
$page['isdone'] = false;
return $this->render('password_recovery', $page);
}
* EPL, indicate your decision by deleting the provisions above and replace them
* with the notice and other provisions required by the GPL.
*
* Contributors:
* Evgeny Gryaznov - initial API and implementation
*/
require_once '../libs/common.php';
require_once '../libs/operator.php';
require_once '../libs/settings.php';
require_once '../libs/notify.php';
$errors = array();
$page = array('version' => $version);
$loginoremail = "";
if (isset($_POST['loginoremail'])) {
$loginoremail = getparam("loginoremail");
$torestore = is_valid_email($loginoremail) ? operator_by_email($loginoremail) : operator_by_login($loginoremail);
if (!$torestore) {
$errors[] = getlocal("no_such_operator");
}
$email = $torestore['vcemail'];
if (count($errors) == 0 && !is_valid_email($email)) {
$errors[] = "Operator hasn't set his e-mail";
}
if (count($errors) == 0) {
$token = md5(time() + microtime() . rand(0, 99999999));
$link = connect();
$query = "update {$mysqlprefix}chatoperator set dtmrestore = CURRENT_TIMESTAMP, vcrestoretoken = '{$token}' where operatorid = " . $torestore['operatorid'];
perform_query($query, $link);
$href = get_app_location(true, false) . "/operator/resetpwd.php?id=" . $torestore['operatorid'] . "&token={$token}";
webim_mail($email, $email, getstring("restore.mailsubj"), getstring2("restore.mailtext", array(get_operator_name($torestore), $href)), $link);
mysql_close($link);
/**
* Processes submitting of the form which is generated in
* {@link \Mibew\Controller\OperatorController::showEditFormAction()} method.
*
* @param Request $request Incoming request.
* @return string Rendered page content.
*/
public function submitFormAction(Request $request)
{
csrf_check_token($request);
$errors = array();
$operator = $this->getOperator();
$op_id = $request->attributes->getInt('operator_id');
$login = $request->request->get('login');
$email = $request->request->get('email');
$password = $request->request->get('password');
$password_confirm = $request->request->get('passwordConfirm');
$local_name = $request->request->get('name');
$common_name = $request->request->get('commonname');
$code = $request->request->get('code');
if (!$local_name) {
$errors[] = no_field('Name');
}
if (!$common_name) {
$errors[] = no_field('International name (Latin)');
}
// The login is needed only for new operators. If login is changed for
// existing operator the stored password hash becomes invalid.
if (!$op_id) {
if (!$login) {
$errors[] = no_field('Login');
} elseif (!preg_match("/^[\\w_\\.]+\$/", $login)) {
$errors[] = getlocal('Login should contain only latin characters, numbers and underscore symbol.');
}
}
if (!$email || !MailUtils::isValidAddress($email)) {
$errors[] = wrong_field('E-mail');
}
if ($code && !preg_match("/^[A-Za-z0-9_]+\$/", $code)) {
$errors[] = getlocal('Code should contain only latin characters, numbers and underscore symbol.');
}
if (!$op_id && !$password) {
$errors[] = no_field('Password');
}
if ($password != $password_confirm) {
$errors[] = getlocal('Entered passwords do not match');
}
$existing_operator = operator_by_login($login);
$duplicate_login = !$op_id && $existing_operator || $op_id && $existing_operator && $op_id != $existing_operator['operatorid'];
if ($duplicate_login) {
$errors[] = getlocal('Please choose another login because an operator with that login is already registered in the system.');
}
// Check if operator with specified email already exists in the database.
$existing_operator = operator_by_email($email);
$duplicate_email = !$op_id && $existing_operator || $op_id && $existing_operator && $op_id != $existing_operator['operatorid'];
if ($duplicate_email) {
$errors[] = getlocal('Please choose another email because an operator with that email is already registered in the system.');
}
if (count($errors) != 0) {
$request->attributes->set('errors', $errors);
// The form should be rebuild. Invoke appropriate action.
return $this->showFormAction($request);
}
if (!$op_id) {
// Create new operator and redirect the current operator to avatar
// page.
$new_operator = create_operator($login, $email, $password, $local_name, $common_name, '', $code);
$redirect_to = $this->generateUrl('operator_avatar', array('operator_id' => $new_operator['operatorid']));
return $this->redirect($redirect_to);
}
// Mix old operator's fields with updated values
$target_operator = array('vcemail' => $email, 'vclocalename' => $local_name, 'vccommonname' => $common_name, 'code' => $code) + operator_by_id($op_id);
// Set the password only if it's not an empty string.
if ($password !== '') {
$target_operator['vcpassword'] = calculate_password_hash($target_operator['vclogin'], $password);
}
// Update operator's fields in the database.
update_operator($target_operator);
// Operator's data are cached in the authentication manager, thus we need
// to manually update them.
if ($target_operator['operatorid'] == $operator['operatorid']) {
// Check if the admin has set his password for the first time.
$to_dashboard = check_password_hash($operator['vclogin'], '', $operator['vcpassword']) && $password != '';
// Update operator's fields.
$this->getAuthenticationManager()->setOperator($target_operator);
// Redirect the admin to the home page if needed.
if ($to_dashboard) {
return $this->redirect($this->generateUrl('home_operator'));
}
}
// Redirect the operator to edit page again to use GET method instead of
// POST.
$redirect_to = $this->generateUrl('operator_edit', array('operator_id' => $op_id, 'stored' => true));
return $this->redirect($redirect_to);
}
