/**
* A function to handle the Forgot Password process
*/
public static function forgotPassword()
{
self::construct();
$curStatus = "initial";
// The Current Status of Forgot Password process
$identName = self::$config['features']['email_login'] === false ? "Username" : "Username / E-Mail";
if (!isset($_POST['logSysForgotPass']) && !isset($_GET['resetPassToken']) && !isset($_POST['logSysForgotPassChange'])) {
$html = '<form action="' . self::curPageURL() . '" method="POST">';
$html .= "<label>";
$html .= "<p>{$identName}</p>";
$html .= "<input type='text' id='logSysIdentification' placeholder='Enter your {$identName}' size='25' name='identification' />";
$html .= "</label>";
$html .= "<p><button name='logSysForgotPass' type='submit'>Reset Password</button></p>";
$html .= "</form>";
echo $html;
/**
* The user had moved to the reset password form ie she/he is currently seeing the forgot password form
*/
$curStatus = "resetPasswordForm";
} elseif (isset($_GET['resetPassToken']) && !isset($_POST['logSysForgotPassChange'])) {
/**
* The user gave the password reset token. Check if the token is valid.
*/
$reset_pass_token = urldecode($_GET['resetPassToken']);
$sql = self::$dbh->prepare("SELECT `uid` FROM `" . self::$config['db']['token_table'] . "` WHERE `token` = ?");
$sql->execute(array($reset_pass_token));
if ($sql->rowCount() == 0 || $reset_pass_token == "") {
echo "<h3>Error : Wrong/Invalid Token</h3>";
$curStatus = "invalidToken";
// The token user gave was not valid
} else {
/**
* The token is valid, display the new password form
*/
$html = "<p>The Token key was Authorized. Now, you can change the password</p>";
$html .= "<form action='{$_SERVER['PHP_SELF']}' method='POST'>";
$html .= "<input type='hidden' name='token' value='{$reset_pass_token}' />";
$html .= "<label>";
$html .= "<p>New Password</p>";
$html .= "<input type='password' name='logSysForgotPassNewPassword' />";
$html .= "</label><br/>";
$html .= "<label>";
$html .= "<p>Retype Password</p>";
$html .= "<input type='password' name='logSysForgotPassRetypedPassword'/>";
$html .= "</label><br/>";
$html .= "<p><button name='logSysForgotPassChange'>Reset Password</button></p>";
$html .= "</form>";
echo $html;
/**
* The token was correct, displayed the change/new password form
*/
$curStatus = "changePasswordForm";
}
} elseif (isset($_POST['logSysForgotPassChange']) && isset($_POST['logSysForgotPassNewPassword']) && isset($_POST['logSysForgotPassRetypedPassword'])) {
$reset_pass_token = urldecode($_POST['token']);
$sql = self::$dbh->prepare("SELECT `uid` FROM `" . self::$config['db']['token_table'] . "` WHERE `token` = ?");
$sql->execute(array($reset_pass_token));
if ($sql->rowCount() == 0 || $reset_pass_token == "") {
echo "<h3>Error : Wrong/Invalid Token</h3>";
$curStatus = "invalidToken";
// The token user gave was not valid
} else {
if ($_POST['logSysForgotPassNewPassword'] == "" || $_POST['logSysForgotPassRetypedPassword'] == "") {
echo "<h3>Error : Passwords Fields Left Blank</h3>";
$curStatus = "fieldsLeftBlank";
} elseif ($_POST['logSysForgotPassNewPassword'] != $_POST['logSysForgotPassRetypedPassword']) {
echo "<h3>Error : Passwords Don't Match</h3>";
$curStatus = "passwordDontMatch";
// The new password and retype password submitted didn't match
} else {
/**
* We must create a fake assumption that the user is logged in to
* change the password as \Fr\LS::changePassword()
* requires the user to be logged in.
*/
self::$user = $sql->fetchColumn();
self::$loggedIn = true;
if (self::changePassword($_POST['logSysForgotPassNewPassword'])) {
self::$user = false;
self::$loggedIn = false;
/**
* The token shall not be used again, so remove it.
*/
$sql = self::$dbh->prepare("DELETE FROM `" . self::$config['db']['token_table'] . "` WHERE `token` = ?");
$sql->execute(array($reset_pass_token));
echo "<h3>Success : Password Reset Successful</h3><p>You may now login with your new password.</p>";
$curStatus = "passwordChanged";
// The password was successfully changed
}
}
}
} elseif (isset($_POST['identification'])) {
/**
* Check if username/email is provided and if it's valid and exists
*/
$identification = $_POST['identification'];
if ($identification == "") {
echo "<h3>Error : {$identName} not provided</h3>";
$curStatus = "identityNotProvided";
// The identity was not given
} else {
$sql = self::$dbh->prepare("SELECT `email`, `id` FROM `" . self::$config['db']['table'] . "` WHERE `username`=:login OR `email`=:login");
$sql->bindValue(":login", $identification);
$sql->execute();
if ($sql->rowCount() == 0) {
echo "<h3>Error : User Not Found</h3>";
$curStatus = "userNotFound";
// The user with the identity given was not found in the users database
} else {
$rows = $sql->fetch(\PDO::FETCH_ASSOC);
$email = $rows['email'];
$uid = $rows['id'];
/**
* Make token and insert into the table
*/
$token = self::rand_string(40);
$sql = self::$dbh->prepare("INSERT INTO `" . self::$config['db']['token_table'] . "` (`token`, `uid`, `requested`) VALUES (?, ?, NOW())");
$sql->execute(array($token, $uid));
$encodedToken = urlencode($token);
/**
* Prepare the email to be sent
*/
$subject = "Reset Password";
$body = "You requested for resetting your password on " . self::$config['basic']['company'] . ". For this, please click the following link :\n <blockquote>\n <a href='" . self::curPageURL() . "?resetPassToken={$encodedToken}'>Reset Password : {$token}</a>\n </blockquote>";
self::sendMail($email, $subject, $body);
echo "<p>An email has been sent to your email inbox with instructions. Check Your Mail Inbox and SPAM Folders.</p><p>You can close this window.</p>";
$curStatus = "emailSent";
// E-Mail has been sent
}
}
}
return $curStatus;
}
