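/**
 * Start recovery of a user's password.
 *
 * Renders the recovery form and, on a valid submission, looks the address
 * up in the user table. Depending on configuration the user is then sent
 * either a time-limited response token (emailpasswordrecovery0.tpl) or the
 * stored password itself (emailpasswordrecovery1.tpl).
 *
 * @return string rendered form / result page from $form->create()
 */
public function startPasswordRecovery()
{
    $form = new sfc\Form(SSP_Path(), "noTable", "startPasswordRecovery");
    $form->tplf = "passwordrecover.tpl";
    $form->tpl = $this->tpl(["title" => "Password recovery"]);
    $form->errorAutoFormDisplay = false;
    $form->tda("loginPath", $this->cfg->logonScript);
    $form->fe("text", "email", "Enter your registered email");
    $form->fep("required=true,width=30, dataType=email");
    $form->fe("submit", "submit", "Recover Password");
    $form->fep("elClass=SSPFormButton");

    if (!$form->processForm($_POST)) {
        // first display of the form
        return $form->create();
    }
    if ($form->error) {
        // submitted but failed validation: re-render via the error path
        return $form->create(true);
    }

    // look the address up; the search value is encrypted the same way the
    // UserEmail column is written (SSP_encrypt), so the comparison is on ciphertext
    $fields = ["UserId", "UserEmail", "UserName", "UserPassword"];
    $where = ["UserEmail" => SSP_encrypt(trim($form->getField("email")))];
    $row = $this->db->getf(
        $this->cfg->userTable,
        $fields,
        $where,
        "SSP user admin: getting user info for password recovery"
    );
    if (!$this->db->numRows()) {
        // email not found
        // NOTE(review): rendering a distinct "error" state tells a visitor which
        // addresses are registered; showing "sent" in both cases would avoid that.
        $form->tda("error");
        return $form->create();
    }

    // display name for the outgoing mail
    $rowMisc = $this->db->get(
        $this->cfg->userMiscTable,
        ["UserId" => $row->UserId],
        "Getting user name for password recovery"
    );
    $recipientName = $rowMisc->FirstName . " " . $rowMisc->FamilyName;

    $content = [];
    if ($this->cfg->loginType == 1) {
        // user name is the login identifier, so supply it in the mail
        // ($row is a row object: property access, not the array access the original used)
        $content["UserName"] = $row->UserName;
    }

    if ($this->cfg->passwordRecovery == 0 || $this->cfg->encryptPassword) {
        // token route: the user sets a new password via a time-limited response token
        $token = SSP_ResponseToken($row->UserId, $this->cfg->recoverTime);
        $content["link"] = $this->cfg->newPassword;
        $content['token'] = $token;
        $template = "emailpasswordrecovery0.tpl";
    } else {
        // legacy route: the stored password is mailed as-is, which is only
        // possible because passwords are kept recoverable in this configuration;
        // the token route above avoids disclosing the credential
        $content["UserPassword"] = $row->UserPassword;
        $template = "emailpasswordrecovery1.tpl";
    }
    $content["adminEmail"] = $this->cfg->adminEmail;

    // NOTE(review): UserEmail is passed as stored; __construct decrypts it with
    // SSP_decrypt before use — confirm noReplyEmail expects the stored form.
    $email = new Email($this->cfg);
    $email->noReplyEmail($content, $template, $row->UserEmail, $recipientName);

    $form->tda("sent");
    return $form->create();
}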
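/**
 * Constructor.
 *
 * Starts the DB backed PHP session, loads the session row and, when a user
 * id is attached to it, the user row. For a logged-in user the page access
 * checks are then run (login expiry, user flags, access level, IP address,
 * per-session random value) and any failure is passed to userFaultHandling().
 *
 * @param string $pageAccessLevel - users allowed to access the page
 * @param bool $pageCheckEquals - if true only this user type can access this page
 * @param bool $doHistory - do history for this page
 * @param ProtectConfig|false $config - Protected session configuration options;
 *        false builds a default ProtectConfig
 */
public function __construct($pageAccessLevel = "", $pageCheckEquals = false, $doHistory = true, $config = false)
{
    global $loginContent;

    $this->config = ($config === false) ? new \w34u\ssp\ProtectConfig() : $config;
    $this->cfg = Configuration::getConfiguration();
    $this->db = SspDb::getConnection();

    // set up db session handling
    $handler = new SessionHandler();
    session_set_save_handler(
        [$handler, 'open'],
        [$handler, 'close'],
        [$handler, 'read'],
        [$handler, 'write'],
        [$handler, 'destroy'],
        [$handler, 'gc']
    );
    // the following prevents unexpected effects when using objects as save handlers
    register_shutdown_function("session_write_close");
    session_start();

    $this->setupLanguage();
    $this->maintenanceMode();

    // turn off sql cacheing if it is set, but preserve the status to turn it back on after
    $queryResultCacheing = false;
    if ($this->db->cache) {
        $queryResultCacheing = true;
        $this->db->cache = false;
    }

    $pageAccessLevel = $this->checkParameters($pageAccessLevel, $pageCheckEquals);
    if (isset($loginContent)) {
        $_SESSION["SSP_LoginPageAddtionalContent"] = $loginContent;
    }

    // check https:// site, and if fail divert to correct url
    if ($this->cfg->useSSL || $this->config->forceSSLPath) {
        if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === "off") {
            // script not called using https
            SSP_Divert(SSP_Path(true, true));
        }
    }

    $this->country = "";
    // do any external routines before history is called
    $this->autoLogin();
    if ($doHistory) {
        $this->pageHistory();
    }

    // get all session information for valid sessions
    $query = sprintf(
        "select * from %s where %s = ? and %s = ?",
        $this->cfg->sessionTable,
        $this->db->qt("SessionId"),
        $this->db->qt("SessionName")
    );
    $values = [session_id(), session_name()];
    $this->db->query($query, $values, "SSP session handling: Get session information");
    $sessionInfo = null;
    $newSession = true;
    if ($this->db->numRows() > 0) {
        // get result if existing session
        $sessionInfo = $this->db->fetchRow();
        $newSession = false;
    } else {
        $this->log("New session started");
    }

    // process user information if logged in.
    $userFault = false;
    $needHigherLogin = false;
    $userInfo = null;
    if (!$newSession && trim($sessionInfo->UserId) !== "") {
        $where = ["UserId" => $sessionInfo->UserId];
        $userInfo = $this->db->get($this->cfg->userTable, $where, "SSP Session: getting login data");
        if ($this->db->numRows()) {
            // user found, check for login expiry
            if ($sessionInfo->SessionTime + $this->cfg->loginExpiry > time()) {
                $this->loggedIn = true;
                $this->userId = $userInfo->UserId;
                $this->userName = $userInfo->UserName;
                $this->userAccessLevel = $userInfo->UserAccess;
                if ($this->cfg->userLevels[$this->userAccessLevel] >= $this->cfg->adminLevel) {
                    // admin user
                    $this->admin = true;
                }
                $this->userEmail = SSP_decrypt($userInfo->UserEmail);
                if (isset($userInfo->country) && trim($userInfo->country) !== "") {
                    $this->country = $userInfo->country;
                }
            } else {
                // expired: detach the user from the session row so the id is not reused
                $this->log("Login expired");
                $this->loggedIn = false;
                $this->db->update(
                    $this->cfg->sessionTable,
                    ['UserId' => ''],
                    ['SessionId' => session_id(), 'SessionName' => session_name()],
                    'SSP Session: clearing user id from expired login'
                );
            }
        } else {
            $this->log("User not found from ID");
            $userFault = true;
        }
    }

    $pageAccess = $this->cfg->userLevels[$pageAccessLevel];
    if ($this->loggedIn) {
        // do security checking for user if logged in
        // validate flags (loose comparison kept: DB values are strings, config values may not be)
        $flagsValid = true;
        foreach ($this->cfg->validUserFlags as $flagName => $validFlagValue) {
            if ($userInfo->{$flagName} != $validFlagValue) {
                $flagsValid = false;
                $this->log("Invalid user flag " . $flagName . " value required: "
                    . $validFlagValue . " actual: " . $userInfo->{$flagName});
                break;
            }
        }

        if (!$flagsValid) {
            $userFault = true;
        } elseif ($this->cfg->userLevels[$userInfo->UserAccess] < $pageAccess) {
            // user does not have a high enough access level
            $userFault = true;
            $needHigherLogin = true; // flag higher login needed
            $this->log("User Access level not high enough Level: " . $userInfo->UserAccess . " "
                . $this->cfg->userLevels[$userInfo->UserAccess] . " Page " . $pageAccess);
        } elseif ($pageCheckEquals && $this->cfg->userLevels[$userInfo->UserAccess] != $pageAccess) {
            // user does not have the correct user access level
            $userFault = true;
            $needHigherLogin = true; // flag different login needed
            $this->log("User Access level not equal to the page's level");
        } elseif ($this->cfg->checkIpAddress
            && SSP_trimIp($sessionInfo->SessionIp) !== SSP_trimIp($_SERVER["REMOTE_ADDR"])) {
            // users IP address has changed
            $userFault = true;
            $this->log("User IP address changed " . SSP_paddIp($_SERVER["REMOTE_ADDR"]));
        } elseif (($this->cfg->fixedIpAddress || $userInfo->UserIpCheck)
            && SSP_paddIp($sessionInfo->SessionUserIp) !== SSP_paddIp($_SERVER["REMOTE_ADDR"])) {
            // user is at incorrect IP address
            $userFault = true;
            $this->log("User IP address incorrect, UserIP: " . SSP_paddIp($sessionInfo->SessionUserIp)
                . " Remote IP: " . SSP_paddIp($_SERVER["REMOTE_ADDR"]));
        }

        // the session random check is always run, but its result must not
        // discard a fault already found above (the original assignment did)
        $userFault = $this->chackRandom($sessionInfo) || $userFault;
    } else {
        $this->log("User not logged in");
    }

    // handle user faults
    $this->userFaultHandling($pageAccess, $userFault, $needHigherLogin, $queryResultCacheing);
    // final setup of page
    $this->finalSetup($userInfo);
    // restore query cacheing mode
    $this->db->cache = $queryResultCacheing;
}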