password reset

mod/lostpass.php

@@ -0,0 +1,104 @@
+<?php
+
+
+function lostpass_post(&$a) {
+
+	$email = notags(trim($_POST['login-name']));
+	if(! $email)
+		goaway($a->get_baseurl());
+
+	$r = q("SELECT * FROM `user` WHERE `email` = '%s' LIMIT 1",
+		dbesc($email)
+	);
+	if(! count($r))
+		goaway($a->get_baseurl());
+	$uid = $r[0]['uid'];
+	$username = $r[0]['username'];
+
+	$new_password = autoname(12) . mt_rand(100,9999);
+	$new_password_encoded = hash('whirlpool',$new_password);
+
+	$r = q("UPDATE `user` SET `pwdreset` = '%s' WHERE `uid` = %d LIMIT 1",
+		dbesc($new_password_encoded),
+		intval($uid)
+	);
+	if($r)
+		notice("Password reset request issued. Check your email.");
+
+	$email_tpl = file_get_contents("view/lostpass_eml.tpl");
+	$email_tpl = replace_macros($email_tpl, array(
+			'$sitename' => $a->config['sitename'],
+			'$siteurl' =>  $a->get_baseurl(),
+			'$username' => $username,
+			'$email' => $email,
+			'$reset_link' => $a->get_baseurl() . '/lostpass?verify=' . $new_password
+	));
+
+	$res = mail($email,"Password reset requested at {$a->config['sitename']}",$email_tpl,"From: Administrator@{$_SERVER[SERVER_NAME]}");
+
+	
+
+	goaway($a->get_baseurl());
+}
+
+
+function lostpass_content(&$a) {
+
+
+	if(x($_GET,'verify')) {
+		$verify = $_GET['verify'];
+		$hash = hash('whirlpool', $verify);
+
+		$r = q("SELECT * FROM `user` WHERE `pwdreset` = '%s' LIMIT 1",
+			dbesc($hash)
+		);
+		if(! count($r)) {
+			notice("Request could not be verified. (You may have previously submitted it.) Password reset failed." . EOL);
+			goaway($a->get_baseurl());
+			return;
+		}
+		$uid = $r[0]['uid'];
+		$username = $r[0]['username'];
+		$email = $r[0]['email'];
+
+		$new_password = autoname(6) . mt_rand(100,9999);
+		$new_password_encoded = hash('whirlpool',$new_password);
+
+		$r = q("UPDATE `user` SET `password` = '%s', `pwdreset` = ''  WHERE `uid` = %d LIMIT 1",
+			dbesc($new_password_encoded),
+			intval($uid)
+		);
+		if($r) {
+			$tpl = file_get_contents('view/pwdreset.tpl');
+			$o .= replace_macros($tpl,array(
+				'$newpass' => $new_password,
+				'$baseurl' => $a->get_baseurl()
+			));
+				notice("Your password has been reset." . EOL);
+
+
+
+			$email_tpl = file_get_contents("view/passchanged_eml.tpl");
+			$email_tpl = replace_macros($email_tpl, array(
+			'$sitename' => $a->config['sitename'],
+			'$siteurl' =>  $a->get_baseurl(),
+			'$username' => $username,
+			'$email' => $email,
+			'$new_password' => $new_password,
+			'$uid' => $newuid ));
+
+			$res = mail($email,"Your password has changed at {$a->config['sitename']}",$email_tpl,"From: Administrator@{$_SERVER[SERVER_NAME]}");
+
+			return $o;
+		}
+	
+	}
+	else {
+		$tpl = file_get_contents('view/lostpass.tpl');
+
+		$o .= $tpl;
+
+		return $o;
+	}
+
+}

update.sql

@@ -13,4 +13,4 @@ ALTER TABLE `item` ADD `owner-name` CHAR( 255 ) CHARACTER SET utf8 COLLATE utf8_
 ADD `owner-link` CHAR( 255 ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL AFTER `owner-name` ,
 ADD `owner-avatar` CHAR( 255 ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL AFTER `owner-link` ;
 
-ALTER TABLE `item` ADD `remote-parent` CHAR( 255 ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL AFTER `parent` ;
+ALTER TABLE `user` ADD `pwdreset` CHAR( 255 ) NOT NULL AFTER `blocked` ;

view/login.tpl

@@ -14,7 +14,7 @@
 <div id="login-extra-links">
 	<div id="login-extra-filler">&nbsp;</div>
 	$register_html
-        <a href="lost-password" name="Lost your password?" id="lost-password-link" >Password Reset</a>
+        <a href="lostpass" title="Lost your password?" id="lost-password-link" >Password Reset</a>
 </div>
 <div id="login-extra-end"></div>
 <div id="login-submit-wrapper" >

view/lostpass.tpl

@@ -0,0 +1,18 @@
+<h3>Forgot your Password?</h3>
+
+<p id="lostpass-desc">
+Enter your email address and submit to have your password reset. Then check your email for further instructions.
+</p>
+
+<form action="lostpass" method="post" >
+<div id="login-name-wrapper">
+        <label for="login-name" id="label-login-name">Email address: </label>
+        <input type="text" maxlength="60" name="login-name" id="login-name" value="" />
+</div>
+<div id="login-extra-end"></div>
+<div id="login-submit-wrapper" >
+        <input type="submit" name="submit" id="lostpass-submit-button" value="Reset" />
+</div>
+<div id="login-submit-end"></div>
+</form>
+

view/lostpass_eml.tpl

@@ -0,0 +1,32 @@
+
+Dear $username,
+	A request was recently received at $sitename to reset your account 
+password. In order to confirm this request, please select the verification link
+below or paste it into your web browser address bar. 
+
+If you did NOT request this change, please DO NOT follow the link
+provided and ignore and/or delete this email. 
+
+Your password will not be changed unless we can verify that you
+issued this request. 
+
+Follow this link to verify your identity:
+
+$reset_link
+
+You will then receive a follow-up message containing the new password.
+
+You may change that password from your account settings page after logging in.
+
+The login details are as follows:
+
+Site Location:	$siteurl
+Login Name:	$email
+
+
+
+
+Sincerely,
+	$sitename Administrator
+
+ 

view/passchanged_eml.tpl

@@ -0,0 +1,20 @@
+
+Dear $username,
+	Your password has been changed as requested. Please retain this 
+information for your records (or change your password immediately to 
+something that you will remember).
+
+
+Your login details are as follows:
+
+Site Location:	$siteurl
+Login Name:	$email
+Password:	$new_password
+
+You may change that password from your account settings page after logging in.
+
+
+Sincerely,
+	$sitename Administrator
+
+ 

view/pwdreset.tpl

@@ -0,0 +1,16 @@
+<h3>Password Reset</h3>
+
+<p>
+Your password has been reset as requested.
+</p>
+<p>
+Your new password is
+</p>
+<p>
+$newpass
+</p>
+<p>
+Save or copy your new password - and then <a href="$baseurl" >click here to login</a>.
+</p>
+<p>
+Your password may be changed from the 'Settings' page after successful login.