Diffstat (limited to 'frontend/pages')
-rw-r--r-- | frontend/pages/login.php | 45 | ||||
-rw-r--r-- | frontend/pages/register.php | 6 | ||||
-rw-r--r-- | frontend/pages/users/forgot-password.php | 29 | ||||
-rw-r--r-- | frontend/pages/users/reset-password.php | 49 |
4 files changed, 108 insertions, 21 deletions
diff --git a/frontend/pages/login.php b/frontend/pages/login.php index 953d2c4..d821396 100644 --- a/frontend/pages/login.php +++ b/frontend/pages/login.php @@ -1,24 +1,35 @@ <?php function init_login(&$S) { if (isset($S['user'])) { + if (isset($_REQUEST['go'])) + header('Location: '.url($_REQUEST['go'])); // Should we let you continue to $_REQUEST['go'] instead? return 'welcome'; - } else { - if (isset($_REQUEST['email']) && isset($_REQUEST['password'])) { - $r=query('SELECT * FROM `users` WHERE `email`='.$S['pdo']->quote($_REQUEST['email']).' AND `passhash`="'.sha1($_REQUEST['password']).'"'); - if ($r->rowCount()) { - $S['user']=new sql_user($r->fetch(PDO::FETCH_ASSOC)); - $S['login.result']=sql_session::create(); - } else { - $S['login.result']=false; - } + } + if (substr($S['request'], 0, 5) != 'login') + $_REQUEST['go']=$S['request']; + $S['login']['form']=new form(url('login')); + $form=&$S['login']['form']; + if (isset($_REQUEST['go'])) + $form->hidden('go', 'go', $_REQUEST['go']); + $form->text_input('email', 'email', 'Email'); + $form->password('password', 'password', 'Password'); + $form->submit(); + $S['login']['data']=isset($_REQUEST['email'])?$form->process():array(); + $data=&$S['login']['data']; + if (isset($data['email'], $data['password'])) { + $r=query('SELECT * FROM `users` WHERE `email`='.$S['pdo']->quote($data['email']).' AND `passhash`="'.sha1($data['password']).'"'); + if ($r->rowCount()) { + $S['user']=new sql_user($r->fetch(PDO::FETCH_ASSOC)); + $S['login.result']=sql_session::create(); + } else { + $S['login.result']=false; } - return array('title' => 'Login'); } + $S['title']='Login'; } function body_login(&$S) { - if (substr($S['request'], 0, 5) != 'login') { - $_REQUEST['go']=$S['request']; + if (isset($_REQUEST['go']) && $_REQUEST['go'] == $S['request']) { echo print_warning('Please sign in to access this page.'); } if (isset($S['login.result'])) { 
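Review bot: The redirect added at the top of init_login, `header('Location: '.url($_REQUEST['go']));`, neither validates `go` nor stops execution, so the function still returns 'welcome' and the welcome page is rendered underneath the redirect; whether a crafted `go` (an absolute or protocol-relative URL) can send the user off-site depends on what url() does with its argument, which is not visible here. Suggest constraining `go` to a site-relative path before use (reject values containing `://` or starting with `//`) and adding `exit;` after the header. The same untrusted value is placed in a hidden field via `$form->hidden('go', 'go', $_REQUEST['go'])` and, in body_login's second hunk, echoed into the Continue link, so it needs HTML-attribute escaping unless form::hidden already does that. Separately, the rewritten credential check still matches on `sha1($data['password'])` inside the WHERE clause, an unsalted fast hash; fetching the row by email and comparing with password_verify() against a password_hash() value would fix this here and at `$user->passhash=sha1($data['pass']);` in reset-password.php.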
@@ -27,15 +38,13 @@ function body_login(&$S) {
 } elseif ($S['login.result']) {
 echo print_success('Welcome, '.$S['user']->name);
 echo '<a href="'.url(isset($_REQUEST['go'])?$_REQUEST['go']:'').'">Continue</a>';
-die;
+ return;
 } else {
 echo print_error('Your email and password combination was not recognized.');
 }
 }
- echo '<h3>Login</h3><form action="'.url('login').'" method="post">';
- if (isset($_REQUEST['go'])) {
- echo '<input type="hidden" name="go" value="'.htmlentities($_REQUEST['go']).'" />';
- }
- echo 'Email: <input name="email" /><br/>Password: <input type="password" name="password" /><br/><input type="submit" value="Submit" /></form>';
+ echo '<h3>Login</h3>';
+ echo $S['login']['form']->output($S['login']['data']);
+ echo '<a href="'.url('forgot').'">Forgot password?</a>';
 }
 ?>
diff --git a/frontend/pages/register.php b/frontend/pages/register.php
index 441269c..9f33e8b 100644
--- a/frontend/pages/register.php
+++ b/frontend/pages/register.php
@@ -4,8 +4,8 @@ function init_register(&$S) {
 header('Location: '.url());
 return 'welcome';
 }
- if (isset($_REQUEST['token']) && preg_match('/^[a-zA-Z0-9]{30}$/', $_REQUEST['token'])) {
- $r=query('SELECT * FROM `registrationtokens` WHERE `id`=\''.$_REQUEST['token'].'\'');
+ if (isset($_REQUEST['token']) && strlen($_REQUEST['token']) == 30 && ctype_alnum($_REQUEST['token'])) {
+ $r=query('SELECT * FROM `registrationtokens` WHERE `id`="'.$_REQUEST['token'].'" AND `expire` > '.time());
 if ($r->rowCount()) {
 $S['register.token']=new sql_registrationtoken($r->fetch(PDO::FETCH_ASSOC));
 if (isset($_REQUEST['password'])) {
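Review bot: In init_register the token is now concatenated straight into the SQL string with safety resting entirely on the preceding strlen/ctype_alnum check; ctype_alnum is documented as locale-dependent, so under a non-C LC_CTYPE bytes outside [A-Za-z0-9] can pass the check and reach the query. Use the PDO quoting the same file already applies to email, `$S['pdo']->quote($_REQUEST['token'])`, in place of the bare `'"'.$_REQUEST['token'].'"'` concatenation, so the query stays safe regardless of how the validation evolves. The remainder of init_register continues outside this hunk.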
@@ -37,7 +37,7 @@ function body_register(&$S) {
 if (query('SELECT COUNT(*) FROM `users` WHERE `email`='.$S['pdo']->quote($_REQUEST['email']))->fetch(PDO::FETCH_COLUMN))
 echo print_warning('An account already exists with this email address.').'<a href="'.url('login').'">Login</a>';
 else {
- if ($token=query('SELECT * FROM `registrationtokens` WHERE `email`='.$S['pdo']->quote($_REQUEST['email']))->fetch(PDO::FETCH_ASSOC)) {
+ if ($token=query('SELECT * FROM `registrationtokens` WHERE `expire` > '.time().' AND `email`='.$S['pdo']->quote($_REQUEST['email']))->fetch(PDO::FETCH_ASSOC)) {
 echo print_warning('A confirmation email has already been sent to this email address... sending another email.');
 $token=new sql_registrationtoken($token);
 } else {
diff --git a/frontend/pages/users/forgot-password.php b/frontend/pages/users/forgot-password.php
new file mode 100644
index 0000000..b781cec
--- /dev/null
+++ b/frontend/pages/users/forgot-password.php
@@ -0,0 +1,29 @@
+<?php
+function init_users_forgot_password(&$S) {
+ if (isset($S['user'])) return 'login';
+ $S['title']='Forgot Password';
+}
+function body_users_forgot_password(&$S) {
+ $form=new form();
+ $form->text('<h3>Reset password</h3>');
+ $form->text_input('email', 'email', 'Email');
+ $form->submit();
+ if (isset($_REQUEST['email'])) {
+ $data=$form->process();
+ $r=query('SELECT * FROM `users` WHERE `email`='.$S['pdo']->quote($data['email']));
+ if ($r->rowCount()) {
+ $user=new sql_user($r->fetch(PDO::FETCH_ASSOC));
+ $token=sql_registrationtoken::create();
+ $token->owner=$user->id;
+ $token->email=$user->email;
+ $token->expire=time()+24*3600;
+ $token->write();
+ $url=url('reset?email='.urlencode($token->email).'&token='.$token->id);
+ xhtmlemail($user->email, $S['conf']['emailfrom'], $S['conf']['title'].' password', 'You requested to reset your '.$S['conf']['title'].' password. You may do so by going to <a href="'.$url.'">'.$url.'</a> or by entering your email and the reset key "'.$token->id.'" at '.url('reset').'. This link will expire in twenty-four hours. If you did not request to reset your password, you may safely ignore this message.');
+ }
+ echo print_success('Success.', 'You have been sent an email (if you have an '.$S['conf']['title'].' account) with further instructions to reset your password.');
+ } else {
+ $form->output();
+ }
+}
+?>
diff --git a/frontend/pages/users/reset-password.php b/frontend/pages/users/reset-password.php
new file mode 100644
index 0000000..683a67a
--- /dev/null
+++ b/frontend/pages/users/reset-password.php
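Review bot: The reset key is written into the same `registrationtokens` table that init_register consumes, and init_register only checks that a token exists and has not expired, so a reset token may also be accepted as a registration token (and a registration token as a reset key) unless something outside this diff distinguishes them; a type column, or rejecting rows with a non-empty `owner` on the register path if registration tokens carry none, would separate the two. body_users_forgot_password also calls `$form->process()` without the `$form->verify($data)` step the reset page uses, so `$data['email']` reaches the query unvalidated (quoted, so not an injection, but inconsistent). Because any request for an address that has an account sends a mail and mints a fresh token without invalidating earlier ones, a per-address and per-client rate limit on this handler would bound mailbox flooding and token accumulation. The strength of the key rests on sql_registrationtoken::create(), whose id generator is not visible here; it should be confirmed to use random_bytes()/random_int() rather than rand()/mt_rand().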
@@ -0,0 +1,49 @@
+<?php
+function init_users_reset_password(&$S) {
+ if (isset($S['user'])) return 'login';
+ $S['title']='Forgot Password';
+}
+function body_users_reset_password(&$S) {
+ $form1=new form();
+ $form1->text('<h3>Reset password</h3>');
+ $form1->text_input('email', 'email', 'Email');
+ $form1->text_input('token', 'token', 'Reset key');
+ $form1->submit();
+ $data=array();
+ if (isset($_REQUEST['email']) && ($data=$form1->process()) && $form1->verify($data)) {
+ $user=new sql_user($data['email']);
+ $token=new sql_registrationtoken(query('SELECT * FROM `registrationtokens` WHERE `expire` > '.time().' AND `id`='.$S['pdo']->quote($data['token']))->fetch(PDO::FETCH_ASSOC));
+ if ($token->email != $user->email) {
+ echo print_warning('Your email/key combination is invalid.');
+ $form1->output($data);
+ }
+ $form2=new form();
+ $form2->text('<h3>Reset password</h3>');
+ $form2->hidden('email', 'email', $data['email']);
+ $form2->hidden('token', 'token', $data['token']);
+ $form2->password('pass', 'pass', 'New password');
+ $form2->password('repeat', 'repeat', 'Repeat new password');
+ $form2->submit();
+ if (isset($_REQUEST['pass'])) {
+ $data=$form2->process();
+ if ($form2->verify($data)) {
+ if ($data['pass'] == $data['repeat']) {
+ $user->passhash=sha1($data['pass']);
+ $user->write();
+ $token->delete();
+ echo print_success('Password changed.', '<a href="'.url('login').'">Login</a>');
+ } else {
+ echo print_warning('The passwords you entered do not match.');
+ $form2->output($data);
+ }
+ } else {
+ $form2->output($data);
+ }
+ } else {
+ $form2->output($data);
+ }
+ } else {
+ $form1->output($data);
+ }
+}
+?> |
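Review bot: In body_users_reset_password the email/key mismatch branch prints a warning and re-renders form1 but does not return, so execution continues into the form2 block and, when `pass` is posted, `$user->passhash=sha1($data['pass']); $user->write();` runs for the submitted email even though the token did not match it; if sql_registrationtoken tolerates the `false` returned by a failed fetch, the same path is reached when no token row exists at all, since `$token->email` is merely compared rather than the lookup being rejected. Add `return;` after `$form1->output($data);` in that branch, and treat a missing row as a failure in the same condition, e.g. `$row=query(...)->fetch(PDO::FETCH_ASSOC); if (!$row || $row['email'] != $user->email) { ...; return; }`. The confirmation check `$data['pass'] == $data['repeat']` uses loose comparison, which treats numeric-looking strings numerically; `===` is the intended check. The page title is set to 'Forgot Password' although this is the reset page.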