$this->resetPassword($_REQUEST['id'], $_REQUEST['ts'], $_REQUEST['key'], $_REQUEST['password1'] );
}
+
+ if (!empty($_REQUEST['_verifyCheckSum'])) {
+ if (empty($_REQUEST['id']) ||
+ empty($_REQUEST['ts']) ||
+ empty($_REQUEST['key'])
+
+ ) {
+ $this->jerr("Invalid request to reset password");
+ }
+
+ $this->verifyResetPassword($_REQUEST['id'], $_REQUEST['ts'], $_REQUEST['key']);
+ $this->jok("Checksum is ok");
+ }
+
// this is 'classic' change password...
if (!empty($_REQUEST['changePassword'])) {
return $this->changePassword($_REQUEST);
// sort out sender.
$cm = DB_DataObject::factory('core_email');
if (!$cm->get('name', 'ADMIN_PASSWORD_RESET')) {
- $this->jerr("no template ADMIN_PASSWORD_RESET exists - please run importer ");
-
+ $this->jerr("no template Admin password reset (ADMIN_PASSWORD_RESET) exists - please run importer ");
}
+ if (!$cm->active) {
+ $this->jerr("template for Admin password reset has been disabled");
+ }
/*
$g = DB_DAtaObject::factory('Groups');
$sent = $mailer->send();
if (is_a($sent,'PEAR_Error') ) {
$this->addEvent('SYSERR',false, $sent->getMessage());
- $this->jerr($ret->getMessage());
+ $this->jerr($sent->getMessage());
}
$this->addEvent('PASSREQ',$u, $u->email);
}
-
- function resetPassword($id,$t, $key, $newpass)
+ function verifyResetPassword($id,$t, $key)
{
-
- $au = $this->getAuthUser();
+ $au = $this->getAuthUser();
+ print_R($au);
if ($au) {
- return "Already Logged in - no need to use Password Reset";
+ $this->jerr( "Already Logged in - no need to use Password Reset");
}
$u = DB_DataObject::factory('core_person');
//$u->company_id = $this->company->id;
$u->active = 1;
if (!$u->get($id) || !strlen($u->passwd)) {
- return "invalid id";
+ $this->jerr("Password reset link is not valid (id)");
}
// validate key..
if ($key != $u->genPassKey($t)) {
- return "invalid key";
+ $this->jerr("Password reset link is not valid (key)");
+ }
+
+ if ($t < strtotime("NOW - 1 DAY")) {
+ $this->jerr("Password reset link has expired");
}
+ return $u;
+
+
+
+ }
+
+
+ function resetPassword($id,$t, $key, $newpass )
+ {
+
+ $u = $this->verifyResetPassword($id,$t,$key);
+
+
$uu = clone($u);
$u->no_reset_sent = 0;
+ if ($newpass != false) {
+ $u->setPassword($newpass);
+ }
$u->update($uu);
-
- if ($t < strtotime("NOW - 1 DAY")) {
- return "expired";
- }
- $this->showNewPass = implode("/", array($id,$t,$key));
- return false;
+ $this->addEvent("CHANGEPASS", $u);
+
+ $this->jok("Password has been Updated");
}
function changePassword($r)
{
$au = $this->getAuthUser();
- if ($au) {
- $uu = clone($au);
- $au->setPassword($r['passwd1']);
- $au->update($uu);
- $this->addEvent("CHANGEPASS", $au);
- $this->jok($au);
- }
- // not logged in -> need to validate
- if (empty($r['passwordReset'])) {
- $this->jerr("invalid request");
- }
- // same code as reset pasword
-
- $bits = explode('/', $r['passwordReset']);
- //print_R($bits);
-
- $res= $this->resetPassword(@$bits[0],@$bits[1],@$bits[2]);
-
- if ($res !== false) {
- $this->jerr($res);
- }
- // key is correct.. let's change password...
-
- $u = DB_DataObject::factory('core_person');
-
- //$u->company_id = $this->company->id;
- $u->whereAdd('LENGTH(passwd) > 1');
- $u->active = 1;
- if (!$u->get($bits[0])) {
- $this->jerr("invalid id"); // should not happen!!!!
- }
- $uu = clone($u);
- $u->setPassword($r['passwd1']);
- $u->update($uu);
- $u->login();
- $this->addEvent("CHANGEPASS", $u);
- $this->jok($u);
+ if (!$au) {
+ $this->jerr("Password change attempted when not logged in");
+ }
+ $uu = clone($au);
+ $au->setPassword($r['passwd1']);
+ $au->update($uu);
+ $this->addEvent("CHANGEPASS", $au);
+ $this->jok($au);
+
}
function ip_checking()