0000948: Change in "Forgot Password" logic

Index: admin/system_presets/simple/users_u.php =================================================================== --- admin/system_presets/simple/users_u.php (revision 14446) +++ admin/system_presets/simple/users_u.php (working copy) @@ -71,8 +71,7 @@ $hidden_fields = Array ( /* 'PortalUserId', 'Login', 'Password', 'FirstName','LastName', 'Company', 'Email', 'CreatedOn', 'Phone', 'Fax', 'Street', 'Street2', 'City', 'State' , 'Zip', 'Country', 'ResourceId', 'Status', ~~- 'Modified', 'dob', 'tz', 'ip', 'IsBanned', 'PassResetTime', 'PwResetConfirm', 'PwRequestTime',~~ ~~- 'MinPwResetDelay', */~~ + 'Modified', 'dob', 'tz', 'ip', 'IsBanned', 'PwResetConfirm', 'PwRequestTime',*/ ); // virtual fields to hide @@ -84,8 +83,7 @@ $required_fields = Array ( /*'PortalUserId',*/ 'Login', /*'Password', 'FirstName', 'LastName', 'Company', */'Email', /*'CreatedOn', 'Phone', 'Fax', 'Street', 'Street2', 'City', 'State' , 'Zip', 'Country', 'ResourceId', 'Status', ~~- 'Modified', 'dob', 'tz', 'ip', 'IsBanned', 'PassResetTime', 'PwResetConfirm', 'PwRequestTime',~~ ~~- 'MinPwResetDelay'*/~~ + 'Modified', 'dob', 'tz', 'ip', 'IsBanned', 'PwResetConfirm', 'PwRequestTime',*/ ); // virtual fields to make required Index: core/install/english.lang =================================================================== --- core/install/english.lang (revision 14469) +++ core/install/english.lang (working copy) @@ -1590,8 +1590,6 @@ <EVENT MessageType="html" Event="USER.MEMBERSHIP.EXPIRED" Type="0">U3ViamVjdDogWW91ciBNZW1iZXJzaGlwIEV4cGlyZWQKCllvdXIgbWVtYmVyc2hpcCBvbiA8aW5wMjptX0Jhc2VVcmwvPiB3ZWJzaXRlIGhhcyBleHBpcmVkLg==</EVENT> <EVENT MessageType="html" Event="USER.MEMBERSHIP.EXPIRED" Type="1">U3ViamVjdDogVXNlcidzIE1lbWJlcnNoaXAgRXhwaXJlZCAgKCA8aW5wMjp1X0ZpZWxkIG5hbWU9IkxvZ2luIi8+KQoKVXNlcidzICg8aW5wMjp1X0ZpZWxkIG5hbWU9IkxvZ2luIi8+KSBtZW1iZXJzaGlwIG9uIDxpbnAyOm1fQmFzZVVybC8+IHdlYnNpdGUgaGFzIGV4cGlyZWQu</EVENT> <EVENT MessageType="text" Event="USER.NEW.PASSWORD" Type="0">U3ViamVjdDogTmV3IHBhc3N3b3JkIGdlbmVyYXRlZAoKRGVhciA8aW5wMjp1X0ZpZWxkIG5hbWU9IkZpcnN0TmFtZSIvPiwNCg0KQSBuZXcgcGFzc3dvcmQgaGFzIGJlZW4gZ2VuZXJhdGVkIGZvciB5b3VyIHVzZXIuDQoNCk5vdyB5b3UgY2FuIGxvZ2luIHVzaW5nIHRoZSBmb2xsb3dpbmcgY3JlZGVudGlhbHM6DQoNCjxpbnAyOm1faWYgY2hlY2s9InVfRmllbGQiIG5hbWU9IkxvZ2luIj5Vc2VybmFtZTogPGlucDI6dV9GaWVsZCBuYW1lPSJMb2dpbiIvPjxpbnAyOm1fZWxzZS8+RS1tYWlsOiA8aW5wMjp1X0ZpZWxkIG5hbWU9IkVtYWlsIi8+PC9pbnAyOm1faWY+IA0KUGFzc3dvcmQ6IDxpbnAyOnVfRmllbGQgbmFtZT0iUGFzc3dvcmRfcGxhaW4iLz4g</EVENT> - <EVENT MessageType="html" Event="USER.PSWD" Type="0">U3ViamVjdDogUGFzc3dvcmQgUmVjb3ZlcnkKCllvdXIgbG9zdCBwYXNzd29yZCBoYXMgYmVlbiByZXNldC4gPGJyLz48YnIvPg0KWW91ciBuZXcgcGFzc3dvcmQgaXM6ICI8aW5wMjp1X0ZvcmdvdHRlblBhc3N3b3JkIC8+Ii4=</EVENT> - <EVENT MessageType="html" Event="USER.PSWD" Type="1">U3ViamVjdDogUGFzc3dvcmQgUmVjb3ZlcnkgZm9yICI8aW5wMjp1X0ZpZWxkIG5hbWU9IkxvZ2luIiAvPiIKCkxvc3QgcGFzc3dvcmQgaGFzIGJlZW4gcmVzZXQgZm9yICI8aW5wMjp1X0ZpZWxkIG5hbWU9IkxvZ2luIiAvPiIgdXNlci4gPGJyLz48YnIvPg0KTmV3IHBhc3N3b3JkIGlzOiAiPGlucDI6dV9Gb3Jnb3R0ZW5QYXNzd29yZCAvPiIu</EVENT> <EVENT MessageType="html" Event="USER.PSWDC" Type="0">U3ViamVjdDogUmVzZXQgUGFzc3dvcmQgQ29uZmlybWF0aW9uCgpIZWxsbyw8YnIvPjxici8+DQoNCkl0IHNlZW1zIHRoYXQgeW91IGhhdmUgcmVxdWVzdGVkIGEgcGFzc3dvcmQgcmVzZXQgZm9yIHlvdXIgSW4tcG9ydGFsIGFjY291bnQuIElmIHlvdSB3b3VsZCBsaWtlIHRvIHByb2NlZWQgYW5kIGNoYW5nZSB0aGUgcGFzc3dvcmQsIHBsZWFzZSBjbGljayBvbiB0aGUgbGluayBiZWxvdzo8YnIvPjxici8+DQoNCjxhIGhyZWY9IjxpbnAyOnVfQ29uZmlybVBhc3N3b3JkTGluayBub19hbXA9IjEiLz4iPjxpbnAyOnVfQ29uZmlybVBhc3N3b3JkTGluayBub19hbXA9IjEiLz48L2E+PGJyLz48YnIvPg0KDQpZb3Ugd2lsbCByZWNlaXZlIGEgc2Vjb25kIGVtYWlsIHdpdGggeW91ciBuZXcgcGFzc3dvcmQgc2hvcnRseS48YnIvPjxici8+DQoNCklmIHlvdSBiZWxpZXZlIHlvdSBoYXZlIHJlY2VpdmVkIHRoaXMgZW1haWwgaW4gZXJyb3IsIHBsZWFzZSBpZ25vcmUgdGhpcyBlbWFpbC4gWW91ciBwYXNzd29yZCB3aWxsIG5vdCBiZSBjaGFuZ2VkIHVubGVzcyB5b3UgaGF2ZSBjbGlja2VkIG9uIHRoZSBhYm92ZSBsaW5rLg0K</EVENT> <EVENT MessageType="html" Event="USER.SUBSCRIBE" Type="0">U3ViamVjdDogU3Vic2NyaWJlZCB0byBhIE1haWxpbmcgTGlzdCBvbiA8aW5wMjptX0Jhc2VVcmwvPgoKWW91IGhhdmUgc3Vic2NyaWJlZCB0byBhIG1haWxpbmcgbGlzdCBvbiA8aW5wMjptX0Jhc2VVcmwvPiB3ZWJzaXRlLg==</EVENT> <EVENT MessageType="html" Event="USER.SUBSCRIBE" Type="1">U3ViamVjdDogTmV3IFVzZXIgaGFzIFN1YnNjcmliZWQgdG8gYSBNYWxsaW5nIExpc3QKCk5ldyB1c2VyIDxpbnAyOnVfRmllbGQgbmFtZT0iRW1haWwiLz4gaGFzIHN1YnNjcmliZWQgdG8gYSBtYWlsaW5nIGxpc3Qgb24gPGEgaHJlZj0iPGlucDI6bV9CYXNlVXJsLz4iPjxpbnAyOm1fQmFzZVVybC8+PC9hPiB3ZWJzaXRlLg==</EVENT> Index: core/install/install_data.sql =================================================================== --- core/install/install_data.sql (revision 14469) +++ core/install/install_data.sql (working copy) @@ -141,8 +141,6 @@ INSERT INTO Events (EventId, Event, ReplacementTags, Enabled, FrontEndOnly, Module, Description, Type, AllowChangingSender, AllowChangingRecipient) VALUES(DEFAULT, 'USER.VALIDATE', NULL, 1, 1, 'Core', 'Validate User', 1, 1, 1); INSERT INTO Events (EventId, Event, ReplacementTags, Enabled, FrontEndOnly, Module, Description, Type, AllowChangingSender, AllowChangingRecipient) VALUES(DEFAULT, 'USER.DENY', NULL, 1, 0, 'Core', 'Deny User', 0, 1, 1); INSERT INTO Events (EventId, Event, ReplacementTags, Enabled, FrontEndOnly, Module, Description, Type, AllowChangingSender, AllowChangingRecipient) VALUES(DEFAULT, 'USER.DENY', NULL, 1, 1, 'Core', 'Deny User', 1, 1, 1); -INSERT INTO Events (EventId, Event, ReplacementTags, Enabled, FrontEndOnly, Module, Description, Type, AllowChangingSender, AllowChangingRecipient) VALUES(DEFAULT, 'USER.PSWD', NULL, 1, 1, 'Core', 'Forgot Password', 1, 1, 1); -INSERT INTO Events (EventId, Event, ReplacementTags, Enabled, FrontEndOnly, Module, Description, Type, AllowChangingSender, AllowChangingRecipient) VALUES(DEFAULT, 'USER.PSWD', NULL, 1, 0, 'Core', 'Forgot Password', 0, 1, 1); INSERT INTO Events (EventId, Event, ReplacementTags, Enabled, FrontEndOnly, Module, Description, Type, AllowChangingSender, AllowChangingRecipient) VALUES(DEFAULT, 'USER.ADD.PENDING', NULL, 1, 0, 'Core', 'Add Pending User', 0, 1, 1); INSERT INTO Events (EventId, Event, ReplacementTags, Enabled, FrontEndOnly, Module, Description, Type, AllowChangingSender, AllowChangingRecipient) VALUES(DEFAULT, 'USER.ADD.PENDING', NULL, 1, 1, 'Core', 'Add Pending User', 1, 1, 1); INSERT INTO Events (EventId, Event, ReplacementTags, Enabled, FrontEndOnly, Module, Description, Type, AllowChangingSender, AllowChangingRecipient) VALUES(DEFAULT, 'CATEGORY.ADD', NULL, 1, 0, 'Core', 'Add Category', 0, 1, 1); Index: core/install/install_schema.sql =================================================================== --- core/install/install_schema.sql (revision 14468) +++ core/install/install_schema.sql (working copy) @@ -259,10 +259,8 @@ tz int(11) DEFAULT NULL, ip varchar(20) NOT NULL DEFAULT '', IsBanned tinyint(1) NOT NULL DEFAULT '0', ~~- PassResetTime int(11) unsigned DEFAULT NULL,~~ ~~- PwResetConfirm varchar(255) DEFAULT NULL,~~ + PwResetConfirm varchar(255) NOT NULL, PwRequestTime int(11) unsigned DEFAULT NULL, ~~- MinPwResetDelay int(11) NOT NULL DEFAULT '1800',~~ AdminLanguage int(11) DEFAULT NULL, DisplayToPublic text, UserType tinyint(4) NOT NULL, Index: core/install/upgrades.sql =================================================================== --- core/install/upgrades.sql (revision 14469) +++ core/install/upgrades.sql (working copy) @@ -2026,4 +2026,17 @@ UPDATE PortalUser SET OldStyleLogin = 1 ~~-WHERE (Login <> '') AND (Login NOT REGEXP '^[A-Z0-9_\\-\\.]+$');~~ \ No newline at end of file +WHERE (Login <> '') AND (Login NOT REGEXP '^[A-Z0-9_\\-\\.]+$'); + +DELETE FROM Events WHERE Event = 'USER.PSWD'; + +UPDATE Phrase +SET l<%PRIMARY_LANGUAGE%>_Translation = 'Your password has been reset.' +WHERE PhraseKey = 'LU_TEXT_FORGOTPASSHASBEENRESET' AND l<%PRIMARY_LANGUAGE%>_Translation = 'Your password has been reset. The new password has been sent to your e-mail address. You may now login with the new password.'; + +ALTER TABLE PortalUser + DROP MinPwResetDelay, + DROP PassResetTime, + CHANGE PwResetConfirm PwResetConfirm VARCHAR(255) NOT NULL; + +UPDATE PortalUser SET PwRequestTime = NULL WHERE PwRequestTime = 0; \ No newline at end of file Index: core/units/helpers/user_helper.php =================================================================== --- core/units/helpers/user_helper.php (revision 14468) +++ core/units/helpers/user_helper.php (working copy) @@ -441,4 +441,38 @@ return !$found; } + + public function validateUserCode($user_code, $code_type, $expiration_timeout = null) + { + $expiration_timeouts = Array ( + 'forgot_password' => 'config:Users_AllowReset', + 'activation' => 'config:UserEmailActivationTimeout', + 'custom' => '', + ); + + if ( !$user_code ) { + return 'code_is_not_valid'; + } + + $sql = 'SELECT PwRequestTime, PortalUserId + FROM ' . TABLE_PREFIX . 'PortalUser + WHERE PwResetConfirm = ' . $this->Conn->qstr( trim($user_code) ); + $user_info = $this->Conn->GetRow($sql); + + if ( $user_info === false ) { + return 'code_is_not_valid'; + } + + $expiration_timeout = isset($expiration_timeout) ? $expiration_timeout : $expiration_timeouts[$code_type]; + + if ( preg_match('/^config:(.*)$/', $expiration_timeout, $regs) ) { + $expiration_timeout = $this->Application->ConfigValue( $regs[1] ); + } + + if ( $expiration_timeout && $user_info['PwRequestTime'] < strtotime('-' . $expiration_timeout . ' minutes') ) { + return 'code_expired'; + } + + return $user_info['PortalUserId']; + } } Index: core/units/users/users_config.php =================================================================== --- core/units/users/users_config.php (revision 14468) +++ core/units/users/users_config.php (working copy) @@ -383,10 +383,8 @@ 'tz' => Array('type' => 'int', 'default' => NULL), 'ip' => Array('type' => 'string', 'not_null' => 1, 'default' => ''), 'IsBanned' => Array('type' => 'int','not_null' => 1, 'default' => 0), ~~- 'PassResetTime' => Array('type' => 'int','default' => NULL),~~ ~~- 'PwResetConfirm' => Array('type' => 'string','default' => NULL),~~ ~~- 'PwRequestTime' => Array('type' => 'int','default' => NULL),~~ - 'MinPwResetDelay' => Array('type' => 'int', 'formatter' => 'kOptionsFormatter', 'options' => Array(300 => '5', 600 => '10', 900 => '15', 1800 => '30', 3600 => '60'), 'use_phrases' => 0, 'not_null' => '1', 'default' => 1800), + 'PwResetConfirm' => Array('type' => 'string', 'not_null' => 1, 'default' => ''), + 'PwRequestTime' => Array('type' => 'int', 'formatter' => 'kDateFormatter', 'default' => NULL), 'AdminLanguage' => Array ( 'type' => 'int', 'formatter' => 'kOptionsFormatter', 'options_sql' => 'SELECT %s FROM ' . TABLE_PREFIX . 'Language ORDER BY PackName', 'option_key_field' => 'LanguageId', 'option_title_field' => 'LocalName', Index: core/units/users/users_event_handler.php =================================================================== --- core/units/users/users_event_handler.php (revision 14468) +++ core/units/users/users_event_handler.php (working copy) @@ -35,8 +35,6 @@ 'OnRefreshForm' => Array('self' => true), 'OnForgotPassword' => Array('self' => true), ~~- 'OnResetPassword' => Array('self' => true),~~ ~~- 'OnResetPasswordConfirmed' => Array('self' => true),~~ 'OnSubscribeQuery' => Array('self' => true), 'OnSubscribeUser' => Array('self' => true), @@ -52,6 +50,23 @@ } /** + * Builds item (loads if needed) + * + * Pattern: Prototype Manager + * + * @param kEvent $event + * @access protected + */ + function OnItemBuild(&$event) + { + parent::OnItemBuild($event); + + if ($event->Special == 'forgot') { + $this->_makePasswordRequired($event); + } + } + + /** * Shows only admins when required * * @param kEvent $event @@ -117,6 +132,7 @@ if ($event->Name == 'OnUpdate' && $user_id > 0) { $user_dummy =& $this->Application->recallObject($event->Prefix.'.-item', null, Array('skip_autoload' => true)); + foreach ($items_info as $id => $field_values) { if ($id != $user_id) { // registered users can update their record only @@ -136,9 +152,15 @@ return false; } } + return true; } + if ( $event->Name == 'OnResetLostPassword' && $event->Special == 'forgot' && $user_id == USER_GUEST ) { + // non-logged in users can reset their password, when reset code is valid + return is_numeric( $this->getPassedID($event) ); + } + if ($event->Name == 'OnUpdate' && $user_id <= 0) { // guests are not allowed to update their record, because they don't have it :) return false; @@ -814,152 +836,65 @@ $user_current_object =& $this->Application->recallObject('u', null, Array('skip_autoload' => true)); // TODO: change theme too /* @var $user_current_object UsersItem */ ~~- $username = $this->Application->GetVar('username');~~ + $found = $allow_reset = false; $email = $this->Application->GetVar('email'); ~~- $found = false;~~ ~~- $allow_reset = true;~~ + $username = $this->Application->GetVar('username'); ~~- if (strlen($username)) {~~ + if ( strlen($username) ) { $user_object->Load($username, 'Login'); ~~- if ($user_object->isLoaded()) {~~ ~~- $found = ($user_object->GetDBField("Login")==$username && $user_object->GetDBField("Status")==1) && strlen($user_object->GetDBField("Password"));~~ ~~- }~~ } ~~- else if(strlen($email)) {~~ + elseif( strlen($email) ) { $user_object->Load($email, 'Email'); ~~- if ($user_object->isLoaded()) {~~ ~~- $found = ($user_object->GetDBField("Email")==$email && $user_object->GetDBField("Status")==1) && strlen($user_object->GetDBField("Password"));~~ ~~- }~~ } ~~- if ($user_object->isLoaded()) {~~ ~~- $PwResetConfirm = $user_object->GetDBField('PwResetConfirm');~~ ~~- $PwRequestTime = $user_object->GetDBField('PwRequestTime');~~ ~~- $PassResetTime = $user_object->GetDBField('PassResetTime');~~ ~~- //$MinPwResetDelay = $user_object->GetDBField('MinPwResetDelay');~~ ~~- $MinPwResetDelay = $this->Application->ConfigValue('Users_AllowReset');~~ + if ( $user_object->isLoaded() ) { + $min_pwd_reset_delay = $this->Application->ConfigValue('Users_AllowReset'); + $found = ($user_object->GetDBField('Status') == STATUS_ACTIVE) && strlen( $user_object->GetDBField('Password') ); ~~- $allow_reset = (strlen($PwResetConfirm) ?~~ ~~- adodb_mktime() > $PwRequestTime + $MinPwResetDelay :~~ ~~- adodb_mktime() > $PassResetTime + $MinPwResetDelay);~~ + if ( !$user_object->GetDBField('PwResetConfirm') ) { + // no reset made -> allow + $allow_reset = true; + } + else { + // reset made -> wait N minutes, then allow + $allow_reset = adodb_mktime() > $user_object->GetDBField('PwRequestTime') + $min_pwd_reset_delay; + } } if ($found && $allow_reset) { ~~- $this->Application->StoreVar('tmp_user_id', $user_object->GetDBField("PortalUserId"));~~ ~~- $this->Application->StoreVar('tmp_email', $user_object->GetDBField("Email"));~~ + $this->Application->EmailEventUser('USER.PSWDC', $user_object->GetID()); ~~- $confirm_template = $this->Application->GetVar('reset_confirm_template');~~ ~~- if (!$confirm_template) {~~ ~~- $this->Application->SetVar('reset_confirm_template', 'platform/login/forgotpass_reset');~~ ~~- }~~ ~~- $this->Application->EmailEventUser('USER.PSWDC', $user_object->GetDBField('PortalUserId'));~~ - $event->redirect = $this->Application->GetVar('template_success'); + + return ; } ~~- else {~~ ~~- if (!strlen($username) && !strlen($email)) {~~ ~~- $user_current_object->SetError('Login', 'forgotpw_nodata', 'lu_ferror_forgotpw_nodata');~~ ~~- $user_current_object->SetError('Email', 'forgotpw_nodata', 'lu_ferror_forgotpw_nodata');~~ ~~- }~~ ~~- else {~~ ~~- if ($allow_reset) {~~ ~~- if (strlen($username)) {~~ ~~- $user_current_object->SetError('Login', 'unknown_username', 'lu_ferror_unknown_username');~~ ~~- }~~ ~~- if (strlen($email)) {~~ ~~- $user_current_object->SetError('Email', 'unknown_email', 'lu_ferror_unknown_email');~~ ~~- }~~ ~~- }~~ ~~- else {~~ ~~- if (strlen($username)) {~~ ~~- $user_current_object->SetError('Login', 'reset_denied', 'lu_ferror_reset_denied');~~ ~~- }~~ ~~- if (strlen($email)) {~~ ~~- $user_current_object->SetError('Email', 'reset_denied', 'lu_ferror_reset_denied');~~ ~~- }~~ ~~- }~~ + if ( !strlen($username) && !strlen($email) ) { + $user_current_object->SetError('Login', 'forgotpw_nodata', 'lu_ferror_forgotpw_nodata'); + $user_current_object->SetError('Email', 'forgotpw_nodata', 'lu_ferror_forgotpw_nodata'); + } + elseif ( !$found ) { + if ( strlen($username) ) { + $user_current_object->SetError('Login', 'unknown_username', 'lu_ferror_unknown_username'); } ~~- if ( $user_current_object->HasErrors() ) {~~ ~~- $event->redirect = false;~~ + if ( strlen($email) ) { + $user_current_object->SetError('Email', 'unknown_email', 'lu_ferror_unknown_email'); } } ~~- }~~ + elseif ( !$allow_reset ) { + if ( strlen($username) ) { + $user_current_object->SetError('Login', 'reset_denied', 'lu_ferror_reset_denied'); + } - /** ~~- * Enter description here...~~ - * ~~- * @param kEvent $event~~ ~~- */~~ ~~- function OnResetPassword(&$event)~~ ~~- {~~ ~~- $user_object =& $this->Application->recallObject('u.forgot');~~ - ~~- if($user_object->Load($this->Application->RecallVar('tmp_user_id'))){~~ - ~~- $this->Application->EmailEventUser('USER.PSWDC', $user_object->GetDBField("PortalUserId"));~~ ~~- $event->redirect = $this->Application->GetVar('template_success');~~ - ~~- $m_cat_id = $this->Application->findModule('Name', 'In-Commerce', 'RootCat');~~ ~~- $this->Application->SetVar('m_cat_id', $m_cat_id);~~ ~~- $event->SetRedirectParam('pass', 'm');~~ + if ( strlen($email) ) { + $user_current_object->SetError('Email', 'reset_denied', 'lu_ferror_reset_denied'); + } } ~~- }~~ ~~- function OnResetPasswordConfirmed(&$event)~~ ~~- {~~ ~~- // used for error reporting only -> rewrite code + theme (by Alex)~~ ~~- $user_current_object =& $this->Application->recallObject('u', null, Array('skip_autoload' => true));// TODO: change theme too~~ ~~- /* @var $user_current_object UsersItem */~~ - ~~- $passed_key = trim($this->Application->GetVar('user_key'));~~ - ~~- if (!$passed_key) {~~ ~~- $event->setRedirectParams(Array('opener' => 's', 'pass' => 'all'), true);~~ + if ( $user_current_object->HasErrors() ) { $event->redirect = false; - ~~- $user_current_object->SetError('PwResetConfirm', 'code_is_not_valid', 'lu_code_is_not_valid');~~ ~~- }~~ - ~~- $user_object =& $this->Application->recallObject('u.forgot', null, Array('skip_autoload' => true));~~ ~~- /* @var $user_object UsersItem */~~ - ~~- $user_object->Load($passed_key, 'PwResetConfirm');~~ - ~~- if ($user_object->isLoaded()) {~~ ~~- $exp_time = $user_object->GetDBField('PwRequestTime') + 3600;~~ ~~- $user_object->SetDBField('PwResetConfirm', '');~~ ~~- $user_object->SetDBField('PwRequestTime', 0);~~ - ~~- if ($exp_time > adodb_mktime()) {~~ ~~- $newpw = $user_object->generatePassword();~~ ~~- $this->Application->StoreVar('password', $newpw);~~ - ~~- $user_object->SetDBField('PassResetTime', adodb_mktime());~~ ~~- $user_object->SetDBField('PwResetConfirm', '');~~ ~~- $user_object->SetDBField('PwRequestTime', 0);~~ ~~- $user_object->Update();~~ - ~~- $this->Application->SetVar('ForgottenPassword', $newpw);~~ - ~~- $email_event_user =& $this->Application->EmailEventUser('USER.PSWD', $user_object->GetDBField('PortalUserId'));~~ ~~- $email_event_admin =& $this->Application->EmailEventAdmin('USER.PSWD');~~ - ~~- $this->Application->DeleteVar('ForgottenPassword');~~ - ~~- if ($email_event_user->status == kEvent::erSUCCESS) {~~ ~~- $event->setRedirectParams(array('opener' => 's', 'pass' => 'all'), true);~~ ~~- $event->redirect = $this->Application->GetVar('template_success');~~ ~~- }~~ ~~- } else {~~ ~~- $user_current_object->SetError('PwResetConfirm', 'code_expired', 'lu_code_expired');~~ ~~- $event->redirect = false;~~ ~~- }~~ ~~- } else {~~ ~~- $user_current_object->SetError('PwResetConfirm', 'code_is_not_valid', 'lu_code_is_not_valid');~~ ~~- $event->redirect = false;~~ ~~- }~~ + } } function OnUpdate(&$event) @@ -983,6 +918,15 @@ $cs_helper->CheckStateField($event, 'State', 'Country'); $cs_helper->PopulateStates($event, 'State', 'Country'); + + if ($event->Special == 'forgot') { + $object =& $event->getObject(); + /* @var $object kDBItem */ + + $object->SetDBField('PwResetConfirm', ''); + $object->SetDBField('PwRequestTime_date', NULL); + $object->SetDBField('PwRequestTime_time', NULL); + } } /** @@ -1104,23 +1048,33 @@ $order =& $this->Application->recallObject('ord'); /* @var $order OrdersItem */ ~~- $id = $order->GetDBField('PortalUserId');~~ + return $order->GetDBField('PortalUserId'); break; case 'profile': $id = $this->Application->GetVar('user_id'); + if (!$id) { // if none user_id given use current user id $id = $this->Application->RecallVar('user_id'); } + + return $id; break; ~~- default:~~ ~~- $id = parent::getPassedID($event);~~ + case 'forgot': + $user_helper =& $this->Application->recallObject('UserHelper'); + /* @var $user_helper UserHelper */ + + $id = $user_helper->validateUserCode( $this->Application->GetVar('user_key'), 'forgot_password' ); + + if ( is_numeric($id) ) { + return $id; + } break; } ~~- return $id;~~ + return parent::getPassedID($event); } /** @@ -1731,4 +1685,29 @@ echo kUtil::generatePassword(); } } + + /** + * Changes user's password and logges him in + * + * @param kEvent $event + */ + function OnResetLostPassword(&$event) + { + $object =& $event->getObject(); + /* @var $object kDBItem */ + + $event->CallSubEvent('OnUpdate'); + + if ( $event->status == kEvent::erSUCCESS ) { + $user_helper =& $this->Application->recallObject('UserHelper'); + /* @var $user_helper UserHelper */ + + $user =& $user_helper->getUserObject(); + $user->Load( $object->GetID() ); + + if ( $user_helper->checkLoginPermission() ) { + $user_helper->loginUserById( $user->GetID() ); + } + } + } } Index: core/units/users/users_tag_processor.php =================================================================== --- core/units/users/users_tag_processor.php (revision 14469) +++ core/units/users/users_tag_processor.php (working copy) @@ -41,18 +41,22 @@ function ConfirmPasswordLink($params) { + $user =& $this->Application->recallObject($this->Prefix . '.email-to'); + /* @var $user UsersItem */ + $code = $this->getCachedCode(); + $user->SetDBField('PwResetConfirm', $code); + $user->SetDBField('PwRequestTime_date', adodb_mktime()); + $user->SetDBField('PwRequestTime_time', adodb_mktime()); ~~- $fields_hash = Array (~~ ~~- 'PwResetConfirm' => $code,~~ ~~- 'PwRequestTime' => adodb_mktime(),~~ ~~- );~~ + if ( $user->GetChangedFields() ) { + // tag is called 2 times within USER.PWDC email event, so don't update user record twice + $user->Update(); + } ~~- $user_id = $this->Application->RecallVar('tmp_user_id');~~ ~~- $this->Conn->doUpdate($fields_hash, TABLE_PREFIX.'PortalUser', 'PortalUserId = '.$user_id);~~ - $params['user_key'] = $code; ~~- if (!$this->SelectParam($params, 'template,t')) {~~ + + if ( !$this->SelectParam($params, 'template,t') ) { $params['template'] = $this->Application->GetVar('reset_confirm_template'); } @@ -68,7 +72,7 @@ { static $code = null; ~~- if (!isset($code)) {~~ + if ( !isset($code) ) { $code = md5($this->GenerateCode()); } @@ -77,35 +81,53 @@ function GenerateCode() { ~~- list($usec, $sec) = explode(" ",microtime());~~ + list($usec, $sec) = explode(" ",microtime()); ~~- $id_part_1 = substr($usec, 4, 4);~~ ~~- $id_part_2 = mt_rand(1,9);~~ ~~- $id_part_3 = substr($sec, 6, 4);~~ ~~- $digit_one = substr($id_part_1, 0, 1);~~ ~~- if ($digit_one == 0) {~~ ~~- $digit_one = mt_rand(1,9);~~ ~~- $id_part_1 = preg_replace('/^0/', '', $id_part_1);~~ ~~- $id_part_1=$digit_one.$id_part_1;~~ ~~- }~~ ~~- return $id_part_1.$id_part_2.$id_part_3;~~ ~~- }~~ + $id_part_1 = substr($usec, 4, 4); + $id_part_2 = mt_rand(1,9); + $id_part_3 = substr($sec, 6, 4); + $digit_one = substr($id_part_1, 0, 1); ~~- function ForgottenPassword($params)~~ ~~- {~~ ~~- return $this->Application->GetVar('ForgottenPassword');~~ + if ($digit_one == 0) { + $digit_one = mt_rand(1,9); + $id_part_1 = preg_replace('/^0/', '', $id_part_1); + $id_part_1=$digit_one.$id_part_1; + } + + return $id_part_1.$id_part_2.$id_part_3; } function TestCodeIsValid($params) { ~~- $passed_key = trim($this->Application->GetVar('user_key'));~~ + $user_helper =& $this->Application->recallObject('UserHelper'); + /* @var $user_helper UserHelper */ ~~- // used for error reporting only -> rewrite code + theme (by Alex)~~ ~~- $user_current_object =& $this->Application->recallObject('u', null, Array('skip_autoload' => true)); // TODO: change theme too~~ ~~- /* @var $user_current_object UsersItem */~~ - $code_type = isset($params['code_type']) ? $params['code_type'] : 'forgot_password'; + $expiration_timeout = isset($params['expiration_timeout']) ? $params['expiration_timeout'] : null; + $user_id = $user_helper->validateUserCode($this->Application->GetVar('user_key'), $code_type, $expiration_timeout); + if ( !is_numeric($user_id) ) { + // used for error reporting only -> rewrite code + theme (by Alex) + $object =& $this->getObject( Array('skip_autoload' => true) ); // TODO: change theme too + /* @var $object UsersItem */ + + $object->SetError('PwResetConfirm', $user_id, $this->_getUserCodeErrorMsg($user_id, $code_type, $params)); + + return false; + } + + return true; + } + + /** + * Returns error message set by given code type + * + * @param string $error_code + * @param Array $params + * @return string + */ + function _getUserCodeErrorMsg($error_code, $code_type, $params) + { $error_messages = Array ( 'forgot_password' => Array ( 'code_is_not_valid' => 'lu_code_is_not_valid', @@ -126,45 +148,7 @@ ); } ~~- $expiration_timeouts = Array (~~ ~~- 'forgot_password' => 'config:Users_AllowReset',~~ ~~- 'activation' => 'config:UserEmailActivationTimeout',~~ ~~- 'custom' => '',~~ ~~- );~~ - ~~- if (!$passed_key) {~~ ~~- $user_current_object->SetError('PwResetConfirm', 'code_is_not_valid', $error_messages[$code_type]['code_is_not_valid']);~~ - ~~- return false;~~ ~~- }~~ - ~~- $user_object =& $this->Application->recallObject('u.forgot', null, Array('skip_autoload' => true));~~ ~~- /* @var $user_object UsersItems */~~ - ~~- $user_object->Load($passed_key, 'PwResetConfirm');~~ - ~~- if ( !$user_object->isLoaded() ) {~~ ~~- $user_current_object->SetError('PwResetConfirm', 'code_is_not_valid', $error_messages[$code_type]['code_is_not_valid']);~~ - ~~- return false;~~ ~~- }~~ ~~- else {~~ ~~- $expiration_timeout = isset($params['expiration_timeout']) ? $params['expiration_timeout'] : $expiration_timeouts[$code_type];~~ - ~~- if ( preg_match('/^config:(.*)$/', $expiration_timeout, $regs) ) {~~ ~~- $expiration_timeout = $this->Application->ConfigValue( $regs[1] );~~ ~~- }~~ - ~~- if ( $expiration_timeout ) {~~ ~~- if ( $user_object->GetDBField('PwRequestTime') < strtotime('-' . $expiration_timeout . ' minutes') ) {~~ ~~- $user_current_object->SetError('PwResetConfirm', 'code_expired', $error_messages[$code_type]['code_expired']);~~ - ~~- return false;~~ ~~- }~~ ~~- }~~ ~~- }~~ - ~~- return true;~~ + return $error_messages[$code_type][$error_code]; } /** @@ -303,17 +287,14 @@ */ function ActivationLink($params) { ~~- $code = $this->getCachedCode();~~ - ~~- $fields_hash = Array (~~ ~~- 'PwResetConfirm' => $code,~~ ~~- 'PwRequestTime' => adodb_mktime(),~~ ~~- );~~ - $object =& $this->getObject($params); /* @var $object kDBItem */ ~~- $this->Conn->doUpdate($fields_hash, $object->TableName, $object->IDField . ' = ' . $object->GetID());~~ + $code = $this->getCachedCode(); + $object->SetDBField('PwResetConfirm', $code); + $object->SetDBField('PwRequestTime_date', adodb_mktime()); + $object->SetDBField('PwRequestTime_time', adodb_mktime()); + $object->Update(); $params['user_key'] = $code; @@ -339,7 +320,8 @@ $user->SetDBField('Status', STATUS_ACTIVE); $user->SetDBField('PwResetConfirm', ''); ~~- $user->SetDBField('PwRequestTime', 0);~~ + $user->SetDBField('PwRequestTime_date', NULL); + $user->SetDBField('PwRequestTime_time', NULL); $user->Update(); $user_helper =& $this->Application->recallObject('UserHelper');

Index: platform/elements/forms.elm.tpl =================================================================== --- platform/elements/forms.elm.tpl (revision 14446) +++ platform/elements/forms.elm.tpl (working copy) @@ -170,7 +170,7 @@ <inp2:m_if check="{$prefix}_HasError" field="$field"> <span class="field-error"><inp2:{$prefix}_Error field="$field"/></span><br /> </inp2:m_if> - <input type="password" class="input-text" name="<inp2:{$prefix}_InputName field="$field"/>" id="<inp2:{$prefix}_InputName field="$field"/>" value="" tabindex="<inp2:m_get param="tab_index"/>" style="<inp2:m_param name="style"/>" /> + <input type="password" class="input-text" name="<inp2:{$prefix}_InputName field="$field"/>" id="<inp2:{$prefix}_InputName field="$field"/>" value="<inp2:{$prefix}_Field name='{$field}_plain'/>" tabindex="<inp2:m_get param="tab_index"/>" style="<inp2:m_param name="style"/>" /> <inp2:m_if check="m_Param" name="hint_label"><span class="small"><inp2:m_phrase label="$hint_label"/></span></inp2:m_if> </td> </tr> Index: platform/login/forgot_password_reset.tpl =================================================================== --- platform/login/forgot_password_reset.tpl (revision 14446) +++ platform/login/forgot_password_reset.tpl (working copy) @@ -48,12 +48,17 @@ <inp2:m_if check="u_TestCodeIsValid"> <form method="POST" action="<inp2:m_FormAction />"> ~~- <input type="submit" name="events[u][OnResetPasswordConfirmed]" value="<inp2:m_Phrase label="lu_btn_Yes" no_editing="1"/>" class="button" />~~ + <table class="form-data fullwidth"> + <inp2:m_RenderElement name="inp_edit_password" prefix="u.forgot" field="Password" title="lu_fld_Password" style="width:155px" /> + <inp2:m_RenderElement name="inp_edit_password" prefix="u.forgot" field="VerifyPassword" title="lu_fld_VerifyPassword" style="width:155px" is_last="1"/> ~~- <input type="button" value="<inp2:m_Phrase label="lu_btn_No" no_editing="1"/>" class="button" onclick="redirect('<inp2:m_Link template="index"/>');" />~~ + <inp2:m_RenderElement design="inp_edit_buttons"> + <input class="button" type="submit" name="events[u.forgot][OnResetLostPassword]" value="<inp2:m_Phrase label='lu_btn_Update' no_editing='1'/>"/> + <input type="hidden" name="next_template" value="platform/login/forgot_password_reset_confirm"/> + </inp2:m_RenderElement> + </table> ~~- <input type="hidden" name="user_key" value="<inp2:m_Get name="user_key"/>"/>~~ ~~- <input type="hidden" name="template_success" value="platform/login/forgot_password_reset_confirm" />~~ + <input type="hidden" name="user_key" value="<inp2:m_Get name='user_key'/>"/> </form> <inp2:m_else /> <span class="error"><inp2:u_Error field="PwResetConfirm"/></span>

Issue History
Date Modified	Username	Field	Change
2012-07-25 05:33	alex	Note Added: 0005076
2012-07-25 05:33	alex	Status	resolved => closed
2012-02-06 04:02	alex	Relationship added	related to 0001201
2011-10-22 05:41	alex	Estimate Points	=> 2
2011-08-10 05:03	alex	Relationship added	related to 0001095
2011-07-13 06:42	alex	Note Added: 0003631
2011-07-13 06:42	alex	Status	reviewed and tested => resolved
2011-07-13 06:42	alex	Fixed in Version	=> 5.2.0-B1
2011-07-13 06:42	alex	Resolution	open => fixed
2011-07-13 06:42	alex	Assigned To	!COMMUNITY => alex
2011-07-13 06:42	alex	Changeset attached	5.2.x r14472
2011-07-13 06:41	alex	Changeset attached	1.2.x r14471
2011-07-13 06:41	alex	Note Added: 0003630
2011-07-13 06:41	alex	Status	needs testing => reviewed and tested
2011-07-13 06:40	alex	Assigned To	=> !COMMUNITY
2011-07-13 06:40	alex	Developer	=> alex
2011-07-13 06:40	alex	Status	active => needs testing
2011-07-13 06:40	alex	File Added: forgot_password_imporvements_themes.patch
2011-07-13 06:40	alex	File Added: forgot_password_imporvements_core.patch
2011-07-13 06:39	alex	Note Added: 0003629
2011-07-12 08:06	alex	Relationship added	parent of 0001044
2011-07-08 10:57	alex	Target Version	Icebox => 5.2.0
2010-12-13 12:45	alex	Description Updated	View Revisions
2010-12-13 12:42	alex	Description Updated	View Revisions
2010-12-13 10:32	Dmitry	New Issue
2010-12-13 10:32	Dmitry	Reference	=> https://groups.google.com/d/topic/in-portal-dev/lfqeAuXWWko/discussion
2010-12-13 10:32	Dmitry	Change Log Message	=> Improved "Forgot Password" logic

Notes
(0003629) alex (manager) 2011-07-13 06:39	Not obvious things in the patch: 1. password field now keeps password, when there is an error on a form (before you needed to re-enter password after each error) - now works, like in admin console 2. u:OnResetPasswordConfirmed and u:OnResetPassword events were removed 3. fields PassResetTime and MinPwResetDelay were removed from PortalUser table, since they weren't used anywhere 4. email events USER.PSWD (user and admin) were removed, since there is no longer needed to send newly generated password to a user 5. field PwResetConfirm in PortalUser table made NOT NULL to comply with rules 6. changed translation of LU_TEXT_FORGOTPASSHASBEENRESET phrase to match new forgot password logic 7. u_TestCodeIsValid tag logic moved to UserHelper, so now it can be used where needed 8. session is no longer used in forgot password reset process (email event content isn't changed) 9. tags u_ActivationLink and u_ActivationUser changed, since they used fields from forgot password reset system

(0003630) alex (manager) 2011-07-13 06:41	Will test later, but commit right now to ease merge process from 5.1.x branch.

(0003631) alex (manager) 2011-07-13 06:42	Fix committed to 5.2.x branch. Commit Message: Fixes 0000948: Change in "Forgot Password" logic

(0005076) alex (manager) 2012-07-25 05:33	Since 5.2.0 version was released.

Related Changesets
In-Portal CMS: 5.2.x r14472 Timestamp: 2011-07-13 06:42:22 Author: alex [ Details ] [ Diff ]	Fixes 0000948: Change in "Forgot Password" logic
	mod - /in-portal/branches/5.2.x/admin/system_presets/simple/users_u.php	[ Diff ] [ File ]
	mod - /in-portal/branches/5.2.x/core/install/english.lang	[ Diff ] [ File ]
	mod - /in-portal/branches/5.2.x/core/install/install_data.sql	[ Diff ] [ File ]
	mod - /in-portal/branches/5.2.x/core/install/install_schema.sql	[ Diff ] [ File ]
	mod - /in-portal/branches/5.2.x/core/install/upgrades.sql	[ Diff ] [ File ]
	mod - /in-portal/branches/5.2.x/core/units/helpers/user_helper.php	[ Diff ] [ File ]
	mod - /in-portal/branches/5.2.x/core/units/users/users_config.php	[ Diff ] [ File ]
	mod - /in-portal/branches/5.2.x/core/units/users/users_event_handler.php	[ Diff ] [ File ]
	mod - /in-portal/branches/5.2.x/core/units/users/users_tag_processor.php	[ Diff ] [ File ]

Themes :: Advanced: 1.2.x r14471 Timestamp: 2011-07-13 06:41:56 Author: alex [ Details ] [ Diff ]	Bug 0000948: Change in "Forgot Password" logic
	mod - /themes/advanced/branches/1.2.x/platform/elements/forms.elm.tpl	[ Diff ] [ File ]
	mod - /themes/advanced/branches/1.2.x/platform/login/forgot_password_reset.tpl	[ Diff ] [ File ]

In-Portal Issue Tracker