nextcloud/core/lostpassword/index.php

<?php
/**
 * Copyright (c) 2012 Frank Karlitschek frank@owncloud.org
 * This file is licensed under the Affero General Public License version 3 or
 * later.
 * See the COPYING-README file.
*/

$RUNTIME_NOAPPS = TRUE; //no apps
require_once('../../lib/base.php');


// Someone lost their password:
if (isset($_POST['user'])) {
	if (OC_User::userExists($_POST['user'])) {
		$token = sha1($_POST['user'].md5(uniqid(rand(), true)));
		OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', $token);
		$email = OC_Preferences::getValue($_POST['user'], 'settings', 'email', '');
		if (!empty($email) and isset($_POST['sectoken']) and isset($_SESSION['sectoken']) and ($_POST['sectoken']==$_SESSION['sectoken']) ) {
			$link = OC_Helper::linkToAbsolute('core/lostpassword', 'resetpassword.php').'?user='.urlencode($_POST['user']).'&token='.$token;
			$tmpl = new OC_Template('core/lostpassword', 'email');
			$tmpl->assign('link', $link, false);
			$msg = $tmpl->fetchPage();
			$l = OC_L10N::get('core');
			$from = 'lostpassword-noreply@' . OCP\Util::getServerHost();
			OC_MAIL::send($email,$_POST['user'],$l->t('ownCloud password reset'),$msg,$from,'ownCloud');
			echo('sent');

		}
		$sectoken=rand(1000000,9999999);
		$_SESSION['sectoken']=$sectoken;
		OC_Template::printGuestPage('core/lostpassword', 'lostpassword', array('error' => false, 'requested' => true, 'sectoken' => $sectoken));
	} else {
		$sectoken=rand(1000000,9999999);
		$_SESSION['sectoken']=$sectoken;
		OC_Template::printGuestPage('core/lostpassword', 'lostpassword', array('error' => true, 'requested' => false, 'sectoken' => $sectoken));
	}
} else {
	$sectoken=rand(1000000,9999999);
	$_SESSION['sectoken']=$sectoken;
	OC_Template::printGuestPage('core/lostpassword', 'lostpassword', array('error' => false, 'requested' => false, 'sectoken' => $sectoken));
}
Move lostpassword code to own app 2011-09-26 01:33:22 +04:00			`<?php`
			`/**`
update copyright 2012-05-26 21:14:24 +04:00			`* Copyright (c) 2012 Frank Karlitschek frank@owncloud.org`
Move lostpassword code to own app 2011-09-26 01:33:22 +04:00			`* This file is licensed under the Affero General Public License version 3 or`
			`* later.`
			`* See the COPYING-README file.`
			`*/`

			`$RUNTIME_NOAPPS = TRUE; //no apps`
Move lostpassword to core dir 2011-10-03 22:41:52 +04:00			`require_once('../../lib/base.php');`
Move lostpassword code to own app 2011-09-26 01:33:22 +04:00
csrf protection 2012-04-26 21:35:33 +04:00
Move lostpassword code to own app 2011-09-26 01:33:22 +04:00			`// Someone lost their password:`
			`if (isset($_POST['user'])) {`
			`if (OC_User::userExists($_POST['user'])) {`
Make the token really random 2012-04-04 17:17:03 +04:00			`$token = sha1($_POST['user'].md5(uniqid(rand(), true)));`
Move lostpassword code to own app 2011-09-26 01:33:22 +04:00			`OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', $token);`
Use correct appid for lostpassword email preference 2011-12-19 02:08:00 +04:00			`$email = OC_Preferences::getValue($_POST['user'], 'settings', 'email', '');`
csrf protection 2012-04-26 21:35:33 +04:00			`if (!empty($email) and isset($_POST['sectoken']) and isset($_SESSION['sectoken']) and ($_POST['sectoken']==$_SESSION['sectoken']) ) {`
urlencode link fort password reset (bug #970) 2012-06-13 19:22:28 +04:00			`$link = OC_Helper::linkToAbsolute('core/lostpassword', 'resetpassword.php').'?user='.urlencode($_POST['user']).'&token='.$token;`
Move lostpassword to core dir 2011-10-03 22:41:52 +04:00			`$tmpl = new OC_Template('core/lostpassword', 'email');`
fix for bug #1295, don't escape password reset link 2012-07-27 17:35:36 +04:00			`$tmpl->assign('link', $link, false);`
Implement mailing of password reset link 2011-09-26 23:11:50 +04:00			`$msg = $tmpl->fetchPage();`
reuse OC_L10N objects 2012-04-14 18:44:15 +04:00			`$l = OC_L10N::get('core');`
use our own serverHost call so that ownCloud works with reverse proxy servers 2012-05-31 22:26:09 +04:00			`$from = 'lostpassword-noreply@' . OCP\Util::getServerHost();`
csrf protection 2012-04-26 21:35:33 +04:00			`OC_MAIL::send($email,$_POST['user'],$l->t('ownCloud password reset'),$msg,$from,'ownCloud');`
			`echo('sent');`
new OC_Mail class to handle all mail sending. The benefit is that is way mor flexible than the standard mail command. can be configured to use a remote smtp relay for example. also port the lostpassword code 2012-04-20 22:49:35 +04:00
Implement mailing of password reset link 2011-09-26 23:11:50 +04:00			`}`
csrf protection 2012-04-26 21:35:33 +04:00			`$sectoken=rand(1000000,9999999);`
			`$_SESSION['sectoken']=$sectoken;`
			`OC_Template::printGuestPage('core/lostpassword', 'lostpassword', array('error' => false, 'requested' => true, 'sectoken' => $sectoken));`
Move lostpassword code to own app 2011-09-26 01:33:22 +04:00			`} else {`
csrf protection 2012-04-26 21:35:33 +04:00			`$sectoken=rand(1000000,9999999);`
			`$_SESSION['sectoken']=$sectoken;`
			`OC_Template::printGuestPage('core/lostpassword', 'lostpassword', array('error' => true, 'requested' => false, 'sectoken' => $sectoken));`
Move lostpassword code to own app 2011-09-26 01:33:22 +04:00			`}`
			`} else {`
csrf protection 2012-04-26 21:35:33 +04:00			`$sectoken=rand(1000000,9999999);`
			`$_SESSION['sectoken']=$sectoken;`
			`OC_Template::printGuestPage('core/lostpassword', 'lostpassword', array('error' => false, 'requested' => false, 'sectoken' => $sectoken));`
Move lostpassword code to own app 2011-09-26 01:33:22 +04:00			`}`