diff --git a/wbce/admin/login/forgot/index.php b/wbce/admin/login/forgot/index.php
index e1ca95f46..4a4a9281b 100644
--- a/wbce/admin/login/forgot/index.php
+++ b/wbce/admin/login/forgot/index.php
@@ -17,99 +17,117 @@
// Include the database class file and initiate an object
require WB_PATH . '/framework/class.admin.php';
$admin = new admin('Start', 'start', false, false);
+require_once(WB_PATH.'/include/captcha/captcha.php');
$oMsgBox = new MessageBox();
$oMsgBox->closeBtn = '';
// Check if the user has already submitted the form, otherwise show it
-if (isset($_POST['email']) and $_POST['email'] != "") {
+if (isset($_POST['email']) && $_POST['email'] != "" ) {
$email = strip_tags($wb->get_post('email'));
- if ($admin->validate_email($email) == false) {
- $oMsgBox->error($MESSAGE['USERS_INVALID_EMAIL']);
+ if(isset($_POST['captcha']) AND $_POST['captcha'] != ''){
+ $ccheck = time(); $ccheck1 = time();
+ if(isset($_SESSION['captchaloginforgot'])) $ccheck1 = $_SESSION['captchaloginforgot'];
+ if(isset($_SESSION['captcha'])) $ccheck = $_SESSION['captcha'];
+ if($_POST['captcha'] != $ccheck && $_POST['captcha'] != $ccheck1) {
+ $oMsgBox->error($MESSAGE['MOD_FORM_INCORRECT_CAPTCHA']);
+ $email = '';
+ }
+ } else {
+ $oMsgBox->error($MESSAGE['MOD_FORM_INCORRECT_CAPTCHA']);
$email = '';
}
-
- // Check if the email exists in the database
- $sSql = "SELECT * FROM `{TP}users` WHERE `email` = '" . $email . "'";
- $rRow = $database->query($sSql);
- if ($rRow->numRows() > 0) {
-
- // Get the id, username, email, and last_reset from the above db query
- $aUser = $rRow->fetchRow();
- if (strlen($aUser['signup_confirmcode']) > 25) {
- header("Location: " . WB_URL . "/account/signup_continue_page.php?switch=wrong_inputs");
- exit(0); // break up the script here
- }
-
-
- // Check if the password has been reset in the last 2 hours
- if ((time() - intval($aUser['last_reset'])) < (2 * 3600)) {
- // Tell the user that their password cannot be reset more than once per hour
- $oMsgBox->error($MESSAGE['FORGOT_PASS_ALREADY_RESET']);
- } else {
- $sCurrentPw = $aUser['password'];
-
- // Generate a random password then update the database with it
- $sNewPw = '';
- $salt = "abchefghjkmnpqrstuvwxyz0123456789";
- srand((double)microtime() * 1000000);
- $i = 0;
- while ($i <= 7) {
- $num = rand() % 33;
- $tmp = substr($salt, $num, 1);
- $sNewPw = $sNewPw . $tmp;
- $i++;
+
+
+
+ if ($email != '') {
+
+ if ($admin->validate_email($email) == false) {
+ $oMsgBox->error($MESSAGE['USERS_INVALID_EMAIL']);
+ }
+
+ // Check if the email exists in the database
+ $sSql = "SELECT * FROM `{TP}users` WHERE `email`='".$database->escapeString($email)."'";
+ $rRow = $database->query($sSql);
+ if ($rRow->numRows() > 0) {
+
+ // Get the id, username, email, and last_reset from the above db query
+ $aUser = $rRow->fetchRow();
+ if (strlen($aUser['signup_confirmcode']) > 25) {
+ header("Location: " . WB_URL . "/account/signup_continue_page.php?switch=wrong_inputs");
+ exit(0); // break up the script here
}
- // update the new password in the database
- $aUpdateUser = array(
- 'user_id' => $aUser['user_id'],
- 'password' => $wb->doPasswordEncode($sNewPw),
- 'last_reset' => time(),
- );
- $database->updateRow('{TP}users', 'user_id', $aUpdateUser);
-
- if ($database->is_error()) {
- // Error updating database
- $oMsgBox->error($database->get_error());
- } else {
- // Setup email to send
- $mail_to = $email;
- $mail_subject = $MESSAGE['SIGNUP2_SUBJECT_LOGIN_INFO'];
-
- // Replace placeholders from language variable with values
- $search = array('{LOGIN_DISPLAY_NAME}', '{LOGIN_WEBSITE_TITLE}', '{LOGIN_NAME}', '{LOGIN_PASSWORD}');
- $replace = array($aUser['display_name'], WEBSITE_TITLE, $aUser['username'], $sNewPw);
-
- $aTokenReplace = array(
- '{LOGIN_DISPLAY_NAME}' => $aUser['display_name'],
- '{LOGIN_NAME}' => $aUser['username'],
- '{LOGIN_WEBSITE_TITLE}' => WEBSITE_TITLE,
- '{LOGIN_PASSWORD}' => $sNewPw
- );
+ // Check if the password has been reset in the last 2 hours
+ if ((time() - intval($aUser['last_reset'])) < (2 * 3600)) {
+ // Tell the user that their password cannot be reset more than once per hour
+ $oMsgBox->error($MESSAGE['FORGOT_PASS_ALREADY_RESET']);
+ } else {
+ $sCurrentPw = $aUser['password'];
+
+ // Generate a random password then update the database with it
+ $sNewPw = '';
+ $salt = "abchefghjkmnpqrstuvwxyz0123456789";
+ srand((double)microtime() * 1000000);
+ $i = 0;
+ while ($i <= 7) {
+ $num = rand() % 33;
+ $tmp = substr($salt, $num, 1);
+ $sNewPw = $sNewPw . $tmp;
+ $i++;
+ }
- $mail_message = strtr($MESSAGE['SIGNUP2_BODY_LOGIN_FORGOT'], $aTokenReplace);
+ // update the new password in the database
+ $aUpdateUser = array(
+ 'user_id' => $aUser['user_id'],
+ 'password' => $wb->doPasswordEncode($sNewPw),
+ 'last_reset' => time(),
+ );
+ $database->updateRow('{TP}users', 'user_id', $aUpdateUser);
- // Try sending the email
- if ($admin->mail(SERVER_EMAIL, $mail_to, $mail_subject, $mail_message)) {
- $oMsgBox->error($MESSAGE['FORGOT_PASS_PASSWORD_RESET']);
- $display_form = false;
+ if ($database->is_error()) {
+ // Error updating database
+ $oMsgBox->error($database->get_error());
} else {
- $aUpdateUser = array(
- 'user_id' => $aUser['user_id'],
- 'password' => $sCurrentPw
+ // Setup email to send
+ $mail_to = $email;
+ $mail_subject = $MESSAGE['SIGNUP2_SUBJECT_LOGIN_INFO'];
+
+ // Replace placeholders from language variable with values
+ $search = array('{LOGIN_DISPLAY_NAME}', '{LOGIN_WEBSITE_TITLE}', '{LOGIN_NAME}', '{LOGIN_PASSWORD}');
+ $replace = array($aUser['display_name'], WEBSITE_TITLE, $aUser['username'], $sNewPw);
+
+ $aTokenReplace = array(
+ '{LOGIN_DISPLAY_NAME}' => $aUser['display_name'],
+ '{LOGIN_NAME}' => $aUser['username'],
+ '{LOGIN_WEBSITE_TITLE}' => WEBSITE_TITLE,
+ '{LOGIN_PASSWORD}' => $sNewPw
);
- $database->updateRow('{TP}users', 'user_id', $aUpdateUser);
- $oMsgBox->error($MESSAGE['FORGOT_PASS_CANNOT_EMAIL']);
+
+
+ $mail_message = strtr($MESSAGE['SIGNUP2_BODY_LOGIN_FORGOT'], $aTokenReplace);
+
+ // Try sending the email
+ if ($admin->mail(SERVER_EMAIL, $mail_to, $mail_subject, $mail_message)) {
+ $oMsgBox->error($MESSAGE['FORGOT_PASS_PASSWORD_RESET']);
+ $display_form = false;
+ } else {
+ $aUpdateUser = array(
+ 'user_id' => $aUser['user_id'],
+ 'password' => $sCurrentPw
+ );
+ $database->updateRow('{TP}users', 'user_id', $aUpdateUser);
+ $oMsgBox->error($MESSAGE['FORGOT_PASS_CANNOT_EMAIL']);
+ }
}
}
+ } else {
+ // Email doesn't exist, so tell the user
+ $oMsgBox->error($MESSAGE['FORGOT_PASS_EMAIL_NOT_FOUND']);
+ // and delete the wrong Email
+ $email = '';
}
- } else {
- // Email doesn't exist, so tell the user
- $oMsgBox->error($MESSAGE['FORGOT_PASS_EMAIL_NOT_FOUND']);
- // and delete the wrong Email
- $email = '';
}
} else {
$email = '';
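Review bot: The invalid-address branch `if ($admin->validate_email($email) == false)` now only reports the error and no longer sets `$email = ''` as the old code did, so the rejected string still goes into the `SELECT` and the user also gets a FORGOT_PASS_EMAIL_NOT_FOUND message; mirror form_forgot.php by adding `$email = '';` there and turning the closing `}` into `} else {` around the lookup. The captcha check falls back to `time()` when neither `$_SESSION['captchaloginforgot']` nor `$_SESSION['captcha']` is set, so a missing or expired session value is compared against the clock instead of failing closed, and the session value is never unset after a successful comparison, so one solved captcha is accepted on every later submission in that session; the same block appears in form_forgot.php's captcha check and should be fixed there too. The moved password generator still draws from `srand`/`rand()`; because the result is sent to the user as a credential, `random_int(0, 32)` should index `$salt` instead. The `if (isset($_POST['email']) …)` / `else` opened at the top of the hunk continues past its end.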
@@ -124,6 +142,13 @@
$template->set_file('page', 'login_forgot.htt');
$template->set_block('page', 'main_block', 'main');
+ob_start();
+call_captcha("all","",'loginforgot');
+$captcha = ob_get_contents();
+ob_end_clean();
+
+
+
$aTemplateVars = array(
'SECTION_FORGOT' => $MENU['FORGOT'],
'MESSAGE_COLOR' => '', //$message_color,
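Review bot: The buffer capture around `call_captcha` can be shortened to `ob_start(); call_captcha("all","",'loginforgot'); $captcha = ob_get_clean();`, which ends the buffer in the same call that reads it; the same four-line pattern is in form_forgot.php just before the `$aToTwig` array. The three blank lines before `$aTemplateVars` should go. A comment such as `// capture the captcha widget markup for the CAPTCHA template variable` would help, since the captured output otherwise reads as discarded.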
@@ -143,6 +168,7 @@
'INTERFACE_URL' => ADMIN_URL . '/interface',
'DEFAULT_CHARSET' => defined('DEFAULT_CHARSET') ? DEFAULT_CHARSET : 'utf-8',
'CHARSET' => isset($charset) ? $charset : 'utf-8',
+ 'CAPTCHA' => $captcha
);
$template->set_var($aTemplateVars);
diff --git a/wbce/modules/tool_account_settings/account/form_forgot.php b/wbce/modules/tool_account_settings/account/form_forgot.php
index d821ec915..37c630fed 100644
--- a/wbce/modules/tool_account_settings/account/form_forgot.php
+++ b/wbce/modules/tool_account_settings/account/form_forgot.php
@@ -11,6 +11,7 @@
*/
defined('WB_PATH') or die("Cannot access this file directly");
+require_once(WB_PATH.'/include/captcha/captcha.php');
$oAccounts = new Accounts();
$oMsgBox = new MessageBox();
@@ -20,87 +21,104 @@
if(isset($_POST['email']) && $_POST['email'] != "" ) {
$sEmail = strip_tags($oAccounts->get_post('email'));
- if($admin->validate_email($sEmail) == false) {
- $oMsgBox->error($MESSAGE['USERS_INVALID_EMAIL']);
- $sEmail = '';
+
+ if(isset($_POST['captcha']) AND $_POST['captcha'] != ''){
+ $ccheck = time(); $ccheck1 = time();
+ if(isset($_SESSION['captchaaccountforgot'])) $ccheck1 = $_SESSION['captchaaccountforgot'];
+ if(isset($_SESSION['captcha'])) $ccheck = $_SESSION['captcha'];
+ if($_POST['captcha'] != $ccheck && $_POST['captcha'] != $ccheck1) {
+ $oMsgBox->error($MESSAGE['MOD_FORM_INCORRECT_CAPTCHA']);
+ $sEmail = '';
+ }
} else {
- // Check if the email exists in the database
- $sSql = "SELECT * FROM `{TP}users` WHERE `email`='".$sEmail."'";
+ $oMsgBox->error($MESSAGE['MOD_FORM_INCORRECT_CAPTCHA']);
+ $sEmail = '';
+ }
+
+ if ($sEmail != '') {
+
+ if($admin->validate_email($sEmail) == false) {
+ $oMsgBox->error($MESSAGE['USERS_INVALID_EMAIL']);
+ $sEmail = '';
+ } else {
+ // Check if the email exists in the database
+ $sSql = "SELECT * FROM `{TP}users` WHERE `email`='".$database->escapeString($sEmail)."'";
- if(($rRow = $database->query($sSql))){
- if($aUser = $rRow->fetchRow(MYSQLI_ASSOC)) {
- if(strlen($aUser['signup_confirmcode']) > 25){
- header("Location: ".ACCOUNT_URL."/signup_continue_page.php?switch=wrong_inputs");
- exit(0); // break up the script here
- }
- $iUserID = (int) $aUser['user_id'];
- // Get the id, username, email, and last_reset from the above db query
+ if(($rRow = $database->query($sSql))){
+ if($aUser = $rRow->fetchRow(MYSQLI_ASSOC)) {
+ if(strlen($aUser['signup_confirmcode']) > 25){
+ header("Location: ".ACCOUNT_URL."/signup_continue_page.php?switch=wrong_inputs");
+ exit(0); // break up the script here
+ }
+ $iUserID = (int) $aUser['user_id'];
+ // Get the id, username, email, and last_reset from the above db query
- // Check if the password has been reset in the last 2 hours
- if( ( time() - intval($aUser['last_reset']) ) < (2 * 3600) ) {
- // Tell the user that their password cannot be reset more than once per hour
- $oMsgBox->error($MESSAGE['FORGOT_PASS_ALREADY_RESET']);
- } else {
- // current password
- $sCurrentPw = $aUser['password'];
+ // Check if the password has been reset in the last 2 hours
+ if( ( time() - intval($aUser['last_reset']) ) < (2 * 3600) ) {
+ // Tell the user that their password cannot be reset more than once per hour
+ $oMsgBox->error($MESSAGE['FORGOT_PASS_ALREADY_RESET']);
+ } else {
+ // current password
+ $sCurrentPw = $aUser['password'];
- // generate new password
- $sNewPasswordRaw = $oAccounts->GenerateRandomPassword();
- $sNewPasswordEnc = $oAccounts->doPasswordEncode($sNewPasswordRaw);
+ // generate new password
+ $sNewPasswordRaw = $oAccounts->GenerateRandomPassword();
+ $sNewPasswordEnc = $oAccounts->doPasswordEncode($sNewPasswordRaw);
- // prepare E-Mail with login details to send to the user via email
- $aTokenReplace = array(
- 'LOGIN_DISPLAY_NAME' => $aUser['display_name'],
- 'LOGIN_NAME' => $aUser['username'],
- 'LOGIN_WEBSITE_TITLE' => WEBSITE_TITLE,
- 'LOGIN_PASSWORD' => $sNewPasswordRaw,
- 'LOGIN_URL' => ACCOUNT_URL . '/login.php'
- );
+ // prepare E-Mail with login details to send to the user via email
+ $aTokenReplace = array(
+ 'LOGIN_DISPLAY_NAME' => $aUser['display_name'],
+ 'LOGIN_NAME' => $aUser['username'],
+ 'LOGIN_WEBSITE_TITLE' => WEBSITE_TITLE,
+ 'LOGIN_PASSWORD' => $sNewPasswordRaw,
+ 'LOGIN_URL' => ACCOUNT_URL . '/login.php'
+ );
- $sOnScreenSwitch = 'forgot_login_details_sent';
- $sEmailTemplateName = 'password_recovery_mail';
- $sEmailSubject = '';
- $sMailTo = $sEmail;
+ $sOnScreenSwitch = 'forgot_login_details_sent';
+ $sEmailTemplateName = 'password_recovery_mail';
+ $sEmailSubject = '';
+ $sMailTo = $sEmail;
- $checkSend = $oAccounts->sendEmail($sMailTo, $aTokenReplace, $sEmailTemplateName, $sEmailSubject);
- if ($checkSend === true) {
- // update the new password in the database
- $aUpdateUser = array(
- 'user_id' => $iUserID,
- 'password' => $sNewPasswordEnc,
- 'last_reset' => time(),
- );
+ $checkSend = $oAccounts->sendEmail($sMailTo, $aTokenReplace, $sEmailTemplateName, $sEmailSubject);
+ if ($checkSend === true) {
+ // update the new password in the database
+ $aUpdateUser = array(
+ 'user_id' => $iUserID,
+ 'password' => $sNewPasswordEnc,
+ 'last_reset' => time(),
+ );
- if($database->updateRow('{TP}users', 'user_id', $aUpdateUser)){
- header("Location: ".ACCOUNT_URL."/signup_continue_page.php?lc=".$sLC."&switch=".$sOnScreenSwitch."&email=".$sMailTo);
- exit(0);
- } else {
- // Error updating database
- $oMsgBox->error($MESSAGE['RECORD_MODIFIED_FAILED']);
- if(WB_DEBUG) {
- $oMsgBox->error($database->get_error().'
'.$sSql);
+ if($database->updateRow('{TP}users', 'user_id', $aUpdateUser)){
+ header("Location: ".ACCOUNT_URL."/signup_continue_page.php?lc=".$sLC."&switch=".$sOnScreenSwitch."&email=".$sMailTo);
+ exit(0);
+ } else {
+ // Error updating database
+ $oMsgBox->error($MESSAGE['RECORD_MODIFIED_FAILED']);
+ if(WB_DEBUG) {
+ $oMsgBox->error($database->get_error().'
'.$sSql);
+ }
}
- }
- } else {
- // tell user: WRONG INPUTS
- $aUpdateUser = array(
- 'user_id' => $aUser['user_id'],
- 'password' => $sCurrentPw
- );
- $database->updateRow('{TP}users', 'user_id', $aUpdateUser);
- header("Location: ".ACCOUNT_URL."/signup_continue_page.php?lc=".$sLC."&switch=wrong_inputs&from=resend_forgot_pass&mail_err=".$checkSend);
- exit(0);
+ } else {
+ // tell user: WRONG INPUTS
+ $aUpdateUser = array(
+ 'user_id' => $aUser['user_id'],
+ 'password' => $sCurrentPw
+ );
+ $database->updateRow('{TP}users', 'user_id', $aUpdateUser);
+ header("Location: ".ACCOUNT_URL."/signup_continue_page.php?lc=".$sLC."&switch=wrong_inputs&from=resend_forgot_pass&mail_err=".$checkSend);
+ exit(0);
+ }
}
+ } else { // no record found - Email doesn't exist, so tell the user
+ $oMsgBox->error($MESSAGE['FORGOT_PASS_EMAIL_NOT_FOUND']);
+ }
+ } else {
+ // Query failed
+ if(WB_DEBUG) {
+ $oMsgBox->error('SystemError:: Database query failed!');
+ $oMsgBox->error($database->get_error().'
'.$sSql);
}
- } else { // no record found - Email doesn't exist, so tell the user
- $oMsgBox->error($MESSAGE['FORGOT_PASS_EMAIL_NOT_FOUND']);
- }
- } else {
- // Query failed
- if(WB_DEBUG) {
- $oMsgBox->error('SystemError:: Database query failed!');
- $oMsgBox->error($database->get_error().'
'.$sSql);
}
}
}
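Review bot: The two `header("Location: …")` redirects concatenate `$sMailTo` and `$checkSend` into the query string without encoding, so an address or error value containing `&`, `+` or `#` changes the parameters the target page reads; use `'&email='.rawurlencode($sMailTo)` and `'&mail_err='.rawurlencode((string)$checkSend)`. These lines were only re-indented by the commit, but they are now the code under review, and what sendEmail returns on failure besides `true` is not visible here. The new `if ($sEmail != '')` wrapper pushes the lookup and mail logic to nine levels of indentation; extracting the lookup-and-reset into a local function, or turning the captcha and validation failures into guards that skip to the render step, would keep the block readable. The outer `if(isset($_POST['email']) …)` block opened at the top of the hunk may close past its end.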
@@ -110,10 +128,15 @@
}
$email = $sEmail;
$sHttpReferer = isset($_SESSION['HTTP_REFERER']) ? $_SESSION['HTTP_REFERER'] : $_SERVER['SCRIPT_NAME'];
+ob_start();
+call_captcha("all","","accountforgot");
+$captcha = ob_get_contents();
+ob_end_clean();
// Get the template file for forgot_login_details
$aToTwig = array(
'EMAIL' => $email,
+ 'CAPTCHA' => $captcha,
'MESSAGE_BOX' => $oMsgBox->fetchDisplay(),
);
$oAccounts->useTwigTemplate('form_forgot.twig', $aToTwig);
diff --git a/wbce/modules/tool_account_settings/templates/form_forgot.twig b/wbce/modules/tool_account_settings/templates/form_forgot.twig
index e064ef98c..170c8c045 100644
--- a/wbce/modules/tool_account_settings/templates/form_forgot.twig
+++ b/wbce/modules/tool_account_settings/templates/form_forgot.twig
@@ -1,7 +1,7 @@
{{ insertCssFile( CURRENT_DIR ~ '/forms.css') }}
+
+
{{ L_('MENU:FORGOT') }}
{{ MESSAGE_BOX }} -