diff --git a/wbce/admin/login/forgot/index.php b/wbce/admin/login/forgot/index.php
index e1ca95f46..4a4a9281b 100644
--- a/wbce/admin/login/forgot/index.php
+++ b/wbce/admin/login/forgot/index.php
@@ -17,99 +17,117 @@ // Include the database class file and initiate an object require WB_PATH . '/framework/class.admin.php'; $admin = new admin('Start', 'start', false, false); +require_once(WB_PATH.'/include/captcha/captcha.php'); $oMsgBox = new MessageBox(); $oMsgBox->closeBtn = ''; // Check if the user has already submitted the form, otherwise show it -if (isset($_POST['email']) and $_POST['email'] != "") { +if (isset($_POST['email']) && $_POST['email'] != "" ) { $email = strip_tags($wb->get_post('email')); - if ($admin->validate_email($email) == false) { - $oMsgBox->error($MESSAGE['USERS_INVALID_EMAIL']); + if(isset($_POST['captcha']) AND $_POST['captcha'] != ''){ + $ccheck = time(); $ccheck1 = time(); + if(isset($_SESSION['captchaloginforgot'])) $ccheck1 = $_SESSION['captchaloginforgot']; + if(isset($_SESSION['captcha'])) $ccheck = $_SESSION['captcha']; + if($_POST['captcha'] != $ccheck && $_POST['captcha'] != $ccheck1) { + $oMsgBox->error($MESSAGE['MOD_FORM_INCORRECT_CAPTCHA']); + $email = ''; + } + } else { + $oMsgBox->error($MESSAGE['MOD_FORM_INCORRECT_CAPTCHA']); $email = ''; } - - // Check if the email exists in the database - $sSql = "SELECT * FROM `{TP}users` WHERE `email` = '" . $email . "'"; - $rRow = $database->query($sSql); - if ($rRow->numRows() > 0) { - - // Get the id, username, email, and last_reset from the above db query - $aUser = $rRow->fetchRow(); - if (strlen($aUser['signup_confirmcode']) > 25) { - header("Location: " . WB_URL . 
"/account/signup_continue_page.php?switch=wrong_inputs"); - exit(0); // break up the script here - } - - - // Check if the password has been reset in the last 2 hours - if ((time() - intval($aUser['last_reset'])) < (2 * 3600)) { - // Tell the user that their password cannot be reset more than once per hour - $oMsgBox->error($MESSAGE['FORGOT_PASS_ALREADY_RESET']); - } else { - $sCurrentPw = $aUser['password']; - - // Generate a random password then update the database with it - $sNewPw = ''; - $salt = "abchefghjkmnpqrstuvwxyz0123456789"; - srand((double)microtime() * 1000000); - $i = 0; - while ($i <= 7) { - $num = rand() % 33; - $tmp = substr($salt, $num, 1); - $sNewPw = $sNewPw . $tmp; - $i++; + + + + if ($email != '') { + + if ($admin->validate_email($email) == false) { + $oMsgBox->error($MESSAGE['USERS_INVALID_EMAIL']); + } + + // Check if the email exists in the database + $sSql = "SELECT * FROM `{TP}users` WHERE `email`='".$database->escapeString($email)."'"; + $rRow = $database->query($sSql); + if ($rRow->numRows() > 0) { + + // Get the id, username, email, and last_reset from the above db query + $aUser = $rRow->fetchRow(); + if (strlen($aUser['signup_confirmcode']) > 25) { + header("Location: " . WB_URL . 
"/account/signup_continue_page.php?switch=wrong_inputs"); + exit(0); // break up the script here } - // update the new password in the database - $aUpdateUser = array( - 'user_id' => $aUser['user_id'], - 'password' => $wb->doPasswordEncode($sNewPw), - 'last_reset' => time(), - ); - $database->updateRow('{TP}users', 'user_id', $aUpdateUser); - - if ($database->is_error()) { - // Error updating database - $oMsgBox->error($database->get_error()); - } else { - // Setup email to send - $mail_to = $email; - $mail_subject = $MESSAGE['SIGNUP2_SUBJECT_LOGIN_INFO']; - - // Replace placeholders from language variable with values - $search = array('{LOGIN_DISPLAY_NAME}', '{LOGIN_WEBSITE_TITLE}', '{LOGIN_NAME}', '{LOGIN_PASSWORD}'); - $replace = array($aUser['display_name'], WEBSITE_TITLE, $aUser['username'], $sNewPw); - - $aTokenReplace = array( - '{LOGIN_DISPLAY_NAME}' => $aUser['display_name'], - '{LOGIN_NAME}' => $aUser['username'], - '{LOGIN_WEBSITE_TITLE}' => WEBSITE_TITLE, - '{LOGIN_PASSWORD}' => $sNewPw - ); + // Check if the password has been reset in the last 2 hours + if ((time() - intval($aUser['last_reset'])) < (2 * 3600)) { + // Tell the user that their password cannot be reset more than once per hour + $oMsgBox->error($MESSAGE['FORGOT_PASS_ALREADY_RESET']); + } else { + $sCurrentPw = $aUser['password']; + + // Generate a random password then update the database with it + $sNewPw = ''; + $salt = "abchefghjkmnpqrstuvwxyz0123456789"; + srand((double)microtime() * 1000000); + $i = 0; + while ($i <= 7) { + $num = rand() % 33; + $tmp = substr($salt, $num, 1); + $sNewPw = $sNewPw . 
$tmp; + $i++; + } - $mail_message = strtr($MESSAGE['SIGNUP2_BODY_LOGIN_FORGOT'], $aTokenReplace); + // update the new password in the database + $aUpdateUser = array( + 'user_id' => $aUser['user_id'], + 'password' => $wb->doPasswordEncode($sNewPw), + 'last_reset' => time(), + ); + $database->updateRow('{TP}users', 'user_id', $aUpdateUser); - // Try sending the email - if ($admin->mail(SERVER_EMAIL, $mail_to, $mail_subject, $mail_message)) { - $oMsgBox->error($MESSAGE['FORGOT_PASS_PASSWORD_RESET']); - $display_form = false; + if ($database->is_error()) { + // Error updating database + $oMsgBox->error($database->get_error()); } else { - $aUpdateUser = array( - 'user_id' => $aUser['user_id'], - 'password' => $sCurrentPw + // Setup email to send + $mail_to = $email; + $mail_subject = $MESSAGE['SIGNUP2_SUBJECT_LOGIN_INFO']; + + // Replace placeholders from language variable with values + $search = array('{LOGIN_DISPLAY_NAME}', '{LOGIN_WEBSITE_TITLE}', '{LOGIN_NAME}', '{LOGIN_PASSWORD}'); + $replace = array($aUser['display_name'], WEBSITE_TITLE, $aUser['username'], $sNewPw); + + $aTokenReplace = array( + '{LOGIN_DISPLAY_NAME}' => $aUser['display_name'], + '{LOGIN_NAME}' => $aUser['username'], + '{LOGIN_WEBSITE_TITLE}' => WEBSITE_TITLE, + '{LOGIN_PASSWORD}' => $sNewPw ); - $database->updateRow('{TP}users', 'user_id', $aUpdateUser); - $oMsgBox->error($MESSAGE['FORGOT_PASS_CANNOT_EMAIL']); + + + $mail_message = strtr($MESSAGE['SIGNUP2_BODY_LOGIN_FORGOT'], $aTokenReplace); + + // Try sending the email + if ($admin->mail(SERVER_EMAIL, $mail_to, $mail_subject, $mail_message)) { + $oMsgBox->error($MESSAGE['FORGOT_PASS_PASSWORD_RESET']); + $display_form = false; + } else { + $aUpdateUser = array( + 'user_id' => $aUser['user_id'], + 'password' => $sCurrentPw + ); + $database->updateRow('{TP}users', 'user_id', $aUpdateUser); + $oMsgBox->error($MESSAGE['FORGOT_PASS_CANNOT_EMAIL']); + } } } + } else { + // Email doesn't exist, so tell the user + 
$oMsgBox->error($MESSAGE['FORGOT_PASS_EMAIL_NOT_FOUND']); + // and delete the wrong Email + $email = ''; } - } else { - // Email doesn't exist, so tell the user - $oMsgBox->error($MESSAGE['FORGOT_PASS_EMAIL_NOT_FOUND']); - // and delete the wrong Email - $email = ''; } } else { $email = ''; @@ -124,6 +142,13 @@ $template->set_file('page', 'login_forgot.htt'); $template->set_block('page', 'main_block', 'main'); +ob_start(); +call_captcha("all","",'loginforgot'); +$captcha = ob_get_contents(); +ob_end_clean(); + + + $aTemplateVars = array( 'SECTION_FORGOT' => $MENU['FORGOT'], 'MESSAGE_COLOR' => '', //$message_color, @@ -143,6 +168,7 @@ 'INTERFACE_URL' => ADMIN_URL . '/interface', 'DEFAULT_CHARSET' => defined('DEFAULT_CHARSET') ? DEFAULT_CHARSET : 'utf-8', 'CHARSET' => isset($charset) ? $charset : 'utf-8', + 'CAPTCHA' => $captcha ); $template->set_var($aTemplateVars); diff --git a/wbce/modules/tool_account_settings/account/form_forgot.php b/wbce/modules/tool_account_settings/account/form_forgot.php index d821ec915..37c630fed 100644 --- a/wbce/modules/tool_account_settings/account/form_forgot.php +++ b/wbce/modules/tool_account_settings/account/form_forgot.php @@ -11,6 +11,7 @@ */ defined('WB_PATH') or die("Cannot access this file directly"); +require_once(WB_PATH.'/include/captcha/captcha.php'); $oAccounts = new Accounts(); $oMsgBox = new MessageBox(); 
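Review bot: The captcha check in this hunk fails open when no captcha value is stored in the session: `$ccheck` and `$ccheck1` default to `time()`, so a submission equal to the server's current timestamp (a predictable, second-granular value) satisfies `$_POST['captcha'] != $ccheck && $_POST['captcha'] != $ccheck1` even though no challenge was rendered; the same construction appears in the form_forgot.php hunk with the `captchaaccountforgot` key. The check should reject when neither session key is set, compare as strings with `hash_equals()` instead of loose `!=`, and unset the stored value once it has been consumed so a single solved challenge cannot be reused for repeated lookups in the same session (unless `call_captcha()`, which is not in view, already rotates it on every render). Separately, the rewritten validation block only reports `USERS_INVALID_EMAIL` and then still runs the `{TP}users` query with the rejected address, producing a second `FORGOT_PASS_EMAIL_NOT_FOUND` error; form_forgot.php keeps the lookup in an `else`, and index.php should do the same. The random password further down is still generated with `srand()`/`rand()`, which this commit only re-indents; `random_int(0, 32)` per character would give it a proper entropy source. The enclosing `if (isset($_POST['email']) …` block closes outside the hunk.
```php
$email = strip_tags($wb->get_post('email'));
$sPostedCaptcha = isset($_POST['captcha']) ? (string) $_POST['captcha'] : '';
$bCaptchaOk = false;
foreach (array('captchaloginforgot', 'captcha') as $sKey) {
    if ($sPostedCaptcha !== '' && isset($_SESSION[$sKey])
        && hash_equals((string) $_SESSION[$sKey], $sPostedCaptcha)) {
        $bCaptchaOk = true;
    }
}
// one submission per rendered challenge: drop the stored value once checked
unset($_SESSION['captchaloginforgot']);
if (!$bCaptchaOk) {
    $oMsgBox->error($MESSAGE['MOD_FORM_INCORRECT_CAPTCHA']);
    $email = '';
}
// … unchanged: if ($email != '') { validate_email / lookup / reset … } …
```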
@@ -20,87 +21,104 @@ if(isset($_POST['email']) && $_POST['email'] != "" ) { $sEmail = strip_tags($oAccounts->get_post('email')); - if($admin->validate_email($sEmail) == false) { - $oMsgBox->error($MESSAGE['USERS_INVALID_EMAIL']); - $sEmail = ''; + + if(isset($_POST['captcha']) AND $_POST['captcha'] != ''){ + $ccheck = time(); $ccheck1 = time(); + if(isset($_SESSION['captchaaccountforgot'])) $ccheck1 = $_SESSION['captchaaccountforgot']; + if(isset($_SESSION['captcha'])) $ccheck = $_SESSION['captcha']; + if($_POST['captcha'] != $ccheck && $_POST['captcha'] != $ccheck1) { + $oMsgBox->error($MESSAGE['MOD_FORM_INCORRECT_CAPTCHA']); + $sEmail = ''; + } } else { - // Check if the email exists in the database - $sSql = "SELECT * FROM `{TP}users` WHERE `email`='".$sEmail."'"; + $oMsgBox->error($MESSAGE['MOD_FORM_INCORRECT_CAPTCHA']); + $sEmail = ''; + } + + if ($sEmail != '') { + + if($admin->validate_email($sEmail) == false) { + $oMsgBox->error($MESSAGE['USERS_INVALID_EMAIL']); + $sEmail = ''; + } else { + // Check if the email exists in the database + $sSql = "SELECT * FROM `{TP}users` WHERE `email`='".$database->escapeString($sEmail)."'"; - if(($rRow = $database->query($sSql))){ - if($aUser = $rRow->fetchRow(MYSQLI_ASSOC)) { - if(strlen($aUser['signup_confirmcode']) > 25){ - header("Location: ".ACCOUNT_URL."/signup_continue_page.php?switch=wrong_inputs"); - exit(0); // break up the script here - } - $iUserID = (int) $aUser['user_id']; - // Get the id, username, email, and last_reset from the above db query + if(($rRow = $database->query($sSql))){ + if($aUser = $rRow->fetchRow(MYSQLI_ASSOC)) { + if(strlen($aUser['signup_confirmcode']) > 25){ + header("Location: ".ACCOUNT_URL."/signup_continue_page.php?switch=wrong_inputs"); + exit(0); // break up the script here + } + $iUserID = (int) $aUser['user_id']; + // Get the id, username, email, and last_reset from the above db query - // Check if the password has been reset in the last 2 hours - if( ( time() - 
intval($aUser['last_reset']) ) < (2 * 3600) ) { - // Tell the user that their password cannot be reset more than once per hour - $oMsgBox->error($MESSAGE['FORGOT_PASS_ALREADY_RESET']); - } else { - // current password - $sCurrentPw = $aUser['password']; + // Check if the password has been reset in the last 2 hours + if( ( time() - intval($aUser['last_reset']) ) < (2 * 3600) ) { + // Tell the user that their password cannot be reset more than once per hour + $oMsgBox->error($MESSAGE['FORGOT_PASS_ALREADY_RESET']); + } else { + // current password + $sCurrentPw = $aUser['password']; - // generate new password - $sNewPasswordRaw = $oAccounts->GenerateRandomPassword(); - $sNewPasswordEnc = $oAccounts->doPasswordEncode($sNewPasswordRaw); + // generate new password + $sNewPasswordRaw = $oAccounts->GenerateRandomPassword(); + $sNewPasswordEnc = $oAccounts->doPasswordEncode($sNewPasswordRaw); - // prepare E-Mail with login details to send to the user via email - $aTokenReplace = array( - 'LOGIN_DISPLAY_NAME' => $aUser['display_name'], - 'LOGIN_NAME' => $aUser['username'], - 'LOGIN_WEBSITE_TITLE' => WEBSITE_TITLE, - 'LOGIN_PASSWORD' => $sNewPasswordRaw, - 'LOGIN_URL' => ACCOUNT_URL . '/login.php' - ); + // prepare E-Mail with login details to send to the user via email + $aTokenReplace = array( + 'LOGIN_DISPLAY_NAME' => $aUser['display_name'], + 'LOGIN_NAME' => $aUser['username'], + 'LOGIN_WEBSITE_TITLE' => WEBSITE_TITLE, + 'LOGIN_PASSWORD' => $sNewPasswordRaw, + 'LOGIN_URL' => ACCOUNT_URL . 
'/login.php' + ); - $sOnScreenSwitch = 'forgot_login_details_sent'; - $sEmailTemplateName = 'password_recovery_mail'; - $sEmailSubject = ''; - $sMailTo = $sEmail; + $sOnScreenSwitch = 'forgot_login_details_sent'; + $sEmailTemplateName = 'password_recovery_mail'; + $sEmailSubject = ''; + $sMailTo = $sEmail; - $checkSend = $oAccounts->sendEmail($sMailTo, $aTokenReplace, $sEmailTemplateName, $sEmailSubject); - if ($checkSend === true) { - // update the new password in the database - $aUpdateUser = array( - 'user_id' => $iUserID, - 'password' => $sNewPasswordEnc, - 'last_reset' => time(), - ); + $checkSend = $oAccounts->sendEmail($sMailTo, $aTokenReplace, $sEmailTemplateName, $sEmailSubject); + if ($checkSend === true) { + // update the new password in the database + $aUpdateUser = array( + 'user_id' => $iUserID, + 'password' => $sNewPasswordEnc, + 'last_reset' => time(), + ); - if($database->updateRow('{TP}users', 'user_id', $aUpdateUser)){ - header("Location: ".ACCOUNT_URL."/signup_continue_page.php?lc=".$sLC."&switch=".$sOnScreenSwitch."&email=".$sMailTo); - exit(0); - } else { - // Error updating database - $oMsgBox->error($MESSAGE['RECORD_MODIFIED_FAILED']); - if(WB_DEBUG) { - $oMsgBox->error($database->get_error().'
'.$sSql); + if($database->updateRow('{TP}users', 'user_id', $aUpdateUser)){ + header("Location: ".ACCOUNT_URL."/signup_continue_page.php?lc=".$sLC."&switch=".$sOnScreenSwitch."&email=".$sMailTo); + exit(0); + } else { + // Error updating database + $oMsgBox->error($MESSAGE['RECORD_MODIFIED_FAILED']); + if(WB_DEBUG) { + $oMsgBox->error($database->get_error().'
'.$sSql); + } } - } - } else { - // tell user: WRONG INPUTS - $aUpdateUser = array( - 'user_id' => $aUser['user_id'], - 'password' => $sCurrentPw - ); - $database->updateRow('{TP}users', 'user_id', $aUpdateUser); - header("Location: ".ACCOUNT_URL."/signup_continue_page.php?lc=".$sLC."&switch=wrong_inputs&from=resend_forgot_pass&mail_err=".$checkSend); - exit(0); + } else { + // tell user: WRONG INPUTS + $aUpdateUser = array( + 'user_id' => $aUser['user_id'], + 'password' => $sCurrentPw + ); + $database->updateRow('{TP}users', 'user_id', $aUpdateUser); + header("Location: ".ACCOUNT_URL."/signup_continue_page.php?lc=".$sLC."&switch=wrong_inputs&from=resend_forgot_pass&mail_err=".$checkSend); + exit(0); + } } + } else { // no record found - Email doesn't exist, so tell the user + $oMsgBox->error($MESSAGE['FORGOT_PASS_EMAIL_NOT_FOUND']); + } + } else { + // Query failed + if(WB_DEBUG) { + $oMsgBox->error('SystemError:: Database query failed!'); + $oMsgBox->error($database->get_error().'
'.$sSql); } - } else { // no record found - Email doesn't exist, so tell the user - $oMsgBox->error($MESSAGE['FORGOT_PASS_EMAIL_NOT_FOUND']); - } - } else { - // Query failed - if(WB_DEBUG) { - $oMsgBox->error('SystemError:: Database query failed!'); - $oMsgBox->error($database->get_error().'
'.$sSql); } } } @@ -110,10 +128,15 @@ } $email = $sEmail; $sHttpReferer = isset($_SESSION['HTTP_REFERER']) ? $_SESSION['HTTP_REFERER'] : $_SERVER['SCRIPT_NAME']; +ob_start(); +call_captcha("all","","accountforgot"); +$captcha = ob_get_contents(); +ob_end_clean(); // Get the template file for forgot_login_details $aToTwig = array( 'EMAIL' => $email, + 'CAPTCHA' => $captcha, 'MESSAGE_BOX' => $oMsgBox->fetchDisplay(), ); $oAccounts->useTwigTemplate('form_forgot.twig', $aToTwig); diff --git a/wbce/modules/tool_account_settings/templates/form_forgot.twig b/wbce/modules/tool_account_settings/templates/form_forgot.twig index e064ef98c..170c8c045 100644 --- a/wbce/modules/tool_account_settings/templates/form_forgot.twig +++ b/wbce/modules/tool_account_settings/templates/form_forgot.twig @@ -1,7 +1,7 @@ {{ insertCssFile( CURRENT_DIR ~ '/forms.css') }} + +
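Review bot: Both `header("Location: …")` calls in this hunk concatenate `$sMailTo`, `$checkSend` and `$sLC` into the query string without `urlencode()`, so an address containing `+`, `&` or `#` (all legal in the local part) corrupts the `email=` parameter that signup_continue_page.php receives; the commit re-indents this code without fixing it. Change the successful-send redirect to `"&email=".urlencode($sMailTo)` and the failure redirect to `"&mail_err=".urlencode((string) $checkSend)`, and encode `$sLC` the same way. `$sLC` is not assigned anywhere in this hunk, so whether it is always a defined string is inferred, not visible. The enclosing `if(isset($_POST['email']) …` block starts inside the hunk but its final closing brace is the last hunk line, so the surrounding context (including where `$sLC` comes from) lies outside it.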

{{ L_('MENU:FORGOT') }}

{{ MESSAGE_BOX }} -

{{ L_('MENU:FORGOT') }}

-
@@ -11,7 +11,9 @@
- +
+ {{CAPTCHA}} +
diff --git a/wbce/templates/argos_theme_reloaded/css/login.css b/wbce/templates/argos_theme_reloaded/css/login.css index 7f6c082c5..1411fd964 100644 --- a/wbce/templates/argos_theme_reloaded/css/login.css +++ b/wbce/templates/argos_theme_reloaded/css/login.css @@ -121,6 +121,15 @@ a:hover { text-align: center; } +.captcha_table { + display:inline-block; + margin:auto; +} + +.error { + color:firebrick; +} + @media screen and (max-width: 36.5em) { .label { text-align: left; diff --git a/wbce/templates/argos_theme_reloaded/info.php b/wbce/templates/argos_theme_reloaded/info.php index eea08c731..659efa2b5 100644 --- a/wbce/templates/argos_theme_reloaded/info.php +++ b/wbce/templates/argos_theme_reloaded/info.php @@ -14,8 +14,8 @@ $template_directory = 'argos_theme_reloaded'; $template_name = 'Argos Theme Reloaded'; $template_function = 'theme'; -$template_version = '2.1.3'; -$template_platform = '1.4.0'; +$template_version = '2.1.4'; +$template_platform = '1.5.0'; $template_author = 'Bernd Michna (BerndJM / WWnW) based on the work by Jurgen Nijhuis (Argos Media) & Ruud Eisinga'; $template_license = 'WTFPL'; $template_license_terms = '-'; diff --git a/wbce/templates/argos_theme_reloaded/templates/login_forgot.htt b/wbce/templates/argos_theme_reloaded/templates/login_forgot.htt index b9563271f..165c6126d 100644 --- a/wbce/templates/argos_theme_reloaded/templates/login_forgot.htt +++ b/wbce/templates/argos_theme_reloaded/templates/login_forgot.htt @@ -11,7 +11,7 @@ - +
@@ -27,7 +27,7 @@
-

{MESSAGE}:

+
{MESSAGE}

@@ -37,6 +37,10 @@
+
+ {CAPTCHA} +
+
diff --git a/wbce/templates/wbce_flat_theme/css/login.css b/wbce/templates/wbce_flat_theme/css/login.css index 448ee59f1..b8746cd4c 100644 --- a/wbce/templates/wbce_flat_theme/css/login.css +++ b/wbce/templates/wbce_flat_theme/css/login.css @@ -87,13 +87,19 @@ a:hover { } .page_login_link { - font-size: 13px; + display: block; + margin: 50px 0; } .login_license { font-size: 11px; } +.captcha_table { + display: inline-block; + margin: auto; +} + @media (max-width: 550px) { .page_login_logo { background: none; diff --git a/wbce/templates/wbce_flat_theme/info.php b/wbce/templates/wbce_flat_theme/info.php index c739ba369..f2e774e68 100644 --- a/wbce/templates/wbce_flat_theme/info.php +++ b/wbce/templates/wbce_flat_theme/info.php @@ -14,8 +14,8 @@ $template_directory = 'wbce_flat_theme'; $template_name = 'WBCE Flat Theme'; $template_function = 'theme'; -$template_version = '1.7.5'; -$template_platform = '1.4'; +$template_version = '1.7.6'; +$template_platform = '1.5.0'; $template_author = 'Colinax based on the work by Yetiie, BerndJM and rjgamer'; $template_license = 'GNU General Public License'; $template_license_terms = '-'; diff --git a/wbce/templates/wbce_flat_theme/templates/login_forgot.htt b/wbce/templates/wbce_flat_theme/templates/login_forgot.htt index 0cbaaa6b8..db7c4dcc4 100644 --- a/wbce/templates/wbce_flat_theme/templates/login_forgot.htt +++ b/wbce/templates/wbce_flat_theme/templates/login_forgot.htt @@ -28,6 +28,7 @@

+ {CAPTCHA}