Set a limit on the password reset request.

Set new messages on password reset request. This change includes new field in database!
khodakhah · Oct 2, 2021 · 858590a · 858590a
1 parent af53ec7
commit 858590a
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 3 deletions.
diff --git a/nodcms-core/Config/Settings.php b/nodcms-core/Config/Settings.php
@@ -223,5 +223,6 @@ class Settings extends \CodeIgniter\Config\BaseConfig
         'homepage_redirect'=>"",
         'homepage_display_file'=>"",
         'homepage_display_page'=>"",
+        'reset_password_tries_limit'=>5,
     );
 }
diff --git a/nodcms-core/Models/Users.php b/nodcms-core/Models/Users.php
@@ -45,6 +45,7 @@ function init()
             'active'=>"int(1) unsigned NOT NULL DEFAULT '0'",
             'active_code'=>"varchar(255) DEFAULT NULL",
             'active_code_expired'=>"int(10) DEFAULT NULL",
+            'reset_password_tries'=>"int(10) unsigned DEFAULT '0'",
             'user_unique_key'=>"varchar(255) DEFAULT NULL",
             'avatar'=>"varchar(255) DEFAULT NULL",
             'mobile'=>"varchar(20) DEFAULT NULL",

diff --git a/nodcms-users/Controllers/Users.php b/nodcms-users/Controllers/Users.php
@@ -196,10 +196,25 @@ function returnPassword()
                 return $this->errorMessage("User not found!", base_url("{$this->lang}/return-password"));
             }
 
+            $tries = 0;
+            $active_code_expired = strtotime("+24h");
+            if($user['active_code_expired'] > strtotime("now")) {
+                $active_code_expired = $user['active_code_expired'];
+                $tries = $user['reset_password_tries'];
+                if($tries >= Services::settings()->get()['reset_password_tries_limit']) {
+                    return $this->errorMessage("For security reason you are not able to request the a new password any more. " .
+                        "Please try after 24 hours again.", base_url("{$this->lang}/return-password"));
+                }
+                $tries++;
+            }
+
             $rand_str = md5(rand(1000,9999) + time() + rand(1000, 9999) );
 
-            $active_code_expired = strtotime("tomorrow");
-            $update_data = array('active_code'=>$rand_str, 'active_code_expired'=>$active_code_expired);
+            $update_data = [
+                'active_code'=>$rand_str,
+                'active_code_expired'=>$active_code_expired,
+                'reset_password_tries'=>$tries
+            ];
             Services::model()->users()->edit($user['user_id'], $update_data);
 
             $data = array_merge($user, array(
@@ -213,7 +228,7 @@ function returnPassword()
                 'reference_url'=>base_url("/{$this->lang}/set-new-password/$user[user_unique_key]/$active_code_expired"),
             ));
             send_notification_email('reset_password', $email, $data, $this->language['language_id']);
-            return $this->successMessage("Your account has been activated successfully. Now you can sign in with your account.", "/{$this->lang}/login");
+            return $this->successMessage("We sent you an email. Please check your inbox and span box.", "/{$this->lang}/login");
         }
 
         $this->data['the_form'] = $myform->fetch('login_form', array('data-reset'=>1,'data-message'=>1, 'data-redirect'=>1));