1: <?php
// Refuse to run when this file is loaded directly rather than through the
// framework bootstrap, which is what defines CON_FRAMEWORK.
if (!defined('CON_FRAMEWORK')) {
    die('Illegal call: Missing framework initialization - request aborted.');
}
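/**
 * Backend "forgot password" handling: renders the request form, throttles
 * requests per user, stores a freshly generated password for the matching
 * user record and mails it to the address stored on that record.
 */
class cPasswordRequest {

    /**
     * Loose e-mail shape accepted for the sender address and for the user
     * record's address: anything@anything.<1-20 word chars>.
     */
    const EMAIL_PATTERN = '/^.+@.+\.([A-Za-z0-9\-_]{1,20})$/';

    /**
     * Alphabet a generated password is drawn from. The easily confused
     * glyphs I, i, l and 0 are not part of it.
     */
    const PASSWORD_CHARS = 'ABCDEFGHJKLMNOPQRSTUVWXYZabcdefghjkmnopqrstuvwxyz123456789';

    /**
     * Database object used for every query against the user table.
     * @var object
     */
    protected $_db;

    /**
     * CONTENIDO configuration array; 'tab', 'path' and 'templates' are read.
     * @var array
     */
    protected $_cfg;

    /**
     * Template the request form is rendered into.
     * @var cTemplate
     */
    protected $_tpl;

    /**
     * Username as submitted with the form; empty until a request is handled.
     * @var string
     */
    protected $_username;

    /**
     * E-mail address read from the matched user record.
     * @var string
     */
    protected $_email;

    /**
     * Minimum interval between two requests for the same user, in minutes.
     * @var int
     */
    protected $_reloadTime;

    /**
     * Length of a generated password, in characters.
     * @var int
     */
    protected $_passLength;

    /**
     * Whether the feature is active (system property pw_request/enable).
     * @var bool
     */
    protected $_isEnabled;

    /**
     * Sender address of the notification mail.
     * @var string
     */
    protected $_sendermail;

    /**
     * Sender name of the notification mail.
     * @var string
     */
    protected $_sendername;

    /**
     * Mail host from system property system/mail_host. Set here but not read
     * by any method of this class.
     * @var string
     */
    protected $_mailhost;

    /**
     * Reads the mail and feature settings from the system properties.
     *
     * @param object $db  Database object; anything that is not an object
     *                    makes the constructor fall back to cRegistry::getDb().
     * @param array  $cfg CONTENIDO configuration array
     */
    public function __construct($db, $cfg) {
        $this->_db = is_object($db) ? $db : cRegistry::getDb();
        $this->_cfg = $cfg;
        $this->_tpl = new cTemplate();
        $this->_username = '';
        $this->_email = '';

        // Throttle window enforced by _isRequestAllowed(), in minutes.
        $this->_reloadTime = 30;
        $this->_passLength = 14;

        // The feature is on unless the property is literally the string 'false'.
        $this->_isEnabled = (getSystemProperty('pw_request', 'enable') !== 'false');

        $sendermail = (string) getSystemProperty('system', 'mail_sender');
        $this->_sendermail = preg_match(self::EMAIL_PATTERN, $sendermail) ? $sendermail : 'info@contenido.org';

        $sendername = (string) getSystemProperty('system', 'mail_sender_name');
        $this->_sendername = ($sendername !== '') ? $sendername : 'CONTENIDO Backend';

        $mailhost = (string) getSystemProperty('system', 'mail_host');
        $this->_mailhost = ($mailhost !== '') ? $mailhost : 'localhost';
    }

    /**
     * Renders the password request form and, when the form was submitted
     * (POST action 'request_pw'), processes the request first and shows the
     * resulting message.
     *
     * @param int $return Passed through to cTemplate::generate() as its second
     *                    argument when truthy; otherwise generate() is called
     *                    with the template path only.
     * @return string Rendered template, or '' when the feature is disabled
     */
    public function renderForm($return = 0) {
        if (!$this->_isEnabled) {
            return '';
        }

        // Only a plain string is acceptable; request_username[]=... would make
        // stripslashes() fail and is not a username anyway.
        $rawUsername = '';
        if (isset($_POST['request_username']) && is_string($_POST['request_username'])) {
            $rawUsername = $_POST['request_username'];
        }

        $message = '';
        if (isset($_POST['action']) && $_POST['action'] === 'request_pw') {
            // _handleNewPassword() applies stripslashes() itself.
            $this->_username = $rawUsername;
            $message = $this->_handleNewPassword();
            $this->_tpl->set('s', 'JS_CALL', 'showRequestLayer();');
        } else {
            $this->_tpl->set('s', 'JS_CALL', '');
        }

        $form = new cHTMLForm('request_pw', 'index.php', 'post');

        $inputUsername = new cHTMLTextbox('request_username', stripslashes($rawUsername), '', '', 'request_username');
        $inputUsername->setStyle('width:215px;');

        $form->setVar('action', 'request_pw');
        $form->setVar('belang', $GLOBALS['belang']);

        $submit = '<input class="password_request_input" type="image" src="images/submit.gif" alt="' . i18n('Submit') . '" title="' . i18n('Submit') . '">';
        $form->setContent($submit . $inputUsername->render());

        $this->_tpl->set('s', 'FORM', $form->render());
        $this->_tpl->set('s', 'MESSAGE', $message);
        $this->_tpl->set('s', 'LABEL', i18n('Please enter your login') . ':');

        $templateFile = $this->_cfg['path']['contenido'] . $this->_cfg['path']['templates'] . $this->_cfg['templates']['request_password'];
        if ($return) {
            return $this->_tpl->generate($templateFile, 1);
        }
        return $this->_tpl->generate($templateFile);
    }

    /**
     * Looks up the submitted username, checks the throttle window and the
     * stored address, and on success stores and mails a new password.
     *
     * Every failure path sleeps for 5 seconds before returning, so that
     * failed lookups are slowed down.
     *
     * @return string Translated message to display to the user
     */
    protected function _handleNewPassword() {
        $this->_username = stripslashes($this->_username);

        $sql = "SELECT username, last_pw_request, email FROM " . $this->_cfg['tab']['user'] . "
                WHERE username = '" . $this->_db->escape($this->_username) . "'
                AND (valid_from <= NOW() OR valid_from = '0000-00-00 00:00:00' OR valid_from IS NULL)
                AND (valid_to >= NOW() OR valid_to = '0000-00-00 00:00:00' OR valid_to IS NULL)";
        $this->_db->query($sql);

        // One message for "no such user" and "no usable address" so the reply
        // does not tell the two cases apart.
        $notFound = i18n('No matching data found. Please contact your systemadministrator.');

        // The SQL match may be case-insensitive depending on the column
        // collation, so the exact username is re-checked in PHP. A strict
        // string comparison is used rather than `md5($a) == md5($b)`: with `==`
        // PHP compares digests of the form "0e<digits>" numerically.
        if (!$this->_db->nextRecord() || $this->_username !== (string) $this->_db->f('username')) {
            sleep(5);
            return $notFound;
        }

        $this->_email = $this->_db->f('email');

        // NOTE(review): this branch answers differently from $notFound, so it
        // confirms that the account exists to whoever submits its name.
        if (!$this->_isRequestAllowed($this->_db->f('last_pw_request'))) {
            sleep(5);
            return sprintf(i18n('Password requests are allowed every %s minutes.'), $this->_reloadTime);
        }

        // Records without a real address are refused; the two literal
        // addresses look like sample data ("IhreSite" = "your site") —
        // confirm against the default user records before touching them.
        $email = (string) $this->_email;
        if (!preg_match(self::EMAIL_PATTERN, $email)
            || $email === 'sysadmin@IhreSite.de'
            || $email === 'admin_kunde@IhreSite.de') {
            sleep(5);
            return $notFound;
        }

        $this->_setNewPassword();
        return i18n('New password was submitted to your e-mail address.');
    }

    /**
     * Checks whether the throttle window since the last request has elapsed.
     *
     * @param string $lastPwRequest Value of last_pw_request in 'Y-m-d H:i:s'
     *                              form; anything else counts as "never requested".
     * @return bool true when a new request may be processed
     */
    protected function _isRequestAllowed($lastPwRequest) {
        if (!preg_match('/^(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})$/', (string) $lastPwRequest, $m)) {
            return true;
        }

        $lastRequest = mktime((int) $m[4], (int) $m[5], (int) $m[6], (int) $m[2], (int) $m[3], (int) $m[1]);

        return (time() - $lastRequest) >= (60 * $this->_reloadTime);
    }

    /**
     * Generates a new password, stores its hash on the user record together
     * with the request timestamp and mails the clear-text password.
     *
     * NOTE(review): the UPDATE overwrites `password` right away, before the
     * mail has been read — anyone who knows a username can force a new
     * password for that account once per throttle window. Whether
     * tmp_pw_request was meant to hold the pending value instead cannot be
     * seen from this file; check the login code.
     */
    protected function _setNewPassword() {
        $password = $this->_generatePassword();
        $table = $this->_cfg['tab']['user'];

        // The username originates from the request, so it is escaped here as
        // well, even though _handleNewPassword() already matched it to a record.
        $username = $this->_db->escape($this->_username);

        $this->_db->query("SELECT salt FROM " . $table . " WHERE username = '" . $username . "'");
        $this->_db->nextRecord();

        // Legacy layout sha256(md5(password) . salt); it must match whatever
        // the login check verifies against — confirm there before changing.
        $passwordHash = hash('sha256', md5($password) . $this->_db->f('salt'));

        $sql = "UPDATE " . $table . "
                SET last_pw_request = '" . date('Y-m-d H:i:s') . "',
                    tmp_pw_request = '" . $passwordHash . "',
                    password = '" . $passwordHash . "'
                WHERE username = '" . $username . "'";
        $this->_db->query($sql);

        $this->_submitMail($password);
    }

    /**
     * Sends the new password to the address of the matched user record.
     *
     * @param string $password Clear-text password to include in the mail body
     */
    protected function _submitMail($password) {
        $cfg = cRegistry::getConfig();
        $charset = $cfg['php_settings']['default_charset'];
        $password = (string) $password;

        $subject = stripslashes(i18n('Your new password for CONTENIDO Backend'));
        $mailBody = sprintf(i18n("Dear CONTENIDO-User %s,\n\nYour password to log in Content Management System CONTENIDO is: %s\n\nBest regards\n\nYour CONTENIDO sysadmin"), $this->_username, $password);

        // utf8_encode() converts from ISO-8859-1 only and is deprecated since
        // PHP 8.2; mb_convert_encoding($s, 'UTF-8', $charset) would also cover
        // other backend charsets — needs the mbstring requirement confirmed.
        if ($charset != 'UTF-8') {
            $subject = utf8_encode(conHtmlEntityDecode($subject, '', $charset));
            $body = utf8_encode(conHtmlEntityDecode($mailBody, '', $charset));
        } else {
            $subject = conHtmlEntityDecode($subject);
            $body = conHtmlEntityDecode($mailBody);
        }

        $mailer = new cMailer();
        $from = array(
            $this->_sendermail => $this->_sendername
        );
        $mailer->sendMail($from, $this->_email, $subject, $body);
    }

    /**
     * Draws a password of $_passLength characters from PASSWORD_CHARS.
     *
     * random_int() is used because rand() is not a cryptographically secure
     * source; its upper bound is inclusive, so strlen - 1 keeps every draw
     * inside the alphabet (rand(0, strlen) could index one past the end).
     *
     * @return string
     */
    protected function _generatePassword() {
        $chars = self::PASSWORD_CHARS;
        $maxIndex = strlen($chars) - 1;

        $password = '';
        for ($i = 0; $i < $this->_passLength; $i++) {
            $password .= $chars[random_int(0, $maxIndex)];
        }

        return $password;
    }
}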