From: Arun Persaud Date: Sat, 23 Jun 2007 13:53:30 +0000 (+0200) Subject: NEW FEATURE: password recovery is now working X-Git-Url: https://git.nubati.net/cgi-bin/gitweb.cgi?p=e-DoKo.git;a=commitdiff_plain;h=7405ce4fabf64e905e7b7371764d74dbc4b1b198 NEW FEATURE: password recovery is now working Added a simple form of password recovery. The user gets send an email with the new password, which is valid for 24h. The user can request a maximum of 5 passwords within 24h to prevent filling up the database with garbage. --- diff --git a/create_database.sql b/create_database.sql index 9acb4f0..4be13de 100644 --- a/create_database.sql +++ b/create_database.sql @@ -310,10 +310,38 @@ CREATE TABLE `User_Prefs` ( -- -/*!40000 ALTER TABLE `User_Prefs` DISABLE KEYS */; -LOCK TABLES `User_Prefs` WRITE; + + +/*!40000 ALTER TABLE `Recovery` DISABLE KEYS */; +LOCK TABLES `Recovery` WRITE; +UNLOCK TABLES; +/*!40000 ALTER TABLE `Recovery` ENABLE KEYS */; + + +DROP TABLE IF EXISTS `Recovery`; +CREATE TABLE `Recovery` ( + `id` int(11) NOT NULL auto_increment, + `user_id` int(11) NOT NULL default '0', + `password` varchar(32) default NULL, + `create_date` timestamp NOT NULL default '0000-00-00 00:00:00', + UNIQUE KEY `id` (`id`) +) ENGINE=MyISAM DEFAULT CHARSET=utf8; + +-- +-- Dumping data for table `Recovery` +-- + + + + +/*!40000 ALTER TABLE `Recovery` DISABLE KEYS */; +LOCK TABLES `Recovery` WRITE; UNLOCK TABLES; -/*!40000 ALTER TABLE `User_Prefs` ENABLE KEYS */; +/*!40000 ALTER TABLE `Recovery` ENABLE KEYS */; + + + + /*!40101 SET SQL_MODE=@OLD_SQL_MODE */; /*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */; diff --git a/db.php b/db.php index dee6529..86f3d0e 100644 --- a/db.php +++ b/db.php @@ -134,6 +134,17 @@ function DB_get_userid_by_email_and_password($email,$password) $result = mysql_query("SELECT id FROM User WHERE email=".DB_quote_smart($email)." AND password=".DB_quote_smart($password)); $r = mysql_fetch_array($result,MYSQL_NUM); + /* test if a recovery password has been set */ + if(!$r) + { + $result = mysql_query("SELECT User.id FROM User". + " LEFT JOIN Recovery ON User.id=Recovery.user_id". + " WHERE email=".DB_quote_smart($email). + " AND Recovery.password=".DB_quote_smart($password). + " AND DATE_SUB(CURDATE(),INTERVAL 1 DAY) <= Recovery.create_date"); + $r = mysql_fetch_array($result,MYSQL_NUM); + } + if($r) return $r[0]; else @@ -771,4 +782,25 @@ function DB_get_unused_randomnumbers($userstr) return ""; } +function DB_get_number_of_passwords_recovery($user) +{ + $queryresult = mysql_query("SELECT COUNT(*) FROM Recovery ". + " WHERE user_id=$user ". + " AND DATE_SUB(CURDATE(),INTERVAL 1 DAY) <= create_date". + " GROUP BY user_id " ); + + $r = mysql_fetch_array($queryresult,MYSQL_NUM); + if($r) + return $r[0]; + else + return 0; +} + +function DB_set_recovery_password($user,$newpw) +{ + mysql_query("INSERT INTO Recovery VALUES(NULL,".DB_quote_smart($user). + ",".DB_quote_smart($newpw).",NULL)"); + + return; +} ?> \ No newline at end of file diff --git a/index.php b/index.php index 0b9cfb4..83ada9a 100644 --- a/index.php +++ b/index.php @@ -1643,16 +1643,49 @@ else if(myisset("me")) if($ok) { - echo "Hmm, you forgot your passwort...nothing I can do at the moment:( "; - echo " you need to email Arun for now... in the future it will be all automated and an "; - echo "email with a new password will go to $email."; + /* check how many entries in recovery table */ + $number = DB_get_number_of_passwords_recovery($uid); + + /* if less than N recent ones, add a new one and send out email */ + if( $number < 5 ) + { + echo "Ok, I send you a new password.
"; + if($number >1) + echo "N.B. You tried this already $number times during the last day and it will only work ". + " 5 times during a day.
"; + echo "The new password will be valid for one day, make sure you reset it to something else.
"; + echo "Back to the main page."; + + $TIME = (string) time(); /* to avoid collisions */ + $hash = md5("Anewpassword".$email.$TIME); + $newpw = substr($hash,1,8); + + $message = "Someone (hopefully you) requested a new password. \n". + "You can use this email and the following password: \n". + " $newpw \n". + "to log into the server. The new password is valid for 24h, so make\n". + "sure you reset your password to something new. Your old password will\n". + " also still be valid until you set a new one\n"; + mymail($email,$EmailName."recovery ",$message); + + DB_set_recovery_password($uid,md5($newpw)); + } + else + { + echo "Sorry you already tried 5 times during the last 24h.
". + "You need to use one of those passwords or wait to get a new one.
"; + echo "Back to the main page."; + } } else { if($email=="") - echo "you need to give me an email address!"; + echo "You need to give me an email address!
". + "Please try again."; else - echo "couldn't find a player with this email, please contact Arun, if you think this is a mistake"; + echo "Couldn't find a player with this email!
". + "Please contact Arun, if you think this is a mistake
". + "or else try again."; } } else @@ -1683,11 +1716,48 @@ else if(myisset("me")) $result = mysql_query("UPDATE User_Prefs SET value=".DB_quote_smart($setpref). " WHERE user_id='$uid' AND pref_key='cardset'" ); else - $result = mysql_query("INSERT INTO User_Prefs VALUES(NULL,'$uid','cardset',".DB_quote_smart($setpref).")"); + $result = mysql_query("INSERT INTO User_Prefs VALUES(NULL,'$uid','cardset',". + DB_quote_smart($setpref).")"); echo "Ok, changed you preferences for the cards.\n"; break; } } + else if(myisset("passwd")) + { + if( $_REQUEST["passwd"]=="ask" ) + { + /* reset password form*/ + output_password_recovery($email,$password); + } + else if($_REQUEST["passwd"]=="set") + { + /* reset password */ + $ok = 1; + + /* check if old password matches */ + if($password != md5($_REQUEST["password0"])) + $ok = -1; + /* check if new passwords are types the same twice */ + if($_REQUEST["password1"] != $_REQUEST["password2"] ) + $ok = -2; + + switch($ok) + { + case '-2': + echo "The new passwords don't match.
"; + break; + case '-1': + echo "The old password is not correct.
"; + break; + case '1': + echo "Changed the password.
"; + mysql_query("UPDATE User SET password='".md5($_REQUEST["password1"]). + "' WHERE id=".DB_quote_smart($uid)); + break; + } + /* set password */ + } + } else /* output default user page */ { $time = DB_get_user_timestamp($uid); diff --git a/output.php b/output.php index 922b439..fe4a971 100644 --- a/output.php +++ b/output.php @@ -34,7 +34,8 @@ function output_user_settings($email,$password) echo "
\n"; echo " \n"; echo " \n"; - echo "
\n"; + echo " \n"; + echo "
\n"; echo "
\n"; echo "
\n"; echo " \n"; @@ -404,4 +405,36 @@ function output_footer() return; } + +function output_password_recovery($email,$password) +{ +?> + +\n"; + echo " \n"; + echo " \n"; +?> +
+ Password recovery + + + + + + + + + + + + + + +
+
+
+ + \ No newline at end of file