Add option to send reset key for a given user name

Message ID 20200130162944.51132-1-lfleischer@archlinux.org
State New
Series
  • Add option to send reset key for a given user name

Commit Message

Lukas Fleischer Jan. 30, 2020, 4:29 p.m. UTC
In addition to supporting email addresses in the reset key form, also
support user names. The reset key is then sent to the email address in
the user's profile.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
---
 web/html/passreset.php    | 25 ++++++++++++-------------
 web/lib/acctfuncs.inc.php | 13 +++++++------
 2 files changed, 19 insertions(+), 19 deletions(-)

Patch

diff --git a/web/html/passreset.php b/web/html/passreset.php
index 9e7cee8..b3c8bd2 100644
--- a/web/html/passreset.php
+++ b/web/html/passreset.php
@@ -11,14 +11,14 @@  if (isset($_COOKIE["AURSID"])) {
 
 $error = '';
 
-if (isset($_GET['resetkey'], $_POST['email'], $_POST['password'], $_POST['confirm'])) {
+if (isset($_GET['resetkey'], $_POST['user'], $_POST['password'], $_POST['confirm'])) {
 	$resetkey = $_GET['resetkey'];
-	$email = $_POST['email'];
+	$user = $_POST['user'];
 	$password = $_POST['password'];
 	$confirm = $_POST['confirm'];
-	$uid = uid_from_email($email);
+	$uid = uid_from_loginname($user);
 
-	if (empty($email) || empty($password)) {
+	if (empty($user) || empty($password)) {
 		$error = __('Missing a required field.');
 	} elseif ($password != $confirm) {
 		$error = __('Password fields do not match.');
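Review bot: `$_POST['user']` is handed to `uid_from_loginname()` on the added line before anything checks that it is a string, and both `isset()` and `empty()` let a non-empty array through when the field is submitted as `user[]`. I would normalise it at the assignment, `$user = is_string($_POST['user']) ? $_POST['user'] : '';`, so the existing `Missing a required field.` branch handles that case instead of the lookup and the later `$dbh->quote($user)` in `password_reset()` receiving an array. The same applies to `$user = $_POST['user'];` in the `elseif (isset($_POST['user']))` branch of the next hunk. The enclosing `if` block continues past this hunk.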
@@ -31,16 +31,15 @@  if (isset($_GET['resetkey'], $_POST['email'], $_POST['password'], $_POST['confir
 	}
 
 	if (empty($error)) {
-		$error = password_reset($password, $resetkey, $email);
+		$error = password_reset($password, $resetkey, $user);
 	}
-} elseif (isset($_POST['email'])) {
-	$email = $_POST['email'];
-	$username = username_from_id(uid_from_email($email));
+} elseif (isset($_POST['user'])) {
+	$user = $_POST['user'];
 
-	if (empty($email)) {
+	if (empty($user)) {
 		$error = __('Missing a required field.');
 	} else {
-		send_resetkey($email);
+		send_resetkey($user);
 		header('Location: ' . get_uri('/passreset/') . '?step=confirm');
 		exit();
 	}
@@ -67,7 +66,7 @@  html_header(__("Password Reset"));
 		<table>
 			<tr>
 				<td><?= __("Confirm your e-mail address:"); ?></td>
-				<td><input type="text" name="email" size="30" maxlength="64" /></td>
+				<td><input type="text" name="user" size="30" maxlength="64" /></td>
 			</tr>
 			<tr>
 				<td><?= __("Enter your new password:"); ?></td>
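Review bot: The label on the unchanged line above the renamed input still reads `Confirm your e-mail address:`, although the field is now `user` and is resolved with `uid_from_loginname()`. Someone who requested the key by user name is told to enter an address here; because `password_reset()` now matches either value this is confusing rather than blocking, but the prompt should agree with the first form, e.g. `<?= __("Confirm your user name or your e-mail address:"); ?>`.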
@@ -89,8 +88,8 @@  html_header(__("Password Reset"));
 	<ul class="errorlist"><li><?= $error ?></li></ul>
 	<?php endif; ?>
 	<form action="" method="post">
-		<p><?= __("Enter your e-mail address:"); ?>
-		<input type="text" name="email" size="30" maxlength="64" /></p>
+		<p><?= __("Enter your user name or your e-mail address:"); ?>
+		<input type="text" name="user" size="30" maxlength="64" /></p>
 		<input type="submit" class="button" value="<?= __('Continue') ?>" />
 	</form>
 	<?php endif; ?>
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index 345d27a..f6cda69 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -755,13 +755,13 @@  function create_resetkey($resetkey, $uid) {
 /**
  * Send a reset key to a specific e-mail address
  *
- * @param string $email E-mail address of the user resetting their password
+ * @param string $user User name or email address of the user
  * @param bool $welcome Whether to use the welcome message
  *
  * @return void
  */
-function send_resetkey($email, $welcome=false) {
-	$uid = uid_from_email($email);
+function send_resetkey($user, $welcome=false) {
+	$uid = uid_from_loginname($user);
 	if ($uid == null) {
 		return;
 	}
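Review bot: The docblock summary still says `Send a reset key to a specific e-mail address`, which no longer describes the function: the key goes to the address stored in the profile of whichever account `$user` resolves to. That distinction matters to a reader because a requester now only needs to know a user name, not the address, to cause reset mail to be sent to the account holder. I would reword the summary to `Send a reset key to the e-mail address on file for a user` and add a line noting that an unknown name returns silently, which together with the unconditional redirect in passreset.php keeps the form from revealing which accounts exist. Whether repeated requests for the same account are throttled is decided in the part of the body outside this hunk and is worth checking.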
@@ -779,11 +779,11 @@  function send_resetkey($email, $welcome=false) {
  *
  * @param string $password The new password
  * @param string $resetkey Code e-mailed to a user to reset a password
- * @param string $email E-mail address of the user resetting their password
+ * @param string $user User name or email address of the user
  *
  * @return string|void Redirect page if successful, otherwise return error message
  */
-function password_reset($password, $resetkey, $email) {
+function password_reset($password, $resetkey, $user) {
 	$hash = password_hash($password, PASSWORD_DEFAULT);
 
 	$dbh = DB::connect();
@@ -792,7 +792,8 @@  function password_reset($password, $resetkey, $email) {
 	$q.= "ResetKey = '' ";
 	$q.= "WHERE ResetKey != '' ";
 	$q.= "AND ResetKey = " . $dbh->quote($resetkey) . " ";
-	$q.= "AND Email = " . $dbh->quote($email);
+	$q.= "AND (Email = " . $dbh->quote($user) . " OR ";
+	$q.= "UserName = " . $dbh->quote($user) . ")";
 	$result = $dbh->exec($q);
 
 	if (!$result) {
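Review bot: The account is identified twice by different rules: passreset.php resolves `$uid` with `uid_from_loginname($user)`, while the added `(Email = … OR UserName = …)` condition lets the database match either column independently. The reset key remains the actual secret, so this is mainly a consistency concern, but if one account's user name can ever equal another account's e-mail address (the validation rules are not visible here) the two paths could disagree about which row is meant. Resolving the uid once inside `password_reset()`, `$uid = uid_from_loginname($user);`, and constraining the UPDATE on that account's primary key instead of the two text columns would make both steps agree. The function body starts before and continues after this hunk.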