srchub-old

srchub-old Mercurial Source Tree


Root/indefero/src/IDF/Form/PasswordInputKey.php

<?php
/* -*- tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
/*
# ***** BEGIN LICENSE BLOCK *****
# This file is part of InDefero, an open source project management application.
# Copyright (C) 2008-2011 CĂ©ondo Ltd and contributors.
#
# InDefero is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# InDefero is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
#
# ***** END LICENSE BLOCK ***** */

Pluf::loadFunction('Pluf_HTTP_URL_urlForView');

/**
 * Check the validity of a confirmation key to reset a password.
 *
 */
class IDF_Form_PasswordInputKey extends Pluf_Form
{
    public function initFields($extra=array())
    {
        $this->fields['key'] = new Pluf_Form_Field_Varchar(
                                      array('required' => true,
                                            'label' => __('Your verification key'),
                                            'initial' => '',
                                            'widget_attrs' => array(
                                                       'size' => 50,
                                                                    ),
                                            ));
    }

    /**
     * Validate the key.
     */
    public function clean_key()
    {
        $this->cleaned_data['key'] = trim($this->cleaned_data['key']);
        $error = __('We are sorry but this validation key is not valid. Maybe you should directly copy/paste it from your validation email.');
        if (false === ($cres=self::checkKeyHash($this->cleaned_data['key']))) {
            throw new Pluf_Form_Invalid($error);
        }
        $guser = new Pluf_User();
        $sql = new Pluf_SQL('email=%s AND id=%s', 
                            array($cres[0], $cres[1]));
        if ($guser->getCount(array('filter' => $sql->gen())) != 1) {
            throw new Pluf_Form_Invalid($error);
        }
        if ((time() - $cres[2]) > 86400) {
            throw new Pluf_Form_Invalid(__('Sorry, but this verification key has expired, please restart the password recovery sequence. For security reasons, the verification key is only valid 24h.'));
        }
        return $this->cleaned_data['key'];
    }

    /**
     * Save the model in the database.
     *
     * @param bool Commit in the database or not. If not, the object
     *             is returned but not saved in the database.
     * @return string Url to redirect to the form.
     */
    function save($commit=true)
    {
        if (!$this->isValid()) {
            throw new Exception(__('Cannot save an invalid form.'));
        }
        return Pluf_HTTP_URL_urlForView('IDF_Views::passwordRecovery',
                                        array($this->cleaned_data['key']));
    }

    /**
     * Return false or an array with the email, id and timestamp.
     *
     * This is a static function to be reused by other forms.
     *
     * @param string Confirmation key
     * @return mixed Either false or array(email, id, timestamp)
     */
    public static function checkKeyHash($key)
    {
        $hash = substr($key, 0, 2);
        $encrypted = substr($key, 2);
        if ($hash != substr(md5(Pluf::f('secret_key').$encrypted), 0, 2)) {
            return false;
        }
        $cr = new Pluf_Crypt(md5(Pluf::f('secret_key')));
        $f = explode(':', $cr->decrypt($encrypted), 3);
        if (count($f) != 3) {
            return false;
        }
        return $f;
    }
}
Source at commit 55305a934bac created 10 years 4 months ago.
By Nathan Adams, Fixing bug where password would not be hashed in database if user updated password

Archive Download this file

Branches

Tags

Page rendered in 0.69534s using 11 queries.