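<?php
/*********************************************************************
    pwreset.php

    Handles step 2, 3 and 5 of password resetting
    1. Fail to login (2+ fail login attempts)
    2. Visit password reset form and enter username or email
    3. Receive an email with a link and follow it
    4. Visit password reset form again, with the link
    5. Enter the username or email address again and login
    6. Password change is now required, user changes password and
       continues on with the session

    Peter Rotich <peter@osticket.com>
    Jared Hancock <jared@osticket.com>
    Copyright (c)  2006-2013 osTicket
    http://www.osticket.com

    Released under the GNU General Public License WITHOUT ANY WARRANTY.
    See LICENSE.TXT for details.

    vim: expandtab sw=4 ts=4 sts=4:
**********************************************************************/
require_once('../main.inc.php');
if(!defined('INCLUDE_DIR')) die('Fatal Error. Kwaheri!');

// Bootstrap gettext translations. Since no one is yet logged in, use the
// system or browser default
TextDomain::configureForUser();

require_once(INCLUDE_DIR.'class.staff.php');
require_once(INCLUDE_DIR.'class.csrf.php');

// Template rendered at the bottom of this script. Each branch below either
// selects a different template or redirects away before the include runs.
$tpl = 'pwreset.php';

if ($_POST) {
    // Every POST handled here is state-changing (sends an email or signs the
    // staff member in), so the CSRF token is checked before any dispatch.
    if (!$ost->checkCSRFToken()) {
        Http::response(400, __('Valid CSRF Token Required'));
        exit;
    }
    // Guard the index lookups so a request without the field does not raise
    // an undefined-index notice; missing values behave like an empty string.
    $do = isset($_POST['do']) ? (string) $_POST['do'] : '';
    switch ($do) {
        case 'sendmail':
            $userid = isset($_POST['userid']) ? (string) $_POST['userid'] : '';
            if (Validator::is_userid($userid)
                    && ($staff = Staff::lookup($userid))) {
                if (!$staff->hasPassword()) {
                    // Account exists but has never set a password: send the
                    // registration (welcome) email instead of a reset email.
                    // NOTE(review): presumably sendResetEmail() reports failure
                    // with a non-false value (the plain-reset branch below treats
                    // a falsy return as success), so the `!== false` test here
                    // looks inconsistent with that branch — verify against
                    // Staff::sendResetEmail before relying on the failure message.
                    if ($staff->sendResetEmail('registration-staff', false) !== false)
                        $msg = __('Registration email sent successfully.');
                    else
                        $msg = __('Unable to reset password. 
Contact your administrator');
                    // NOTE(review): this branch renders the form with a message,
                    // whereas both the known-user and unknown-user paths render
                    // pwreset.sent.php. The differing response distinguishes a
                    // registered-but-passwordless account from an unknown one;
                    // confirm that disclosure is intended.
                }
                elseif (!$staff->sendResetEmail()) {
                    $tpl = 'pwreset.sent.php';
                }
            }
            else {
                // Unknown or malformed userid: show the same "sent" page as for a
                // valid account so the response does not reveal whether the
                // username/email exists.
                $tpl = 'pwreset.sent.php';
            }
            break;
        case 'newpasswd':
            // TODO: Compare passwords
            $tpl = 'pwreset.login.php';
            $errors = array();
            // processSignOn() fills $errors by reference on failure; on success
            // the staff member is signed in and sent to the dashboard.
            if ($staff = StaffAuthenticationBackend::processSignOn($errors)) {
                Http::redirect('index.php');
            }
            elseif (isset($errors['msg'])) {
                $msg = $errors['msg'];
            }
            break;
    }
}
elseif (!empty($_GET['token'])) {
    $msg = __('Please enter your username or email');
    $_config = new Config('pwreset');
    // The token is only an opaque key into the 'pwreset' config namespace; the
    // value stored under it must be a numeric staff id that still resolves.
    if (($id = $_config->get($_GET['token']))
            && is_numeric($id)
            && ($staff = Staff::lookup((int) $id))) {
        // TODO: Detect staff confirmation (for welcome email)
        $tpl = 'pwreset.login.php';
    }
    else {
        // Unknown or expired token: bounce to the login page and stop here, so
        // the reset form is not rendered behind the redirect header.
        header('Location: index.php');
        exit;
    }
}
elseif ($cfg->allowPasswordReset()) {
    $msg = __('Enter your username or email address below');
}
else {
    // Feature disabled: leave a message for the login page and end the script.
    $_SESSION['_staff']['auth']['msg'] = __('Password resets are disabled');
    return header('Location: index.php');
}

define("OSTSCPINC",TRUE); //Make includes happy!
include_once(INCLUDE_DIR.'staff/'. $tpl);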