1<?php
2/*********************************************************************
3    pwreset.php
4
5    Handles step 2, 3 and 5 of password resetting
6        1. Fail to login (2+ fail login attempts)
7        2. Visit password reset form and enter username or email
8        3. Receive an email with a link and follow it
9        4. Visit password reset form again, with the link
10        5. Enter the username or email address again and login
11        6. Password change is now required, user changes password and
12           continues on with the session
13
14    Peter Rotich <peter@osticket.com>
15    Jared Hancock <jared@osticket.com>
16    Copyright (c)  2006-2013 osTicket
17    http://www.osticket.com
18
19    Released under the GNU General Public License WITHOUT ANY WARRANTY.
20    See LICENSE.TXT for details.
21
22    vim: expandtab sw=4 ts=4 sts=4:
23**********************************************************************/
24require_once('../main.inc.php');
25if(!defined('INCLUDE_DIR')) die('Fatal Error. Kwaheri!');
26
27// Bootstrap gettext translations. Since no one is yet logged in, use the
28// system or browser default
29TextDomain::configureForUser();
30
31require_once(INCLUDE_DIR.'class.staff.php');
32require_once(INCLUDE_DIR.'class.csrf.php');
33
34$tpl = 'pwreset.php';
35if($_POST) {
36    if (!$ost->checkCSRFToken()) {
37        Http::response(400, __('Valid CSRF Token Required'));
38        exit;
39    }
40    switch ($_POST['do']) {
41        case 'sendmail':
42            $userid = (string) $_POST['userid'];
43            if (Validator::is_userid($userid)
44                    && ($staff=Staff::lookup($userid))) {
45                if (!$staff->hasPassword()) {
46                    if ($staff->sendResetEmail('registration-staff', false) !== false)
47                        $msg = __('Registration email sent successfully.');
48                    else
49                        $msg = __('Unable to reset password. Contact your administrator');
50                }
51                elseif (!$staff->sendResetEmail()) {
52                    $tpl = 'pwreset.sent.php';
53                }
54            }
55            else
56                $tpl = 'pwreset.sent.php';
57            break;
58        case 'newpasswd':
59            // TODO: Compare passwords
60            $tpl = 'pwreset.login.php';
61            $errors = array();
62            if ($staff = StaffAuthenticationBackend::processSignOn($errors)) {
63                $info = array('page' => 'index.php');
64                Http::redirect($info['page']);
65            }
66            elseif (isset($errors['msg'])) {
67                $msg = $errors['msg'];
68            }
69            break;
70    }
71}
72elseif ($_GET['token']) {
73    $msg = __('Please enter your username or email');
74    $_config = new Config('pwreset');
75    if (($id = $_config->get($_GET['token']))
76            && is_numeric($id)
77            && ($staff = Staff::lookup( (int) $id)))
78        // TODO: Detect staff confirmation (for welcome email)
79        $tpl = 'pwreset.login.php';
80    else
81        header('Location: index.php');
82}
83elseif ($cfg->allowPasswordReset()) {
84    $msg = __('Enter your username or email address below');
85}
86else {
87    $_SESSION['_staff']['auth']['msg']=__('Password resets are disabled');
88    return header('Location: index.php');
89}
90define("OSTSCPINC",TRUE); //Make includes happy!
91include_once(INCLUDE_DIR.'staff/'. $tpl);
92