<?php
/*
SVN Access Manager - a subversion access rights management tool
Copyright (C) 2008 Thomas Krieger <hide@address.com>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
/*
File: securityquestion.php
$LastChangedDate: 2010-07-15 19:49:46 +0200 (Thu, 15 Jul 2010) $
$LastChangedBy: kriegeth $
$Id: securityquestion.php 470 2010-07-15 17:49:46Z kriegeth $
*/
if ( file_exists ( realpath ( "./config/config.inc.php" ) ) ) {
require( "./config/config.inc.php" );
} elseif( file_exists ( realpath ( "../config/config.inc.php" ) ) ) {
require( "../config/config.inc.php" );
} elseif( file_exists( "/etc/svn-access-manager/config.inc.php" ) ) {
require( "/etc/svn-access-manager/config.inc.php" );
} else {
die( "can't load config.inc.php. Check your installation!\n'" );
}
$installBase = isset( $CONF['install_base'] ) ? $CONF['install_base'] : "";
require ("$installBase/include/variables.inc.php");
#require ("./config/config.inc.php");
require ("$installBase/include/db-functions-adodb.inc.php");
require ("$installBase/include/functions.inc.php");
initialize_i18n();
$SESSID_USERNAME = check_session_lpw();
$dbh = db_connect();
$_SESSION['svn_lpw']['helptopic'] = "securityquestion";
$schema = db_determine_schema();
if ($_SERVER['REQUEST_METHOD'] == "GET") {
if (!ereg ("lostpassword.php", $_SERVER['HTTP_REFERER'])) {
header("Location: lostpassword.php");
exit;
}
$tAnswer = "";
$query = "SELECT * " .
" FROM ".$schema."svnusers " .
" WHERE userid = '$SESSID_USERNAME'";
$result = db_query( $query, $dbh );
if( $result['rows'] == 1 ) {
$row = db_assoc( $result['result'] );
$tQuestion = $row['securityquestion'];
if( $tQuestion == "" ) {
$_SESSION['svn_lpw']['error'] = _("Password reset not available for this user! Please contact the administrator!");
db_disconnect ($dbh);
header("Location: lostpassword.php");
exit;
}
} else {
db_disconnect ($dbh);
header("Location: lostpassword.php");
exit;
}
include ("$installBase/templates/securityquestion.tpl");
}
if ($_SERVER['REQUEST_METHOD'] == "POST") {
$error = 0;
$tAnswer = db_escape_string ($_POST['fAnswer']);
$tUsername = $SESSID_USERNAME;
$result = db_query( "SELECT * " .
" FROM ".$schema."svnusers " .
" WHERE userid = '$tUsername'", $dbh );
if ($result['rows'] == 1) {
$row = db_assoc( $result['result'] );
$tQuestion = $row['securityquestion'];
$tEmailaddress = $row['emailaddress'];
$givenname = $row['givenname'];
$name = $row['name'];
if( $tAnswer != $row['securityanswer'] ) {
$error = 1;
$tMessage = _("Wrong answer!");
} else {
$protocol = empty($_SERVER['HTTPS']) ? "http" : "https";
$path = dirname( $_SERVER['PHP_SELF'] );
$idstr = create_verify_string();
$token = create_verify_string();
$link = $protocol."://".$_SERVER['SERVER_NAME'].$path."/resetpassword.php?id=$idstr";
$sender = isset( $CONF['lostPwSender'] ) ? $CONF['lostPwSender'] : "noreply";
$days = isset( $CONF['lostPwLinkValid']) ? $CONF['lostPwLinkValid'] : 2;
$query = "INSERT INTO ".$schema."svnpasswordreset (unixtime, username, token, idstr) " .
" VALUES (".time().", '$tUsername', '$token', '$idstr')";
db_ta( "BEGIN", $dbh );
$result = db_query( $query, $dbh );
if( $result['rows'] > 0 ) {
db_ta( "COMMIT", $dbh );
$$header = "From:$sender\nReply-To:$sender\nX-Mailer: PHP/" . phpversion();
$text = sprintf(_("Hello %s %s"), $givenname, $name)."\n\n";
$text .= wordwrap(_("you requested to reset your lost password for your subversion account."))."\n\n";
$text .= wordwrap(_("Please follow the link below and enter the security token you got after answering the security question."))."\n\n";
$text .= $link."\n\n";
$text .= wordwrap(sprintf( _("The link is only valid for %s day(s)!"), $days))."\n\n";
$text .= _("Regards")."\n\n";
$text .= _("Administration")."\n";
$subject = encode_subject( _("Lost password reset"), "iso-8859-1" );
if( mail($tEmailaddress, $subject, $text, $header) ) {
$error = 0;
$tMessage = sprintf( _("You received an email to reset your password! Please remember the following token: %s"), $token );
db_disconnect ($dbh);
include ("$installBase/templates/securityquestionresult.tpl");
session_unset ();
session_destroy ();
} else {
$error = 1;
$tMessage = _("Sorry, mail could not be sent to you. Try again later please!");
}
} else {
db_ta( "ROLLBACK", $dbh );
$error = 1;
$tMessage = _("Sorry password reset does not work at the moment. Please come back later!");
}
}
} else {
$error = 1;
$tMessage = _('Unknown user, anyone tampered arround with the form data? Sorry, can\'t continue');
}
include ("$installBase/templates/securityquestion.tpl");
}
db_disconnect ($dbh);
?>