bd2999526e
fixed change pw templates; added csrf token added csrf protection for password reset fixed reset and change pass templates; were missing csrf token (form only tpl)
33 lines
1.3 KiB
PHP
33 lines
1.3 KiB
PHP
<?php
|
|
|
|
// Make sure we are called from index.php
|
|
if (!defined('SECURITY')) die('Hacking attempt');
|
|
|
|
// csrf stuff
|
|
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
|
|
if ($csrfenabled) {
|
|
// we have to use editaccount token because this can be called from 2 separate places
|
|
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;
|
|
}
|
|
|
|
// Process password reset request
|
|
if (!$csrfenabled || $csrfenabled && $nocsrf) {
|
|
if ($user->initResetPassword($_POST['username'], $smarty)) {
|
|
$_SESSION['POPUP'][] = array('CONTENT' => 'Please check your mail account to finish your password reset', 'TYPE' => 'success');
|
|
} else {
|
|
$_SESSION['POPUP'][] = array('CONTENT' => htmlentities($user->getError(), ENT_QUOTES), 'TYPE' => 'errormsg');
|
|
}
|
|
} else {
|
|
$img = $csrftoken->getDescriptionImageHTML();
|
|
$_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
|
|
}
|
|
|
|
// csrf token
|
|
if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
|
|
$token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH');
|
|
$smarty->assign('CTOKEN', $token);
|
|
}
|
|
// Tempalte specifics, user default template by parent page
|
|
$smarty->assign("CONTENT", "../default.tpl");
|
|
?>
|