pub/main.php

<?php
/*
 * Gallery - a web based photo album viewer and editor
 * Copyright (C) 2000-2008 Bharat Mediratta
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or (at
 * your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
 */

GalleryCoreApi::requireOnce('modules/core/classes/helpers/UserRecoverPasswordHelper_simple.class');

/**
 * This controller will handle the recovery of passwords that have been lost or forgotten
 * by the user.
 * @package GalleryCore
 * @subpackage UserInterface
 * @author Jay Rossiter <cryptographite@users.sf.net>
 * @version $Revision$
 */
class UserRecoverPasswordController extends GalleryController {
    /**
     * ValidationPlugin instances to use when handling this request.  Only used by test code.
     *
     * @var array (pluginId => ValidationPlugin) $_pluginInstances
     * @access private
     */
    var $_pluginInstances;

    /**
     * Tests can use this method to hardwire a specific set of plugin instances to use.
     * This avoids situations where some of the option instances will do unpredictable
     * things and derail the tests.
     *
     * @param array $pluginInstances of GalleryValidationPlugin
     */
    function setPluginInstances($pluginInstances) {
        $this->_pluginInstances = $pluginInstances;
    }

    /**
     * @see GalleryController::handleRequest
     */
    function handleRequest($form) {
        global $gallery;

        $status = $error = $results = array();

        $phpVm = $gallery->getPhpVm();
        if (isset($form['action']['recover'])) {
            $form['userName'] = is_string($form['userName']) ? $form['userName'] : null;
            if (empty($form['userName'])) {
                $error[] = 'form[error][userName][missing]';
            }

            /* If no errors have been detected, let the validation plugins do their work */
            if (empty($error)) {
                if (isset($this->_pluginInstances)) {
                    $pluginInstances = $this->_pluginInstances;
                } else {
                    /* Get all the validation plugins */
                    list ($ret, $pluginInstances) =
                        GalleryCoreApi::getAllFactoryImplementationIds('GalleryValidationPlugin');
                    if ($ret) {
                        return array($ret, null);
                    }

                    foreach (array_keys($pluginInstances) as $pluginId) {
                        list ($ret, $pluginInstances[$pluginId]) =
                            GalleryCoreApi::newFactoryInstanceById('GalleryValidationPlugin',
                                                                   $pluginId);
                        if ($ret) {
                            return array($ret, null);
                        }
                    }
                }

                /* Let each plugin do its verification */
                foreach ($pluginInstances as $plugin) {
                    list ($ret, $pluginErrors, $continue) = $plugin->performValidation($form);
                    if ($ret) {
                        return array($ret, null);
                    }

                    $error = array_merge($error, $pluginErrors);
                    if (!$continue) {
                        break;
                    }
                }
            }

            /*
             * Still no errors?  Check the DB for a previous request and then
             * update, reject or add based on the results.
             */
            $shouldSendEmail = false;
            if (empty($error)) {
                list ($ret, $user) = GalleryCoreApi::fetchUserByUsername($form['userName']);
                if ($ret && !($ret->getErrorCode() & ERROR_MISSING_OBJECT)) {
                    return array($ret, null);
                }

                if (isset($user) && $user->getEmail() != '') {
                    /* Generate a unique auth string based on userName, time of request and IP */
                    $authString = $this->_generateAuthString();

                    /* Generate the request expiration: Now + 7 Days */
                    $requestExpires = mktime(date('G'), date('i'), date('s'),
                                             date('m'), date('d')+7, date('Y'));

                    /*
                     * Check the database to see if a previous request.
                     * If a request exists, check the timestamp to see if a new
                     * request can be generated, or if they will be denied
                     * because the window is too small.
                     */
                    list ($ret, $lastRequest) = UserRecoverPasswordHelper_simple::getRequestExpires(
                        $user->getUserName(), null);
                    if ($ret) {
                        return array($ret, null);
                    }

                    /*
                     * This request was made less than 20 minutes ago.  Don't update the auth
                     * string.  We'll silently succeed to thwart phishing attempts.
                     */
                    if (!empty($lastRequest)) {
                        if (($lastRequest - (7 * 24 * 60 * 60) + (20 * 60)) < time()) {
                            $ret = GalleryCoreApi::updateMapEntry(
                                'GalleryRecoverPasswordMap',
                                array('userName' => $user->getUserName()),
                                array('authString' => $authString,
                                      'requestExpires' => $requestExpires));
                            $shouldSendEmail = true;
                        }
                    } else {
                        /*
                         * Add the map entry before sending email to the user -
                         * We don't want to send them mail if the data never gets into the DB
                         */
                        $ret = GalleryCoreApi::addMapEntry(
                            'GalleryRecoverPasswordMap',
                            array('userName' => $form['userName'],
                                  'authString' => $authString,
                                  'requestExpires' => $requestExpires));
                        if ($ret) {
                            return array($ret, null);
                        }
                        $shouldSendEmail = true;
                    }

                    if (empty($error) && $shouldSendEmail) {
                        /* Generate baseUrl and recoverUrl for the email template */
                        $generator =& $gallery->getUrlGenerator();
                        $baseUrl = $generator->generateUrl(array(),
                                        array('forceFullUrl' => true, 'htmlEntities' => false,
                                              'forceSessionId' => false));
                        $recoverUrl = $generator->generateUrl(
                                        array('view' => 'core.UserAdmin',
                                              'subView' => 'core.UserRecoverPasswordConfirm',
                                              'userName' => $user->getUserName(),
                                              'authString' => $authString),
                                        array('forceFullUrl' => true, 'htmlEntities' => false,
                                              'forceSessionId' => false));

                        /* email template data */
                        $tplData = array('name' => $user->getfullName(),
                                         'baseUrl' => $baseUrl,
                                         'ip' => GalleryUtilities::getRemoteHostAddress(),
                                         'date' => date('r'),
                                         'userName' => $user->getUserName(),
                                         'recoverUrl' => $recoverUrl,
                                         );

                        /* Load core for translation */
                        list ($ret, $module) = GalleryCoreApi::loadPlugin('module', 'core');
                        if ($ret) {
                            return array($ret, null);
                        }

                        /* Send the user email based on our confirmation template */
                        $ret = GalleryCoreApi::sendTemplatedEmail(
                            'modules/core/templates/UserRecoverPasswordEmail.tpl',
                            $tplData, '', $user->getEmail(),
                            $module->translate('Password Recovery'));
                        if ($ret) {
                            return array($ret, null);
                        }
                    }

                    /* Set the recovered info flag */
                    $status['requestSent'] = 1;
                } else {
                    /* Silently succeed; we don't reward phishing attempts */
                    /* Set the recovered info flag */
                    $status['requestSent'] = 1;
                }
            }
        } else if (isset($form['action']['cancel'])) {
            $results['return'] = 1;
        }

        if (empty($subView)) {
            $subView = 'core.UserRecoverPassword';
        }

        if (empty($error)) {
            $results['redirect']['view'] = 'core.UserAdmin';
            $results['redirect']['subView'] = $subView;
        } else {
            $results['delegate']['view'] = 'core.UserAdmin';
            $results['delegate']['subView'] = $subView;
        }

        $results['status'] = $status;
        $results['error'] = $error;

        return array(null, $results);
    }

    /**
     * Generate the authorization string used for login.txt
     * @access private
     */
    function _generateAuthString() {
        GalleryCoreApi::requireOnce('lib/joomla/crypt.php');
        $j = new JCrypt();
        return md5($j->genRandomBytes(32));
    }
}

/**
 * This view shows information about password recovery
 */
class UserRecoverPasswordView extends GalleryView {

    /**
     * @see GalleryView::loadTemplate
     */
    function loadTemplate(&$template, &$form) {
        global $gallery;

        if ($form['formName'] == 'UserRecoverPassword') {
            if (empty($form['userName'])) {
                $form['error']['userName']['missing'] = 1;
            }
        } else {
            $form['userName'] = '';
            $form['formName'] = 'UserRecoverPassword';
        }

        $UserRecoverPassword = array();

        /* Get all the login plugins */
        list ($ret, $allPluginIds) =
            GalleryCoreApi::getAllFactoryImplementationIds('GalleryValidationPlugin');
        if ($ret) {
            return array($ret, null);
        }

        /* Let each plugin load its template data */
        $UserRecoverPassword['plugins'] = array();
        foreach (array_keys($allPluginIds) as $pluginId) {
            list ($ret, $plugin) =
                GalleryCoreApi::newFactoryInstanceById('GalleryValidationPlugin', $pluginId);
            if ($ret) {
                return array($ret, null);
            }

            list ($ret, $data['file'], $data['l10Domain']) = $plugin->loadTemplate($form);
            if ($ret) {
                return array($ret, null);
            }

            if (isset($data['file'])) {
                $UserRecoverPassword['plugins'][] = $data;
            }
        }

        $template->setVariable('UserRecoverPassword', $UserRecoverPassword);
        $template->setVariable('controller', 'core.UserRecoverPassword');
        return array(null, array('body' => 'modules/core/templates/UserRecoverPassword.tpl'));
    }
}
?>
1	<?php
2	/*
3	* Gallery - a web based photo album viewer and editor
4	* Copyright (C) 2000-2008 Bharat Mediratta
5	*
6	* This program is free software; you can redistribute it and/or modify
7	* it under the terms of the GNU General Public License as published by
8	* the Free Software Foundation; either version 2 of the License, or (at
9	* your option) any later version.
10	*
11	* This program is distributed in the hope that it will be useful, but
12	* WITHOUT ANY WARRANTY; without even the implied warranty of
13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14	* General Public License for more details.
15	*
16	* You should have received a copy of the GNU General Public License
17	* along with this program; if not, write to the Free Software
18	* Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
19	*/
20
21	GalleryCoreApi::requireOnce('modules/core/classes/helpers/UserRecoverPasswordHelper_simple.class');
22
23	/**
24	* This controller will handle the recovery of passwords that have been lost or forgotten
25	* by the user.
26	* @package GalleryCore
27	* @subpackage UserInterface
28	* @author Jay Rossiter <cryptographite@users.sf.net>
29	* @version $Revision$
30	*/
31	class UserRecoverPasswordController extends GalleryController {
32	/**
33	* ValidationPlugin instances to use when handling this request. Only used by test code.
34	*
35	* @var array (pluginId => ValidationPlugin) $_pluginInstances
36	* @access private
37	*/
38	var $_pluginInstances;
39
40	/**
41	* Tests can use this method to hardwire a specific set of plugin instances to use.
42	* This avoids situations where some of the option instances will do unpredictable
43	* things and derail the tests.
44	*
45	* @param array $pluginInstances of GalleryValidationPlugin
46	*/
47	function setPluginInstances($pluginInstances) {
48	$this->_pluginInstances = $pluginInstances;
49	}
50
51	/**
52	* @see GalleryController::handleRequest
53	*/
54	function handleRequest($form) {
55	global $gallery;
56
57	$status = $error = $results = array();
58
59	$phpVm = $gallery->getPhpVm();
60	if (isset($form['action']['recover'])) {
61	$form['userName'] = is_string($form['userName']) ? $form['userName'] : null;
62	if (empty($form['userName'])) {
63	$error[] = 'form[error][userName][missing]';
64	}
65
66	/* If no errors have been detected, let the validation plugins do their work */
67	if (empty($error)) {
68	if (isset($this->_pluginInstances)) {
69	$pluginInstances = $this->_pluginInstances;
70	} else {
71	/* Get all the validation plugins */
72	list ($ret, $pluginInstances) =
73	GalleryCoreApi::getAllFactoryImplementationIds('GalleryValidationPlugin');
74	if ($ret) {
75	return array($ret, null);
76	}
77
78	foreach (array_keys($pluginInstances) as $pluginId) {
79	list ($ret, $pluginInstances[$pluginId]) =
80	GalleryCoreApi::newFactoryInstanceById('GalleryValidationPlugin',
81	$pluginId);
82	if ($ret) {
83	return array($ret, null);
84	}
85	}
86	}
87
88	/* Let each plugin do its verification */
89	foreach ($pluginInstances as $plugin) {
90	list ($ret, $pluginErrors, $continue) = $plugin->performValidation($form);
91	if ($ret) {
92	return array($ret, null);
93	}
94
95	$error = array_merge($error, $pluginErrors);
96	if (!$continue) {
97	break;
98	}
99	}
100	}
101
102	/*
103	* Still no errors? Check the DB for a previous request and then
104	* update, reject or add based on the results.
105	*/
106	$shouldSendEmail = false;
107	if (empty($error)) {
108	list ($ret, $user) = GalleryCoreApi::fetchUserByUsername($form['userName']);
109	if ($ret && !($ret->getErrorCode() & ERROR_MISSING_OBJECT)) {
110	return array($ret, null);
111	}
112
113	if (isset($user) && $user->getEmail() != '') {
114	/* Generate a unique auth string based on userName, time of request and IP */
115	$authString = $this->_generateAuthString();
116
117	/* Generate the request expiration: Now + 7 Days */
118	$requestExpires = mktime(date('G'), date('i'), date('s'),
119	date('m'), date('d')+7, date('Y'));
120
121	/*
122	* Check the database to see if a previous request.
123	* If a request exists, check the timestamp to see if a new
124	* request can be generated, or if they will be denied
125	* because the window is too small.
126	*/
127	list ($ret, $lastRequest) = UserRecoverPasswordHelper_simple::getRequestExpires(
128	$user->getUserName(), null);
129	if ($ret) {
130	return array($ret, null);
131	}
132
133	/*
134	* This request was made less than 20 minutes ago. Don't update the auth
135	* string. We'll silently succeed to thwart phishing attempts.
136	*/
137	if (!empty($lastRequest)) {
138	if (($lastRequest - (7 * 24 * 60 * 60) + (20 * 60)) < time()) {
139	$ret = GalleryCoreApi::updateMapEntry(
140	'GalleryRecoverPasswordMap',
141	array('userName' => $user->getUserName()),
142	array('authString' => $authString,
143	'requestExpires' => $requestExpires));
144	$shouldSendEmail = true;
145	}
146	} else {
147	/*
148	* Add the map entry before sending email to the user -
149	* We don't want to send them mail if the data never gets into the DB
150	*/
151	$ret = GalleryCoreApi::addMapEntry(
152	'GalleryRecoverPasswordMap',
153	array('userName' => $form['userName'],
154	'authString' => $authString,
155	'requestExpires' => $requestExpires));
156	if ($ret) {
157	return array($ret, null);
158	}
159	$shouldSendEmail = true;
160	}
161
162	if (empty($error) && $shouldSendEmail) {
163	/* Generate baseUrl and recoverUrl for the email template */
164	$generator =& $gallery->getUrlGenerator();
165	$baseUrl = $generator->generateUrl(array(),
166	array('forceFullUrl' => true, 'htmlEntities' => false,
167	'forceSessionId' => false));
168	$recoverUrl = $generator->generateUrl(
169	array('view' => 'core.UserAdmin',
170	'subView' => 'core.UserRecoverPasswordConfirm',
171	'userName' => $user->getUserName(),
172	'authString' => $authString),
173	array('forceFullUrl' => true, 'htmlEntities' => false,
174	'forceSessionId' => false));
175
176	/* email template data */
177	$tplData = array('name' => $user->getfullName(),
178	'baseUrl' => $baseUrl,
179	'ip' => GalleryUtilities::getRemoteHostAddress(),
180	'date' => date('r'),
181	'userName' => $user->getUserName(),
182	'recoverUrl' => $recoverUrl,
183	);
184
185	/* Load core for translation */
186	list ($ret, $module) = GalleryCoreApi::loadPlugin('module', 'core');
187	if ($ret) {
188	return array($ret, null);
189	}
190
191	/* Send the user email based on our confirmation template */
192	$ret = GalleryCoreApi::sendTemplatedEmail(
193	'modules/core/templates/UserRecoverPasswordEmail.tpl',
194	$tplData, '', $user->getEmail(),
195	$module->translate('Password Recovery'));
196	if ($ret) {
197	return array($ret, null);
198	}
199	}
200
201	/* Set the recovered info flag */
202	$status['requestSent'] = 1;
203	} else {
204	/* Silently succeed; we don't reward phishing attempts */
205	/* Set the recovered info flag */
206	$status['requestSent'] = 1;
207	}
208	}
209	} else if (isset($form['action']['cancel'])) {
210	$results['return'] = 1;
211	}
212
213	if (empty($subView)) {
214	$subView = 'core.UserRecoverPassword';
215	}
216
217	if (empty($error)) {
218	$results['redirect']['view'] = 'core.UserAdmin';
219	$results['redirect']['subView'] = $subView;
220	} else {
221	$results['delegate']['view'] = 'core.UserAdmin';
222	$results['delegate']['subView'] = $subView;
223	}
224
225	$results['status'] = $status;
226	$results['error'] = $error;
227
228	return array(null, $results);
229	}
230
231	/**
232	* Generate the authorization string used for login.txt
233	* @access private
234	*/
235	function _generateAuthString() {
236	GalleryCoreApi::requireOnce('lib/joomla/crypt.php');
237	$j = new JCrypt();
238	return md5($j->genRandomBytes(32));
239	}
240	}
241
242	/**
243	* This view shows information about password recovery
244	*/
245	class UserRecoverPasswordView extends GalleryView {
246
247	/**
248	* @see GalleryView::loadTemplate
249	*/
250	function loadTemplate(&$template, &$form) {
251	global $gallery;
252
253	if ($form['formName'] == 'UserRecoverPassword') {
254	if (empty($form['userName'])) {
255	$form['error']['userName']['missing'] = 1;
256	}
257	} else {
258	$form['userName'] = '';
259	$form['formName'] = 'UserRecoverPassword';
260	}
261
262	$UserRecoverPassword = array();
263
264	/* Get all the login plugins */
265	list ($ret, $allPluginIds) =
266	GalleryCoreApi::getAllFactoryImplementationIds('GalleryValidationPlugin');
267	if ($ret) {
268	return array($ret, null);
269	}
270
271	/* Let each plugin load its template data */
272	$UserRecoverPassword['plugins'] = array();
273	foreach (array_keys($allPluginIds) as $pluginId) {
274	list ($ret, $plugin) =
275	GalleryCoreApi::newFactoryInstanceById('GalleryValidationPlugin', $pluginId);
276	if ($ret) {
277	return array($ret, null);
278	}
279
280	list ($ret, $data['file'], $data['l10Domain']) = $plugin->loadTemplate($form);
281	if ($ret) {
282	return array($ret, null);
283	}
284
285	if (isset($data['file'])) {
286	$UserRecoverPassword['plugins'][] = $data;
287	}
288	}
289
290	$template->setVariable('UserRecoverPassword', $UserRecoverPassword);
291	$template->setVariable('controller', 'core.UserRecoverPassword');
292	return array(null, array('body' => 'modules/core/templates/UserRecoverPassword.tpl'));
293	}
294	}
295	?>