
view app/main/index/_action/reset_password.lua @ 224:bf735d8095aa

Fixed security-related bug: security tokens were exposed through trace output.
author bsw
date Tue May 17 03:23:16 2011 +0200 (2011-05-17)
parents 8d91bccab0bf
children 75ce92899049
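-- Password-reset action.
-- Without a "secret" parameter it issues a fresh reset secret for the member
-- identified by "login" and mails it to the member's notify_email; with a
-- "secret" parameter it validates the secret and sets the submitted password.
-- Returns false (after writing an "error" slot) on any rejected request.

-- Trace output must be off before anything else runs, so the reset secret
-- generated below never shows up in it.
trace.disable()

local secret = param.get("secret")

if not secret then
  -- Phase 1: request a reset link.
  -- Only a member with no live secret (none set, or an expired one) matches;
  -- a pending, unexpired secret is therefore not silently replaced.
  local member = Member:new_selector()
    :add_where{ "login = ?", param.get("login") }
    :add_where("password_reset_secret ISNULL OR password_reset_secret_expiry < now()")
    :optional_object_mode()
    :exec()

  if member then
    if not member.notify_email then
      slot.put_into("error", _"Sorry, but there is not confirmed email address for your account. Please contact the administrator or support.")
      return false
    end

    -- 24 characters from an alphabet without 0/O, 1/I/l, so the code can be
    -- read from the mail and typed by hand without ambiguity.
    member.password_reset_secret = multirand.string( 24, "23456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz" )
    -- Expiry is computed by the database, so it is relative to the DB clock
    -- that the expiry comparisons above and below also use.
    local expiry = db:query("SELECT now() + '1 days'::interval as expiry", "object").expiry
    member.password_reset_secret_expiry = expiry
    member:save()

    -- Render the mail body into a temporary slot instead of the response.
    local content = slot.use_temporary(function()
      slot.put(_"Hello " .. member.name .. ",\n\n")
      slot.put(_"to reset your password please click on the following link:\n\n")
      -- NOTE(review): the secret travels in the URL query string, so it can
      -- end up in web-server logs, proxies and browser history for its
      -- one-day lifetime; the expiry and the single-use clearing below limit
      -- that exposure but do not remove it.
      slot.put(config.absolute_base_url .. "index/reset_password.html?secret=" .. member.password_reset_secret .. "\n\n")
      slot.put(_"If this link is not working, please open following url in your web browser:\n\n")
      slot.put(config.absolute_base_url .. "index/reset_password.html\n\n")
      slot.put(_"On that page please enter the reset code:\n\n")
      slot.put(member.password_reset_secret .. "\n\n")
    end)

    -- NOTE(review): the return value of net.send_mail is not inspected; a
    -- failed send still leaves the secret stored and the notice below shown.
    local success = net.send_mail{
      envelope_from = config.mail_envelope_from,
      from = config.mail_from,
      reply_to = config.mail_reply_to,
      to = member.notify_email,
      subject = config.mail_subject_prefix .. _"Password reset request",
      content_type = "text/plain; charset=UTF-8",
      content = content
    }
  end

  -- Emitted whether or not a member matched, presumably so the response
  -- does not reveal which logins exist.
  slot.put_into("notice", _"Reset link has been send for this member")

else
  -- Phase 2: redeem a reset secret.
  -- The secret is matched by a parameterized query and must still be unexpired.
  local member = Member:new_selector()
    :add_where{ "password_reset_secret = ?", secret }
    :add_where{ "password_reset_secret_expiry > now()" }
    :optional_object_mode()
    :exec()

  if not member then
    slot.put_into("error", _"Reset code is invalid!")
    return false
  end

  local password1 = param.get("password1")
  local password2 = param.get("password2")

  if password1 ~= password2 then
    slot.put_into("error", _"Passwords don't match!")
    return false
  end

  -- Both passwords may be absent (nil == nil passes the check above); the
  -- nil guard keeps `#password1` from raising on a missing parameter and
  -- reports it as a too-short password instead.
  if not password1 or #password1 < 8 then
    slot.put_into("error", _"Passwords must consist of at least 8 characters!")
    return false
  end

  member:set_password(password1)
  -- Clearing both fields makes the secret single-use.
  member.password_reset_secret = nil
  member.password_reset_secret_expiry = nil
  member:save()

  slot.put_into("notice", _"Password has been reset successfully")

end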
