Manager/pages/password.php

<?php
    if($_SERVER['REQUEST_METHOD'] == 'POST') {
        if(!isset($_SESSION['LOGIN']) || !isset($_SESSION['UUID'])) {
            header('Location: index.php');
            die();
        }

        include 'app/FormValidator.php';
        $validator = new FormValidator(array(
            'oldPassword' => array('required' => true, 'regex' => '/.{1,1000}/'),
            'newPassword' => array('required' => true, 'regex' => '/.{1,1000}/'),
            'newPasswordRepeat' => array('required' => true, 'regex' => '/.{1,1000}/')
        ));

        if($validator->isValid($_POST)) {
            if($_POST['newPasswordRepeat'] == $_POST['newPassword']) {
                if(password_verify($_POST['oldPassword'], $_SESSION['PASSWORD'])) {
                    $hash = password_hash($NewPassword, PASSWORD_ARGON2ID);
                    $statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash WHERE UUID = :PrincipalID'); 
                    $statement->execute(['PasswordHash' => $hash, 'PrincipalID' => $_SESSION['UUID']]);
                    $_SESSION['PASSWORD'] = $hash;
                    $_SESSION['pw_info'] = 'Neues Passwort gespeichert.';
                }
                else {
                    $_SESION['pw_info'] = 'Das alte Passwort ist nicht richtig!';
                }
            }
            else {
                $_SESSION['pw_info'] = 'Die neuen Passwörter stimmen nicht überein!';
            }
        }
        else {
            $_SESSION['pw_info'] = 'Bitte fülle das Formular vollständig aus.';
        }

        header('Location: index.php?page=password');
        die();
    }

    $HTML->setHTMLTitle("Passwort ändern");
    $HTML->importSeitenInhalt("profile.html");

    include 'app/OpenSim.php';
    $opensim = new OpenSim();

    $PartnerName = "";
    $PartnerUUID = $opensim->getPartner($_SESSION['UUID']);
    if($PartnerUUID != null)$PartnerName = $opensim->getUserName($PartnerUUID);

    $HTML->ReplaceSeitenInhalt("%%offlineIMSTATE%%", ' '); 
    $HTML->ReplaceSeitenInhalt("%%firstname%%", htmlspecialchars($_SESSION['FIRSTNAME'])); 
    $HTML->ReplaceSeitenInhalt("%%lastname%%", htmlspecialchars($_SESSION['LASTNAME'])); 
    $HTML->ReplaceSeitenInhalt("%%partner%%", htmlspecialchars($PartnerName)); 
    $HTML->ReplaceSeitenInhalt("%%email%%", htmlspecialchars($opensim->getUserMail($_SESSION['UUID']))); 
    $HTML->ReplaceSeitenInhalt("%%listAllResidentsAsJSArray%%", "");

    $pwInfo = '';
    if(isset($_SESSION['pw_info'])) {
        $pwInfo = $_SESSION['pw_info'];
        unset($_SESSION['pw_info']);
    }
    $HTML->ReplaceSeitenInhalt("%%INFOMESSAGE%%", $pwInfo);
    
    $HTML->build();
    echo $HTML->ausgabe();
?>
add password change 2020-08-02 02:44:32 +00:00			`<?php`
Fix POST request handling in dashboard forms 2023-08-23 16:16:35 +00:00			`if($_SERVER['REQUEST_METHOD'] == 'POST') {`
Use POST for password changes, validate input 2023-08-23 16:16:35 +00:00			`if(!isset($_SESSION['LOGIN']) \|\| !isset($_SESSION['UUID'])) {`
			`header('Location: index.php');`
			`die();`
			`}`
add password change 2020-08-02 02:44:32 +00:00
Fix POST request handling in dashboard forms 2023-08-23 16:16:35 +00:00			`include 'app/FormValidator.php';`
Use POST for password changes, validate input 2023-08-23 16:16:35 +00:00			`$validator = new FormValidator(array(`
Fix password form regexes 2023-08-23 16:16:35 +00:00			`'oldPassword' => array('required' => true, 'regex' => '/.{1,1000}/'),`
			`'newPassword' => array('required' => true, 'regex' => '/.{1,1000}/'),`
			`'newPasswordRepeat' => array('required' => true, 'regex' => '/.{1,1000}/')`
Use POST for password changes, validate input 2023-08-23 16:16:35 +00:00			`));`
Always redirect after making changes 2023-08-23 16:16:34 +00:00
Use POST for password changes, validate input 2023-08-23 16:16:35 +00:00			`if($validator->isValid($_POST)) {`
			`if($_POST['newPasswordRepeat'] == $_POST['newPassword']) {`
			`if(password_verify($_POST['oldPassword'], $_SESSION['PASSWORD'])) {`
			`$hash = password_hash($NewPassword, PASSWORD_ARGON2ID);`
			`$statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash WHERE UUID = :PrincipalID');`
			`$statement->execute(['PasswordHash' => $hash, 'PrincipalID' => $_SESSION['UUID']]);`
			`$_SESSION['PASSWORD'] = $hash;`
			`$_SESSION['pw_info'] = 'Neues Passwort gespeichert.';`
			`}`
			`else {`
			`$_SESION['pw_info'] = 'Das alte Passwort ist nicht richtig!';`
add password change 2020-08-02 02:44:32 +00:00			`}`
			`}`
Use POST for password changes, validate input 2023-08-23 16:16:35 +00:00			`else {`
			`$_SESSION['pw_info'] = 'Die neuen Passwörter stimmen nicht überein!';`
			`}`
			`}`
			`else {`
			`$_SESSION['pw_info'] = 'Bitte fülle das Formular vollständig aus.';`
add password change 2020-08-02 02:44:32 +00:00			`}`
Use POST for password changes, validate input 2023-08-23 16:16:35 +00:00
			`header('Location: index.php?page=password');`
			`die();`
add password change 2020-08-02 02:44:32 +00:00			`}`

Use POST for password changes, validate input 2023-08-23 16:16:35 +00:00			`$HTML->setHTMLTitle("Passwort ändern");`
			`$HTML->importSeitenInhalt("profile.html");`

Fix include/template paths 2023-08-23 16:16:35 +00:00			`include 'app/OpenSim.php';`
Only include and construct OpenSim when needed 2023-08-23 16:16:35 +00:00			`$opensim = new OpenSim();`

fix pw page 2020-08-04 10:08:41 +00:00			`$PartnerName = "";`
Only include and construct OpenSim when needed 2023-08-23 16:16:35 +00:00			`$PartnerUUID = $opensim->getPartner($_SESSION['UUID']);`
			`if($PartnerUUID != null)$PartnerName = $opensim->getUserName($PartnerUUID);`
fix pw page 2020-08-04 10:08:41 +00:00
			`$HTML->ReplaceSeitenInhalt("%%offlineIMSTATE%%", ' ');`
Always encode user input before including in HTML 2023-08-23 16:16:34 +00:00			`$HTML->ReplaceSeitenInhalt("%%firstname%%", htmlspecialchars($_SESSION['FIRSTNAME']));`
			`$HTML->ReplaceSeitenInhalt("%%lastname%%", htmlspecialchars($_SESSION['LASTNAME']));`
			`$HTML->ReplaceSeitenInhalt("%%partner%%", htmlspecialchars($PartnerName));`
Only include and construct OpenSim when needed 2023-08-23 16:16:35 +00:00			`$HTML->ReplaceSeitenInhalt("%%email%%", htmlspecialchars($opensim->getUserMail($_SESSION['UUID'])));`
Always redirect after making changes 2023-08-23 16:16:34 +00:00			`$HTML->ReplaceSeitenInhalt("%%listAllResidentsAsJSArray%%", "");`

Use POST for password changes, validate input 2023-08-23 16:16:35 +00:00			`$pwInfo = '';`
			`if(isset($_SESSION['pw_info'])) {`
			`$pwInfo = $_SESSION['pw_info'];`
			`unset($_SESSION['pw_info']);`
Always redirect after making changes 2023-08-23 16:16:34 +00:00			`}`
Use POST for password changes, validate input 2023-08-23 16:16:35 +00:00			`$HTML->ReplaceSeitenInhalt("%%INFOMESSAGE%%", $pwInfo);`
add password change 2020-08-02 02:44:32 +00:00
			`$HTML->build();`
			`echo $HTML->ausgabe();`
			`?>`