From f19e186cd39dd4ddad4030869f7b6cd251675d60 Mon Sep 17 00:00:00 2001 From: Anonymous Contributor Date: Wed, 23 Aug 2023 18:16:36 +0200 Subject: [PATCH] Let admins generate password reset links --- pages/users.php | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/pages/users.php b/pages/users.php index 1dc9d36..4b8603f 100644 --- a/pages/users.php +++ b/pages/users.php @@ -22,14 +22,13 @@ )); if($validator->isValid($_POST)) { - $NEWPW = substr(str_shuffle(str_repeat($x='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', ceil(10/strlen($x)) )),1,10); // Generate random password (10 characters) - $salt = bin2hex(random_bytes(16)); - $hash = md5(md5($NEWPW).':'.$salt); - - $statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash, passwordSalt = :PasswordSalt WHERE UUID = :PrincipalID'); - $statement->execute(['PasswordHash' => $hash, 'PasswordSalt' => $salt, 'PrincipalID' => $_REQUEST['userid']]); + require_once 'app/utils.php'; + $token = generateToken(32); + $setToken = $RUNTIME['PDO']->prepare('REPLACE INTO PasswordResetTokens(PrincipalID,Token,RequestTime) VALUES(?,?,?)'); + $setToken->execute([$_POST['userid'], $token, time()]); + $resetLink = "https://".$RUNTIME['DOMAIN'].'/index.php?page=reset-password&token='.$token; - $HTML->ReplaceSeitenInhalt("%%MESSAGE%%", ''); + $HTML->ReplaceSeitenInhalt("%%MESSAGE%%", ''); } } else if(isset($_POST['generateLink'])) { @@ -57,7 +56,7 @@ while($row = $statement->fetch()) { - $entry = ''.htmlspecialchars($row['FirstName']).''.htmlspecialchars($row['LastName']).''.htmlspecialchars($row['UserLevel']).'
%%CSRF%%
'; + $entry = ''.htmlspecialchars($row['FirstName']).''.htmlspecialchars($row['LastName']).''.htmlspecialchars($row['UserLevel']).'
%%CSRF%%
'; $table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table); }