1
0
Fork 0

Let admins generate password reset links

master
Anonymous Contributor 2023-08-23 18:16:36 +02:00
parent 0991d5a487
commit f19e186cd3
1 changed files with 7 additions and 8 deletions

View File

@ -22,14 +22,13 @@
)); ));
if($validator->isValid($_POST)) { if($validator->isValid($_POST)) {
$NEWPW = substr(str_shuffle(str_repeat($x='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', ceil(10/strlen($x)) )),1,10); // Generate random password (10 characters) require_once 'app/utils.php';
$salt = bin2hex(random_bytes(16)); $token = generateToken(32);
$hash = md5(md5($NEWPW).':'.$salt); $setToken = $RUNTIME['PDO']->prepare('REPLACE INTO PasswordResetTokens(PrincipalID,Token,RequestTime) VALUES(?,?,?)');
$setToken->execute([$_POST['userid'], $token, time()]);
$resetLink = "https://".$RUNTIME['DOMAIN'].'/index.php?page=reset-password&token='.$token;
$statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash, passwordSalt = :PasswordSalt WHERE UUID = :PrincipalID'); $HTML->ReplaceSeitenInhalt("%%MESSAGE%%", '<div class="alert alert-danger" role="alert">Das Passwort für '.htmlspecialchars($opensim->getUserName($_REQUEST['userid'])).' kann in den nächsten 24 Stunden über diesen Link zurückgesetzt werden: <b>'.$resetLink.'</b></div>');
$statement->execute(['PasswordHash' => $hash, 'PasswordSalt' => $salt, 'PrincipalID' => $_REQUEST['userid']]);
$HTML->ReplaceSeitenInhalt("%%MESSAGE%%", '<div class="alert alert-danger" role="alert">Das Passwort für '.htmlspecialchars($opensim->getUserName($_REQUEST['userid'])).' wurde geändert. Das neue Passwort ist <b>'.htmlspecialchars($NEWPW).'</b></div>');
} }
} }
else if(isset($_POST['generateLink'])) { else if(isset($_POST['generateLink'])) {
@ -57,7 +56,7 @@
while($row = $statement->fetch()) while($row = $statement->fetch())
{ {
$entry = '<tr><td>'.htmlspecialchars($row['FirstName']).'</td><td>'.htmlspecialchars($row['LastName']).'</td><td>'.htmlspecialchars($row['UserLevel']).'</td><td><form action="index.php?page=users" method="post">%%CSRF%%<input type="hidden" name="userid" value="'.htmlspecialchars($row['PrincipalID']).'"><button type="submit" name="genpw" class="btn btn-link btn-sm">PASSWORT ÄNDERN</button></form></td></tr>'; $entry = '<tr><td>'.htmlspecialchars($row['FirstName']).'</td><td>'.htmlspecialchars($row['LastName']).'</td><td>'.htmlspecialchars($row['UserLevel']).'</td><td><form action="index.php?page=users" method="post">%%CSRF%%<input type="hidden" name="userid" value="'.htmlspecialchars($row['PrincipalID']).'"><button type="submit" name="genpw" class="btn btn-link btn-sm">PASSWORT ZURÜCKSETZEN</button></form></td></tr>';
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table); $table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
} }