223 lines
No EOL
9.6 KiB
PHP
223 lines
No EOL
9.6 KiB
PHP
<?php
|
|
if (!defined('SVRJS_MOD_DIRECTORY')) die;
|
|
|
|
$errorMessage = null;
|
|
$emailChanged = false;
|
|
$passwordChanged = false;
|
|
$emailRequestID = null;
|
|
|
|
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
|
|
if (!isset($_POST['_csrf']) || $_POST['_csrf'] != $_SESSION['csrf']) {
|
|
$errorMessage = "Potential CSRF attack detected.";
|
|
} elseif (!isset($_POST['action'])) {
|
|
$errorMessage = "No action specified.";
|
|
} elseif ($_POST['action'] == "changepassword") {
|
|
if (!isset($_POST['oldpassword'], $_POST['password'], $_POST['password2']) || !$_POST['oldpassword'] || !$_POST['password'] || !$_POST['password2']) {
|
|
$errorMessage = "You need to input passwords.";
|
|
} elseif (!password_verify($_POST['oldpassword'], $userData['password'])) {
|
|
$errorMessage = "The current password is wrong.";
|
|
} elseif ($_POST['password'] != $_POST['password2']) {
|
|
$errorMessage = "Passwords don't match.";
|
|
} else {
|
|
$statement = $connection->prepare("UPDATE users SET password = ? WHERE id = ?");
|
|
|
|
if (!$statement) {
|
|
$errorMessage = "An unexpected error occurred while changing the password.";
|
|
} else {
|
|
$hashedPassword = password_hash($_POST['password'], PASSWORD_DEFAULT);
|
|
$statement->bind_param('si', $hashedPassword, $userData['id']);
|
|
if (!$statement->execute()) {
|
|
$errorMessage = "An unexpected error occurred while changing the password.";
|
|
} else {
|
|
$passwordChanged = true;
|
|
}
|
|
$statement->close();
|
|
}
|
|
}
|
|
} elseif ($_POST['action'] == "changeemail") {
|
|
if (!isset($_POST['password'], $_POST['email']) || !$_POST['password'] || !$_POST['email']) {
|
|
$errorMessage = "You need to input fields.";
|
|
} elseif (!password_verify($_POST['password'], $userData['password'])) {
|
|
$errorMessage = "The password is wrong.";
|
|
} elseif (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
|
|
$errorMessage = "Invalid email address.";
|
|
} elseif ($_POST['email'] == $userData['email']) {
|
|
$errorMessage = "New email address is the same as the old one.";
|
|
} else {
|
|
$statement = $connection->prepare('SELECT email FROM users WHERE email = ?;');
|
|
if (!$statement) {
|
|
$errorMessage = "An unexpected error occurred while changing the email address.";
|
|
} else {
|
|
$statement->bind_param('s', $_POST['email']);
|
|
$statement->execute();
|
|
$result = $statement->get_result();
|
|
if (!$result) {
|
|
$errorMessage = "An unexpected error occurred while changing the email address.";
|
|
$statement->close();
|
|
} else {
|
|
$emailExists = boolval($result->fetch_assoc());
|
|
$statement->close();
|
|
if ($emailExists) {
|
|
$errorMessage = "Someone else already uses the email address.";
|
|
} else {
|
|
|
|
|
|
$emailRequestIDError = false;
|
|
|
|
while (!$emailRequestID) {
|
|
$tempEmailRequestID = "";
|
|
if (function_exists('random_bytes')) {
|
|
$tempEmailRequestID = bin2hex(random_bytes(32));
|
|
} else {
|
|
$tempEmailRequestID = '';
|
|
for ($i = 0; $i < 32; $i++) {
|
|
$tempEmailRequestID = $tempEmailRequestID . bin2hex(rand(0, 255));
|
|
}
|
|
}
|
|
|
|
$statement = $connection->prepare("SELECT id FROM requests_email WHERE id = ?");
|
|
if (!$statement) {
|
|
$emailRequestIDError = true;
|
|
$errorMessage = "An unexpected error occurred while changing the email address.";
|
|
break;
|
|
} else {
|
|
$statement->bind_param('s', $tempEmailRequestID);
|
|
$statement->execute();
|
|
$emailRequestIDExistsResult = $statement->get_result();
|
|
if (!$emailRequestIDExistsResult) {
|
|
$emailRequestIDError = true;
|
|
$errorMessage = "An unexpected error occurred while changing the email address.";
|
|
$statement->close();
|
|
break;
|
|
} else {
|
|
$emailRequestIDExists = boolval($emailRequestIDExistsResult->fetch_assoc());
|
|
$statement->close();
|
|
if (!$emailRequestIDExists) {
|
|
$emailRequestID = $tempEmailRequestID;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if (!$emailRequestIDError) {
|
|
$statement = $connection->prepare("REPLACE INTO requests_email (
|
|
id,
|
|
email,
|
|
user,
|
|
request_date
|
|
) VALUES (
|
|
?,
|
|
?,
|
|
?,
|
|
NOW()
|
|
)");
|
|
if (!$statement) {
|
|
$errorMessage = "An unexpected error occurred while changing the email address.";
|
|
} else {
|
|
$statement->bind_param('ssi', $emailRequestID, $_POST['email'], $userData['id']);
|
|
if (!$statement->execute()) {
|
|
$errorMessage = "An unexpected error occurred while changing the email address.";
|
|
} else {
|
|
$sent = sendEmail(
|
|
[[
|
|
"name" => $userData['username'],
|
|
"address" => $_POST['email']
|
|
]],
|
|
'Email address change request',
|
|
"You have requested the change of your email address on SVR.JS Mods directory. Copy and paste the link below to change the email address. The link will expire after one day.\n\n" . str_replace(["\r\n", "\n", "\r"], "", (isset($_SERVER['HTTPS']) ? 'https://' : 'http://') . (isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : (isset($_SERVER['SERVER_ADDR']) ? $_SERVER['SERVER_ADDR'] : 'localhost')) . (URL_REWRITTEN ? APP_ROOT : APP_ROOT . APP_FILENAME . '/') . 'confirm-email?id=' . urlencode($emailRequestID))
|
|
);
|
|
if (!$sent) {
|
|
$errorMessage = "An unexpected error occurred while changing the email address.";
|
|
} else {
|
|
$emailChanged = true;
|
|
}
|
|
}
|
|
$statement->close();
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
} else {
|
|
$errorMessage = "Unknown action specified.";
|
|
}
|
|
}
|
|
|
|
if ($emailChanged) {
|
|
$pageTitle = "Email address change request sent";
|
|
$pageDescription = "Check your inbox for the request.";
|
|
} elseif ($passwordChanged) {
|
|
$pageTitle = "Password changed";
|
|
$pageDescription = "Your password has been changed.";
|
|
} else {
|
|
$pageTitle = "Change user data";
|
|
$pageDescription = "Change your user data in SVR.JS Mods directory.";
|
|
}
|
|
include 'header.php';
|
|
?>
|
|
<main class="content">
|
|
<?php if ($emailChanged) { ?>
|
|
<h1>Email address change request sent</h1>
|
|
<p>Check your inbox for the request.</p>
|
|
<?php } elseif ($passwordChanged) { ?>
|
|
<h1>Password changed</h1>
|
|
<p>Your password has been changed.</p>
|
|
<p><a href="<?php echo htmlspecialchars((URL_REWRITTEN ? APP_ROOT : APP_ROOT . APP_FILENAME . '/') . 'user/' . $userData['username']); ?>" class="btn">View your profile</a></p>
|
|
<?php } else { ?>
|
|
<h1>Change user data</h1>
|
|
<?php if ($errorMessage) echo '<p class="form-error">' . htmlspecialchars($errorMessage) . '</p>'; ?>
|
|
<h2>Change password</h2>
|
|
<form action="<?php echo htmlspecialchars((URL_REWRITTEN ? APP_ROOT : APP_ROOT . APP_FILENAME . '/') . 'change-user-data') ?>" method="post" class="form" enctype="multipart/form-data">
|
|
<div class="form-block">
|
|
<label for="oldpassword">Current password:</label>
|
|
<input type="password" name="oldpassword" id="oldpassword" required>
|
|
</div>
|
|
<div class="form-block">
|
|
<label for="password">New password:</label>
|
|
<input type="password" name="password" id="password" required>
|
|
<p>Password strength: <span id="password-strength"></span></p>
|
|
</div>
|
|
<div class="form-block">
|
|
<label for="password2">Confirm password:</label>
|
|
<input type="password" name="password2" id="password2" required>
|
|
</div>
|
|
<div class="form-block">
|
|
<input type="submit" value="Change password">
|
|
</div>
|
|
<input type="hidden" name="_csrf" value="<?php echo htmlspecialchars($_SESSION['csrf']) ?>">
|
|
<input type="hidden" name="action" value="changepassword">
|
|
</form>
|
|
<h2>Change email address</h2>
|
|
<form action="<?php echo htmlspecialchars((URL_REWRITTEN ? APP_ROOT : APP_ROOT . APP_FILENAME . '/') . 'change-user-data') ?>" method="post" class="form" enctype="multipart/form-data">
|
|
<div class="form-block">
|
|
<label for="password3">Password:</label>
|
|
<input type="password" name="password" id="password3" required>
|
|
</div>
|
|
<div class="form-block">
|
|
<label for="email">New email address:</label>
|
|
<input type="email" name="email" id="email" maxlength="255" placeholder="<?php echo htmlspecialchars($userData['email']) ?>" required>
|
|
</div>
|
|
<div class="form-block">
|
|
<input type="submit" value="Change email address">
|
|
</div>
|
|
<input type="hidden" name="_csrf" value="<?php echo htmlspecialchars($_SESSION['csrf']) ?>">
|
|
<input type="hidden" name="action" value="changeemail">
|
|
</form>
|
|
<?php } ?>
|
|
</main>
|
|
<?php
|
|
$passwordStrengthMeter = !$emailChanged && !$passwordChanged;
|
|
include 'footer.php';
|
|
|
|
if ($passwordChanged) {
|
|
sendEmail(
|
|
[[
|
|
"name" => $userData['username'],
|
|
"address" => $userData['email']
|
|
]],
|
|
'Your password has been changed.',
|
|
"Your password has been changed. If you did it, you are safe - you can ignore the message. If not, contact the administrator of SVR.JS Mods directory immediately, as your account might be compromised."
|
|
);
|
|
}
|
|
?>
|