TomaHost/Chamilo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Upgrade 1-11.38

Browse Source
This commit is contained in:
xesmyd
2026-03-30 14:10:30 +02:00
parent f2a7e6d1fc
commit ac648ef29d
24665 changed files with 69682 additions and 2205004 deletions
Download Patch File Download Diff File Expand all files Collapse all files
main/inc/lib/login.lib.php
+74 -11
View File
@@ -37,9 +37,9 @@ class Login
if ($reset) {
if ($by_username) {
$secret_word = self::get_secret_word($user['email']);
$token = self::generate_reset_token($user['uid']);
if ($reset) {
$reset_link = $portal_url."main/auth/lostPassword.php?reset=".$secret_word."&id=".$user['uid'];
$reset_link = $portal_url."main/auth/lostPassword.php?reset=".$token."&id=".$user['uid'];
$reset_link = Display::url($reset_link, $reset_link);
} else {
$reset_link = get_lang('Pass')." : $user[password]";
@@ -53,9 +53,9 @@ class Login
}
} else {
foreach ($user as $this_user) {
$secret_word = self::get_secret_word($this_user['email']);
$token = self::generate_reset_token($this_user['uid']);
if ($reset) {
$reset_link = $portal_url."main/auth/lostPassword.php?reset=".$secret_word."&id=".$this_user['uid'];
$reset_link = $portal_url."main/auth/lostPassword.php?reset=".$token."&id=".$this_user['uid'];
$reset_link = Display::url($reset_link, $reset_link);
} else {
$reset_link = get_lang('Pass')." : $this_user[password]";
@@ -248,9 +248,36 @@ class Login
*
* @author Olivier Cauberghe <olivier.cauberghe@UGent.be>, Ghent University
*/
/**
* Generate a cryptographically random reset token for the given user,
* store it (with a timestamp) in the database, and return it.
*
* @param int $userId
*
* @return string The hex token
*/
public static function generate_reset_token($userId)
{
$token = bin2hex(random_bytes(32));
$em = Database::getManager();
/** @var User $user */
$user = $em->find('ChamiloUserBundle:User', (int) $userId);
if ($user) {
$user->setConfirmationToken($token);
$user->setPasswordRequestedAt(new \DateTime());
$em->persist($user);
$em->flush();
}
return $token;
}
/**
* @deprecated Use generate_reset_token() instead.
*/
public static function get_secret_word($add)
{
return $secret_word = sha1($add);
return sha1($add);
}
/**
@@ -285,15 +312,51 @@ class Login
return get_lang('CouldNotResetPassword');
}
if (self::get_secret_word($user['email']) == $secret) {
// OK, secret word is good. Now change password and mail it.
$user['password'] = api_generate_password();
UserManager::updatePassword($id, $user['password']);
// Validate token against the stored confirmation_token.
$em = Database::getManager();
/** @var User $dbUser */
$dbUser = $em->find('ChamiloUserBundle:User', $id);
return self::send_password_to_user($user, $by_username);
if (!$dbUser) {
return get_lang('CouldNotResetPassword');
}
return get_lang('NotAllowed');
$storedToken = $dbUser->getConfirmationToken();
$requestedAt = $dbUser->getPasswordRequestedAt();
// Token must exist (a reset must have been requested first).
if (empty($storedToken) || empty($requestedAt)) {
return get_lang('NotAllowed');
}
// Token expires after 1 hour.
$expiresAt = clone $requestedAt;
$expiresAt->modify('+1 hour');
if (new \DateTime() > $expiresAt) {
// Clear expired token.
$dbUser->setConfirmationToken(null);
$dbUser->setPasswordRequestedAt(null);
$em->persist($dbUser);
$em->flush();
return get_lang('NotAllowed');
}
// Timing-safe comparison.
if (!hash_equals($storedToken, $secret)) {
return get_lang('NotAllowed');
}
// Token is valid — change the password and clear the token.
$user['password'] = api_generate_password();
UserManager::updatePassword($id, $user['password']);
$dbUser->setConfirmationToken(null);
$dbUser->setPasswordRequestedAt(null);
$em->persist($dbUser);
$em->flush();
return self::send_password_to_user($user, $by_username);
}
/**