fixes #2281 add two default conf for reset and activation link

When a password activation or reset link is generated, the link expiry time is now defined in two conf: $conf[’password_reset_duration‘] with a default time of one hour and $conf[’password_activation_duration‘] with a default time of 72 hours.
2025-04-26 11:19:55 +03:00 · 2024-11-20 17:09:26 +01:00 · 2024-11-20 17:09:26 +01:00 · 34296598d4
commit 34296598d4
parent 431cb4b7b4
10 changed files with 72 additions and 37 deletions
--- a/admin/themes/default/js/user_list.js
+++ b/admin/themes/default/js/user_list.js
@ -2215,8 +2215,9 @@ function send_new_user_password(user_id, mail) {
    $.ajax({
        url: "ws.php?format=json",
        dataType: "json",
        type: "POST",
        data:{
-            method: 'pwg.users.generateResetPasswordLink',
+            method: 'pwg.users.generatePasswordLink',
            user_id: user_id,
            send_by_mail: send_by_mail,
            pwg_token: pwg_token
@ -2228,12 +2229,14 @@ function send_new_user_password(user_id, mail) {
                $('#AddUserFieldContainer').hide();
                $('#AddUserSuccessContainer').fadeIn();
                $('#AddUserPasswordLink').val(response.result.generated_link).trigger('focus');
-                $('#AddUserTextField').html(send_by_mail ? sprintf(validLinkMail, `<b>${mail}</b>`) : validLinkWithoutMail);
+                $('#AddUserTextField').html(send_by_mail 
                    ? sprintf(validLinkMail, response.result.time_validation, `<b>${mail}</b>`) 
                    : sprintf(validLinkWithoutMail, response.result.time_validation));
                if(send_by_mail && !response.result.send_by_mail) {
                    $('#AddUserUpdated').removeClass('icon-green border-green icon-ok').addClass('icon-red-error icon-cancel');
                    $('#AddUserUpdatedText').html(errorMailSent);
-                    $('#AddUserTextField').html(errorMailSentMsg);
+                    $('#AddUserTextField').html(sprintf(errorMailSentMsg, response.result.time_validation));
                } else if (send_by_mail && response.result.send_by_mail) {
                    password_container.hide();
                }
@ -2316,8 +2319,9 @@ function send_link_password(email, username, user_id, send_by_mail) {
    $.ajax({
        url: "ws.php?format=json",
        dataType: "json",
        type: "POST",
        data: {
-            method: 'pwg.users.generateResetPasswordLink',
+            method: 'pwg.users.generatePasswordLink',
            user_id: user_id,
            send_by_mail: send_by_mail,
            pwg_token: pwg_token
--- a/admin/themes/default/template/user_list.tpl
+++ b/admin/themes/default/template/user_list.tpl
@ -45,9 +45,9 @@ const mainUserUpgradeWebmaster = "{'This user must first be defined as the webma
 const errorStr = "{'an error happened'|@translate|escape:javascript}";
 const copyLinkStr = "{'Copied link'|@translate|escape:javascript}";
 const cantCopy = "{'You cannot copy the password if the connection to this site is not secure.'|@translate|escape:javascript}";
-const validLinkMail = "{'An activation link valid for 1 hour has been sent to "%s". If the user doesn\'t receive the link, you can generate and copy a new one by editing the user and managing her password.'|@translate|escape:javascript}";
+const validLinkMail = "{'An activation link valid for %s has been sent to "%s". If the user doesn\'t receive the link, you can generate and copy a new one by editing the user and managing her password.'|@translate|escape:javascript}";
 const validLinkWithoutMail = "{'Copy the link below and send it to the user so the password can be set.'|@translate|escape:javascript}";
-const errorMailSentMsg = "{'An activation link valid for 1 hour was created but could not be sent. You can now copy the link below and send it to the user.'|@translate|escape:javascript}";
+const errorMailSentMsg = "{'An activation link valid for %s was created but could not be sent. You can now copy the link below and send it to the user.'|@translate|escape:javascript}";
 const registered_str = '{"Registered"|@translate|escape:javascript}';
 const last_visit_str = '{"Last visit"|@translate|escape:javascript}';
--- a/include/config_default.inc.php
+++ b/include/config_default.inc.php
@ -599,6 +599,14 @@ $conf['browser_language'] = true;
 // If false it'll be redirected from index.php to identification.php
 $conf['guest_access'] = true;
 // password_reset_duration : defines the validity duration (in seconds) of a 
 // password reset link. Default value is one hour (3600 seconds).
 $conf['password_reset_duration'] = 60*60;
 // password_activation_duration : defines the validity duration (in seconds) 
 // of an password activation link. Default value is 72 hours (259200 seconds).
 $conf['password_activation_duration'] = 3*24*60*60;
 // +-----------------------------------------------------------------------+
 // |                               history                                 |
 // +-----------------------------------------------------------------------+
--- a/include/functions_mail.inc.php
+++ b/include/functions_mail.inc.php
@ -1010,11 +1010,12 @@ function pwg_send_mail_test($success, $mail, $args)
 * Return the content mail to send
 * @since 15
 * @param string $username
- * @param string $reset_password_link
+ * @param string $password_link
 * @param string $gallery_title
- * @return string mail content
+ * @param string $remaining_time
 * @return array mail content
 */
-function pwg_generate_reset_password_mail($username, $reset_password_link, $gallery_title)
+function pwg_generate_reset_password_mail($username, $password_link, $gallery_title, $remaining_time)
 {
  set_make_full_url();
@ -1026,7 +1027,8 @@ function pwg_generate_reset_password_mail($username, $reset_password_link, $gall
    );
  $message.= "\r\n\r\n";
  $message.= l10n('To reset your password, visit the following address:') . "\r\n";
-  $message.= $reset_password_link;
+  $message.= $password_link . "\r\n";
  $message.= l10n('This link is valid for %s. After this time, you will need to request a new link.', $remaining_time);
  $message.= "\r\n\r\n";
  $message.= l10n('If this was a mistake, just ignore this email and nothing will happen.')."\r\n";
@ -1047,11 +1049,12 @@ function pwg_generate_reset_password_mail($username, $reset_password_link, $gall
 * Return the content mail to send
 * @since 15
 * @param string $username
- * @param string $reset_password_link
+ * @param string $password_link
 * @param string $gallery_title
- * @return string mail content
+ * @param string $remaining_time
 * @return array mail content
 */
-function pwg_generate_set_password_mail($username, $set_password_link, $gallery_title)
+function pwg_generate_set_password_mail($username, $set_password_link, $gallery_title, $remaining_time)
 {
  set_make_full_url();
@ -1063,7 +1066,8 @@ function pwg_generate_set_password_mail($username, $set_password_link, $gallery_
    );
  $message.= "\r\n\r\n";
  $message.= l10n('To set your password, visit the following address:') . "\r\n";
-  $message.= $set_password_link;
+  $message.= $set_password_link . "\r\n";
  $message.= l10n('This link is valid for %s. After this time, you will need to request a new link.', $remaining_time);
  $message.= "\r\n\r\n";
  $message.= l10n('If this was a mistake, just ignore this email and nothing will happen.')."\r\n";
--- a/include/functions_user.inc.php
+++ b/include/functions_user.inc.php
@ -1740,14 +1740,19 @@ function deactivate_password_reset_key($user_id)
 *
 * @since 15
 * @param int $user_id
- * @param string $user_email
+ * @param boolean $first_login
- * @return array activation_key and reset password link 
+ * @return array time_validation and password link 
 */
-function generate_reset_password_link($user_id)
+function generate_password_link($user_id, $first_login=false)
 {
  global $conf;
  $activation_key = generate_key(20);
-  list($expire) = pwg_db_fetch_row(pwg_query('SELECT ADDDATE(NOW(), INTERVAL 1 HOUR)'));
+  $duration = $first_login
  ? $conf['password_activation_duration'] 
  : $conf['password_reset_duration'];
  list($expire) = pwg_db_fetch_row(pwg_query('SELECT ADDDATE(NOW(), INTERVAL '. $duration .' SECOND)'));
  single_update(
    USER_INFOS_TABLE,
@ -1760,13 +1765,20 @@ function generate_reset_password_link($user_id)
    set_make_full_url();
-    $reset_password_link = get_root_url().'password.php?key='.$activation_key;
+    $password_link = get_root_url().'password.php?key='.$activation_key;
    unset_make_full_url();
    $time_validation = time_since(
      strtotime('now -'.$duration.' second'),
      'second',
      null,
      false
    );
    return array(
-      'activation_key' => $activation_key,
+      'time_validation' => $time_validation,
-      'reset_password_link' => $reset_password_link,
+      'password_link' => $password_link,
    );
 }
--- a/include/ws_functions/pwg.users.php
+++ b/include/ws_functions/pwg.users.php
@ -989,7 +989,7 @@ SELECT
 *    @option string pwg_token
 *    @option boolean send_by_mail
 */
-function ws_users_generate_reset_password_link($params, &$service)
+function ws_users_generate_password_link($params, &$service)
 {
  global $user, $conf;
  include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
@ -1020,19 +1020,19 @@ function ws_users_generate_reset_password_link($params, &$service)
    return new PwgError(403, 'You cannot perform this action');
  }
-  $generate_link = generate_reset_password_link($params['user_id']);
+  $first_login = first_connexion($params['user_id']);
  $generate_link = generate_password_link($params['user_id'], $first_login);
  $send_by_mail_response = null;
  if ($params['send_by_mail'] and !empty($user_lost['email']))
  {
    $first_login = first_connexion($params['user_id']);
    if ($first_login)
    {
-      $email_params = pwg_generate_set_password_mail($user_lost['username'], $generate_link['reset_password_link'], $conf['gallery_title']);
+      $email_params = pwg_generate_set_password_mail($user_lost['username'], $generate_link['password_link'], $conf['gallery_title'], $generate_link['time_validation']);
    }
    else
    {
-      $email_params = pwg_generate_reset_password_mail($user_lost['username'], $generate_link['reset_password_link'], $conf['gallery_title']);
+      $email_params = pwg_generate_reset_password_mail($user_lost['username'], $generate_link['password_link'], $conf['gallery_title'], $generate_link['time_validation']);
    }
    // Here we remove the display of errors because they prevent the response from being parsed
    if (@pwg_mail($user_lost['email'], $email_params))
@ -1046,8 +1046,9 @@ function ws_users_generate_reset_password_link($params, &$service)
  }
  return array(
-    'generated_link' => $generate_link['reset_password_link'],
+    'generated_link' => $generate_link['password_link'],
    'send_by_mail' => $send_by_mail_response,
    'time_validation' => $generate_link['time_validation'],
  );
 }
--- a/language/en_UK/admin.lang.php
+++ b/language/en_UK/admin.lang.php
@ -1392,9 +1392,9 @@ $lang['Set as main user'] = 'Set as main user';
 $lang['This user must first be defined as the webmaster before it can be upgraded to the main user'] = 'This user must first be defined as the webmaster before it can be upgraded to the main user';
 $lang['Copied link'] = 'Copied link';
 $lang['You cannot copy the password if the connection to this site is not secure.'] = 'You cannot copy the password if the connection to this site is not secure.';
-$lang['An activation link valid for 1 hour has been sent to "%s". If the user doesn\'t receive the link, you can generate and copy a new one by editing the user and managing her password.'] = 'An activation link valid for 1 hour has been sent to "%s". If the user doesn\'t receive the link, you can generate and copy a new one by editing the user and managing her password.';
+$lang['An activation link valid for %s has been sent to "%s". If the user doesn\'t receive the link, you can generate and copy a new one by editing the user and managing her password.'] = 'An activation link valid for %s has been sent to "%s". If the user doesn\'t receive the link, you can generate and copy a new one by editing the user and managing her password.';
 $lang['Copy the link below and send it to the user so the password can be set.'] = 'Copy the link below and send it to the user so the password can be set.';
-$lang['An activation link valid for 1 hour was created but could not be sent. You can now copy the link below and send it to the user.'] = 'An activation link valid for 1 hour was created but could not be sent. You can now copy the link below and send it to the user.';
+$lang['An activation link valid for %s was created but could not be sent. You can now copy the link below and send it to the user.'] = 'An activation link valid for %s was created but could not be sent. You can now copy the link below and send it to the user.';
 $lang['Copy the password link'] = 'Copy the password link';
 $lang['Resend password link'] = 'Resend password link';
 $lang['Username successfully modified'] = 'Username successfully modified';
@ -1403,4 +1403,7 @@ $lang['Yes, let\'s proceed'] = 'Yes, let\'s proceed';
 $lang['What\'s new in version %s'] = 'What\'s new in version %s?';
 $lang['Read the release note'] = 'Read the release note';
 $lang['Ok, got it!'] = 'Ok, got it!';
 $lang['This link is valid for %s. After this time, you will need to request a new link.'] = 'This link is valid for %s. After this time, you will need to request a new link.';
 $lang['To set your password, visit the following address:'] = 'To set your password, visit the following address:';
 $lang['Someone requested that the password be set for the following user account:'] = 'Someone requested that the password be set for the following user account:';
 // Leave this line empty
--- a/language/fr_FR/admin.lang.php
+++ b/language/fr_FR/admin.lang.php
@ -1394,9 +1394,9 @@ $lang['Set as main user'] = 'Définir comme utilisateur principal';
 $lang['This user must first be defined as the webmaster before it can be upgraded to the main user'] = 'Cet utilisateur doit d\'abord être défini en tant que webmaster avant de pouvoir devenir l\'utilisateur principal';
 $lang['Copied link'] = 'Lien copié';
 $lang['You cannot copy the password if the connection to this site is not secure.'] = 'Vous ne pouvez pas copier le mot de passe si la connexion à ce site n\'est pas sécurisée.';
-$lang['An activation link valid for 1 hour has been sent to "%s". If the user doesn\'t receive the link, you can generate and copy a new one by editing the user and managing her password.'] = 'Un lien d\'activation valable 1 heure a été envoyé à « %s ». Si l\'utilisateur ne reçoit pas le lien, vous pouvez en générer et en copier un nouveau en éditant l\'utilisateur et en gérant son mot de passe.';
+$lang['An activation link valid for %s has been sent to "%s". If the user doesn\'t receive the link, you can generate and copy a new one by editing the user and managing her password.'] = 'Un lien d\'activation valable %s a été envoyé à « %s ». Si l\'utilisateur ne reçoit pas le lien, vous pouvez en générer et en copier un nouveau en éditant l\'utilisateur et en gérant son mot de passe.';
 $lang['Copy the link below and send it to the user so the password can be set.'] = 'Copiez le lien ci-dessous et envoyez-le à l\'utilisateur pour qu\'il définisse son mot de passe.';
-$lang['An activation link valid for 1 hour was created but could not be sent. You can now copy the link below and send it to the user.'] = 'Un lien d\'activation valable 1 heure a été créé mais n\'a pas pu être envoyé. Vous pouvez maintenant copier le lien ci-dessous et l\'envoyer à l\'utilisateur.';
+$lang['An activation link valid for %s was created but could not be sent. You can now copy the link below and send it to the user.'] = 'Un lien d\'activation valable %s a été créé mais n\'a pas pu être envoyé. Vous pouvez maintenant copier le lien ci-dessous et l\'envoyer à l\'utilisateur.';
 $lang['Copy the password link'] = 'Copier le lien du mot de passe';
 $lang['Resend password link'] = 'Renvoyer le lien du mot de passe';
 $lang['Username successfully modified'] = 'Nom d\'utilisateur modifié avec succès';
@ -1405,4 +1405,7 @@ $lang['Yes, let\'s proceed'] = 'Oui, continuons';
 $lang['What\'s new in version %s'] = 'Quoi de neuf dans Piwigo %s ?';
 $lang['Read the release note'] = 'Lire la note de version';
 $lang['Ok, got it!'] = 'Ok, j\'ai compris!';
 $lang['This link is valid for %s. After this time, you will need to request a new link.'] = 'Ce lien est valide pendant %s. Passé ce délai, vous devrez demander un nouveau lien.';
 $lang['To set your password, visit the following address:'] = 'Pour définir votre mot de passe, rendez-vous à l\'adresse suivante:';
 $lang['Someone requested that the password be set for the following user account:'] = 'Quelqu\'un a demandé que le mot de passe soit défini pour l\'utilisateur suivant:';
 // Leave this line empty
--- a/password.php
+++ b/password.php
@ -76,11 +76,11 @@ function process_password_request()
    return false;
  }
-  $generate_link = generate_reset_password_link($user_id);
+  $generate_link = generate_password_link($user_id);
-  $userdata['activation_key'] = $generate_link['activation_key'];
+  // $userdata['activation_key'] = $generate_link['activation_key'];
-  $email_params = pwg_generate_reset_password_mail($userdata['username'], $generate_link['reset_password_link'], $conf['gallery_title']);
+  $email_params = pwg_generate_reset_password_mail($userdata['username'], $generate_link['password_link'], $conf['gallery_title'], $generate_link['time_validation']);
  if (pwg_mail($userdata['email'], $email_params))
  {
--- a/ws.php
+++ b/ws.php
@ -1506,8 +1506,8 @@ enabled_high, registration_date, registration_date_string, registration_date_sin
    );
    $service->addMethod(
-      'pwg.users.generateResetPasswordLink',
+      'pwg.users.generatePasswordLink',
-      'ws_users_generate_reset_password_link',
+      'ws_users_generate_password_link',
      array(
        'user_id' => array(
          'type'=>WS_TYPE_ID
@ -1522,7 +1522,7 @@ enabled_high, registration_date, registration_date_string, registration_date_sin
      'Return the reset password link <br />
       (Only webmaster can perform this action for another webmaster)',
      $ws_functions_root . 'pwg.users.php',
-      array('admin_only'=>true)
+      array('admin_only'=>true, 'post_only'=>true)
    );
    $service->addMethod(