FCLT#55065 AiAi bij wachtwoord reset door Zwier van Dijk

svn path=/Website/trunk/; revision=40693
2019-01-28 16:26:17 +00:00
parent a34b23c889
commit a5c6df4898
1 changed files with 7 additions and 10 deletions
--- a/APPL/PRS/pchange_reset.asp
+++ b/APPL/PRS/pchange_reset.asp
@@ -20,21 +20,20 @@ var ANONYMOUS_Allowed = 1; // nog heel even
 <!-- #include file="../Shared/iface.inc" -->
 <!-- #include file="../Shared/login.inc" -->
 <%
+if (!S("email_password"))
+    shared.simpel_page(L("lcl_no_auth"));
+protectQS.verify({ expire: 1 }); // tamper check. HMAC is *net* gezet door shorturl.asp dus 1 minuut is nog heel ruim
 var submitting = getQParamInt('submit', -1);
-var user_key = getQParamInt("user_key"); // is toch beschermd met HMAC
+var prs_key = getQParamInt("user_key"); // is toch beschermd met HMAC
 if (submitting == 1) {
-  if (!S("email_password"))
-      shared.simpel_page(L("lcl_no_auth"));
-
-      protectRequest.validateToken();

  // Je krijgt maar <20><>n kans
  var sql = "DELETE fac_bookmark"
          + " WHERE fac_bookmark_naam = 'PRS password reset'"
-          + "   AND prs_perslid_key = " + user_key;
+          + "   AND prs_perslid_key = " + prs_key;
  Oracle.Execute(sql);

-  doLogin(user_key);
+  doLogin(prs_key);

  if (!user.haspw() && S("email_password") == 1) // Welbeschouwd was de link toch al nooit gestuurd. Paranoia dus.
      shared.simpel_page(L("lcl_no_auth"));
@@ -45,7 +44,6 @@ if (submitting == 1) {
 }
 else
 {
-  protectQS.verify({ expire: 1 }); // tamper check. HMAC is *net* gezet door shorturl.asp dus 1 minuut is nog heel ruim
  %>
  <html>
    <head>
@@ -65,12 +63,11 @@ else
    </head>

    <body class="modal" id="mod_prs_pwdreset">
-        <form id="changereset" name="u2" action="pchange_reset.asp?submit=1&user_key=<%=user_key%>" method="post">
+        <form id="changereset" name="u2" action="<%=protectQS.create('../../appl/prs/pchange_reset.asp?submit=1&user_key='+prs_key)%>" method="post">
 <%
          BLOCK_START("prspwchange", L("lcl_password_title"));
 %>        <a href="#" onclick="doOK()"><%=L("lcl_click_here_pw_change")%></a> <%
          BLOCK_END();
-          IFACE.FORM_END();
 %>
      </form>
    </body>