(* COCANWIKI - a wiki written in Objective CAML.
 * Written by Richard W.M. Jones <rich@merjis.com>.
 * Copyright (C) 2004 Merjis Ltd.
 * $Id: forgot_password.ml,v 1.10 2006/03/27 19:10:29 rich Exp $
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; see the file COPYING.  If not, write to
 * the Free Software Foundation, Inc., 59 Temple Place - Suite 330,
 * Boston, MA 02111-1307, USA.
 *)

open Apache
open Registry
open Cgi
open Printf

open Cocanwiki
open Cocanwiki_ok
open Cocanwiki_strings

let run r (q : cgi) dbh hostid { hostname = hostname } _ =
  let name = trim (q#param "name") in

  if name = "" then (
    error ~back_button:true ~title:"No username or email address"
      dbh hostid q "You didn't give a username or email address";
    return ()
  );

  (* Look it up in the database. *)
  let rows = PGSQL(dbh)
    "select email, name, password from users
      where hostid = $hostid
        and email is not null
        and (lower (name) = lower ($name) or lower (email) = lower ($name))" in

  try
    let email, name, password =
      match rows with
      | [ Some email, name, password ] ->
	  email, name, password
      | _ -> assert false in

    (* Get the IP address of the user, if available. *)
    let ip =
      try Connection.remote_ip (Request.connection r) with Not_found -> "" in

    let subject = "Password for " ^ hostname in

    let body =
      "Someone, possibly you, requested your password for " ^ hostname ^
      ".\n\n" ^
      "Username: " ^ name ^ "\n" ^
      "Password: " ^ password ^ "\n" ^
      "\n" ^
      "IP address of request: " ^ ip ^ "\n" in

    Sendmail.send_mail ~subject ~to_addr:[ email ] body;

    let buttons = [ ok_button "/_login" ] in
    ok ~buttons ~title:"Password sent by email"
      dbh hostid q
      ("Your password was sent by email.  If you don't receive the password " ^
       "within an hour, please notify the site's administrator.")
  with
      Not_found ->
	(* Artificially limit the rate at which people can search the database
	 * for usernames.
	 *)
	Unix.sleep 10;

	error ~back_button:true ~title:"Nothing known"
	  dbh hostid q
	  "Sorry, don't know anyone with that name or email address."

let () =
  register_script run