1 files changed, 65 insertions, 23 deletions

diff --git a/inc/auth.php b/inc/auth.php
index eff984b36..78d98a99e 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -523,18 +523,19 @@ function auth_aclcheck($id,$user,$groups){
         $groups[] = '@ALL';
         //add User
         if($user) $groups[] = $user;
-        //build regexp
-        $regexp   = join('|',$groups);
     }else{
-        $regexp = '@ALL';
+        $groups[] = '@ALL';
     }
 
     //check exact match first
-    $matches = preg_grep('/^'.preg_quote($id,'/').'\s+('.$regexp.')\s+/'.$ci,$AUTH_ACL);
+    $matches = preg_grep('/^'.preg_quote($id,'/').'\s+(\S+)\s+/'.$ci,$AUTH_ACL);
     if(count($matches)){
         foreach($matches as $match){
             $match = preg_replace('/#.*$/','',$match); //ignore comments
             $acl   = preg_split('/\s+/',$match);
+            if (!in_array($acl[1], $groups)) {
+                continue;
+            }
             if($acl[2] > AUTH_DELETE) $acl[2] = AUTH_DELETE; //no admins in the ACL!
             if($acl[2] > $perm){
                 $perm = $acl[2];
@@ -554,20 +555,24 @@ function auth_aclcheck($id,$user,$groups){
     }
 
     do{
-        $matches = preg_grep('/^'.preg_quote($path,'/').'\s+('.$regexp.')\s+/'.$ci,$AUTH_ACL);
+        $matches = preg_grep('/^'.preg_quote($path,'/').'\s+(\S+)\s+/'.$ci,$AUTH_ACL);
         if(count($matches)){
             foreach($matches as $match){
                 $match = preg_replace('/#.*$/','',$match); //ignore comments
                 $acl   = preg_split('/\s+/',$match);
+                if (!in_array($acl[1], $groups)) {
+                    continue;
+                }
                 if($acl[2] > AUTH_DELETE) $acl[2] = AUTH_DELETE; //no admins in the ACL!
                 if($acl[2] > $perm){
                     $perm = $acl[2];
                 }
             }
             //we had a match - return it
-            return $perm;
+            if ($perm != -1) {
+                return $perm;
+            }
         }
-
         //get next higher namespace
         $ns   = getNS($ns);
 
@@ -582,9 +587,6 @@ function auth_aclcheck($id,$user,$groups){
             return AUTH_NONE;
         }
     }while(1); //this should never loop endless
-
-    //still here? return no permissions
-    return AUTH_NONE;
 }
 
 /**
@@ -673,8 +675,14 @@ function auth_sendPassword($user,$password){
     $text = str_replace('@PASSWORD@',$password,$text);
     $text = str_replace('@TITLE@',$conf['title'],$text);
 
+    if(empty($conf['mailprefix'])) {
+        $subject = $lang['regpwmail'];
+    } else {  
+        $subject = '['.$conf['mailprefix'].'] '.$lang['regpwmail'];
+    }
+
     return mail_send($userinfo['name'].' <'.$userinfo['mail'].'>',
-            $lang['regpwmail'],
+            $subject,
             $text,
             $conf['mailfrom']);
 }
@@ -852,32 +860,60 @@ function act_resendpwd(){
     $token = preg_replace('/[^a-f0-9]+/','',$_REQUEST['pwauth']);
 
     if($token){
-        // we're in token phase
+        // we're in token phase - get user info from token
 
         $tfile = $conf['cachedir'].'/'.$token{0}.'/'.$token.'.pwauth';
         if(!@file_exists($tfile)){
             msg($lang['resendpwdbadauth'],-1);
+            unset($_REQUEST['pwauth']);
+            return false;
+        }
+        // token is only valid for 3 days
+        if( (time() - filemtime($tfile)) > (3*60*60*24) ){
+            msg($lang['resendpwdbadauth'],-1);
+            unset($_REQUEST['pwauth']);
+            @unlink($tfile);
             return false;
         }
+
         $user = io_readfile($tfile);
-        @unlink($tfile);
         $userinfo = $auth->getUserData($user);
         if(!$userinfo['mail']) {
             msg($lang['resendpwdnouser'], -1);
             return false;
         }
 
-        $pass = auth_pwgen();
-        if (!$auth->triggerUserMod('modify', array($user,array('pass' => $pass)))) {
-            msg('error modifying user data',-1);
-            return false;
-        }
 
-        if (auth_sendPassword($user,$pass)) {
-            msg($lang['resendpwdsuccess'],1);
-        } else {
-            msg($lang['regmailfail'],-1);
+        if(!$conf['autopasswd']){ // we let the user choose a password
+            // password given correctly?
+            if(!isset($_REQUEST['pass']) || $_REQUEST['pass'] == '') return false;
+            if($_REQUEST['pass'] != $_REQUEST['passchk']){
+                msg($lang['regbadpass'],-1);
+                return false;
+            }
+            $pass = $_REQUEST['pass'];
+
+            if (!$auth->triggerUserMod('modify', array($user,array('pass' => $pass)))) {
+                msg('error modifying user data',-1);
+                return false;
+            }
+
+        }else{ // autogenerate the password and send by mail
+
+            $pass = auth_pwgen();
+            if (!$auth->triggerUserMod('modify', array($user,array('pass' => $pass)))) {
+                msg('error modifying user data',-1);
+                return false;
+            }
+
+            if (auth_sendPassword($user,$pass)) {
+                msg($lang['resendpwdsuccess'],1);
+            } else {
+                msg($lang['regmailfail'],-1);
+            }
         }
+
+        @unlink($tfile);
         return true;
 
     } else {
@@ -912,8 +948,14 @@ function act_resendpwd(){
         $text = str_replace('@TITLE@',$conf['title'],$text);
         $text = str_replace('@CONFIRM@',$url,$text);
 
+        if(empty($conf['mailprefix'])) {
+            $subject = $lang['regpwmail'];
+        } else {  
+            $subject = '['.$conf['mailprefix'].'] '.$lang['regpwmail'];
+        }
+        
         if(mail_send($userinfo['name'].' <'.$userinfo['mail'].'>',
-                     $lang['regpwmail'],
+                     $subject,
                      $text,
                      $conf['mailfrom'])){
             msg($lang['resendpwdconfirm'],1);