Add more "check spam" notices

classes/autoenable.class.php

@@ -1,6 +1,7 @@
-<?
+<?php
 
-class AutoEnable {
+class AutoEnable
+{
 
     // Constants for database values
     const APPROVED = 1;
@@ -11,10 +12,10 @@ class AutoEnable {
     const CACHE_KEY_NAME = 'num_enable_requests';
 
     // The default request rejected message
-    const REJECTED_MESSAGE = "Your request to re-enable your account has been rejected.<br>This may be because a request is already pending for your username, or because a recent request was denied.<br><br>You are encouraged to discuss this with staff by visiting %s on %s";
+    const REJECTED_MESSAGE = "Your request to re-enable your account has been rejected.<br /><br />This may be because a request is already pending for your username, or because a recent request was denied.<br /><br />You are encouraged to discuss this with staff by visiting %s on %s";
 
     // The default request received message
-    const RECEIVED_MESSAGE = "Your request to re-enable your account has been received. Most requests are responded to within minutes. Remember to check your spam.<br>If you do not receive an email after 48 hours have passed, please visit us on IRC for assistance.";
+    const RECEIVED_MESSAGE = "Your request to re-enable your account has been received. Most requests are responded to within minutes. Remember to check your spam.<br /><br />If you do not receive an email after 48 hours have passed, please visit us on IRC for assistance.";
 
     /**
      * Handle a new enable request
@@ -23,7 +24,8 @@ class AutoEnable {
      * @param string $Email The user's email address
      * @return string The output
      */
-    public static function new_request($Username, $Email) {
+    public static function new_request($Username, $Email)
+    {
         if (empty($Username)) {
             header("Location: login.php");
             die();
@@ -69,11 +71,16 @@ class AutoEnable {
             // New disable activation request
             $UserAgent = db_string($_SERVER['HTTP_USER_AGENT']);
 
-            G::$DB->query("
+            G::$DB->query(
+                "
                 INSERT INTO users_enable_requests
                 (UserID, Email, IP, UserAgent, Timestamp)
                 VALUES (?, ?, ?, ?, NOW())",
-                $UserID, Crypto::encrypt($Email), Crypto::encrypt($IP), $UserAgent);
+                $UserID,
+                Crypto::encrypt($Email),
+                Crypto::encrypt($IP),
+                $UserAgent
+            );
             $RequestID = G::$DB->inserted_id();
 
             // Cache the number of requests for the modbar
@@ -82,7 +89,7 @@ class AutoEnable {
             $Output = self::RECEIVED_MESSAGE;
             Tools::update_user_notes($UserID, sqltime() . " - Enable request " . G::$DB->inserted_id() . " received from $IP\n\n");
             if ($BanReason == 3) {
-              //self::handle_requests([$RequestID], self::APPROVED, "Automatically approved (inactivity)");
+                //self::handle_requests([$RequestID], self::APPROVED, "Automatically approved (inactivity)");
             }
         }
 
@@ -96,7 +103,8 @@ class AutoEnable {
      * @param int $Status The status to mark the requests as
      * @param string $Comment The staff member comment
      */
-    public static function handle_requests($IDs, $Status, $Comment) {
+    public static function handle_requests($IDs, $Status, $Comment)
+    {
         if ($Status != self::APPROVED && $Status != self::DENIED && $Status != self::DISCARDED) {
             error(404);
         }
@@ -123,7 +131,7 @@ class AutoEnable {
         if ($Status != self::DISCARDED) {
             // Prepare email
             require_once(SERVER_ROOT . '/classes/templates.class.php');
-            $TPL = NEW TEMPLATE;
+            $TPL = new TEMPLATE;
             if ($Status == self::APPROVED) {
                 $TPL->open(SERVER_ROOT . '/templates/enable_request_accepted.tpl');
                 $TPL->set('SITE_DOMAIN', SITE_DOMAIN);
@@ -168,10 +176,10 @@ class AutoEnable {
             FROM users_main
             WHERE ID = ?", $StaffID);
         if (G::$DB->has_results()) {
-          list($StaffUser) = G::$DB->next_record();
+            list($StaffUser) = G::$DB->next_record();
         } else {
-          $StaffUser = "System";
-          $StaffID = 0;
+            $StaffUser = "System";
+            $StaffID = 0;
         }
 
         foreach ($UserInfo as $User) {
@@ -196,7 +204,8 @@ class AutoEnable {
      *
      * @param int $ID The request ID
      */
-    public static function unresolve_request($ID) {
+    public static function unresolve_request($ID)
+    {
         $ID = (int) $ID;
 
         if (empty($ID)) {
@@ -235,12 +244,13 @@ class AutoEnable {
      * @param int $Outcome The outcome integer
      * @return string The formatted output string
      */
-    public static function get_outcome_string($Outcome) {
+    public static function get_outcome_string($Outcome)
+    {
         if ($Outcome == self::APPROVED) {
             $String = "Approved";
-        } else if ($Outcome == self::DENIED) {
+        } elseif ($Outcome == self::DENIED) {
             $String = "Rejected";
-        } else if ($Outcome == self::DISCARDED) {
+        } elseif ($Outcome == self::DISCARDED) {
             $String = "Discarded";
         } else {
             $String = "---";
@@ -255,7 +265,8 @@ class AutoEnable {
      * @param string $Token The token
      * @return string The error output, or an empty string
      */
-    public static function handle_token($Token) {
+    public static function handle_token($Token)
+    {
         $Token = db_string($Token);
         G::$DB->query("
             SELECT uer.UserID, uer.HandledTimestamp, um.torrent_pass, um.Visible, um.IP
@@ -299,7 +310,8 @@ class AutoEnable {
      * @param boolean $Checked Should checked requests be included?
      * @return array The WHERE conditions for the query
      */
-    public static function build_search_query($Username, $IP, $SubmittedBetween, $SubmittedTimestamp1, $SubmittedTimestamp2, $HandledUsername, $HandledBetween, $HandledTimestamp1, $HandledTimestamp2, $OutcomeSearch, $Checked) {
+    public static function build_search_query($Username, $IP, $SubmittedBetween, $SubmittedTimestamp1, $SubmittedTimestamp2, $HandledUsername, $HandledBetween, $HandledTimestamp1, $HandledTimestamp2, $OutcomeSearch, $Checked)
+    {
         $Where = [];
 
         if (!empty($Username)) {
@@ -312,7 +324,7 @@ class AutoEnable {
         }
 
         if (!empty($SubmittedTimestamp1)) {
-            switch($SubmittedBetween) {
+            switch ($SubmittedBetween) {
                 case 'on':
                     $Where[] = "DATE(uer.Timestamp) = DATE('$SubmittedTimestamp1')";
                     break;
@@ -333,7 +345,7 @@ class AutoEnable {
         }
 
         if (!empty($HandledTimestamp1)) {
-            switch($HandledBetween) {
+            switch ($HandledBetween) {
                 case 'on':
                     $Where[] = "DATE(uer.HandledTimestamp) = DATE('$HandledTimestamp1')";
                     break;

classes/rules.class.php

@@ -109,6 +109,8 @@ class Rules
 
   <li>Please discuss site news in the corresponding Announcements thread instead of making a new General thread.
     Discussing science-related news in General is highly encouraged, but discussing political news is much less so.
+    But don't self-censor, e.g., you can discuss the political and economic factors of the 2019-nCoV outbreak,
+    but you can't start a thread about trade deals and hope to steer it toward biology.
     Thank you.</li>
 
   <li>No advertising, referrals, affiliate links, cryptocurrency pumps, or calls to action that involve using a

sections/donate/donate.php

@@ -17,12 +17,15 @@ View::show_header('Donate');
 ?>
 
 <div class="thin">
-  <span class="donation_info_title"><?= SITE_NAME ?> budget breakdown</span>
+  <span class="donation_info_title"><?= SITE_NAME ?> budget
+    breakdown</span>
   <div class="box pad donation_info">
-  <p>
-      <?= SITE_NAME ?> has no advertisements, is not sponsored, and provides its services free of charge.
+    <p>
+      <?= SITE_NAME ?> has no advertisements, is not sponsored, and
+      provides its services free of charge.
       For these reasons, its main income source is voluntary user donations.
-      Supporting <?= SITE_NAME ?> is and will always remain voluntary.
+      Supporting <?= SITE_NAME ?> is and will always remain
+      voluntary.
       If you're financially able, please help pay its bills by donating.
       We use the donations to cover the costs of running the site, tracker, and IRC network.
     </p>
@@ -30,7 +33,8 @@ View::show_header('Donate');
     <p>
       No staff member or other individual responsible for the site's operation personally profits from user donations.
       As a donor, your financial support is exclusively applied to operating costs.
-      By donating to <?= SITE_NAME ?>, you're helping to defray the recurring costs of necessary information services.
+      By donating to <?= SITE_NAME ?>, you're helping to defray the
+      recurring costs of necessary information services.
     </p>
 
     <p>
@@ -41,70 +45,85 @@ View::show_header('Donate');
     </p>
 
     <ul>
-        <li><strong>Tracker Server.</strong> We currently use one budget VPS at 2.50€ per month, and can add more at the same price as needed.</li>
-        <li><strong>Seedbox Server.</strong> A dedicated seedbox in Europe to supplement my home servers in North America is forthcoming. It's not expected to exceed $20 per month.</li>
-        <li><strong>Domain Name.</strong> The site domain name costs $15 per year. The SSL certificate is gratis.</li>
-        <li><strong>Parent Company.</strong> Because I'm handling personal information such as email and IP addresses, and soliciting donations from the public, legal protection is prudent. An LLC is forthcoming and not expected to exceed $75 per year.</li>
-      </ul>
+      <li><strong>Tracker Server.</strong> We currently use one budget VPS at 2.50€ per month, and can add more at the
+        same price as needed.</li>
+      <li><strong>Seedbox Server.</strong> A dedicated seedbox in Europe to supplement my home servers in North America
+        is forthcoming. It's not expected to exceed $20 per month.</li>
+      <li><strong>Domain Name.</strong> The site domain name costs $15 per year. The SSL certificate is gratis.</li>
+      <li><strong>Parent Company.</strong> Because I'm handling personal information such as email and IP addresses, and
+        soliciting donations from the public, legal protection is prudent. An LLC is forthcoming and not expected to
+        exceed $75 per year.</li>
+    </ul>
   </div>
 
   <span class="donation_info_title">How to donate to <?= SITE_NAME ?></span>
   <div class="box pad donation_info">
     <p>
-      <?= SITE_NAME ?> accepts donations on a tactful array of platforms.
+      <?= SITE_NAME ?> accepts donations on a tactful array of
+      platforms.
       We also accept <strong>tax-deductible donations</strong> on behalf of the
       <a href="https://www.boslab.org/donate" target="_blank">Boston Open Science Laboratory (BosLab)</a>,
       a registered 501c3.
       Please use the memo field on BosLab's PayPal form to credit your <?= SITE_NAME ?> account.
-      <strong>From: your username on <?= SITE_NAME ?>'s behalf, CC: ohm at biotorrents dot de.</strong>
+      <strong>From: your username on <?= SITE_NAME ?>'s behalf, CC:
+        ohm at biotorrents dot de.</strong>
     </p>
 
     <p>
-      Unlike affiliate donations to BosLab, where the funds are beyond my control, direct donations are used exclusively for <?= SITE_NAME ?>'s operating costs.
-      Please see <a href="https://www.patreon.com/biotorrents" target="_blank"><?= SITE_NAME ?>'s Patreon</a> for a detailed overview of funding goals.
+      Unlike affiliate donations to BosLab, where the funds are beyond my control, direct donations are used exclusively
+      for <?= SITE_NAME ?>'s operating costs.
+      Please see <a href="https://www.patreon.com/biotorrents" target="_blank"><?= SITE_NAME ?>'s Patreon</a> for a detailed overview of funding
+      goals.
       There are some benefits to donating that culmulate with each tier pledged.
       Each tier's awards include those already listed.
     </p>
 
     <p style="margin: 2em 0;">
-    <a href="https://www.patreon.com/bePatron?u=27142321" data-patreon-widget-type="become-patron-button">Become a Patron!</a><script async src="https://c6.patreon.com/becomePatronButton.bundle.js"></script>
+      <a href="https://www.patreon.com/bePatron?u=27142321" data-patreon-widget-type="become-patron-button">Become a
+        Patron!</a>
+      <script async src="https://c6.patreon.com/becomePatronButton.bundle.js"></script>
     </p>
 
-      <ul>
-        <li><strong>Bronze.</strong> A donor badge and forum access for your user account on the BioTorrents.de website
-        </li>
-        <li><strong>Silver.</strong> Unlimited API calls to the BioTorrents.de database</li>
-        <li><strong>Gold.</strong> Monthly Skype calls to discuss wetlab and software ideas.
-          My expertise includes fungal biotechnology, nonprofit administration, and LEMP+ development</li>
-        <li><strong>Sponsor a Seedbox.</strong> Shell access to, and share ratio credit from, a seedbox that I manage on
-          your behalf.
-          Please understand that network services beyond the scope of seedbox administration should be negotiated
-          separately</li>
-      </ul>
+    <ul>
+      <li><strong>Bronze.</strong> A donor badge and forum access for your user account on the BioTorrents.de website
+      </li>
+      <li><strong>Silver.</strong> Unlimited API calls to the BioTorrents.de database</li>
+      <li><strong>Gold.</strong> Monthly Skype calls to discuss wetlab and software ideas.
+        My expertise includes fungal biotechnology, nonprofit administration, and LEMP+ development</li>
+      <!--
+        <li><strong>Sponsor a Seedbox.</strong> Shell access to, and share ratio credit from, a seedbox that I manage on your behalf.
+          Please understand that network services beyond the scope of seedbox administration should be negotiated separately</li>
+        -->
+    </ul>
 
     <p>
-      I also accept private donations of cash and cash equivalents, including <strong>Bitcoin</strong> and other cryptocurrencies.
-      Besides gift transactions sent to my personal <strong>PayPal</strong> account, I'll also accept <strong>USPS money orders</strong> in the mail.
+      I also accept private donations of cash and cash equivalents, including <strong>Bitcoin</strong> and other
+      cryptocurrencies.
+      Besides gift transactions sent to my personal <strong>PayPal</strong> account, I'll also accept <strong>USPS money
+        orders</strong> in the mail.
       I can generate unique cryptocurrency addresses for donations in Bitcoin, Litecoin, Curecoin, and Namecoin.
-      Please use <a href="https://pgp.mit.edu/pks/lookup?op=get&search=0x760EBED7CFE266D7" target="_blank">GPG key 760EBED7CFE266D7</a> if you desire.
+      Please use <a href="https://pgp.mit.edu/pks/lookup?op=get&search=0x760EBED7CFE266D7" target="_blank">GPG key
+        760EBED7CFE266D7</a> if you desire.
     </p>
   </div>
 
   <span class="donation_info_title">What donating means for your account</span>
   <div class="box pad donation_info">
-  <p>
-    Please remember that when you make a donation, you aren't "purchasing" Donor Ranks, invites, or any <?= SITE_NAME ?>-specific benefit.
-    When donating, you're helping <?= SITE_NAME ?> pay its bills, and your donation should be made in this spirit.
-    The <?= SITE_NAME ?> staff does its best to recognize our financial supporters in a fair and fun way,
-    but all donor perks are subject to change or cancellation at any time, without notice.
-  </p>
-
-  <p>
-    Any donation or contribution option listed above gives you the opportunity to receive Donor Points.
-    Donor Points are awarded at a rate of one point per transaction, regardless of the amount.
-    After acquiring your first Donor Point, your account will unlock Donor Rank #1.
-    This rank will last forever, and you'll receive the below perks when you unlock it.
-  </p>
+    <p>
+      Please remember that when you make a donation, you aren't "purchasing" Donor Ranks, invites, or any <?= SITE_NAME ?>-specific benefit.
+      When donating, you're helping <?= SITE_NAME ?> pay its bills,
+      and your donation should be made in this spirit.
+      The <?= SITE_NAME ?> staff does its best to recognize our
+      financial supporters in a fair and fun way,
+      but all donor perks are subject to change or cancellation at any time, without notice.
+    </p>
+
+    <p>
+      Any donation or contribution option listed above gives you the opportunity to receive Donor Points.
+      Donor Points are awarded at a rate of one point per transaction, regardless of the amount.
+      After acquiring your first Donor Point, your account will unlock Donor Rank #1.
+      This rank will last forever, and you'll receive the below perks when you unlock it.
+    </p>
 
     <ul>
       <li>Our eternal love, as represented by the heart you get next to your name</li>
@@ -117,12 +136,10 @@ View::show_header('Donate');
       <li>A warm, fuzzy feeling</li>
     </ul>
 
-<p>What you won't receive for donating:</P.
-
-    <ul>
+    <p>What you won't receive for donating:</P. <ul>
       <li>Immunity from the rules</li>
       <li>Additional upload credit</li>
-    </ul>
+      </ul>
   </div>
 </div>
 <!-- END Donate -->

sections/login/index.php

@@ -6,17 +6,17 @@ Add the JavaScript validation into the display page using the class
 
 // Allow users to reset their password while logged in
 if (!empty($LoggedUser['ID']) && $_REQUEST['act'] != 'recover') {
-  header('Location: index.php');
-  die();
+    header('Location: index.php');
+    die();
 }
 
 if (BLOCK_OPERA_MINI && isset($_SERVER['HTTP_X_OPERAMINI_PHONE'])) {
-  error('Opera Mini is banned. Please use another browser.');
+    error('Opera Mini is banned. Please use another browser.');
 }
 
 // Check if IP is banned
 if (Tools::site_ban_ip($_SERVER['REMOTE_ADDR'])) {
-  error('Your IP address has been banned.');
+    error('Your IP address has been banned.');
 }
 
 require_once SERVER_ROOT.'/classes/twofa.class.php';
@@ -27,404 +27,407 @@ $Validate = new Validate;
 $TwoFA = new TwoFactorAuth(SITE_NAME);
 $U2F = new u2f\U2F('https://'.SITE_DOMAIN);
 
+# todo: Test strict equality very gently here
 if (array_key_exists('action', $_GET) && $_GET['action'] == 'disabled') {
-  require('disabled.php');
-  die();
+    require('disabled.php');
+    die();
 }
 
 if (isset($_REQUEST['act']) && $_REQUEST['act'] == 'recover') {
-  // Recover password
-  if (!empty($_REQUEST['key'])) {
-    // User has entered a new password, use step 2
-    $DB->query("
-      SELECT
-        m.ID,
-        m.Email,
-        m.ipcc,
-        i.ResetExpires
-      FROM users_main AS m
-        INNER JOIN users_info AS i ON i.UserID = m.ID
-      WHERE i.ResetKey = ?
-        AND i.ResetKey != ''", $_REQUEST['key']);
-    list($UserID, $Email, $Country, $Expires) = $DB->next_record();
-
-    if (!apcu_exists('DBKEY')) {
-      error('Database not fully decrypted. Please wait for staff to fix this and try again later');
-    }
-
-    $Email = Crypto::decrypt($Email);
-
-    if ($UserID && strtotime($Expires) > time()) {
-      // If the user has requested a password change, and his key has not expired
-      $Validate->SetFields('password', '1', 'regex', 'You entered an invalid password. Any password at least 6 characters long is accepted, but a strong password is 8 characters or longer, contains at least 1 lowercase and uppercase letter, contains at least a number or symbol', array('regex' => '/(?=^.{6,}$).*$/'));
-      $Validate->SetFields('verifypassword', '1', 'compare', 'Your passwords did not match.', array('comparefield' => 'password'));
-
-      if (!empty($_REQUEST['password'])) {
-        // If the user has entered a password.
-        // If the user has not entered a password, $PassWasReset is not set to 1, and the success message is not shown
-        $Err = $Validate->ValidateForm($_REQUEST);
-        if ($Err == '') {
-          // Form validates without error, set new secret and password.
-          $DB->query("
-            UPDATE
-              users_main AS m,
-              users_info AS i
-            SET
-              m.PassHash = ?,
-              i.ResetKey = '',
-              m.LastLogin = NOW(),
-              i.ResetExpires = NULL
-            WHERE m.ID = ?
-              AND i.UserID = m.ID", Users::make_sec_hash($_REQUEST['password']), $UserID);
-          $DB->query("
-            INSERT INTO users_history_passwords
-              (UserID, ChangerIP, ChangeTime)
-            VALUES
-              (?, ?, NOW())", $UserID, Crypto::encrypt($_SERVER['REMOTE_ADDR']));
-          $PassWasReset = true;
-          $LoggedUser['ID'] = $UserID; // Set $LoggedUser['ID'] for logout_all_sessions() to work
-          logout_all_sessions();
-
+    // Recover password
+    if (!empty($_REQUEST['key'])) {
+        // User has entered a new password, use step 2
+        $DB->query("
+        SELECT
+          m.ID,
+          m.Email,
+          m.ipcc,
+          i.ResetExpires
+        FROM users_main AS m
+          INNER JOIN users_info AS i ON i.UserID = m.ID
+          WHERE i.ResetKey = ?
+          AND i.ResetKey != ''", $_REQUEST['key']);
+        list($UserID, $Email, $Country, $Expires) = $DB->next_record();
+
+        if (!apcu_exists('DBKEY')) {
+            error('Database not fully decrypted. Please wait for staff to fix this and try again later');
         }
-      }
-
-      // Either a form asking for them to enter the password
-      // Or a success message if $PassWasReset is 1
-      require('recover_step2.php');
 
-    } else {
-      // Either his key has expired, or he hasn't requested a pass change at all
-      if (strtotime($Expires) < time() && $UserID) {
-        // If his key has expired, clear all the reset information
-        $DB->query("
-          UPDATE users_info
-          SET ResetKey = '',
-            ResetExpires = NULL
-          WHERE UserID = ?", $UserID);
-        $_SESSION['reseterr'] = 'The link you were given has expired.'; // Error message to display on form
-      }
-      // Show him the first form (enter email address)
-      header('Location: login.php?act=recover');
-    }
+        $Email = Crypto::decrypt($Email);
 
-  } // End step 2
+        if ($UserID && strtotime($Expires) > time()) {
+            // If the user has requested a password change, and his key has not expired
+            $Validate->SetFields('password', '1', 'regex', 'You entered an invalid password. Any password at least 6 characters long is accepted, but a strong password is 8 characters or longer, contains at least 1 lowercase and uppercase letter, contains at least a number or symbol', array('regex' => '/(?=^.{6,}$).*$/'));
+            $Validate->SetFields('verifypassword', '1', 'compare', 'Your passwords did not match.', array('comparefield' => 'password'));
+
+            if (!empty($_REQUEST['password'])) {
+                // If the user has entered a password.
+                // If the user has not entered a password, $PassWasReset is not set to 1, and the success message is not shown
+                $Err = $Validate->ValidateForm($_REQUEST);
+                if ($Err == '') {
+                    // Form validates without error, set new secret and password.
+                    $DB->query("
+                    UPDATE
+                      users_main AS m,
+                      users_info AS i
+                    SET
+                      m.PassHash = ?,
+                      i.ResetKey = '',
+                      m.LastLogin = NOW(),
+                      i.ResetExpires = NULL
+                      WHERE m.ID = ?
+                      AND i.UserID = m.ID", Users::make_sec_hash($_REQUEST['password']), $UserID);
+                    $DB->query("
+                    INSERT INTO users_history_passwords
+                      (UserID, ChangerIP, ChangeTime)
+                    VALUES
+                      (?, ?, NOW())", $UserID, Crypto::encrypt($_SERVER['REMOTE_ADDR']));
+                    $PassWasReset = true;
+                    $LoggedUser['ID'] = $UserID; // Set $LoggedUser['ID'] for logout_all_sessions() to work
+                    logout_all_sessions();
+                }
+            }
 
-  // User has not clicked the link in his email, use step 1
-  else {
-    $Validate->SetFields('email', '1', 'email', 'You entered an invalid email address.');
+            // Either a form asking for them to enter the password
+            // Or a success message if $PassWasReset is 1
+            require('recover_step2.php');
+        } else {
+            // Either his key has expired, or he hasn't requested a pass change at all
+            if (strtotime($Expires) < time() && $UserID) {
+                // If his key has expired, clear all the reset information
+                $DB->query("
+                UPDATE users_info
+                SET ResetKey = '',
+                  ResetExpires = NULL
+                  WHERE UserID = ?", $UserID);
+                $_SESSION['reseterr'] = 'The link you were given has expired.'; // Error message to display on form
+            }
+            // Show him the first form (enter email address)
+            header('Location: login.php?act=recover');
+        }
+    } // End step 2
 
-    if (!empty($_REQUEST['email'])) {
-      // User has entered email and submitted form
-      $Err = $Validate->ValidateForm($_REQUEST);
-      if (!apcu_exists('DBKEY')) {
-        $Err = 'Database not fully decrypted. Please wait for staff to fix this and try again.';
-      }
+    // User has not clicked the link in his email, use step 1
+    else {
+        $Validate->SetFields('email', '1', 'email', 'You entered an invalid email address');
 
-      if (!$Err) {
-        // Form validates correctly
-        $DB->query("
-          SELECT
-            Email
-          FROM users_main");
-        while(list($EncEmail) = $DB->next_record()) {
-          if (strtolower($_REQUEST['email']) == strtolower(Crypto::decrypt($EncEmail))) {
-            break; // $EncEmail is now the encrypted form of the given email from the database
-          }
-        }
+        if (!empty($_REQUEST['email'])) {
+            // User has entered email and submitted form
+            $Err = $Validate->ValidateForm($_REQUEST);
+            if (!apcu_exists('DBKEY')) {
+                $Err = 'Database not fully decrypted. Please wait for staff to fix this and try again';
+            }
 
-        $DB->query("
-          SELECT
-            ID,
-            Username,
-            Email
-          FROM users_main
-          WHERE Email = ?", $EncEmail);
-        list($UserID, $Username, $Email) = $DB->next_record();
-        $Email = Crypto::decrypt($Email);
+            if (!$Err) {
+                // Form validates correctly
+                $DB->query("
+                SELECT
+                  Email
+                FROM users_main");
+                while (list($EncEmail) = $DB->next_record()) {
+                    if (strtolower($_REQUEST['email']) == strtolower(Crypto::decrypt($EncEmail))) {
+                        break; // $EncEmail is now the encrypted form of the given email from the database
+                    }
+                }
 
-        if ($UserID) {
-          // Email exists in the database
-          // Set ResetKey, send out email, and set $Sent to 1 to show success page
-          Users::reset_password($UserID, $Username, $Email);
-
-          $Sent = 1; // If $Sent is 1, recover_step1.php displays a success message
-
-          //Log out all of the users current sessions
-          $Cache->delete_value("user_info_$UserID");
-          $Cache->delete_value("user_info_heavy_$UserID");
-          $Cache->delete_value("user_stats_$UserID");
-          $Cache->delete_value("enabled_$UserID");
-
-          $DB->query("
-            SELECT SessionID
-            FROM users_sessions
-            WHERE UserID = ?", $UserID);
-          while (list($SessionID) = $DB->next_record()) {
-            $Cache->delete_value("session_$UserID"."_$SessionID");
-          }
-          $DB->query("
-            UPDATE users_sessions
-            SET Active = 0
-            WHERE UserID = ?
-              AND Active = 1", $UserID);
-        } else {
-          $Err = 'There is no user with that email address.';
+                $DB->query("
+                SELECT
+                  ID,
+                  Username,
+                  Email
+                FROM users_main
+                  WHERE Email = ?", $EncEmail);
+                list($UserID, $Username, $Email) = $DB->next_record();
+                $Email = Crypto::decrypt($Email);
+
+                if ($UserID) {
+                    // Email exists in the database
+                    // Set ResetKey, send out email, and set $Sent to 1 to show success page
+                    Users::reset_password($UserID, $Username, $Email);
+
+                    $Sent = 1; // If $Sent is 1, recover_step1.php displays a success message
+
+                    //Log out all of the users current sessions
+                    $Cache->delete_value("user_info_$UserID");
+                    $Cache->delete_value("user_info_heavy_$UserID");
+                    $Cache->delete_value("user_stats_$UserID");
+                    $Cache->delete_value("enabled_$UserID");
+
+                    $DB->query("
+                    SELECT SessionID
+                    FROM users_sessions
+                      WHERE UserID = ?", $UserID);
+                    while (list($SessionID) = $DB->next_record()) {
+                        $Cache->delete_value("session_$UserID"."_$SessionID");
+                    }
+                    $DB->query("
+                    UPDATE users_sessions
+                    SET Active = 0
+                      WHERE UserID = ?
+                      AND Active = 1", $UserID);
+                } else {
+                    $Err = 'There is no user with that email address';
+                }
+            }
+        } elseif (!empty($_SESSION['reseterr'])) {
+            // User has not entered email address, and there is an error set in session data
+            // This is typically because their key has expired.
+            // Stick the error into $Err so recover_step1.php can take care of it
+            $Err = $_SESSION['reseterr'];
+            unset($_SESSION['reseterr']);
         }
-      }
-
-    } elseif (!empty($_SESSION['reseterr'])) {
-      // User has not entered email address, and there is an error set in session data
-      // This is typically because their key has expired.
-      // Stick the error into $Err so recover_step1.php can take care of it
-      $Err = $_SESSION['reseterr'];
-      unset($_SESSION['reseterr']);
-    }
-
-    // Either a form for the user's email address, or a success message
-    require('recover_step1.php');
-  }
 
+        // Either a form for the user's email address, or a success message
+        require('recover_step1.php');
+    }
 } // End password recovery
 
-else if (isset($_REQUEST['act']) && $_REQUEST['act'] == 'newlocation') {
-  if (isset($_REQUEST['key'])) {
-    if ($ASNCache = $Cache->get_value('new_location_'.$_REQUEST['key'])) {
-      $Cache->cache_value('new_location_'.$ASNCache['UserID'].'_'.$ASNCache['ASN'], true);
-      require('newlocation.php');
-      die();
+elseif (isset($_REQUEST['act']) && $_REQUEST['act'] == 'newlocation') {
+    if (isset($_REQUEST['key'])) {
+        if ($ASNCache = $Cache->get_value('new_location_'.$_REQUEST['key'])) {
+            $Cache->cache_value('new_location_'.$ASNCache['UserID'].'_'.$ASNCache['ASN'], true);
+            require('newlocation.php');
+            die();
+        } else {
+            error(403);
+        }
     } else {
-      error(403);
+        error(403);
     }
-  } else {
-    error(403);
-  }
 } // End new location
 
 // Normal login
 else {
-  $Validate->SetFields('username', true, 'regex', 'You did not enter a valid username.', array('regex' => USERNAME_REGEX));
-  $Validate->SetFields('password', '1', 'string', 'You entered an invalid password.', array('minlength' => '6', 'maxlength' => '307200'));
-
-  list($Attempts, $Banned) = $Cache->get_value('login_attempts_'.db_string($_SERVER['REMOTE_ADDR']));
-
-  // Function to log a user's login attempt
-  function log_attempt() {
-    global $Cache, $Attempts;
-    $Attempts = ($Attempts ?? 0) + 1;
-    $Cache->cache_value('login_attempts_'.db_string($_SERVER['REMOTE_ADDR']), array($Attempts, ($Attempts > 5)), 60*60*$Attempts);
-    $AllAttempts = $Cache->get_value('login_attempts');
-    $AllAttempts[$_SERVER['REMOTE_ADDR']] = time()+(60*60*$Attempts);
-    foreach($AllAttempts as $IP => $Time) {
-      if ($Time < time()) { unset($AllAttempts[$IP]); }
-    }
-    $Cache->cache_value('login_attempts', $AllAttempts, 0);
-  }
-
-  // If user has submitted form
-  if (isset($_POST['username']) && !empty($_POST['username']) && isset($_POST['password']) && !empty($_POST['password'])) {
-    if ($Banned) {
-      header("Location: login.php");
-      die();
+    $Validate->SetFields('username', true, 'regex', 'You did not enter a valid username', array('regex' => USERNAME_REGEX));
+    $Validate->SetFields('password', '1', 'string', 'You entered an invalid password', array('minlength' => '6', 'maxlength' => '307200'));
+
+    list($Attempts, $Banned) = $Cache->get_value('login_attempts_'.db_string($_SERVER['REMOTE_ADDR']));
+
+    // Function to log a user's login attempt
+    function log_attempt()
+    {
+        global $Cache, $Attempts;
+        $Attempts = ($Attempts ?? 0) + 1;
+        $Cache->cache_value('login_attempts_'.db_string($_SERVER['REMOTE_ADDR']), array($Attempts, ($Attempts > 5)), 60*60*$Attempts);
+        $AllAttempts = $Cache->get_value('login_attempts');
+        $AllAttempts[$_SERVER['REMOTE_ADDR']] = time()+(60*60*$Attempts);
+        foreach ($AllAttempts as $IP => $Time) {
+            if ($Time < time()) {
+                unset($AllAttempts[$IP]);
+            }
+        }
+        $Cache->cache_value('login_attempts', $AllAttempts, 0);
     }
-    $Err = $Validate->ValidateForm($_POST);
 
-    if (!$Err) {
-      // Passes preliminary validation (username and password "look right")
-      $DB->query("
-        SELECT
-          ID,
-          PermissionID,
-          CustomPermissions,
-          PassHash,
-          TwoFactor,
-          Enabled
-        FROM users_main
-        WHERE Username = ?
-          AND Username != ''", $_POST['username']);
-      list($UserID, $PermissionID, $CustomPermissions, $PassHash, $TwoFactor, $Enabled) = $DB->next_record(MYSQLI_NUM, array(2));
-      if (!$Banned) {
-        if ($UserID && Users::check_password($_POST['password'], $PassHash)) {
-          // Update hash if better algorithm available
-          if (password_needs_rehash($PassHash, PASSWORD_DEFAULT)) {
+    // If user has submitted form
+    if (isset($_POST['username']) && !empty($_POST['username']) && isset($_POST['password']) && !empty($_POST['password'])) {
+        if ($Banned) {
+            header("Location: login.php");
+            die();
+        }
+        $Err = $Validate->ValidateForm($_POST);
+
+        if (!$Err) {
+            // Passes preliminary validation (username and password "look right")
             $DB->query("
-              UPDATE users_main
-              SET PassHash = ?
-              WHERE Username = ?", make_sec_hash($_POST['password']), $_POST['username']);
-          }
+            SELECT
+              ID,
+              PermissionID,
+              CustomPermissions,
+              PassHash,
+              TwoFactor,
+              Enabled
+            FROM users_main
+              WHERE Username = ?
+              AND Username != ''", $_POST['username']);
+            list($UserID, $PermissionID, $CustomPermissions, $PassHash, $TwoFactor, $Enabled) = $DB->next_record(MYSQLI_NUM, array(2));
+            if (!$Banned) {
+                if ($UserID && Users::check_password($_POST['password'], $PassHash)) {
+                    // Update hash if better algorithm available
+                    if (password_needs_rehash($PassHash, PASSWORD_DEFAULT)) {
+                        $DB->query("
+                        UPDATE users_main
+                        SET PassHash = ?
+                          WHERE Username = ?", make_sec_hash($_POST['password']), $_POST['username']);
+                    }
 
-          if (empty($TwoFactor) || $TwoFA->verifyCode($TwoFactor, $_POST['twofa'])) {
-            # todo: Make sure the type is (int)
-            if ($Enabled === '1') {
+                    if (empty($TwoFactor) || $TwoFA->verifyCode($TwoFactor, $_POST['twofa'])) {
+                        # todo: Make sure the type is (int)
+                        if ($Enabled === '1') {
 
               // Check if the current login attempt is from a location previously logged in from
-              if (apcu_exists('DBKEY')) {
-                $DB->query("
-                  SELECT IP
-                  FROM users_history_ips
-                  WHERE UserID = ?", $UserID);
-                $IPs = $DB->to_array(false, MYSQLI_NUM);
-                $QueryParts = [];
-                foreach ($IPs as $i => $IP) {
-                  $IPs[$i] = Crypto::decrypt($IP[0]);
-                }
-                $IPs = array_unique($IPs);
-                if (count($IPs) > 0) { // Always allow first login
-                  foreach ($IPs as $IP) {
-                    $QueryParts[] = "(StartIP<=INET6_ATON('$IP') AND EndIP>=INET6_ATON('$IP'))";
-                  }
-                  $DB->query('SELECT ASN FROM geoip_asn WHERE '.implode(' OR ', $QueryParts));
-                  $PastASNs = array_column($DB->to_array(false, MYSQLI_NUM), 0);
-                  $DB->query("SELECT ASN FROM geoip_asn WHERE StartIP<=INET6_ATON('$_SERVER[REMOTE_ADDR]') AND EndIP>=INET6_ATON('$_SERVER[REMOTE_ADDR]')");
-                  list($CurrentASN) = $DB->next_record();
-
-                  // If FEATURE_ENFORCE_LOCATIONS is enabled, require users to confirm new logins
-                  if (!in_array($CurrentASN, $PastASNs) && FEATURE_ENFORCE_LOCATIONS) {
-                    // Never logged in from this location before
-                    if ($Cache->get_value('new_location_'.$UserID.'_'.$CurrentASN) !== true) {
-                      $DB->query("
-                        SELECT
-                          UserName,
-                          Email
-                        FROM users_main
-                        WHERE ID = ?", $UserID);
-                      list($Username, $Email) = $DB->next_record();
-                      Users::auth_location($UserID, $Username, $CurrentASN, Crypto::decrypt($Email));
-                      require('newlocation.php');
-                      die();
-                    }
-                  }
-                }
-              }
-
-              $U2FRegs = [];
-              $DB->query("
-                SELECT KeyHandle, PublicKey, Certificate, Counter, Valid
-                FROM u2f
-                WHERE UserID = ?", $UserID);
-              // Needs to be an array of objects, so we can't use to_array()
-              while (list($KeyHandle, $PublicKey, $Certificate, $Counter, $Valid) = $DB->next_record()) {
-                $U2FRegs[] = (object)['keyHandle'=>$KeyHandle, 'publicKey'=>$PublicKey, 'certificate'=>$Certificate, 'counter'=>$Counter, 'valid'=>$Valid];
-              }
-
-              if (sizeof($U2FRegs) > 0) {
-                // U2F is enabled for this account
-                if (isset($_POST['u2f-request']) && isset($_POST['u2f-response'])) {
-                  // Data from the U2F login page is present. Verify it.
-                  try {
-                    $U2FReg = $U2F->doAuthenticate(json_decode($_POST['u2f-request']), $U2FRegs, json_decode($_POST['u2f-response']));
-                    if ($U2FReg->valid != '1') throw new Exception('Token disabled.');
-                    $DB->query("UPDATE u2f
+                            if (apcu_exists('DBKEY')) {
+                                $DB->query("
+                                SELECT IP
+                                FROM users_history_ips
+                                  WHERE UserID = ?", $UserID);
+                                $IPs = $DB->to_array(false, MYSQLI_NUM);
+                                $QueryParts = [];
+                                foreach ($IPs as $i => $IP) {
+                                    $IPs[$i] = Crypto::decrypt($IP[0]);
+                                }
+                                $IPs = array_unique($IPs);
+                                if (count($IPs) > 0) { // Always allow first login
+                                    foreach ($IPs as $IP) {
+                                        $QueryParts[] = "(StartIP<=INET6_ATON('$IP') AND EndIP>=INET6_ATON('$IP'))";
+                                    }
+                                    $DB->query('SELECT ASN FROM geoip_asn WHERE '.implode(' OR ', $QueryParts));
+                                    $PastASNs = array_column($DB->to_array(false, MYSQLI_NUM), 0);
+                                    $DB->query("SELECT ASN FROM geoip_asn WHERE StartIP<=INET6_ATON('$_SERVER[REMOTE_ADDR]') AND EndIP>=INET6_ATON('$_SERVER[REMOTE_ADDR]')");
+                                    list($CurrentASN) = $DB->next_record();
+
+                                    // If FEATURE_ENFORCE_LOCATIONS is enabled, require users to confirm new logins
+                                    if (!in_array($CurrentASN, $PastASNs) && FEATURE_ENFORCE_LOCATIONS) {
+                                        // Never logged in from this location before
+                                        if ($Cache->get_value('new_location_'.$UserID.'_'.$CurrentASN) !== true) {
+                                            $DB->query("
+                                            SELECT
+                                              UserName,
+                                              Email
+                                            FROM users_main
+                                              WHERE ID = ?", $UserID);
+                                            list($Username, $Email) = $DB->next_record();
+                                            Users::auth_location($UserID, $Username, $CurrentASN, Crypto::decrypt($Email));
+                                            require('newlocation.php');
+                                            die();
+                                        }
+                                    }
+                                }
+                            }
+
+                            $U2FRegs = [];
+                            $DB->query("
+                            SELECT KeyHandle, PublicKey, Certificate, Counter, Valid
+                            FROM u2f
+                              WHERE UserID = ?", $UserID);
+                            // Needs to be an array of objects, so we can't use to_array()
+                            while (list($KeyHandle, $PublicKey, $Certificate, $Counter, $Valid) = $DB->next_record()) {
+                                $U2FRegs[] = (object)['keyHandle'=>$KeyHandle, 'publicKey'=>$PublicKey, 'certificate'=>$Certificate, 'counter'=>$Counter, 'valid'=>$Valid];
+                            }
+
+                            if (sizeof($U2FRegs) > 0) {
+                                // U2F is enabled for this account
+                                if (isset($_POST['u2f-request']) && isset($_POST['u2f-response'])) {
+                                    // Data from the U2F login page is present. Verify it.
+                                    try {
+                                        $U2FReg = $U2F->doAuthenticate(json_decode($_POST['u2f-request']), $U2FRegs, json_decode($_POST['u2f-response']));
+                                        if ($U2FReg->valid != '1') {
+                                            throw new Exception('Token disabled.');
+                                        }
+                                        $DB->query(
+                                            "UPDATE u2f
                                 SET Counter = ?
                                 WHERE KeyHandle = ?
                                 AND UserID = ?",
-                      $U2FReg->counter, $U2FReg->keyHandle, $UserID);
-                  } catch (Exception $e) {
-                    $U2FErr = 'U2F key invalid. Error: '.($e->getMessage());
-                    if ($e->getMessage() == 'Token disabled.') {
-                      $U2FErr = 'This token was disabled due to suspected cloning. Contact staff for assistance';
-                    }
-                    if ($e->getMessage() == 'Counter too low.') {
-                      $BadHandle = json_decode($_POST['u2f-response'], true)['keyHandle'];
-                      $DB->query("UPDATE u2f
+                                            $U2FReg->counter,
+                                            $U2FReg->keyHandle,
+                                            $UserID
+                                        );
+                                    } catch (Exception $e) {
+                                        $U2FErr = 'U2F key invalid. Error: '.($e->getMessage());
+                                        if ($e->getMessage() == 'Token disabled.') {
+                                            $U2FErr = 'This token was disabled due to suspected cloning. Contact staff for assistance';
+                                        }
+                                        if ($e->getMessage() == 'Counter too low.') {
+                                            $BadHandle = json_decode($_POST['u2f-response'], true)['keyHandle'];
+                                            $DB->query("UPDATE u2f
                                   SET Valid = '0'
                                   WHERE KeyHandle = ?
                                   AND UserID = ?", $BadHandle, $UserID);
-                      $U2FErr = 'U2F counter too low. This token has been disabled due to suspected cloning. Contact staff for assistance.';
-                    }
-                  }
-                } else {
-                  // Data from the U2F login page is not present. Go there
-                  require('u2f.php');
-                  die();
-                }
-              }
-
-              if (sizeof($U2FRegs) == 0 || !isset($U2FErr)) {
-                $SessionID = Users::make_secret(64);
-                setcookie('session', $SessionID, (time()+60*60*24*365), '/', '', true, true);
-                setcookie('userid', $UserID, (time()+60*60*24*365), '/', '', true, true);
-
-                // Because we <3 our staff
-                $Permissions = Permissions::get_permissions($PermissionID);
-                $CustomPermissions = unserialize($CustomPermissions);
-                if (isset($Permissions['Permissions']['site_disable_ip_history'])
-                  || isset($CustomPermissions['site_disable_ip_history'])
+                                            $U2FErr = 'U2F counter too low. This token has been disabled due to suspected cloning. Contact staff for assistance';
+                                        }
+                                    }
+                                } else {
+                                    // Data from the U2F login page is not present. Go there
+                                    require('u2f.php');
+                                    die();
+                                }
+                            }
+
+                            if (sizeof($U2FRegs) == 0 || !isset($U2FErr)) {
+                                $SessionID = Users::make_secret(64);
+                                setcookie('session', $SessionID, (time()+60*60*24*365), '/', '', true, true);
+                                setcookie('userid', $UserID, (time()+60*60*24*365), '/', '', true, true);
+
+                                // Because we <3 our staff
+                                $Permissions = Permissions::get_permissions($PermissionID);
+                                $CustomPermissions = unserialize($CustomPermissions);
+                                if (isset($Permissions['Permissions']['site_disable_ip_history'])
+                                 || isset($CustomPermissions['site_disable_ip_history'])
                 ) {
-                  $_SERVER['REMOTE_ADDR'] = '127.0.0.1';
-                }
-
-                $DB->query("
-                  INSERT INTO users_sessions
-                    (UserID, SessionID, KeepLogged, Browser, OperatingSystem, IP, LastUpdate, FullUA)
-                  VALUES
-                    ('$UserID', '".db_string($SessionID)."', '1', '$Browser', '$OperatingSystem', '".db_string(apcu_exists('DBKEY')?Crypto::encrypt($_SERVER['REMOTE_ADDR']):'0.0.0.0')."', NOW(), '".db_string($_SERVER['HTTP_USER_AGENT'])."')");
-
-                $Cache->begin_transaction("users_sessions_$UserID");
-                $Cache->insert_front($SessionID, [
-                  'SessionID' => $SessionID,
-                  'Browser' => $Browser,
-                  'OperatingSystem' => $OperatingSystem,
-                  'IP' => (apcu_exists('DBKEY')?Crypto::encrypt($_SERVER['REMOTE_ADDR']):'0.0.0.0'),
-                  'LastUpdate' => sqltime()
-                ]);
-                $Cache->commit_transaction(0);
-
-                $Sql = "
-                  UPDATE users_main
-                  SET
-                    LastLogin = NOW(),
-                    LastAccess = NOW()
-                  WHERE ID = '".db_string($UserID)."'";
-
-                $DB->query($Sql);
-
-                if (!empty($_COOKIE['redirect'])) {
-                  $URL = $_COOKIE['redirect'];
-                  setcookie('redirect', '', time() - 60 * 60 * 24, '/', '', false);
-                  header("Location: $URL");
-                  die();
+                                    $_SERVER['REMOTE_ADDR'] = '127.0.0.1';
+                                }
+
+                                $DB->query("
+                                INSERT INTO users_sessions
+                                  (UserID, SessionID, KeepLogged, Browser, OperatingSystem, IP, LastUpdate, FullUA)
+                                VALUES
+                                  ('$UserID', '".db_string($SessionID)."', '1', '$Browser', '$OperatingSystem', '".db_string(apcu_exists('DBKEY')?Crypto::encrypt($_SERVER['REMOTE_ADDR']):'0.0.0.0')."', NOW(), '".db_string($_SERVER['HTTP_USER_AGENT'])."')");
+
+                                $Cache->begin_transaction("users_sessions_$UserID");
+                                $Cache->insert_front($SessionID, [
+                                  'SessionID' => $SessionID,
+                                  'Browser' => $Browser,
+                                  'OperatingSystem' => $OperatingSystem,
+                                  'IP' => (apcu_exists('DBKEY')?Crypto::encrypt($_SERVER['REMOTE_ADDR']):'0.0.0.0'),
+                                  'LastUpdate' => sqltime()
+                                ]);
+                                $Cache->commit_transaction(0);
+
+                                $Sql = "
+                                UPDATE users_main
+                                SET
+                                  LastLogin = NOW(),
+                                  LastAccess = NOW()
+                                  WHERE ID = '".db_string($UserID)."'";
+
+                                $DB->query($Sql);
+
+                                if (!empty($_COOKIE['redirect'])) {
+                                    $URL = $_COOKIE['redirect'];
+                                    setcookie('redirect', '', time() - 60 * 60 * 24, '/', '', false);
+                                    header("Location: $URL");
+                                    die();
+                                } else {
+                                    header('Location: index.php');
+                                    die();
+                                }
+                            } else {
+                                log_attempt();
+                                $Err = $U2FErr;
+                                setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);
+                            }
+                        } else {
+                            log_attempt();
+                            if ($Enabled == 2) {
+
+                                // Save the username in a cookie for the disabled page
+                                setcookie('username', db_string($_POST['username']), time() + 60 * 60, '/', '', false);
+                                header('Location: login.php?action=disabled');
+                            # todo: Make sure the type is (int)
+                            } elseif ($Enabled === '0') {
+                                $Err = 'Your account has not been confirmed. Please check your email, including the spam folder';
+                            }
+                            setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);
+                        }
+                    } else {
+                        log_attempt();
+                        $Err = 'Two-factor authentication failed';
+                        setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);
+                    }
                 } else {
-                  header('Location: index.php');
-                  die();
+                    log_attempt();
+                    $Err = 'Your username or password was incorrect';
+                    setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);
                 }
-              } else {
+            } else {
                 log_attempt();
-                $Err = $U2FErr;
                 setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);
-              }
-            } else {
-              log_attempt();
-              if ($Enabled == 2) {
-
-                // Save the username in a cookie for the disabled page
-                setcookie('username', db_string($_POST['username']), time() + 60 * 60, '/', '', false);
-                header('Location: login.php?action=disabled');
-                # todo: Make sure the type is (int)
-              } elseif ($Enabled === '0') {
-                $Err = 'Your account has not been confirmed.<br />Please check your email.';
-              }
-              setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);
             }
-          } else {
+        } else {
             log_attempt();
-            $Err = 'Two-factor authentication failed.';
             setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);
-          }
-        } else {
-          log_attempt();
-          $Err = 'Your username or password was incorrect.';
-          setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);
         }
-
-      } else {
-        log_attempt();
-        setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);
-      }
-
-    } else {
-      log_attempt();
-      setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);
     }
-  }
-  require('sections/login/login.php');
+    require('sections/login/login.php');
 }

sections/login/recover_step1.php

@@ -1,39 +1,40 @@
 <?php
+
 View::show_header('Recover Password', 'validate');
 echo $Validate->GenerateJS('recoverform');
 ?>
 <form class="auth_form" name="recovery" id="recoverform" method="post" action="" onsubmit="return formVal();">
   <div style="width: 250px;">
     <p class="titletext"><strong>Reset Your Password</strong></p>
-<?php
+    <?php
 if (empty($Sent) || (!empty($Sent) && $Sent != 1)) {
     if (!empty($Err)) {
         ?>
     <strong class="important_text"><?=$Err ?></strong>
-<?php
+    <?php
     } ?>
-    <p>An email will be sent to your email address with information on how to reset your password.</p>
+    <p>An email will be sent to your email address with information on how to reset your password. Please remember to
+      check your spam folder.</p>
     <table class="layout" cellpadding="2" cellspacing="1" border="0" align="center">
       <tr valign="center">
         <!-- <td align="right"><strong>Email Address&nbsp;</strong></td> -->
         <td align="left">
-        <input type="email" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" name="email"
-          id="email" class="inputtext" required="required" maxlength="50"
-          autofocus="autofocus" placeholder="Email" size="40"
-          autocomplete="email" />
-      </td>
+          <input type="email" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" name="email"
+            id="email" class="inputtext" required="required" maxlength="50" autofocus="autofocus" placeholder="Email"
+            size="40" autocomplete="email" />
+        </td>
       </tr>
       <tr>
         <td colspan="2" align="right"><input type="submit" name="reset" value="Reset" class="submit" /></td>
       </tr>
     </table>
-<?php
+    <?php
 } else { ?>
-  <p>An email has been sent to you. Please follow the directions to reset your password.</p>
-<?php
+    <p>An email has been sent to you. Please follow the directions to reset your password and remember to check your
+      spam folder.</p>
+    <?php
 } ?>
   </div>
 </form>
 <?php
 View::show_footer(['recover' => true]);
-?>