Context Navigation

source: trunk/password.php @ 25635

Last change on this file since 25635 was 25018, checked in by mistic100, 11 years ago
remove all array_push (50% slower than []) + some changes missing for feature:2978
Property svn:eol-style set to `LF`
File size: 10.3 KB

Rev	Line
[866]	1	<?php
	2	// +-----------------------------------------------------------------------+
[8728]	3	// \| Piwigo - a PHP based photo gallery \|
[2297]	4	// +-----------------------------------------------------------------------+
[19703]	5	// \| Copyright(C) 2008-2013 Piwigo Team http://piwigo.org \|
[2297]	6	// \| Copyright(C) 2003-2008 PhpWebGallery Team http://phpwebgallery.net \|
	7	// \| Copyright(C) 2002-2003 Pierrick LE GALL http://le-gall.net/pierrick \|
	8	// +-----------------------------------------------------------------------+
	9	// \| This program is free software; you can redistribute it and/or modify \|
	10	// \| it under the terms of the GNU General Public License as published by \|
	11	// \| the Free Software Foundation \|
	12	// \| \|
	13	// \| This program is distributed in the hope that it will be useful, but \|
	14	// \| WITHOUT ANY WARRANTY; without even the implied warranty of \|
	15	// \| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU \|
	16	// \| General Public License for more details. \|
	17	// \| \|
	18	// \| You should have received a copy of the GNU General Public License \|
	19	// \| along with this program; if not, write to the Free Software \|
	20	// \| Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, \|
	21	// \| USA. \|
	22	// +-----------------------------------------------------------------------+
[866]	23
	24	// +-----------------------------------------------------------------------+
	25	// \| initialization \|
	26	// +-----------------------------------------------------------------------+
	27
	28	define('PHPWG_ROOT_PATH','./');
	29	include_once( PHPWG_ROOT_PATH.'include/common.inc.php' );
[1018]	30	include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
[866]	31
	32	// +-----------------------------------------------------------------------+
[1851]	33	// \| Check Access and exit when user status is not ok \|
	34	// +-----------------------------------------------------------------------+
[11992]	35
[2325]	36	check_status(ACCESS_FREE);
[1851]	37
[18063]	38	trigger_action('loc_begin_password');
	39
[1851]	40	// +-----------------------------------------------------------------------+
[11992]	41	// \| Functions \|
[866]	42	// +-----------------------------------------------------------------------+
	43
[11992]	44	/**
	45	* checks the validity of input parameters, fills $page['errors'] and
	46	* $page['infos'] and send an email with confirmation link
	47	*
	48	* @return bool (true if email was sent, false otherwise)
	49	*/
	50	function process_password_request()
[866]	51	{
[11992]	52	global $page, $conf;
	53
	54	if (empty($_POST['username_or_email']))
	55	{
[25018]	56	$page['errors'][] = l10n('Invalid username or email');
[11992]	57	return false;
	58	}
	59
	60	$user_id = get_userid_by_email($_POST['username_or_email']);
	61
	62	if (!is_numeric($user_id))
	63	{
	64	$user_id = get_userid($_POST['username_or_email']);
	65	}
[866]	66
[11992]	67	if (!is_numeric($user_id))
[866]	68	{
[25018]	69	$page['errors'][] = l10n('Invalid username or email');
[11992]	70	return false;
[866]	71	}
[11992]	72
	73	$userdata = getuserdata($user_id, false);
	74
	75	// password request is not possible for guest/generic users
	76	$status = $userdata['status'];
	77	if (is_a_guest($status) or is_generic($status))
[866]	78	{
[25018]	79	$page['errors'][] = l10n('Password reset is not allowed for this user');
[11992]	80	return false;
	81	}
	82
	83	if (empty($userdata['email']))
	84	{
[25018]	85	$page['errors'][] = l10n(
	86	'User "%s" has no email address, password reset is not possible',
	87	$userdata['username']
[11992]	88	);
	89	return false;
	90	}
	91
	92	if (empty($userdata['activation_key']))
	93	{
	94	$activation_key = get_user_activation_key();
	95
	96	single_update(
	97	USER_INFOS_TABLE,
	98	array('activation_key' => $activation_key),
	99	array('user_id' => $user_id)
	100	);
	101
	102	$userdata['activation_key'] = $activation_key;
	103	}
	104
	105	set_make_full_url();
	106
	107	$message = l10n('Someone requested that the password be reset for the following user account:') . "\r\n\r\n";
[25005]	108	$message.= l10n(
	109	'Username "%s" on gallery %s',
[11992]	110	$userdata['username'],
	111	get_gallery_home_url()
	112	);
	113	$message.= "\r\n\r\n";
	114	$message.= l10n('To reset your password, visit the following address:') . "\r\n";
	115	$message.= get_gallery_home_url().'/password.php?key='.$userdata['activation_key']."\r\n\r\n";
	116	$message.= l10n('If this was a mistake, just ignore this email and nothing will happen.')."\r\n";
	117
	118	unset_make_full_url();
	119
	120	$message = trigger_event('render_lost_password_mail_content', $message);
	121
	122	$email_params = array(
	123	'subject' => '['.$conf['gallery_title'].'] '.l10n('Password Reset'),
	124	'content' => $message,
	125	'email_format' => 'text/plain',
	126	);
	127
	128	if (pwg_mail($userdata['email'], $email_params))
	129	{
[25018]	130	$page['infos'][] = l10n('Check your email for the confirmation link');
[11992]	131	return true;
	132	}
	133	else
	134	{
[25018]	135	$page['errors'][] = l10n('Error sending email');
[11992]	136	return false;
	137	}
	138	}
	139
	140	/**
	141	* checks the activation key: does it match the expected pattern? is it
	142	* linked to a user? is this user allowed to reset his password?
	143	*
	144	* @return mixed (user_id if OK, false otherwise)
	145	*/
	146	function check_password_reset_key($key)
	147	{
	148	global $page;
	149
	150	if (!preg_match('/^[a-z0-9]{20}$/i', $key))
	151	{
[25018]	152	$page['errors'][] = l10n('Invalid key');
[11992]	153	return false;
	154	}
	155
	156	$query = '
	157	SELECT
	158	user_id,
	159	status
	160	FROM '.USER_INFOS_TABLE.'
	161	WHERE activation_key = \''.$key.'\'
[866]	162	;';
[11992]	163	$result = pwg_query($query);
[866]	164
[11992]	165	if (pwg_db_num_rows($result) == 0)
	166	{
[25018]	167	$page['errors'][] = l10n('Invalid key');
[11992]	168	return false;
	169	}
	170
	171	$userdata = pwg_db_fetch_assoc($result);
	172
	173	if (is_a_guest($userdata['status']) or is_generic($userdata['status']))
	174	{
[25018]	175	$page['errors'][] = l10n('Password reset is not allowed for this user');
[11992]	176	return false;
	177	}
	178
	179	return $userdata['user_id'];
	180	}
	181
	182	/**
	183	* checks the passwords, checks that user is allowed to reset his password,
	184	* update password, fills $page['errors'] and $page['infos'].
	185	*
	186	* @return bool (true if password was reset, false otherwise)
	187	*/
	188	function reset_password()
	189	{
	190	global $page, $user, $conf;
	191
	192	if ($_POST['use_new_pwd'] != $_POST['passwordConf'])
	193	{
[25018]	194	$page['errors'][] = l10n('The passwords do not match');
[11992]	195	return false;
	196	}
	197
	198	if (isset($_GET['key']))
	199	{
	200	$user_id = check_password_reset_key($_GET['key']);
	201	if (!is_numeric($user_id))
[866]	202	{
[25018]	203	$page['errors'][] = l10n('Invalid key');
[11992]	204	return false;
	205	}
	206	}
	207	else
	208	{
	209	// we check the currently logged in user
	210	if (is_a_guest() or is_generic())
	211	{
[25018]	212	$page['errors'][] = l10n('Password reset is not allowed for this user');
[11992]	213	return false;
	214	}
[866]	215
[11992]	216	$user_id = $user['id'];
	217	}
	218
	219	single_update(
	220	USERS_TABLE,
[18889]	221	array($conf['user_fields']['password'] => $conf['password_hash']($_POST['use_new_pwd'])),
[11992]	222	array($conf['user_fields']['id'] => $user_id)
	223	);
[866]	224
[25018]	225	$page['infos'][] = l10n('Your password has been reset');
[9169]	226
[11992]	227	if (isset($_GET['key']))
	228	{
[25018]	229	$page['infos'][] = '<a href="'.get_root_url().'identification.php">'.l10n('Login').'</a>';
[11992]	230	}
	231	else
	232	{
[25018]	233	$page['infos'][] = '<a href="'.get_gallery_home_url().'">'.l10n('Return to home page').'</a>';
[11992]	234	}
[866]	235
[11992]	236	return true;
	237	}
[866]	238
[11992]	239	// +-----------------------------------------------------------------------+
	240	// \| Process form \|
	241	// +-----------------------------------------------------------------------+
	242	if (isset($_POST['submit']))
	243	{
	244	check_pwg_token();
	245
	246	if ('lost' == $_GET['action'])
	247	{
	248	if (process_password_request())
	249	{
	250	$page['action'] = 'none';
[866]	251	}
[11992]	252	}
	253
	254	if ('reset' == $_GET['action'])
	255	{
	256	if (reset_password())
[866]	257	{
[11992]	258	$page['action'] = 'none';
[866]	259	}
	260	}
	261	}
	262
	263	// +-----------------------------------------------------------------------+
[11992]	264	// \| key and action \|
[866]	265	// +-----------------------------------------------------------------------+
	266
[11992]	267	// a connected user can't reset the password from a mail
	268	if (isset($_GET['key']) and !is_a_guest())
	269	{
	270	unset($_GET['key']);
	271	}
	272
	273	if (isset($_GET['key']))
	274	{
	275	$user_id = check_password_reset_key($_GET['key']);
	276	if (is_numeric($user_id))
	277	{
	278	$userdata = getuserdata($user_id, false);
	279	$page['username'] = $userdata['username'];
	280	$template->assign('key', $_GET['key']);
	281
	282	if (!isset($page['action']))
	283	{
	284	$page['action'] = 'reset';
	285	}
	286	}
	287	else
	288	{
	289	$page['action'] = 'none';
	290	}
	291	}
	292
	293	if (!isset($page['action']))
	294	{
	295	if (!isset($_GET['action']))
	296	{
	297	$page['action'] = 'lost';
	298	}
	299	elseif (in_array($_GET['action'], array('lost', 'reset', 'none')))
	300	{
	301	$page['action'] = $_GET['action'];
	302	}
	303	}
	304
	305	if ('reset' == $page['action'] and !isset($_GET['key']) and (is_a_guest() or is_generic()))
	306	{
	307	redirect(get_gallery_home_url());
	308	}
	309
	310	if ('lost' == $page['action'] and !is_a_guest())
	311	{
	312	redirect(get_gallery_home_url());
	313	}
	314
	315	// +-----------------------------------------------------------------------+
	316	// \| template initialization \|
	317	// +-----------------------------------------------------------------------+
	318
[12672]	319	$title = l10n('Password Reset');
[11992]	320	if ('lost' == $page['action'])
	321	{
	322	$title = l10n('Forgot your password?');
	323
	324	if (isset($_POST['username_or_email']))
	325	{
[18700]	326	$template->assign('username_or_email', htmlspecialchars(stripslashes($_POST['username_or_email'])));
[11992]	327	}
	328	}
	329
[866]	330	$page['body_id'] = 'thePasswordPage';
[2223]	331
[866]	332	$template->set_filenames(array('password'=>'password.tpl'));
[11992]	333	$template->assign(
	334	array(
	335	'title' => $title,
	336	'form_action'=> get_root_url().'password.php',
	337	'action' => $page['action'],
	338	'username' => isset($page['username']) ? $page['username'] : $user['username'],
	339	'PWG_TOKEN' => get_pwg_token(),
[866]	340	)
	341	);
[11992]	342
	343
[10812]	344	// include menubar
	345	$themeconf = $template->get_template_vars('themeconf');
[10824]	346	if (!isset($themeconf['hide_menu_on']) OR !in_array('thePasswordPage', $themeconf['hide_menu_on']))
[10812]	347	{
	348	include( PHPWG_ROOT_PATH.'include/menubar.inc.php');
	349	}
	350
[866]	351	// +-----------------------------------------------------------------------+
	352	// \| html code display \|
	353	// +-----------------------------------------------------------------------+
[11992]	354
[2223]	355	include(PHPWG_ROOT_PATH.'include/page_header.php');
[18063]	356	trigger_action('loc_end_password');
[20609]	357	flush_page_messages();
[2223]	358	$template->pparse('password');
[866]	359	include(PHPWG_ROOT_PATH.'include/page_tail.php');
	360
[1903]	361	?>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: