source: trunk/password.php @ 19874

Last change on this file since 19874 was 19703, checked in by plg, 11 years ago

update Piwigo headers to 2013 (the end of the world didn't occur as expected on r12922)

  • Property svn:eol-style set to LF
File size: 10.5 KB
Line 
1<?php
2// +-----------------------------------------------------------------------+
3// | Piwigo - a PHP based photo gallery                                    |
4// +-----------------------------------------------------------------------+
5// | Copyright(C) 2008-2013 Piwigo Team                  http://piwigo.org |
6// | Copyright(C) 2003-2008 PhpWebGallery Team    http://phpwebgallery.net |
7// | Copyright(C) 2002-2003 Pierrick LE GALL   http://le-gall.net/pierrick |
8// +-----------------------------------------------------------------------+
9// | This program is free software; you can redistribute it and/or modify  |
10// | it under the terms of the GNU General Public License as published by  |
11// | the Free Software Foundation                                          |
12// |                                                                       |
13// | This program is distributed in the hope that it will be useful, but   |
14// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
15// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
16// | General Public License for more details.                              |
17// |                                                                       |
18// | You should have received a copy of the GNU General Public License     |
19// | along with this program; if not, write to the Free Software           |
20// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
21// | USA.                                                                  |
22// +-----------------------------------------------------------------------+
23
24// +-----------------------------------------------------------------------+
25// |                           initialization                              |
26// +-----------------------------------------------------------------------+
27
28define('PHPWG_ROOT_PATH','./');
29include_once( PHPWG_ROOT_PATH.'include/common.inc.php' );
30include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
31
32// +-----------------------------------------------------------------------+
33// | Check Access and exit when user status is not ok                      |
34// +-----------------------------------------------------------------------+
35
36check_status(ACCESS_FREE);
37
38trigger_action('loc_begin_password');
39
40// +-----------------------------------------------------------------------+
41// | Functions                                                             |
42// +-----------------------------------------------------------------------+
43
44/**
45 * checks the validity of input parameters, fills $page['errors'] and
46 * $page['infos'] and send an email with confirmation link
47 *
48 * @return bool (true if email was sent, false otherwise)
49 */
50function process_password_request()
51{
52  global $page, $conf;
53 
54  if (empty($_POST['username_or_email']))
55  {
56    array_push($page['errors'], l10n('Invalid username or email'));
57    return false;
58  }
59 
60  $user_id = get_userid_by_email($_POST['username_or_email']);
61   
62  if (!is_numeric($user_id))
63  {
64    $user_id = get_userid($_POST['username_or_email']);
65  }
66
67  if (!is_numeric($user_id))
68  {
69    array_push($page['errors'], l10n('Invalid username or email'));
70    return false;
71  }
72
73  $userdata = getuserdata($user_id, false);
74
75  // password request is not possible for guest/generic users
76  $status = $userdata['status'];
77  if (is_a_guest($status) or is_generic($status))
78  {
79    array_push($page['errors'], l10n('Password reset is not allowed for this user'));
80    return false;
81  }
82
83  if (empty($userdata['email']))
84  {
85    array_push(
86      $page['errors'],
87      sprintf(
88        l10n('User "%s" has no email address, password reset is not possible'),
89        $userdata['username']
90        )
91      );
92    return false;
93  }
94
95  if (empty($userdata['activation_key']))
96  {
97    $activation_key = get_user_activation_key();
98
99    single_update(
100      USER_INFOS_TABLE,
101      array('activation_key' => $activation_key),
102      array('user_id' => $user_id)
103      );
104
105    $userdata['activation_key'] = $activation_key;
106  }
107
108  set_make_full_url();
109 
110  $message = l10n('Someone requested that the password be reset for the following user account:') . "\r\n\r\n";
111  $message.= sprintf(
112    l10n('Username "%s" on gallery %s'),
113    $userdata['username'],
114    get_gallery_home_url()
115    );
116  $message.= "\r\n\r\n";
117  $message.= l10n('To reset your password, visit the following address:') . "\r\n";
118  $message.= get_gallery_home_url().'/password.php?key='.$userdata['activation_key']."\r\n\r\n";
119  $message.= l10n('If this was a mistake, just ignore this email and nothing will happen.')."\r\n";
120
121  unset_make_full_url();
122
123  $message = trigger_event('render_lost_password_mail_content', $message);
124
125  $email_params = array(
126    'subject' => '['.$conf['gallery_title'].'] '.l10n('Password Reset'),
127    'content' => $message,
128    'email_format' => 'text/plain',
129    );
130
131  if (pwg_mail($userdata['email'], $email_params))
132  {
133    array_push($page['infos'], l10n('Check your email for the confirmation link'));
134    return true;
135  }
136  else
137  {
138    array_push($page['errors'], l10n('Error sending email'));
139    return false;
140  }
141}
142
143/**
144 *  checks the activation key: does it match the expected pattern? is it
145 *  linked to a user? is this user allowed to reset his password?
146 *
147 * @return mixed (user_id if OK, false otherwise)
148 */
149function check_password_reset_key($key)
150{
151  global $page;
152 
153  if (!preg_match('/^[a-z0-9]{20}$/i', $key))
154  {
155    array_push($page['errors'], l10n('Invalid key'));
156    return false;
157  }
158
159  $query = '
160SELECT
161    user_id,
162    status
163  FROM '.USER_INFOS_TABLE.'
164  WHERE activation_key = \''.$key.'\'
165;';
166  $result = pwg_query($query);
167
168  if (pwg_db_num_rows($result) == 0)
169  {
170    array_push($page['errors'], l10n('Invalid key'));
171    return false;
172  }
173 
174  $userdata = pwg_db_fetch_assoc($result);
175
176  if (is_a_guest($userdata['status']) or is_generic($userdata['status']))
177  {
178    array_push($page['errors'], l10n('Password reset is not allowed for this user'));
179    return false;
180  }
181
182  return $userdata['user_id'];
183}
184
185/**
186 * checks the passwords, checks that user is allowed to reset his password,
187 * update password, fills $page['errors'] and $page['infos'].
188 *
189 * @return bool (true if password was reset, false otherwise)
190 */
191function reset_password()
192{
193  global $page, $user, $conf;
194
195  if ($_POST['use_new_pwd'] != $_POST['passwordConf'])
196  {
197    array_push($page['errors'], l10n('The passwords do not match'));
198    return false;
199  }
200
201  if (isset($_GET['key']))
202  {
203    $user_id = check_password_reset_key($_GET['key']);
204    if (!is_numeric($user_id))
205    {
206      array_push($page['errors'], l10n('Invalid key'));
207      return false;
208    }
209  }
210  else
211  {
212    // we check the currently logged in user
213    if (is_a_guest() or is_generic())
214    {
215      array_push($page['errors'], l10n('Password reset is not allowed for this user'));
216      return false;
217    }
218
219    $user_id = $user['id'];
220  }
221   
222  single_update(
223    USERS_TABLE,
224    array($conf['user_fields']['password'] => $conf['password_hash']($_POST['use_new_pwd'])),
225    array($conf['user_fields']['id'] => $user_id)
226    );
227
228  array_push($page['infos'], l10n('Your password has been reset'));
229
230  if (isset($_GET['key']))
231  {
232    array_push($page['infos'], '<a href="'.get_root_url().'identification.php">'.l10n('Login').'</a>');
233  }
234  else
235  {
236    array_push($page['infos'], '<a href="'.get_gallery_home_url().'">'.l10n('Return to home page').'</a>');
237  }
238
239  return true;
240}
241
242// +-----------------------------------------------------------------------+
243// | Process form                                                          |
244// +-----------------------------------------------------------------------+
245if (isset($_POST['submit']))
246{
247  check_pwg_token();
248 
249  if ('lost' == $_GET['action'])
250  {
251    if (process_password_request())
252    {
253      $page['action'] = 'none';
254    }
255  }
256
257  if ('reset' == $_GET['action'])
258  {
259    if (reset_password())
260    {
261      $page['action'] = 'none';
262    }
263  }
264}
265
266// +-----------------------------------------------------------------------+
267// | key and action                                                        |
268// +-----------------------------------------------------------------------+
269
270// a connected user can't reset the password from a mail
271if (isset($_GET['key']) and !is_a_guest())
272{
273  unset($_GET['key']);
274}
275
276if (isset($_GET['key']))
277{
278  $user_id = check_password_reset_key($_GET['key']);
279  if (is_numeric($user_id))
280  {
281    $userdata = getuserdata($user_id, false);
282    $page['username'] = $userdata['username'];
283    $template->assign('key', $_GET['key']);
284
285    if (!isset($page['action']))
286    {
287      $page['action'] = 'reset';
288    }
289  }
290  else
291  {
292    $page['action'] = 'none';
293  }
294}
295
296if (!isset($page['action']))
297{
298  if (!isset($_GET['action']))
299  {
300    $page['action'] = 'lost';
301  }
302  elseif (in_array($_GET['action'], array('lost', 'reset', 'none')))
303  {
304    $page['action'] = $_GET['action'];
305  }
306}
307
308if ('reset' == $page['action'] and !isset($_GET['key']) and (is_a_guest() or is_generic()))
309{
310  redirect(get_gallery_home_url());
311}
312
313if ('lost' == $page['action'] and !is_a_guest())
314{
315  redirect(get_gallery_home_url());
316}
317
318// +-----------------------------------------------------------------------+
319// | template initialization                                               |
320// +-----------------------------------------------------------------------+
321
322$title = l10n('Password Reset');
323if ('lost' == $page['action'])
324{
325  $title = l10n('Forgot your password?');
326
327  if (isset($_POST['username_or_email']))
328  {
329    $template->assign('username_or_email', htmlspecialchars(stripslashes($_POST['username_or_email'])));
330  }
331}
332
333$page['body_id'] = 'thePasswordPage';
334
335$template->set_filenames(array('password'=>'password.tpl'));
336$template->assign(
337  array(
338    'title' => $title,
339    'form_action'=> get_root_url().'password.php',
340    'action' => $page['action'],
341    'username' => isset($page['username']) ? $page['username'] : $user['username'],
342    'PWG_TOKEN' => get_pwg_token(),
343    )
344  );
345
346
347// include menubar
348$themeconf = $template->get_template_vars('themeconf');
349if (!isset($themeconf['hide_menu_on']) OR !in_array('thePasswordPage', $themeconf['hide_menu_on']))
350{
351  include( PHPWG_ROOT_PATH.'include/menubar.inc.php');
352}
353
354// +-----------------------------------------------------------------------+
355// |                           html code display                           |
356// +-----------------------------------------------------------------------+
357
358include(PHPWG_ROOT_PATH.'include/page_header.php');
359trigger_action('loc_end_password');
360include(PHPWG_ROOT_PATH.'include/page_messages.php');
361$template->pparse('password');
362include(PHPWG_ROOT_PATH.'include/page_tail.php');
363
364?>
Note: See TracBrowser for help on using the repository browser.