source: trunk/password.php @ 27005

Last change on this file since 27005 was 26461, checked in by mistic100, 10 years ago

Update headers to 2014. Happy new year!!

  • Property svn:eol-style set to LF
File size: 10.3 KB
Line 
1<?php
2// +-----------------------------------------------------------------------+
3// | Piwigo - a PHP based photo gallery                                    |
4// +-----------------------------------------------------------------------+
5// | Copyright(C) 2008-2014 Piwigo Team                  http://piwigo.org |
6// | Copyright(C) 2003-2008 PhpWebGallery Team    http://phpwebgallery.net |
7// | Copyright(C) 2002-2003 Pierrick LE GALL   http://le-gall.net/pierrick |
8// +-----------------------------------------------------------------------+
9// | This program is free software; you can redistribute it and/or modify  |
10// | it under the terms of the GNU General Public License as published by  |
11// | the Free Software Foundation                                          |
12// |                                                                       |
13// | This program is distributed in the hope that it will be useful, but   |
14// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
15// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
16// | General Public License for more details.                              |
17// |                                                                       |
18// | You should have received a copy of the GNU General Public License     |
19// | along with this program; if not, write to the Free Software           |
20// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
21// | USA.                                                                  |
22// +-----------------------------------------------------------------------+
23
24// +-----------------------------------------------------------------------+
25// |                           initialization                              |
26// +-----------------------------------------------------------------------+
27
28define('PHPWG_ROOT_PATH','./');
29include_once( PHPWG_ROOT_PATH.'include/common.inc.php' );
30include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
31
32// +-----------------------------------------------------------------------+
33// | Check Access and exit when user status is not ok                      |
34// +-----------------------------------------------------------------------+
35
36check_status(ACCESS_FREE);
37
38trigger_action('loc_begin_password');
39
40// +-----------------------------------------------------------------------+
41// | Functions                                                             |
42// +-----------------------------------------------------------------------+
43
44/**
45 * checks the validity of input parameters, fills $page['errors'] and
46 * $page['infos'] and send an email with confirmation link
47 *
48 * @return bool (true if email was sent, false otherwise)
49 */
50function process_password_request()
51{
52  global $page, $conf;
53 
54  if (empty($_POST['username_or_email']))
55  {
56    $page['errors'][] = l10n('Invalid username or email');
57    return false;
58  }
59 
60  $user_id = get_userid_by_email($_POST['username_or_email']);
61   
62  if (!is_numeric($user_id))
63  {
64    $user_id = get_userid($_POST['username_or_email']);
65  }
66
67  if (!is_numeric($user_id))
68  {
69    $page['errors'][] = l10n('Invalid username or email');
70    return false;
71  }
72
73  $userdata = getuserdata($user_id, false);
74
75  // password request is not possible for guest/generic users
76  $status = $userdata['status'];
77  if (is_a_guest($status) or is_generic($status))
78  {
79    $page['errors'][] = l10n('Password reset is not allowed for this user');
80    return false;
81  }
82
83  if (empty($userdata['email']))
84  {
85    $page['errors'][] = l10n(
86      'User "%s" has no email address, password reset is not possible',
87      $userdata['username']
88      );
89    return false;
90  }
91
92  if (empty($userdata['activation_key']))
93  {
94    $activation_key = get_user_activation_key();
95
96    single_update(
97      USER_INFOS_TABLE,
98      array('activation_key' => $activation_key),
99      array('user_id' => $user_id)
100      );
101
102    $userdata['activation_key'] = $activation_key;
103  }
104
105  set_make_full_url();
106 
107  $message = l10n('Someone requested that the password be reset for the following user account:') . "\r\n\r\n";
108  $message.= l10n(
109    'Username "%s" on gallery %s',
110    $userdata['username'],
111    get_gallery_home_url()
112    );
113  $message.= "\r\n\r\n";
114  $message.= l10n('To reset your password, visit the following address:') . "\r\n";
115  $message.= get_gallery_home_url().'/password.php?key='.$userdata['activation_key']."\r\n\r\n";
116  $message.= l10n('If this was a mistake, just ignore this email and nothing will happen.')."\r\n";
117
118  unset_make_full_url();
119
120  $message = trigger_event('render_lost_password_mail_content', $message);
121
122  $email_params = array(
123    'subject' => '['.$conf['gallery_title'].'] '.l10n('Password Reset'),
124    'content' => $message,
125    'email_format' => 'text/plain',
126    );
127
128  if (pwg_mail($userdata['email'], $email_params))
129  {
130    $page['infos'][] = l10n('Check your email for the confirmation link');
131    return true;
132  }
133  else
134  {
135    $page['errors'][] = l10n('Error sending email');
136    return false;
137  }
138}
139
140/**
141 *  checks the activation key: does it match the expected pattern? is it
142 *  linked to a user? is this user allowed to reset his password?
143 *
144 * @return mixed (user_id if OK, false otherwise)
145 */
146function check_password_reset_key($key)
147{
148  global $page;
149 
150  if (!preg_match('/^[a-z0-9]{20}$/i', $key))
151  {
152    $page['errors'][] = l10n('Invalid key');
153    return false;
154  }
155
156  $query = '
157SELECT
158    user_id,
159    status
160  FROM '.USER_INFOS_TABLE.'
161  WHERE activation_key = \''.$key.'\'
162;';
163  $result = pwg_query($query);
164
165  if (pwg_db_num_rows($result) == 0)
166  {
167    $page['errors'][] = l10n('Invalid key');
168    return false;
169  }
170 
171  $userdata = pwg_db_fetch_assoc($result);
172
173  if (is_a_guest($userdata['status']) or is_generic($userdata['status']))
174  {
175    $page['errors'][] = l10n('Password reset is not allowed for this user');
176    return false;
177  }
178
179  return $userdata['user_id'];
180}
181
182/**
183 * checks the passwords, checks that user is allowed to reset his password,
184 * update password, fills $page['errors'] and $page['infos'].
185 *
186 * @return bool (true if password was reset, false otherwise)
187 */
188function reset_password()
189{
190  global $page, $user, $conf;
191
192  if ($_POST['use_new_pwd'] != $_POST['passwordConf'])
193  {
194    $page['errors'][] = l10n('The passwords do not match');
195    return false;
196  }
197
198  if (isset($_GET['key']))
199  {
200    $user_id = check_password_reset_key($_GET['key']);
201    if (!is_numeric($user_id))
202    {
203      $page['errors'][] = l10n('Invalid key');
204      return false;
205    }
206  }
207  else
208  {
209    // we check the currently logged in user
210    if (is_a_guest() or is_generic())
211    {
212      $page['errors'][] = l10n('Password reset is not allowed for this user');
213      return false;
214    }
215
216    $user_id = $user['id'];
217  }
218   
219  single_update(
220    USERS_TABLE,
221    array($conf['user_fields']['password'] => $conf['password_hash']($_POST['use_new_pwd'])),
222    array($conf['user_fields']['id'] => $user_id)
223    );
224
225  $page['infos'][] = l10n('Your password has been reset');
226
227  if (isset($_GET['key']))
228  {
229    $page['infos'][] = '<a href="'.get_root_url().'identification.php">'.l10n('Login').'</a>';
230  }
231  else
232  {
233    $page['infos'][] = '<a href="'.get_gallery_home_url().'">'.l10n('Return to home page').'</a>';
234  }
235
236  return true;
237}
238
239// +-----------------------------------------------------------------------+
240// | Process form                                                          |
241// +-----------------------------------------------------------------------+
242if (isset($_POST['submit']))
243{
244  check_pwg_token();
245 
246  if ('lost' == $_GET['action'])
247  {
248    if (process_password_request())
249    {
250      $page['action'] = 'none';
251    }
252  }
253
254  if ('reset' == $_GET['action'])
255  {
256    if (reset_password())
257    {
258      $page['action'] = 'none';
259    }
260  }
261}
262
263// +-----------------------------------------------------------------------+
264// | key and action                                                        |
265// +-----------------------------------------------------------------------+
266
267// a connected user can't reset the password from a mail
268if (isset($_GET['key']) and !is_a_guest())
269{
270  unset($_GET['key']);
271}
272
273if (isset($_GET['key']))
274{
275  $user_id = check_password_reset_key($_GET['key']);
276  if (is_numeric($user_id))
277  {
278    $userdata = getuserdata($user_id, false);
279    $page['username'] = $userdata['username'];
280    $template->assign('key', $_GET['key']);
281
282    if (!isset($page['action']))
283    {
284      $page['action'] = 'reset';
285    }
286  }
287  else
288  {
289    $page['action'] = 'none';
290  }
291}
292
293if (!isset($page['action']))
294{
295  if (!isset($_GET['action']))
296  {
297    $page['action'] = 'lost';
298  }
299  elseif (in_array($_GET['action'], array('lost', 'reset', 'none')))
300  {
301    $page['action'] = $_GET['action'];
302  }
303}
304
305if ('reset' == $page['action'] and !isset($_GET['key']) and (is_a_guest() or is_generic()))
306{
307  redirect(get_gallery_home_url());
308}
309
310if ('lost' == $page['action'] and !is_a_guest())
311{
312  redirect(get_gallery_home_url());
313}
314
315// +-----------------------------------------------------------------------+
316// | template initialization                                               |
317// +-----------------------------------------------------------------------+
318
319$title = l10n('Password Reset');
320if ('lost' == $page['action'])
321{
322  $title = l10n('Forgot your password?');
323
324  if (isset($_POST['username_or_email']))
325  {
326    $template->assign('username_or_email', htmlspecialchars(stripslashes($_POST['username_or_email'])));
327  }
328}
329
330$page['body_id'] = 'thePasswordPage';
331
332$template->set_filenames(array('password'=>'password.tpl'));
333$template->assign(
334  array(
335    'title' => $title,
336    'form_action'=> get_root_url().'password.php',
337    'action' => $page['action'],
338    'username' => isset($page['username']) ? $page['username'] : $user['username'],
339    'PWG_TOKEN' => get_pwg_token(),
340    )
341  );
342
343
344// include menubar
345$themeconf = $template->get_template_vars('themeconf');
346if (!isset($themeconf['hide_menu_on']) OR !in_array('thePasswordPage', $themeconf['hide_menu_on']))
347{
348  include( PHPWG_ROOT_PATH.'include/menubar.inc.php');
349}
350
351// +-----------------------------------------------------------------------+
352// |                           html code display                           |
353// +-----------------------------------------------------------------------+
354
355include(PHPWG_ROOT_PATH.'include/page_header.php');
356trigger_action('loc_end_password');
357flush_page_messages();
358$template->pparse('password');
359include(PHPWG_ROOT_PATH.'include/page_tail.php');
360
361?>
Note: See TracBrowser for help on using the repository browser.