From c57dcb62c2affd402e8e9afac1bc2c953eb2dcaf Mon Sep 17 00:00:00 2001 From: skodak Date: Thu, 22 Feb 2007 22:20:51 +0000 Subject: [PATCH] MDL-8590 auth cleanup - reset password cleanup+fixes --- auth/db/auth.php | 4 +- auth/email/auth.php | 4 +- auth/manual/auth.php | 2 +- auth/none/auth.php | 4 +- lang/en_utf8/moodle.php | 2 + lib/moodlelib.php | 6 +- login/forgot_password.php | 259 ++++++++++----------------------- login/forgot_password_form.php | 50 ++++++- 8 files changed, 135 insertions(+), 196 deletions(-) diff --git a/auth/db/auth.php b/auth/db/auth.php index a13744b149..babface7c1 100644 --- a/auth/db/auth.php +++ b/auth/db/auth.php @@ -190,8 +190,8 @@ class auth_plugin_db { /** * Change a user's password * - * @param object $user The user to update - * @param string $newpassword The new password + * @param object $user User table object (with system magic quotes) + * @param string $newpassword Plaintext password (with system magic quotes) * * @return bool True on success */ diff --git a/auth/email/auth.php b/auth/email/auth.php index 6c2191a62b..2a1a515685 100644 --- a/auth/email/auth.php +++ b/auth/email/auth.php @@ -64,8 +64,8 @@ class auth_plugin_email { * * called when the user password is updated. * - * @param object $user User - * @param string $newpassword Plaintext password + * @param object $user User table object (with system magic quotes) + * @param string $newpassword Plaintext password (with system magic quotes) * @return boolean result * */ diff --git a/auth/manual/auth.php b/auth/manual/auth.php index d8bd41fe3f..23ebf4b1d4 100644 --- a/auth/manual/auth.php +++ b/auth/manual/auth.php @@ -58,7 +58,7 @@ class auth_plugin_manual * called when the user password is updated. * * @param object $user User table object (with system magic quotes) - * @param string $newpassword Plaintext password (with system magic quotes) + * @param string $newpassword Plaintext password (with system magic quotes) * @return boolean result * */ 
diff --git a/auth/none/auth.php b/auth/none/auth.php index f7b8f0a9cb..01305c9d9b 100644 --- a/auth/none/auth.php +++ b/auth/none/auth.php @@ -57,8 +57,8 @@ class auth_plugin_none { * * called when the user password is updated. * - * @param object $user User - * @param string $newpassword Plaintext password + * @param object $user User table object (with system magic quotes) + * @param string $newpassword Plaintext password (with system magic quotes) * @return boolean result * */ diff --git a/lang/en_utf8/moodle.php b/lang/en_utf8/moodle.php index fcfb467174..916c8444d0 100644 --- a/lang/en_utf8/moodle.php +++ b/lang/en_utf8/moodle.php @@ -604,6 +604,7 @@ $string['forcepasswordchangenotice'] = 'You must change your password to proceed $string['forcetheme'] = 'Force theme'; $string['forgotaccount'] = 'Lost password?'; $string['forgotten'] = 'Forgotten your username or password?'; +$string['forgottenduplicate'] = 'The email address is shared by several accounts, please enter username instead'; $string['forgotteninvalidurl'] = 'Invalid password reset URL'; $string['format'] = 'Format'; $string['formathtml'] = 'HTML format'; @@ -1462,6 +1463,7 @@ $string['userfiles'] = 'User Files'; $string['userlist'] = 'User list'; $string['username'] = 'Username'; $string['usernameemailmatch'] = 'The username and email address do not relate to the same user'; +$string['usernameoremail'] = 'Enter either username or email address'; $string['usernameexists'] = 'This username already exists, choose another'; $string['usernamelowercase'] = 'Only lowercase letters allowed'; $string['usernamenotfound'] = 'The username was not found in the database'; diff --git a/lib/moodlelib.php b/lib/moodlelib.php index ba37c87790..9b5d93fba5 100644 --- a/lib/moodlelib.php +++ b/lib/moodlelib.php 
@@ -3473,17 +3473,15 @@ function reset_password_and_mail($user) { $site = get_site(); $from = get_admin(); - $external = false; - $userauth = get_auth_plugin($user->auth); - if (!$userauth->can_change_password()) { + if (!$userauth->can_reset_password()) { trigger_error("Attempt to reset user password for user $user->username with Auth $user->auth."); return false; } $newpassword = generate_password(); - if (!$userauth->user_update_password($user->username, $newpassword)) { + if (!$userauth->user_update_password(addslashes_recursive($user), addslashes($newpassword))) { error("Could not set user password!"); } diff --git a/login/forgot_password.php b/login/forgot_password.php index d0d5309fc9..2d6e75b1f6 100644 --- a/login/forgot_password.php +++ b/login/forgot_password.php 
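Review bot: The new call `$userauth->user_update_password(addslashes_recursive($user), addslashes($newpassword))` matches the plugin contract the other hunks of this patch document ("with system magic quotes"), but it now requires that `reset_password_and_mail()` itself be handed an unslashed `$user`, and nothing in the hunk records that; the function's docblock (outside this hunk) should gain `@param object $user user record WITHOUT slashes (they are added here before the auth plugin is called)`. The two failure paths are also inconsistent: a plugin that cannot reset passwords gets `trigger_error(...)` plus `return false`, whereas a failed update hits `error("Could not set user password!")`, which terminates the request with an untranslated message; `return false` after a `trigger_error`, or at least a `get_string` message, would let callers treat both failures alike. The function's header and the part that mails the new password lie outside this hunk.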
@@ -7,150 +7,23 @@ require_once('../config.php'); require_once('forgot_password_form.php'); -$action = optional_param('action', '', PARAM_ALPHA); $p_secret = optional_param('p', false, PARAM_RAW); $p_username = optional_param('s', false, PARAM_RAW); httpsrequired(); -$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID); +$sitecontext = get_context_instance(CONTEXT_SYSTEM); // setup text strings -$strcancel = get_string('cancel'); -$strconfirmednot = get_string('confirmednot'); -$stremail = get_string('email'); -$stremailnotfound = get_string('emailnotfound'); -$strerror = get_string('error'); -$strforgotten = get_string('passwordforgotten'); -$strforgottenduplicate = get_string('forgottenduplicate', 'moodle', get_admin()); // does not exist in lang file?? -$strforgotteninstruct = get_string('passwordforgotteninstructions'); -$strinvalidemail = get_string('invalidemail'); -$strinvalidurl = get_string('forgotteninvalidurl'); -$strlogin = get_string('login'); -$strloginalready = get_string('loginalready'); -$strok = get_string('ok'); -$strpasswordnohelp = get_string('passwordnohelp'); -$strsecretalreadyused = get_string('secretalreadyused'); -$strsenddetails = get_string('senddetails'); -$strusername = get_string('username'); -$strusernameemailmatch = get_string('usernameemailmatch'); -$strusernamenotfound = get_string('usernamenotfound'); - -$errors = array(); -$page = ''; // page to display - +$strforgotten = get_string('passwordforgotten'); +$strlogin = get_string('login'); // if you are logged in then you shouldn't be here! 
-if (isloggedin() && !isguestuser()) { - redirect($CFG->wwwroot.'/index.php', $strloginalready, 5); +if (isloggedin() and !isguestuser()) { + redirect($CFG->wwwroot.'/index.php', get_string('loginalready'), 5); } -$mform = new login_forgot_password_form(); - -if ($mform->is_cancelled()) { - redirect($CFG->httpswwwroot.'/login/index.php'); -} - -if ($action == 'find' and $param = $mform->get_data()) { -///===================== -/// find the user in the database and mail info -///===================== - - // first try the username - if (!empty($param->username)) { - if (!$user = get_complete_user_data('username', $param->username)) { - $errors[] = $strusernamenotfound; - } - } else { - $user = false; - } - - // now try email - if (!empty($param->email)) { - // validate email address 1st - if (!validate_email($param->email)) { - $errors[] = $strinvalidemail; - - } else if (count_records('user', 'email', $param->email) > 1) { - // (if there is more than one instance of the email then we - // cannot complete automated recovery) - $page = 'duplicateemail'; - $errors[] = $strforgottenduplicate; - - } else if (!$mailuser = get_complete_user_data('email', $param->email)) { - $errors[] = $stremailnotfound; - } - - // just in case they did specify both... 
- // if $user exists then check they actually match (then just use $user) - if (!empty($user) and !empty($mailuser)) { - if ($user->id != $mailuser->id) { - $errors[] = $strusernameemailmatch; - } - $user = $mailuser; - } - - // use email user if username not used or located - if (!empty($mailuser) and empty($user)) { - $user = $mailuser; - } - } - - // if user located (and no errors) take the appropriate action - if (empty($errors) and !empty($user)) { - - $userauth = get_auth_plugin($user->auth); - - // check this user isn't 'unconfirmed' - if (empty($user->confirmed)) { - $errors[] = $strconfirmednot; - - } else { - if (method_exists($userauth, 'can_reset_password') and $userauth->can_reset_password()) { - // reset internal password and notify user - - // set 'secret' string - $user->secret = random_string(15); - if (!set_field('user', 'secret', $user->secret, 'id', $user->id)) { - error('error setting user secret string'); - } - - // send email (make sure mail block is off) - $user->mailstop = 0; - if (!send_password_change_confirmation_email($user)) { - error('error sending password change confirmation email'); - } - - // display confirm message - $page = 'emailconfirm'; - - } else { - // send email (make sure mail block is off) - $user->mailstop = 0; - if (!send_password_change_info($user)) { - error('error sending password change confirmation email'); - } - - // display confirm message - $page = 'emailconfirm'; - } - } - } - - if (!empty($CFG->protectusernames)) { - // do not give any hints about usernames or email! - $errors = array(); - $page = 'emailmaybeconfirmed'; - } - - if (empty($param->username) and empty($param->email)) { - // nothing supplied - show error in any case - $errors[] = 'no email or username'; - $page = ''; - } - - -} else if ($p_secret !== false) { +if ($p_secret !== false) { ///===================== /// user clicked on link in email message ///===================== 
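Review bot: `$p_username = optional_param('s', false, PARAM_RAW);` is kept unchanged on the new side, and the following hunk passes it straight to `get_complete_user_data('username', $p_username)` with no further cleaning; that lookup presumably relies only on the magic-quotes-style slashes the parameter layer adds (verify), so cleaning the value with the same PARAM_ type the login form applies to its username field (outside this diff) would remove that dependency, e.g. a `// TODO: clean $p_username like the username field in login/index.php` until the type is settled. The `if ($p_secret !== false) {` block opened at the end of this hunk continues through the next two hunks.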
@@ -160,14 +33,16 @@ if ($action == 'find' and $param = $mform->get_data()) { $user = get_complete_user_data('username', $p_username); if (!empty($user) and $user->secret === '') { - $errors[] = $strsecretalreadyused; + print_header($strforgotten, $strforgotten, + "wwwroot}/login/index.php\">{$strlogin}->{$strforgotten}"); + error(get_string('secretalreadyused')); } else if (!empty($user) and $user->secret == stripslashes($p_secret)) { // make sure that url relates to a valid user // check this isn't guest user // TODO: add change password capability so that we can prevent participants to change password - if (isguestuser($user) or has_capability('moodle/legacy:guest', $sitecontext, $user->id, false)) { + if (has_capability('moodle/legacy:guest', $sitecontext, $user->id, false)) { error('You cannot reset the guest password'); } 
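Review bot: The e-mail link secret is still compared loosely, `$user->secret == stripslashes($p_secret)`, while the line above tests `$user->secret === ''` strictly; change it to `$user->secret === stripslashes($p_secret)` so two numeric-looking strings can never compare equal by value. The new `secretalreadyused` branch also answers differently for an existing and an unknown username regardless of `$CFG->protectusernames`, which the form path in this same commit does honour; when that setting is on, falling through to the generic `forgotteninvalidurl` error would keep the two paths consistent. The commit drops the explicit `isguestuser($user)` test and relies on the `moodle/legacy:guest` capability alone; if a deployment's guest account lacks that capability the reset goes through, so keeping both checks seems the safer choice. The enclosing `if ($p_secret !== false)` block starts in the previous hunk and ends in the next.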
@@ -184,72 +59,94 @@ if ($action == 'find' and $param = $mform->get_data()) { } reset_login_count(); - $page = 'emailsent'; $changepasswordurl = "{$CFG->httpswwwroot}/login/change_password.php"; $a = new object(); $a->email = $user->email; $a->link = $changepasswordurl; - $stremailpasswordsent = get_string('emailpasswordsent', '', $a); + + print_header($strforgotten, $strforgotten, + "wwwroot}/login/index.php\">{$strlogin}->{$strforgotten}"); + notice(get_string('emailpasswordsent', '', $a), $changepasswordurl); + } else { - $errors[] = $strinvalidurl; + print_header($strforgotten, $strforgotten, + "wwwroot}/login/index.php\">{$strlogin}->{$strforgotten}"); + error(get_string('forgotteninvalidurl')); } + die; //never reached } +$mform = new login_forgot_password_form(); -//****************************** -// DISPLAY PART -//****************************** +if ($mform->is_cancelled()) { + redirect($CFG->httpswwwroot.'/login/index.php'); -print_header($strforgotten, $strforgotten, - "wwwroot}/login/index.php\">{$strlogin}->{$strforgotten}", - 'form.email'); +} else if ($data = $mform->get_data()) { +/// find the user in the database and mail info -if ($page == 'emailmaybeconfirmed') { - // Print general confirmation message - notice(get_string('emailpasswordconfirmmaybesent'), $CFG->wwwroot.'/index.php'); -} + // first try the username + if (!empty($data->username)) { + $user = get_complete_user_data('username', $data->username); + } else { + + $user = get_complete_user_data('email', $data->email); + } + + if ($user and !empty($user->confirmed)) { + $userauth = get_auth_plugin($user->auth); -/// --------------------------------------------- -/// check $page for appropriate page to display -if ($page == 'emailconfirm') { - // Confirm (internal method) email sent - $protectedemail = preg_replace('/([^@]*)@(.*)/', '******@$2', $user->email); // obfuscate the email address to protect privacy - $stremailpasswordconfirmsent = get_string('emailpasswordconfirmsent', '', 
$protectedemail); - notice($stremailpasswordconfirmsent, $CFG->wwwroot.'/index.php'); - -} else if ($page == 'emailsent') { - // mail sent with new password - notice($stremailpasswordsent, $changepasswordurl); - -} else if ($page == 'duplicateemail') { - // email address appears more than once - notice($strforgottenduplicate, $CFG->wwwroot.'/index.php'); - -} else { - // display any errors - if (!empty($errors)) { - print_box_start('generalbox boxwidthnormal boxaligncenter'); - $s = $strerror; - $s .= ''; - notify($s, 'notifyproblem'); - print_box_end(); } -} -if(!$mform->get_data() or !empty($errors)) { - print_box_start('generalbox boxwidthnormal boxaligncenter'); - echo $strforgotteninstruct; - print_box_end(); - $mform->display(); + print_header($strforgotten, $strforgotten, + "wwwroot}/login/index.php\">{$strlogin}->{$strforgotten}"); + + if (empty($user->email) or !empty($CFG->protectusernames)) { + // Print general confirmation message + notice(get_string('emailpasswordconfirmmaybesent'), $CFG->wwwroot.'/index.php'); + + } else { + // Confirm email sent + $protectedemail = preg_replace('/([^@]*)@(.*)/', '******@$2', $user->email); // obfuscate the email address to protect privacy + $stremailpasswordconfirmsent = get_string('emailpasswordconfirmsent', '', $protectedemail); + notice($stremailpasswordconfirmsent, $CFG->wwwroot.'/index.php'); + } + + die; // never reached } + +/// DISPLAY FORM +print_header($strforgotten, $strforgotten, + "wwwroot}/login/index.php\">{$strlogin}->{$strforgotten}", 'id_email'); + +print_box(get_string('passwordforgotteninstructions'), 'generalbox boxwidthnormal boxaligncenter'); +$mform->display(); + print_footer(); ?> \ No newline at end of file diff --git a/login/forgot_password_form.php b/login/forgot_password_form.php index dad611647f..c19d994fed 100644 --- a/login/forgot_password_form.php +++ b/login/forgot_password_form.php 
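Review bot: On the new side of the form-submission branch, `$userauth = get_auth_plugin($user->auth);` is assigned and never used, and between it and the `print_header` there is no call that stores a secret or sends mail, although the `set_field`, `send_password_change_confirmation_email` and `send_password_change_info` calls removed in the first hunk have no visible replacement and the page then reports `emailpasswordconfirmsent`. If lines were lost when this patch was extracted this can be ignored; otherwise the branch still has to dispatch on `$userauth->can_reset_password()` to the confirmation mail or to the password-change info, and an unused `$userauth` should be removed. The trailing `die; // never reached` is correct but the comment reads as if the statement were dead code; `die; // notice() and error() never return` says why it is there. The secret-link branch closed at the top of this hunk begins in the previous hunk.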
@@ -16,12 +16,54 @@ class login_forgot_password_form extends moodleform { $mform->addElement('text', 'email', get_string('email')); $mform->setType('email', PARAM_RAW); - // hidden params - $mform->addElement('hidden', 'action', 'find'); - $mform->setType('action', PARAM_ALPHA); - $this->add_action_buttons(true, get_string('ok')); } + + function validation($data) { + global $CFG; + + $errors = array(); + + if ((!empty($data['username']) and !empty($data['email'])) or (empty($data['username']) and empty($data['email']))) { + $errors['username'] = get_string('usernameoremail'); + $errors['email'] = get_string('usernameoremail'); + + } else if (!empty($data['email'])) { + if (!validate_email($data['email'])) { + $errors['email'] = get_string('invalidemail'); + + } else if (count_records('user', 'email', $data['email']) > 1) { + $errors['email'] = get_string('forgottenduplicate'); + + } else { + if ($user = get_complete_user_data('email', $data['email'])) { + if (empty($user->confirmed)) { + $errors['email'] = get_string('confirmednot'); + } + } + if (!$user and empty($CFG->protectusernames)) { + $errors['email'] = get_string('emailnotfound'); + } + } + + } else { + if ($user = get_complete_user_data('username', $data['username'])) { + if (empty($user->confirmed)) { + $errors['email'] = get_string('confirmednot'); + } + } + if (!$user and empty($CFG->protectusernames)) { + $errors['username'] = get_string('usernamenotfound'); + } + } + + if (0 == count($errors)){ + return true; + } else { + return $errors; + } + } + } ?> \ No newline at end of file -- 2.39.5
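Review bot: In the username branch of `validation()` the unconfirmed-account error is attached to the wrong field, `$errors['email'] = get_string('confirmednot');`, so the message is displayed under an input the user left blank; it should read `$errors['username'] = get_string('confirmednot');`. Note also that `confirmednot` and `forgottenduplicate` are returned even when `$CFG->protectusernames` is set, whereas `usernamenotfound` and `emailnotfound` are suppressed under that setting, so the form still confirms that a given username or e-mail belongs to an account; gating those two messages on `empty($CFG->protectusernames)` as well would keep the policy consistent. The method has no docblock; something like `/** Requires exactly one of username/email, resolves it to a confirmed account and returns true or an array of field => error message. */` would document the contract the caller relies on.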