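/**
 * Update User Password
 * Updates the user's password for the current hash algorithm and stretch site settings.
 * If no password is specified, a random password is generated and written back to
 * $password (it is passed by reference) so the caller can deliver it to the user.
 *
 * @param string $password Plain-text password to hash; replaced by a generated one when empty
 * @param int    $uid      User id to update; the current user's id is assumed when empty
 * @return int 0 for success, non-zero indicates error (-1: no valid user id)
 */
function SEC_updateUserPassword(&$password = '', $uid = '')
{
    global $_TABLES, $_CONF, $_USER;

    // if no password is specified, generate a random one
    if (empty($password)) {
        $password = SEC_generateRandomPassword();
    }

    // if $uid is empty, assume current user
    if (empty($uid)) {
        $uid = $_USER['uid'];
    }

    // Force an integer before validating: under PHP 8 comparison rules a
    // non-numeric string is not "< 1" and would otherwise be interpolated
    // unquoted into the UPDATE below. Zero and negative ids are rejected.
    // NOTE(review): the original comment called anonymous (uid = 1) invalid,
    // but the test only rejects uid < 1 - confirm the intended threshold.
    $uid = (int) $uid;
    if ($uid < 1) {
        return -1;
    }

    // hash with the site's configured algorithm/stretch and a fresh salt
    $salt = SEC_generateSalt();
    $newhash = SEC_encryptPassword($password, $salt, $_CONF['pass_alg'], $_CONF['pass_stretch']);

    // Escape the string values even though they come from our own helpers, and
    // cast the numeric columns so nothing unquoted reaches the statement.
    $query = 'UPDATE ' . $_TABLES['users']
        . " SET passwd = '" . DB_escapeString($newhash) . "', "
        . "salt = '" . DB_escapeString($salt) . "', "
        . "algorithm = '" . DB_escapeString($_CONF['pass_alg']) . "', "
        . 'stretch = ' . (int) $_CONF['pass_stretch']
        . " WHERE uid = {$uid}";
    DB_query($query);

    // return success
    return 0;
}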
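/**
 * Create a new user
 * Also calls the custom user registration (if enabled) and plugin functions.
 * NOTE: Does NOT send out password emails.
 *
 * Every caller-supplied value that is interpolated into SQL is passed through
 * DB_escapeString first; the raw arguments are kept for non-SQL uses (domain
 * allow-list check, display name, admin notification).
 *
 * @param string  $username       username (mandatory)
 * @param string  $email          user's email address (mandatory)
 * @param string  $passwd         password (optional, see above)
 * @param string  $fullname       user's full name (optional)
 * @param string  $homepage       user's home page (optional)
 * @param string  $remoteUserName user name at the remote authentication service (optional)
 * @param string  $service        name of the remote authentication service (optional)
 * @param boolean $batchImport    set to true when called from importuser() in admin/users.php (optional)
 * @return int new user's ID
 */
function USER_createAccount($username, $email, $passwd = '', $fullname = '', $homepage = '', $remoteUserName = '', $service = '', $batchImport = false)
{
    global $_CONF, $_TABLES;

    $queueUser = false;

    // Escaped copies for SQL only. The remote user name and service were
    // previously interpolated unescaped; both now go through the same helper.
    $usernameSql = DB_escapeString($username);
    $emailSql = DB_escapeString($email);
    $remoteUserNameSql = DB_escapeString($remoteUserName);
    $serviceSql = DB_escapeString($service);

    // same layout as strftime('%Y-%m-%d %H:%M:%S'), which is deprecated since PHP 8.1
    $regdate = date('Y-m-d H:i:s');

    $fields = 'username,email,regdate,cookietimeout';
    $values = "'{$usernameSql}','{$emailSql}','{$regdate}','"
        . DB_escapeString($_CONF['default_perm_cookie_timeout']) . "'";

    if (!empty($passwd)) {
        // Since no uid exists yet we can't use SEC_updateUserPassword and must handle things manually
        $salt = SEC_generateSalt();
        $hash = SEC_encryptPassword($passwd, $salt, $_CONF['pass_alg'], $_CONF['pass_stretch']);
        $fields .= ',passwd,salt,algorithm,stretch';
        $values .= ",'" . DB_escapeString($hash) . "','" . DB_escapeString($salt) . "','"
            . DB_escapeString($_CONF['pass_alg']) . "','" . DB_escapeString($_CONF['pass_stretch']) . "'";
    }

    if (!empty($fullname)) {
        $fields .= ',fullname';
        $values .= ",'" . DB_escapeString($fullname) . "'";
    }

    if (!empty($homepage)) {
        $fields .= ',homepage';
        $values .= ",'" . DB_escapeString($homepage) . "'";
    }

    if ((int) $_CONF['usersubmission'] === 1 && !SEC_hasRights('user.edit')) {
        // Registrations are moderated unless the address is on the allow list
        // (the raw address is checked, not the SQL-escaped copy).
        $queueUser = empty($_CONF['allow_domains'])
            || !USER_emailMatches($email, $_CONF['allow_domains']);
        if ($queueUser) {
            $fields .= ',status';
            $values .= ',' . USER_ACCOUNT_AWAITING_APPROVAL;
        }
    } else {
        if (!empty($remoteUserName)) {
            $fields .= ',remoteusername';
            $values .= ",'{$remoteUserNameSql}'";
        }
        if (!empty($service)) {
            $fields .= ',remoteservice';
            $values .= ",'{$serviceSql}'";
        }
    }

    DB_query("INSERT INTO {$_TABLES['users']} ({$fields}) VALUES ({$values})");

    // Get the uid of the user, possibly given a service:
    // NOTE(review): the '******' literal is reproduced from the source as found; it
    // looks like a redacted user-name placeholder - confirm the intended lookup key
    // against upstream before relying on this lookup.
    if ((string) $remoteUserName !== '') {
        $uid = DB_getItem($_TABLES['users'], 'uid', "remoteusername = '******' AND remoteservice='{$serviceSql}'");
    } else {
        $uid = DB_getItem($_TABLES['users'], 'uid', "username = '******' AND remoteservice IS NULL");
    }

    // Add user to Logged-in group (i.e. members) and the All Users group
    $assignments = $_TABLES['group_assignments'];
    $normal_grp = DB_getItem($_TABLES['groups'], 'grp_id', "grp_name='Logged-in Users'");
    $all_grp = DB_getItem($_TABLES['groups'], 'grp_id', "grp_name='All Users'");
    DB_query("INSERT INTO {$assignments} (ug_main_grp_id, ug_uid) VALUES ({$normal_grp}, {$uid})");
    DB_query("INSERT INTO {$assignments} (ug_main_grp_id, ug_uid) VALUES ({$all_grp}, {$uid})");

    // any default groups?
    $result = DB_query("SELECT grp_id FROM {$_TABLES['groups']} WHERE grp_default = 1");
    $num_groups = DB_numRows($result);
    for ($i = 0; $i < $num_groups; $i++) {
        [$def_grp] = DB_fetchArray($result);
        DB_query("INSERT INTO {$assignments} (ug_main_grp_id, ug_uid) VALUES ({$def_grp}, {$uid})");
    }

    DB_query("INSERT INTO {$_TABLES['userprefs']} (uid) VALUES ({$uid})");

    // '' subscribes the new user to the daily digest by default, '-' does not
    $etids = (int) $_CONF['emailstoriesperdefault'] === 1 ? '' : '-';
    DB_query("INSERT INTO {$_TABLES['userindex']} (uid,etids) VALUES ({$uid},'{$etids}')");

    DB_query("INSERT INTO {$_TABLES['usercomment']} (uid,commentmode,commentorder,commentlimit) VALUES ({$uid},'"
        . DB_escapeString($_CONF['comment_mode']) . "','"
        . DB_escapeString($_CONF['comment_order']) . "','"
        . DB_escapeString($_CONF['comment_limit']) . "')");
    DB_query("INSERT INTO {$_TABLES['userinfo']} (uid) VALUES ({$uid})");

    // call custom registration function and plugins
    if ($_CONF['custom_registration'] && function_exists('CUSTOM_userCreate')) {
        CUSTOM_userCreate($uid, $batchImport);
    }
    PLG_createUser($uid);

    // Notify the admin? Pass the raw (unescaped) values so the mail shows them verbatim.
    if (isset($_CONF['notification']) && in_array('user', $_CONF['notification'], true)) {
        $mode = $queueUser ? 'inactive' : 'active';
        $displayName = COM_getDisplayName($uid, $username, $fullname, $remoteUserName, $service);
        USER_sendNotification($displayName, $email, $uid, $mode);
    }

    return $uid;
}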