Beispiel #1
/**
 * Reset the password of a single user account.
 *
 * Behaviour, as implemented below:
 *   - A protected account is never touched; the function returns false.
 *   - When both 'send_reset_password' and 'enable_email_notification' are ON,
 *     a random password is generated and its processed form is stored. The
 *     random plaintext is neither mailed nor returned by this function; when
 *     $p_send_email is true the user is mailed a confirm-hash URL instead.
 *   - In every other configuration the processed form of an EMPTY password is
 *     stored, no mail is sent, and the failed-login counter is cleared.
 *
 * Security notes for reviewers:
 *   - The empty-password branch leaves the account without a secret.
 *     Presumably anyone who knows the username can then sign in until a new
 *     password is set; confirm how the login path treats blank passwords and
 *     restrict who may trigger a reset in that configuration.
 *   - The missing-email check relies on trigger_error( ..., ERROR ) stopping
 *     the request. If the installed error handler returns, execution
 *     continues and the stored password is still replaced. TODO confirm.
 *
 * @param integer $p_user_id    A valid user identifier.
 * @param boolean $p_send_email Whether to send the confirmation email.
 * @return boolean False for a protected account, true otherwise.
 */
function user_reset_password($p_user_id, $p_send_email = true)
{
    # Protected accounts are left alone; the caller is told via false.
    if (ON == user_get_field($p_user_id, 'protected')) {
        return false;
    }

    # @@@ do we want to force blank password instead of random if
    #      email notifications are turned off?
    #     How would we indicate that we had done this with a return value?
    #     Should we just have two functions? (user_reset_password_random()
    #     and user_reset_password() )?
    $t_reset_by_mail = ON == config_get('send_reset_password')
        && ON == config_get('enable_email_notification');

    if (!$t_reset_by_mail) {
        # No mail channel: store the processed form of an empty password.
        # SECURITY: see the function header; this leaves the account without a secret.
        $t_blank_stored = auth_process_plain_password('');
        user_set_field($p_user_id, 'password', $t_blank_stored);

        # There is no email round-trip in this mode, so clear the lockout counter here.
        user_reset_failed_login_count_to_zero($p_user_id);

        return true;
    }

    # A reset by mail is pointless without an address on file.
    $t_address = user_get_field($p_user_id, 'email');
    if (is_blank($t_address)) {
        trigger_error(ERROR_LOST_PASSWORD_NO_EMAIL_SPECIFIED, ERROR);
    }

    # Overwrite the stored password with a random one. Only the processed
    # value is persisted; the plaintext does not leave this function.
    $t_random_plain = auth_generate_random_password();
    user_set_field($p_user_id, 'password', auth_process_plain_password($t_random_plain));

    # The user regains access through the confirm-hash URL, not the random password.
    if ($p_send_email) {
        email_send_confirm_hash_url($p_user_id, auth_generate_confirm_hash($p_user_id));
    }

    return true;
}
Beispiel #2
	OFF == config_get( 'send_reset_password' ) ) {
	trigger_error( ERROR_LOST_PASSWORD_NOT_ENABLED, ERROR );
}

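# Both values arrive from the request and are attacker-controlled until the
# confirm hash has been verified below.
# NOTE(review): 'id' is read as a free-form string; a stricter integer
# accessor, if the project provides one, would narrow the input.
$f_user_id = gpc_get_string('id');
$f_confirm_hash = gpc_get_string('confirm_hash');

# force logout on the current user if already authenticated
if( auth_is_user_authenticated() ) {
	auth_logout();

	# reload the page after logout
	# The request values are URL-encoded before being placed in the redirect
	# target so that stray '&', '#', CR or LF characters cannot add query
	# parameters or alter the Location header. Well-formed ids and hashes are
	# unchanged by the encoding.
	print_header_redirect( 'verify.php?id=' . rawurlencode( $f_user_id ) . '&confirm_hash=' . rawurlencode( $f_confirm_hash ) );
}

# NOTE(review): whether this hash expires or is single-use is decided inside
# auth_generate_confirm_hash(), which is not visible here. Confirm that an
# old link cannot be replayed.
$t_calculated_confirm_hash = auth_generate_confirm_hash( $f_user_id );

# Compare with hash_equals() (PHP 5.6+) instead of a loose '!='. The loose
# operator applies numeric type juggling, so two different strings that both
# look like numbers (for example "0e..." digests) compare as equal, and it is
# not constant-time. The expected value goes first, the supplied value second.
if ( !hash_equals( (string)$t_calculated_confirm_hash, (string)$f_confirm_hash ) ) {
	# Assumes the error handler ends the request on ERROR; everything below
	# grants a session and must not run for an invalid hash. TODO confirm.
	trigger_error( ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID, ERROR );
}

# set a temporary cookie so the login information is passed between pages.
auth_set_cookies( $f_user_id, false );

# The hash was valid, so clear the lockout and pending-request counters.
user_reset_failed_login_count_to_zero( $f_user_id );
user_reset_lost_password_in_progress_count_to_zero( $f_user_id );

# fake login so the user can set their password
auth_attempt_script_login( user_get_field( $f_user_id, 'username' ) );

# NOTE(review): the counter reset to zero above is incremented again here;
# the reason is not visible in this excerpt. Confirm the intent.
user_increment_failed_login_count( $f_user_id );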
Beispiel #3
# Handle a lost-password request: find the account for the submitted
# username/e-mail pair, apply the account checks, then mail a confirm-hash URL.
#
# The submitted values are handed to db_query_bound() as a separate parameter
# array rather than being written into the SQL text here.
# NOTE(review): $query is built above this excerpt, so the meaning of the third
# bound value (true) cannot be confirmed from here.
$result = db_query_bound($query, array($f_username, $f_email, true));
if (0 == db_num_rows($result)) {
    # SECURITY: this error is distinct from the success page, so the response
    # reveals to an unauthenticated requester whether a username/e-mail pair
    # exists. Showing the same confirmation page in both cases would close
    # that account-enumeration channel.
    trigger_error(ERROR_LOST_PASSWORD_NOT_MATCHING_DATA, ERROR);
}
# The blank-address check runs only after the lookup above.
if (is_blank($f_email)) {
    trigger_error(ERROR_LOST_PASSWORD_NO_EMAIL_SPECIFIED, ERROR);
}
# Only the first returned row is used.
$row = db_fetch_array($result);
$t_user_id = $row['id'];
# Protected accounts cannot be reset through this page. This error also
# differs from the others, so it discloses the account's protected status.
if (user_is_protected($t_user_id)) {
    trigger_error(ERROR_PROTECTED_ACCOUNT, ERROR);
}
# Request limit, keyed on the user id: checked before the mail is sent and
# counted after it (see the increment below).
# NOTE(review): presumably this bounds mail sent to one account only; it does
# not by itself limit requests spread across many accounts. Verify.
if (!user_is_lost_password_request_allowed($t_user_id)) {
    trigger_error(ERROR_LOST_PASSWORD_MAX_IN_PROGRESS_ATTEMPTS_REACHED, ERROR);
}
# Every check above assumes trigger_error( ..., ERROR ) ends the request; if
# the handler returns, the mail below is still sent. TODO confirm.
$t_confirm_hash = auth_generate_confirm_hash($t_user_id);
email_send_confirm_hash_url($t_user_id, $t_confirm_hash);
user_increment_lost_password_in_progress_count($t_user_id);
# presumably discards the 'lost_pwd' form token so the submission cannot be
# replayed; the matching validation call is not in this excerpt.
form_security_purge('lost_pwd');
$t_redirect_url = 'login_page.php';
html_page_top();
?>

<br />
<div>
<table class="width50" cellspacing="1">
<tr>
	<td class="center">
		<strong><?php 
echo lang_get('lost_password_done_title');
?>