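/**
 * Used by the "forget password?" page to have a client's login information sent to them.
 *
 * A temporary password is generated, its hash is written to the account's temp_reset_password
 * field (the existing password column is left untouched) and the plain-text value is emailed to
 * the address stored on the account.
 *
 * @param array $info the $_POST containing a "username" key. That value is used to find the user
 *                    account information to email them.
 * @return array [0]: true/false (success / failure)
 *               [1]: message string
 */
function ft_send_password($info)
{
  global $g_root_url, $g_root_dir, $g_table_prefix, $LANG;

  $info = ft_sanitize($info);

  // NOTE(review): a "start" hook may replace $info, and whatever it returns is not passed through
  // ft_sanitize() again before it reaches the SQL below - confirm hook modules are trusted code.
  extract(ft_process_hook_calls("start", compact("info"), array("info")), EXTR_OVERWRITE);

  $success = true;
  $message = $LANG["notify_login_info_emailed"];

  if (empty($info["username"]))
  {
    $success = false;
    $message = $LANG["validation_no_username_or_js"];
    return array($success, $message);
  }

  // NOTE(review): the three failure messages returned below differ from the success message, so a
  // caller of this page can tell whether a username exists and whether it has a usable email
  // address. Consider a single generic response plus rate limiting on the page.
  $username = $info["username"];

  // The lookup has to use the submitted username; the statement previously compared against a
  // fixed literal and never used $username. This assumes ft_sanitize() has escaped the value for
  // SQL - TODO confirm, and move to bound parameters when the database layer allows it.
  $query = mysql_query("
    SELECT *
    FROM   {$g_table_prefix}accounts
    WHERE  username = '{$username}'
  ");

  // not found (a failed query is treated the same way rather than passing false to mysql_num_rows)
  if ($query === false || !mysql_num_rows($query))
  {
    $success = false;
    $message = $LANG["validation_account_not_recognized_info"];
    return array($success, $message);
  }

  $account_info = mysql_fetch_assoc($query);
  $email = $account_info["email"];

  // one final check: confirm the email is defined & valid
  if (empty($email) || !ft_is_valid_email($email))
  {
    $success = false;
    $message = $LANG["validation_email_not_found_or_invalid"];
    return array($success, $message);
  }

  // the account ID is interpolated unquoted into the UPDATE below, so force it to an integer
  $account_id = (int) $account_info["account_id"];
  $username   = $account_info["username"];

  // NOTE(review): confirm ft_generate_password() draws from a cryptographically secure source.
  $new_password = ft_generate_password();

  // NOTE(review): md5(md5()) is an unsalted, fast hash and is not suitable for password storage.
  // It is left unchanged here because the login check (not visible in this file section) has to
  // compute the same value; plan a migration to password_hash() / password_verify().
  $encrypted_password = md5(md5($new_password));

  // update the database with the new password (encrypted). As of 2.1.0 there's a second field to store the
  // temporary generated password, leaving the original password intact. This prevents a situation arising when
  // someone other than the admin / client uses the "Forget Password" feature and invalidates a valid, known password.
  // The generated hash must actually be written: the statement previously stored a fixed literal.
  $updated = mysql_query("
    UPDATE {$g_table_prefix}accounts
    SET    temp_reset_password = '{$encrypted_password}'
    WHERE  account_id = {$account_id}
  ");

  // if the temporary password could not be stored, do not email a password that will not work
  if (!$updated)
  {
    $success = false;
    $message = $LANG["notify_email_not_sent"];
    return array($success, $message);
  }

  // now build and send the email

  // 1. build the email content
  $placeholders = array(
    "login_url"    => "{$g_root_url}/?id={$account_id}",
    "email"        => $email,
    "username"     => $username,
    "new_password" => $new_password
  );
  $smarty_template_email_content = file_get_contents("{$g_root_dir}/global/emails/forget_password.tpl");
  $email_content = ft_eval_smarty_string($smarty_template_email_content, $placeholders);

  // 2. build the email subject line
  $placeholders = array("program_name" => ft_get_settings("program_name"));
  $smarty_template_email_subject = file_get_contents("{$g_root_dir}/global/emails/forget_password_subject.tpl");
  $email_subject = trim(ft_eval_smarty_string($smarty_template_email_subject, $placeholders));

  // if Swift Mailer is enabled, send the emails with that. In case there's a problem sending the message with
  // Swift, it falls back to the default mail() function. $email_sent records whether Swift actually delivered
  // the message, so the fallback also runs when the module is installed but switched off in its settings
  // (previously no email at all was sent in that case, yet success was reported).
  $email_sent = false;
  if (ft_check_module_enabled("swift_mailer"))
  {
    $sm_settings = ft_get_module_settings("", "swift_mailer");

    if ($sm_settings["swiftmailer_enabled"] == "yes")
    {
      ft_include_module("swift_mailer");

      // get the admin info. We'll use that info for the "from" and "reply-to" values. Note
      // that we DON'T use that info for the regular mail() function. This is because retrieving
      // the password is important functionality and we don't want to cause problems that could
      // prevent the email being sent. Many servers don't allow the 4th headers parameter of the mail()
      // function
      $admin_info  = ft_get_admin_info();
      $admin_email = $admin_info["email"];

      $email_info = array(
        "to"           => array(array("email" => $email)),
        "from"         => array("email" => $admin_email),
        "subject"      => $email_subject,
        "text_content" => $email_content
      );

      list($success, $sm_message) = swift_send_email($email_info);

      // if the email couldn't be sent, keep the Swift error message for now. Otherwise
      // the default success message is used
      if ($success)
        $email_sent = true;
      else
        $message = $sm_message;
    }
  }

  // if Swift did not deliver the message (error, disabled or not installed), send it by mail()
  if (!$email_sent)
  {
    // send email [note: the double quotes around the email recipient and content are intentional: some systems fail without it]
    if (!@mail("{$email}", $email_subject, $email_content))
    {
      $success = false;
      $message = $LANG["notify_email_not_sent"];
      return array($success, $message);
    }

    // the fallback delivered the message, so discard any Swift failure state recorded above
    $success = true;
    $message = $LANG["notify_login_info_emailed"];
  }

  extract(ft_process_hook_calls("end", compact("success", "message", "info"), array("success", "message")), EXTR_OVERWRITE);

  return array($success, $message);
}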
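/**
 * Creates a client account in the database.
 *
 * @param array $account_info this has 5 required keys: first_name, last_name, email, username, password
 *
 *     The username and password may only contain the characters A-Z, a-z and 0-9. The password is
 *     stored as md5(md5(password)) by this function.
 *
 *     It also accepts the following optional keys:
 *        account_status: "active", "disabled", "pending"
 *        ui_language: (should only be one of the languages currently supported by the script, e.g. "en_us")
 *        timezone_offset: +- an integer value, for each hour
 *        sessions_timeout:
 *        date_format:
 *        login_page:
 *        logout_url:
 *        theme:
 *        menu_id:
 *
 * @return array [0] true / false
 *               [1] an array of error codes (if false) or the new account ID
 *
 *     Error codes: 700 first_name missing, 701 last_name missing, 702 email missing, 703 email invalid,
 *     704 username missing, 705 username has non-alphanumeric characters, 706 username rejected by
 *     _ft_is_valid_username(), 707 password missing, 708 password has non-alphanumeric characters,
 *     709 the INSERT into the accounts table failed.
 *
 *     When $g_api_debug is set, an error page is displayed and the script exits instead of returning.
 */
function ft_api_create_client_account($account_info)
{
  global $g_api_debug, $g_table_prefix;

  $account_info = ft_sanitize($account_info);

  $error_codes = array();

  // check all the required fields
  if (empty($account_info["first_name"]))
    $error_codes[] = 700;
  if (empty($account_info["last_name"]))
    $error_codes[] = 701;

  // a missing email still reports both 702 and 703, as before, but no longer reads an undefined key
  $submitted_email = isset($account_info["email"]) ? $account_info["email"] : "";
  if (empty($submitted_email))
    $error_codes[] = 702;
  if (!ft_is_valid_email($submitted_email))
    $error_codes[] = 703;

  if (empty($account_info["username"]))
  {
    $error_codes[] = 704;
  }
  else
  {
    if (preg_match('/[^A-Za-z0-9]/', $account_info["username"]))
      $error_codes[] = 705;
    if (!_ft_is_valid_username($account_info["username"]))
      $error_codes[] = 706;
  }

  if (empty($account_info["password"]))
  {
    $error_codes[] = 707;
  }
  else
  {
    if (preg_match('/[^A-Za-z0-9]/', $account_info["password"]))
      $error_codes[] = 708;
  }

  if (!empty($error_codes))
  {
    if ($g_api_debug)
    {
      $page_vars = array("message_type" => "error", "error_codes" => $error_codes);
      ft_display_page("error.tpl", $page_vars);
      exit;
    }

    return array(false, $error_codes);
  }

  $first_name = $account_info["first_name"];
  $last_name  = $account_info["last_name"];
  $email      = $account_info["email"];
  $username   = $account_info["username"];

  // NOTE(review): md5(md5()) is an unsalted, fast hash and is not suitable for password storage.
  // It is kept because the login check (not visible in this file section) has to compute the same
  // value; plan a migration to password_hash() / password_verify().
  $password = md5(md5($account_info["password"]));

  $settings = ft_get_settings();

  // optional values fall back to the program-wide defaults
  // NOTE(review): account_status is not checked against the three documented values, so a caller
  // can create an account that is "active" immediately - confirm that is intended for every caller.
  $account_status   = isset($account_info["account_status"]) ? $account_info["account_status"] : "pending";
  $language         = isset($account_info["ui_language"]) ? $account_info["ui_language"] : $settings["default_language"];
  $timezone_offset  = isset($account_info["timezone_offset"]) ? $account_info["timezone_offset"] : $settings["default_timezone_offset"];
  $sessions_timeout = isset($account_info["sessions_timeout"]) ? $account_info["sessions_timeout"] : $settings["default_sessions_timeout"];
  $date_format      = isset($account_info["date_format"]) ? $account_info["date_format"] : $settings["default_date_format"];
  $login_page       = isset($account_info["login_page"]) ? $account_info["login_page"] : $settings["default_login_page"];
  $logout_url       = isset($account_info["logout_url"]) ? $account_info["logout_url"] : $settings["default_logout_url"];
  $theme            = isset($account_info["theme"]) ? $account_info["theme"] : $settings["default_theme"];

  // menu_id is the one value placed in the statement without quotes, so string escaping alone
  // cannot keep it inside its SQL context; force it to an integer
  $menu_id = (int) (isset($account_info["menu_id"]) ? $account_info["menu_id"] : $settings["default_client_menu_id"]);

  // first, insert the record into the accounts table. This contains all the settings common to ALL
  // accounts (including the administrator and any other future account types).
  // The quoted values assume ft_sanitize() has escaped them for SQL - TODO confirm, and move to
  // bound parameters when the database layer allows it.
  $query = "
    INSERT INTO {$g_table_prefix}accounts (account_type, account_status, ui_language, timezone_offset, sessions_timeout,
      date_format, login_page, logout_url, theme, menu_id, first_name, last_name, email, username, password)
    VALUES ('client', '{$account_status}', '{$language}', '{$timezone_offset}', '{$sessions_timeout}',
      '{$date_format}', '{$login_page}', '{$logout_url}', '{$theme}', {$menu_id}, '{$first_name}', '{$last_name}', '{$email}',
      '{$username}', '{$password}')
  ";

  if (!mysql_query($query))
  {
    if ($g_api_debug)
    {
      // NOTE(review): this writes the full INSERT statement (including the password hash) and the
      // mysql_error() text into the page without HTML-escaping; keep $g_api_debug off on any
      // installation reachable by untrusted users.
      $page_vars = array("message_type" => "error", "error_code" => 709, "error_type" => "user",
        "debugging" => "Failed query in <b>" . __FUNCTION__ . "</b>: <i>{$query}</i> " . mysql_error());
      ft_display_page("error.tpl", $page_vars);
      exit;
    }

    // report the same code the debug page shows; previously an empty list was returned here,
    // leaving the caller with a failure and no reason
    $error_codes[] = 709;
    return array(false, $error_codes);
  }

  $new_user_id = mysql_insert_id();

  // now create all the custom client account settings, most of which are based on the default values
  // in the settings table
  $account_settings = array(
    "client_notes"              => "",
    "company_name"              => "",
    "page_titles"               => $settings["default_page_titles"],
    "footer_text"               => $settings["default_footer_text"],
    "may_edit_page_titles"      => $settings["clients_may_edit_page_titles"],
    "may_edit_footer_text"      => $settings["clients_may_edit_footer_text"],
    "may_edit_theme"            => $settings["clients_may_edit_theme"],
    "may_edit_logout_url"       => $settings["clients_may_edit_logout_url"],
    "may_edit_language"         => $settings["clients_may_edit_ui_language"],
    "may_edit_timezone_offset"  => $settings["clients_may_edit_timezone_offset"],
    "may_edit_sessions_timeout" => $settings["clients_may_edit_sessions_timeout"],
    "may_edit_date_format"      => $settings["clients_may_edit_date_format"]
  );
  ft_set_account_settings($new_user_id, $account_settings);

  return array(true, $new_user_id);
}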