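/**
 * Handle the two account forms posted to this page.
 *
 * - user_update_settings: update username, e-mail, password, Flattr id and
 *   Flattr choice. The target is the session user, or the user named in
 *   $_GET['user'] when the session user is an admin and that user exists.
 * - profile_save: update the description column of the session user.
 *
 * Reads $_POST, $_GET and $_SESSION; reports results via add_error() /
 * add_message(). Returns nothing.
 *
 * NOTE(review): no CSRF token check is visible in this function although both
 * actions change account state on a POST (including the password). Confirm
 * where the token is verified, or add a check before dispatching.
 */
function user_receive()
{
    if (isset($_POST['user_update_settings'])) {
        // Start from "no target". The original left $user_id undefined when a
        // non-admin supplied ?user=..., relying on an undefined-variable notice
        // to fall into the error branch.
        $user_id = null;
        if (isset($_GET['user'])) {
            // Editing another account requires admin rights on the caller AND an
            // existing target; either failing leaves $user_id null.
            if (user_get_admin($_SESSION[PREFIX . "user_id"]) && user_exists($_GET['user'])) {
                $user_id = $_GET['user'];
            }
        } else {
            $user_id = $_SESSION[PREFIX . "user_id"];
        }

        if (!$user_id) {
            add_error("No valid user");
            return;
        }

        // Each field is optional: an empty string means "leave unchanged".
        if (isset($_POST['username']) && $_POST['username'] != "") {
            user_set_name($user_id, $_POST['username']);
        }
        if (isset($_POST['email']) && $_POST['email'] != "") {
            user_set_email($user_id, $_POST['email']);
        }
        if (isset($_POST['password']) && $_POST['password'] != "") {
            user_set_password($user_id, $_POST['password']);
        }
        if (isset($_POST['flattr_id']) && $_POST['flattr_id'] != "") {
            flattr_set_flattrID($user_id, $_POST['flattr_id']);
        }

        // The Flattr choice is always written. An unchecked box posts nothing,
        // so pass null explicitly instead of reading an undefined index.
        $flattr_choice = isset($_POST['flattr_choice']) ? $_POST['flattr_choice'] : null;
        flattr_set_flattr_choice($user_id, $flattr_choice);
        return;
    }

    if (isset($_POST['profile_save'])) {
        $description = isset($_POST['description']) ? $_POST['description'] : '';

        // The id is interpolated unquoted, so quote-escaping alone (sql_safe)
        // is not a sufficient guard for that position; cast it to an integer.
        // The description is quoted and escaped as before.
        $sql = "UPDATE " . PREFIX . "user SET description='" . sql_safe($description)
            . "' WHERE id=" . (int) $_SESSION[PREFIX . 'user_id'] . ";";

        if (mysql_query($sql)) {
            add_message(_("Profile updated"));
        } else {
            // Keep the statement and driver error server-side. The original
            // echoed both to the browser, disclosing table layout and DB
            // engine details to whoever triggered the failure.
            error_log("user_receive: profile update failed: " . mysql_error() . " SQL: " . $sql);
            add_error(_("Profile update fail"));
        }
    }
}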
# strip extra spaces from real name $t_realname = string_normalize($f_realname); if ($t_realname != user_get_field($t_user_id, 'realname')) { # checks for problems with realnames $t_username = user_get_field($t_user_id, 'username'); user_ensure_realname_unique($t_username, $t_realname); user_set_realname($t_user_id, $t_realname); $t_realname_updated = true; } # Update password if the two match and are not empty if (!is_blank($f_password)) { if ($f_password != $f_password_confirm) { trigger_error(ERROR_USER_CREATE_PASSWORD_MISMATCH, ERROR); } else { if (!auth_does_password_match($t_user_id, $f_password)) { user_set_password($t_user_id, $f_password); $t_password_updated = true; } } } form_security_purge('account_update'); html_page_top(null, $t_redirect); echo '<br /><div align="center">'; if ($t_email_updated) { echo lang_get('email_updated') . '<br />'; } if ($t_password_updated) { echo lang_get('password_updated') . '<br />'; } if ($t_realname_updated) { echo lang_get('realname_updated') . '<br />';
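/**
 * Return true if the password for the user id given matches the given
 * password (taking into account the global login method)
 *
 * For LDAP the check is delegated to ldap_authenticate(). Otherwise the
 * candidate is processed with each of MD5, CRYPT and PLAIN and compared to the
 * stored value, so accounts hashed under an earlier method still authenticate.
 * A match under a method other than the configured one (or under the old
 * CRYPT behaviour) triggers a re-store via user_set_password().
 *
 * @param int $p_user_id User id to check password against
 * @param string $p_test_password Password
 * @return bool indicating whether password matches given the user id
 * @access public
 */
function auth_does_password_match($p_user_id, $p_test_password) {
    $t_configured_login_method = config_get('login_method');

    if (LDAP == $t_configured_login_method) {
        return ldap_authenticate($p_user_id, $p_test_password);
    }

    $t_password = (string) user_get_field($p_user_id, 'password');

    $t_login_methods = array(MD5, CRYPT, PLAIN);
    foreach ($t_login_methods as $t_login_method) {
        # pass the stored password in as the salt
        $t_candidate = (string) auth_process_plain_password($p_test_password, $t_password, $t_login_method);

        # Compare strictly. The original used "==", under which two strings
        # that both look numeric compare by value: hex digests of the form
        # "0e<digits>" are all equal to each other ("magic hash"), so a
        # crafted password could match an unrelated stored MD5 hash.
        if ($t_candidate !== $t_password) {
            continue;
        }

        # Do not support migration to PLAIN, since this would be a crazy thing to do.
        # Also if we do, then a user will be able to login by providing the MD5 value
        # that is copied from the database. See #8467 for more details.
        if ($t_configured_login_method != PLAIN && $t_login_method == PLAIN) {
            continue;
        }

        # Check for migration to another login method and test whether the password was encrypted
        # with our previously insecure implemention of the CRYPT method
        # (the first two characters of the stored value equal those of the password).
        $t_old_crypt = (CRYPT == $t_configured_login_method
            && utf8_substr($t_password, 0, 2) === utf8_substr($p_test_password, 0, 2));
        if ($t_login_method != $t_configured_login_method || $t_old_crypt) {
            user_set_password($p_user_id, $p_test_password, true);
        }
        return true;
    }

    return false;
}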
user_ensure_realname_unique($f_username, $f_realname); if ($f_password != $f_password_verify) { trigger_error(ERROR_USER_CREATE_PASSWORD_MISMATCH, ERROR); } $f_email = email_append_domain($f_email); email_ensure_not_disposable($f_email); if (is_blank($f_password)) { helper_ensure_confirmed(lang_get('empty_password_sure_msg'), lang_get('empty_password_button')); } lang_push(config_get('default_language')); $t_admin_name = user_get_name(auth_get_current_user_id()); $t_cookie = user_create($f_username, $f_password, $f_email, $f_access_level, $f_protected, $f_enabled, $t_realname, $t_admin_name); # set language back to user language lang_pop(); $t_user_id = user_get_id_by_name($f_username); user_set_password($t_user_id, $f_password, false); $agilemantis_au->setAgileMantisUserRights($t_user_id, $_POST['participant'], $_POST['developer'], $_POST['administrator']); header($agilemantis_au->forwardReturnToPage('agileuser.php')); } else { html_page_top(plugin_lang_get('manage_user_add_new_user')); } ?> <?php if (user_get_name(auth_get_current_user_id()) == 'administrator') { ?> <br> <div align="center"> <form method="post" action="<?php echo plugin_page("add_user.php"); ?>
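/**
 * Return true if the password for the user id given matches the given
 * password (taking into account the global login method).
 *
 * For LDAP the check is delegated to ldap_authenticate(). Otherwise the
 * candidate is processed with each of MD5, CRYPT and PLAIN and compared to the
 * stored value; a match under a method other than the configured one (or under
 * the old CRYPT behaviour) is re-stored via user_set_password().
 *
 * @param int $p_user_id User id to check password against
 * @param string $p_test_password Password
 * @return bool indicating whether password matches given the user id
 * @access public
 */
function auth_does_password_match($p_user_id, $p_test_password) {
    $t_configured_login_method = config_get('login_method');

    if (LDAP == $t_configured_login_method) {
        return ldap_authenticate($p_user_id, $p_test_password);
    }

    $t_password = (string) user_get_field($p_user_id, 'password');

    $t_login_methods = array(MD5, CRYPT, PLAIN);
    foreach ($t_login_methods as $t_login_method) {
        # pass the stored password in as the salt
        $t_candidate = (string) auth_process_plain_password($p_test_password, $t_password, $t_login_method);

        # Compare strictly. The original used "==", under which two strings
        # that both look numeric compare by value: hex digests of the form
        # "0e<digits>" are all equal to each other ("magic hash"), so a
        # crafted password could match an unrelated stored MD5 hash.
        if ($t_candidate !== $t_password) {
            continue;
        }

        # Never accept a PLAIN match unless PLAIN is the configured method:
        # otherwise a stored MD5/CRYPT value copied out of the database could
        # be submitted as the password and would authenticate.
        if ($t_configured_login_method != PLAIN && $t_login_method == PLAIN) {
            continue;
        }

        # Check for migration to another login method and test whether the password was encrypted
        # with our previously insecure implemention of the CRYPT method
        # (the first two characters of the stored value equal those of the password).
        $t_old_crypt = (CRYPT == $t_configured_login_method
            && substr($t_password, 0, 2) === substr($p_test_password, 0, 2));
        if ($t_login_method != $t_configured_login_method || $t_old_crypt) {
            user_set_password($p_user_id, $p_test_password, true);
        }
        return true;
    }

    return false;
}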