# Password-reset handler: looks the user up by the submitted name, sets a new
# random password and mails it. Result text for the page goes into $msg.
#
# NOTE(review): $username is read straight from $_REQUEST and is interpolated
# into HTML markup in $msg (<b>...</b>) without htmlspecialchars(); $email is
# used the same way further down. If $msg is echoed as HTML that is reflected
# markup injection -- escape at the point of output or here.
$username = $_REQUEST['username'];
$user_exists = check_user_exists($username);
if ($user_exists == false) {
    $msg = "User <b>{$username}</b> not found. Please check the username entered.";
} else {
    $user_profile = get_user_by_name($username);
    $email = $user_profile->email;
    # Remove the following line once get_user_profile works
    if (trim($email) == "") {
        $msg = "Email address not present for <b>{$username}</b>. Please contact sysadmin to reset your password.";
    } else {
        if (check_valid_email($email) === false) {
            $msg = "Email address <b>{$email}</b> not valid. Please contact sysadmin to reset your password.";
        } else {
            # The new password is generated here and mailed in clear text
            # below; the account is changed before the mail is known to
            # have been delivered.
            $new_password = get_random_password();
            $password_changed = change_user_password($username, $new_password);
            if ($password_changed === false) {
                $msg = "Error while resetting password. Please try again.";
            } else {
                $subject = "[BLIS] New password for " . $username;
                # $to_addr is assigned but never used; mail() below uses $email.
                $to_addr = $email;
                # NOTE(review): the "******" tokens look like a redaction in
                # this copy (presumably the username and $new_password were
                # concatenated here); as written the expression does not parse.
                $body = "Your password has been reset.\nPlease note that passwords are case-sensitive.\n\n" . "Username: "******"\n" . "New Password: "******"\n\n" . "Please login to update your password.\n" . "http://lis.cc.gatech.edu";
                if (mail($email, $subject, $body)) {
                    $msg = "New password emailed to <u>" . $email . "</u>";
                } else {
                    $msg = "Error sending email to <u>" . $email . "</u>. Please contact sysadmin to reset your password.";
                }
            }
        }
    }
}
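/**
 * Updates a lab user (non-admin) account in the global database.
 *
 * Writes actualname, phone, email, level and lang_id on the `user` row
 * whose user_id matches $updated_entry->userId, then hands a non-empty
 * password to change_user_password().
 *
 * @param object $updated_entry  Object exposing actualName, phone, email,
 *                               level, langId, userId, username and password.
 * @return void
 */
function update_lab_user($updated_entry)
{
    # level and user_id are interpolated unquoted, so force them to integers;
    # a non-numeric value would otherwise land in the statement as raw SQL.
    $level = (int) $updated_entry->level;
    $user_id = (int) $updated_entry->userId;

    # NOTE(review): the string columns below are still interpolated without
    # escaping. Unless the caller already escapes them for this DB layer
    # (not visible from here), they need escaping or a prepared statement.
    $saved_db = DbUtil::switchToGlobal();
    $query_string = "UPDATE user "
        . "SET actualname='{$updated_entry->actualName}', "
        . "phone='{$updated_entry->phone}', "
        . "email='{$updated_entry->email}', "
        . "level={$level}, "
        . "lang_id='{$updated_entry->langId}' "
        . "WHERE user_id={$user_id}";
    query_blind($query_string);

    # An empty password means "leave it alone".
    if ($updated_entry->password != "") {
        change_user_password($updated_entry->username, $updated_entry->password);
    }

    DbUtil::switchRestore($saved_db);
}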
/**
 * Processes multi-edit actions.
 *
 * Accessing requires 'admin.edit' privileges.
 *
 * Supports the 'delete', 'changeprivilege' and 'resetpassword' methods on
 * the posted selection. The acting user is filtered out of the selection
 * by the lookup query, so an admin cannot delete or demote themselves here.
 * Every path ends in author_list(); a message is passed along when one
 * applies.
 */
function admin_multi_edit()
{
    global $txp_user;

    require_privs('admin.edit');

    $picked = ps('selected');
    $action = ps('edit_method');
    $done = array();
    $msg = '';

    if (!$picked or !is_array($picked)) {
        return author_list();
    }

    // Resolve the posted names against the user table, minus the current user.
    $targets = safe_column(
        'name',
        'txp_users',
        "name IN (" . implode(',', quote_list($picked)) . ") AND name != '" . doSlash($txp_user) . "'"
    );

    if (!$targets) {
        return author_list();
    }

    switch ($action) {
        case 'delete':
            $heir = ps('assign_assets');

            if (!$heir) {
                $msg = array('must_reassign_assets', E_ERROR);
                break;
            }

            // Assets cannot be handed to someone who is being removed.
            if (in_array($heir, $targets)) {
                $msg = array('cannot_assign_assets_to_deletee', E_ERROR);
                break;
            }

            if (remove_user($targets, $heir)) {
                $done = $targets;
                callback_event('authors_deleted', '', 0, $done);
                $msg = 'author_deleted';
            }
            break;

        case 'changeprivilege':
            if (change_user_group($targets, ps('privs'))) {
                $done = $targets;
                $msg = 'author_updated';
            }
            break;

        case 'resetpassword':
            foreach ($targets as $who) {
                $fresh = generate_password(PASSWORD_LENGTH);

                // A user whose password could not be changed is skipped silently.
                if (!change_user_password($who, $fresh)) {
                    continue;
                }

                $addr = safe_field('email', 'txp_users', "name = '" . doSlash($who) . "'");

                // A mail failure aborts the whole batch with an error.
                if (!send_new_password($fresh, $addr, $who)) {
                    return author_list(array(gTxt('could_not_mail') . ' ' . txpspecialchars($who), E_ERROR));
                }

                $done[] = $who;
                $msg = 'author_updated';
            }
            break;
    }

    if ($done) {
        return author_list(gTxt($msg, array('{name}' => txpspecialchars(implode(', ', $done)))));
    }

    author_list($msg);
}
/**
 * Resets the given user's password and emails it.
 *
 * The old password is replaced with a new random-generated one.
 *
 * Should NEVER be used as sending plaintext passwords is wrong.
 * Will be removed in future, in lieu of sending reset request tokens.
 *
 * @param string $name The login name
 * @return string A localized message string
 * @deprecated in 4.6.0
 * @see PASSWORD_LENGTH
 * @see generate_password()
 * @example
 * echo reset_author_pass('username');
 */
function reset_author_pass($name)
{
    $addr = safe_field("email", 'txp_users', "name = '" . doSlash($name) . "'");
    $fresh = Txp::get('\\Textpattern\\Password\\Random')->generate(PASSWORD_LENGTH);

    // The account is changed first; the message only reports whether the
    // new password could then be delivered.
    if (!change_user_password($name, $fresh)) {
        return gTxt('could_not_update_author') . ' ' . txpspecialchars($name);
    }

    if (!send_new_password($fresh, $addr, $name)) {
        return gTxt('could_not_mail') . ' ' . $addr;
    }

    return gTxt('password_sent_to') . ' ' . $addr;
}
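/**
 * Changes current user's password.
 *
 * Reads 'current_pass' and 'new_pass' from the POST data. The new password
 * must not be blank and the current one must verify for $txp_user through
 * txp_validate(). On success the author list is shown with a confirmation;
 * every failure re-displays the password form with an error.
 *
 * @return void
 */
function change_pass()
{
    global $txp_user;

    // Read the two fields explicitly instead of extract()-ing the posted
    // array, so no other POST key can introduce a variable into this scope.
    $posted = psa(array('current_pass', 'new_pass'));
    $current_pass = isset($posted['current_pass']) ? $posted['current_pass'] : '';
    $new_pass = isset($posted['new_pass']) ? $posted['new_pass'] : '';

    // Same blank check as doTxpValidate(): trim() rather than empty(), so
    // that a password of '0' is not mistaken for "nothing entered".
    if (trim((string) $new_pass) === '') {
        new_pass_form(array(gTxt('password_required'), E_ERROR));
        return;
    }

    if (!txp_validate($txp_user, $current_pass)) {
        new_pass_form(array(gTxt('password_invalid'), E_ERROR));
        return;
    }

    if (change_user_password($txp_user, $new_pass)) {
        author_list(gTxt('password_changed'));
        return;
    }

    // Previously a failed update fell through with no output at all.
    new_pass_form(array(gTxt('could_not_update_author') . ' ' . txpspecialchars($txp_user), E_ERROR));
}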
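/**
 * Updates a lab user (non-admin) account in the global database.
 *
 * Writes actualname, phone, email, level, lang_id and rwoptions on the
 * `user` row, hands a non-empty password to change_user_password(), then
 * mirrors level and rwoptions into the user_config row whose parameter
 * is 'rwoptions'.
 *
 * @param object $updated_entry  Object exposing actualName, phone, email,
 *                               level, langId, rwoption, userId, username
 *                               and password.
 * @return void
 */
function update_lab_user($updated_entry)
{
    # level and user_id are interpolated unquoted in both statements, so
    # force them to integers once; a non-numeric value would otherwise land
    # in the statement as raw SQL.
    $level = (int) $updated_entry->level;
    $user_id = (int) $updated_entry->userId;

    # NOTE(review): the string columns are still interpolated without
    # escaping. Unless the caller already escapes them for this DB layer
    # (not visible from here), they need escaping or a prepared statement.
    $saved_db = DbUtil::switchToGlobal();
    $query_string = "UPDATE user "
        . "SET actualname='{$updated_entry->actualName}', "
        . "phone='{$updated_entry->phone}', "
        . "email='{$updated_entry->email}', "
        . "level={$level}, "
        . "lang_id='{$updated_entry->langId}', "
        . "rwoptions='{$updated_entry->rwoption}' "
        . "WHERE user_id={$user_id}";
    query_blind($query_string);

    # An empty password means "leave it alone".
    if ($updated_entry->password != "") {
        change_user_password($updated_entry->username, $updated_entry->password);
    }
    DbUtil::switchRestore($saved_db);

    # Updates user_config
    $saved_db = DbUtil::switchToGlobal();
    $query_string = "UPDATE user_config \r\n\t\tSET level=" . $level . ", "
        . "value='" . $updated_entry->rwoption . "' "
        . " WHERE user_id=" . $user_id . " and parameter = 'rwoptions'";
    query_blind($query_string);
    DbUtil::switchRestore($saved_db);
}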
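// Password-recovery endpoint. With a valid hash and a new password the
// password is changed; otherwise a recovery link is mailed.
// $conn, $username and $password are expected from earlier in the file.
// All three request values are optional, so default them instead of
// reading undefined indexes.
$new_password = isset($_GET['password']) ? (string) $_GET['password'] : '';
$recovery = isset($_GET['email']) ? (string) $_GET['email'] : '';
$reset_hash = isset($_GET['hash']) ? (string) $_GET['hash'] : '';

// Get the other user data
// NOTE(review): '******' looks like a redacted value in this copy (the
// username was presumably interpolated here). Whatever the real value is,
// this lookup should be a prepared statement, not string interpolation.
$query = "SELECT * FROM Users WHERE Username = '******';";
$result = $conn->query($query);

// A failed query returns false; treat it like "no such user" instead of
// reading num_rows off a boolean.
if ($result === false || $result->num_rows < 1) {
    die("User \"{$username}\" not found!");
}

$user_data = $result->fetch_assoc();

// And use it to generate a hash
// NOTE(review): the reset token is a deterministic digest of name and
// password, so it never expires and is only invalidated by a password
// change. A random, server-stored token with an expiry is the usual
// replacement.
$firstname = $user_data["FirstName"];
$lastname = $user_data["LastName"];
$hash = hash('ripemd160', "{$firstname} {$lastname} {$password}");

// If we were given a valid hash and new password. hash_equals() keeps the
// comparison constant-time; '' rather than truthiness so "0" is a password.
if ($reset_hash !== '' && $new_password !== '' && hash_equals($hash, $reset_hash)) {
    // change the password
    die(change_user_password($conn, $username, $new_password));
}

// A hash was supplied but did not validate (or no new password came with it).
if ($reset_hash !== '') {
    die("Cannot change password for user {$username}.");
}

// Otherwise, send a recovery email
// NOTE(review): the recovery address comes from the request ($_GET['email']),
// not from the stored account record, so the reset link for $username is
// delivered to whatever address the requester supplies. It should be sent to
// the address on file; that column is not visible in this snippet, so the
// change is left to the maintainer.
$text = "We have received your request to reset your password, please follow this link to proceed:\n http://baker.valpo.edu/scheduler/change-password?username={$username}&hash={$hash}";
// Dot-stuffing: a line consisting of a single '.' would end an SMTP message.
$text = str_replace("\n.", "\n..", $text);

if (mail($recovery, "Recover Your LIMTS Password", $text)) {
    die("Successfully sent recovery message to {$recovery}.");
} else {
    die("Unknown Failure.");
}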
/**
 * Validates the sent login form and creates a session.
 *
 * Four request shapes are handled, in this order of precedence:
 *  - an existing login cookie (`txp_login` = "name,hash"), optionally with
 *    logout requested;
 *  - a username/password login;
 *  - a password-reset request (`p_reset`);
 *  - a password change/set confirmation carrying a token (`p_alter`/`p_set`).
 *
 * During the reset request procedure, it is conceivable to verify the
 * token as soon as it's presented in the URL, but that would:
 * a) require refactoring code similarities in both p_confirm and p_alter branches
 * b) require some way (e.g. an Exception) to signal back to doLoginForm() that
 *    the token is bogus so the 'change your password' form is not displayed.
 * c) leak information about the validity of a token, thus allowing rapid brute-force
 *    attempts.
 *
 * The inconvenience of a real user following an expired token and being told so
 * after they've set a password is a small price to pay for the improved security
 * and reduction of attack surface that validating after submission affords.
 *
 * @todo Could the checks be done via a (reusable) Validator()?
 *
 * @return string A localised feedback message ('' on success; on failure an
 *                array(message, E_ERROR) pair is returned through $message)
 * @see doLoginForm()
 */
function doTxpValidate()
{
    global $logout, $txp_user;

    $p_userid = ps('p_userid');
    $p_password = ps('p_password');
    $p_reset = ps('p_reset');
    $p_alter = ps('p_alter');
    $p_set = ps('p_set');
    $stay = ps('stay');
    // Read but not used anywhere in this function.
    $p_confirm = gps('confirm');
    $logout = gps('logout');
    $message = '';
    // Cookie path for the public-side cookie; collapses a trailing '//' to '/'.
    $pub_path = preg_replace('|//$|', '/', rhu . '/');

    // The login cookie is "name,hash". The hash is the last comma-separated
    // element; everything before it is the name (which may itself contain commas).
    if (cs('txp_login') && strpos(cs('txp_login'), ',')) {
        $txp_login = explode(',', cs('txp_login'));
        $c_hash = end($txp_login);
        $c_userid = join(',', array_slice($txp_login, 0, -1));
    } else {
        $c_hash = '';
        $c_userid = '';
    }

    if ($logout) {
        setcookie('txp_login', '', time() - 3600);
        setcookie('txp_login_public', '', time() - 3600, $pub_path);
    }

    // 32 hex characters is the length of the md5 hash set at login below.
    if ($c_userid && strlen($c_hash) === 32) {
        // Cookie exists.
        // @todo Improve security by using a better nonce/salt mechanism. md5 and uniqid are bad.
        // Only accounts active within the last 30 days can be resumed from a cookie.
        $r = safe_row("name, nonce", 'txp_users', "name = '" . doSlash($c_userid) . "' AND last_access > DATE_SUB(NOW(), INTERVAL 30 DAY)");

        // The stored nonce is md5(name . raw bytes of the cookie hash); see the
        // login branch below. NOTE(review): `===` on a secret value is not
        // constant-time; hash_equals() would be the usual choice here.
        if ($r && $r['nonce'] && $r['nonce'] === md5($c_userid . pack('H*', $c_hash))) {
            // Cookie is good.
            if ($logout) {
                // Destroy nonce.
                // Rotating the nonce invalidates every copy of the cookie, not just this browser's.
                safe_update('txp_users', "nonce = '" . doSlash(md5(uniqid(mt_rand(), true))) . "'", "name = '" . doSlash($c_userid) . "'");
            } else {
                // Create $txp_user.
                $txp_user = $r['name'];
            }

            return $message;
        } else {
            // Name/hash pair no longer matches the stored nonce: the cookie is
            // rewritten with the name only (a 365-day expiry) and the public
            // cookie is cleared.
            txp_status_header('401 Your session has expired');
            setcookie('txp_login', $c_userid, time() + 3600 * 24 * 365);
            setcookie('txp_login_public', '', time() - 3600, $pub_path);
            $message = array(gTxt('bad_cookie'), E_ERROR);
        }
    } elseif ($p_userid && $p_password) {
        // Incoming login vars.
        $name = txp_validate($p_userid, $p_password);

        if ($name !== false) {
            // Fresh per-login secret: the cookie carries its hex form, the DB
            // stores md5(name . raw bytes), so the DB value alone cannot be
            // replayed as a cookie.
            $c_hash = md5(uniqid(mt_rand(), true));
            $nonce = md5($name . pack('H*', $c_hash));
            safe_update('txp_users', "nonce = '" . doSlash($nonce) . "'", "name = '" . doSlash($name) . "'");
            // "Stay logged in" makes the cookie persistent (1 year / 30 days);
            // otherwise it is a session cookie (expiry 0).
            setcookie('txp_login', $name . ',' . $c_hash, $stay ? time() + 3600 * 24 * 365 : 0, null, null, null, LOGIN_COOKIE_HTTP_ONLY);
            setcookie('txp_login_public', substr(md5($nonce), -10) . $name, $stay ? time() + 3600 * 24 * 30 : 0, $pub_path);

            // Login is good, create $txp_user.
            $txp_user = $name;

            return '';
        } else {
            // Fixed delay on a bad credential pair, presumably to slow guessing.
            sleep(3);
            txp_status_header('401 Could not log in with that username/password');
            $message = array(gTxt('could_not_log_in'), E_ERROR);
        }
    } elseif ($p_reset) {
        // Reset request.
        // Same fixed delay whether or not a name was given, so the response
        // time does not reveal which branch ran.
        sleep(3);
        include_once txpath . '/lib/txplib_admin.php';
        $message = $p_userid ? send_reset_confirmation_request($p_userid) : '';
    } elseif ($p_alter || $p_set) {
        // Password change/set confirmation.
        sleep(3);
        global $sitename;
        $pass = ps('p_password');
        // p_alter is a reset of an existing password, p_set an initial
        // activation; each has its own token type.
        $type = $p_alter ? 'password_reset' : 'account_activation';

        if (trim($pass) === '') {
            $message = array(gTxt('password_required'), E_ERROR);
        } else {
            // Token layout: SALT_LENGTH characters of verifier followed by the
            // selector. Only the selector is used to look the token up; the
            // verifier is recomputed and compared after the row is fetched.
            $hash = gps('hash');
            $selector = substr($hash, SALT_LENGTH);
            $tokenInfo = safe_row("reference_id, token, expires", 'txp_token', "selector = '" . doSlash($selector) . "' AND type='{$type}'");

            if ($tokenInfo) {
                if (strtotime($tokenInfo['expires']) <= time()) {
                    $message = array(gTxt('token_expired'), E_ERROR);
                } else {
                    $uid = assert_int($tokenInfo['reference_id']);
                    $row = safe_row("name, email, nonce, pass AS old_pass", 'txp_users', "user_id = {$uid}");

                    // Verifier = first SALT_LENGTH chars of hash(nonce . selector . current password hash).
                    // Because the current password hash is an input, the token
                    // presumably stops validating once the password changes.
                    // NOTE(review): as with the cookie check, `===` is not a
                    // constant-time comparison; hash_equals() would be.
                    if ($row && $row['nonce'] && $hash === bin2hex(pack('H*', substr(hash(HASHING_ALGORITHM, $row['nonce'] . $selector . $row['old_pass']), 0, SALT_LENGTH))) . $selector) {
                        if (change_user_password($row['name'], $pass)) {
                            // Precedence note: the '.' chain binds to the else
                            // branch only, so the login URL is appended for
                            // account activation but not for a password reset.
                            $body = gTxt('salutation', array('{name}' => $row['name'])) . n . n . ($p_alter ? gTxt('password_change_confirmation') : gTxt('password_set_confirmation') . n . n . gTxt('log_in_at') . ': ' . hu . 'textpattern/index.php');
                            $message = $p_alter ? gTxt('password_changed') : gTxt('password_set');
                            txpMail($row['email'], "[{$sitename}] " . $message, $body);

                            // Invalidate all tokens in the wild for this user.
                            safe_delete("txp_token", "reference_id = {$uid} AND type IN ('password_reset', 'account_activation')");
                        }
                    } else {
                        $message = array(gTxt('invalid_token'), E_ERROR);
                    }
                }
            } else {
                $message = array(gTxt('invalid_token'), E_ERROR);
            }
        }
    }

    // Every path that did not return above leaves no authenticated user.
    $txp_user = '';

    return $message;
}
exit; } } if (isset($_POST["newPass"]) && isset($_POST["newPassConfirm"]) && isset($_POST["oldPass"])) { if (!($password = string_corrector($_POST["newPass"]))) { echo "پسورد نمی تواند خالی باشد"; } elseif (!wp_check_password(string_corrector($_POST["oldPass"]), $user->user_pass, $user->ID)) { echo "پسورد اشتباه است"; echo "<br>"; } elseif ($password !== $_POST["newPassConfirm"]) { echo "پسورد و تایید پسورد یکسان نیستند"; echo "<br>"; } elseif (!valid_email_change_time($user->ID)) { echo "شما هر هفت روز تنها یک بار می توانید پسورد خود را تغییر دهید"; echo "<br>"; } elseif (change_user_password($user->ID, $password) === true) { echo "رمز عبور با موفقیت تغییر کرد"; echo "<br>"; } else { echo "مشکلی پیش آمده است.لطفا بعدا تلاش کنید"; exit; } } break; } } elseif ($_SERVER["REQUEST_METHOD"] == "GET") { //TODO add email register exit; } /** * This function changes user user name if user does not change it's user yet;
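<?php
// Import the "Grab Bag"
require "common.php";

// Every reply is a one-key JSON object; build it with json_encode() so a
// quote or backslash inside the message cannot break the document.
$respond = static function ($message) {
    die(json_encode(['response' => (string) $message], JSON_PARTIAL_OUTPUT_ON_ERROR));
};

// Open an (OO) MySQL Connection
$conn = new mysqli($GLOBALS["dbhost"], $GLOBALS["dbuser"], $GLOBALS["dbpass"], $GLOBALS["dbname"]);

// Check connection and start the session
if ($conn->connect_error || !session_start()) {
    $respond("Connection failed: " . $conn->connect_error);
}

// Get the values from the POST parameters. Missing fields become null, which
// is what an undefined index yielded before, minus the notice.
$username = isset($_POST["username"]) ? $_POST["username"] : null;
$firstname = isset($_POST["firstname"]) ? $_POST["firstname"] : null;
$lastname = isset($_POST["lastname"]) ? $_POST["lastname"] : null;
$password = isset($_POST["password"]) ? (string) $_POST["password"] : '';

if (!check_parameters($username, $firstname, $lastname)) {
    $respond("You must specify the username, firstname and lastname!");
}

// If we are updating the password, change it accordingly. Compare against ''
// rather than testing truthiness, so a password of "0" is not silently skipped.
if ($password !== '') {
    $result = change_user_password($conn, $username, $password);
    if ($result != "Successful") {
        $respond($result);
    }
}

// Finally, update the other user information and die...
$respond(update_user_info($conn, $username, $firstname, $lastname));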