/**
 * Handles a "lost password" form submission.
 *
 * Resolves the submitted identifier (e-mail first, username as fallback) to
 * a user, stores a hashed activation key valid for one hour in
 * USER_INFOS_TABLE, and mails the plain key embedded in a reset link.
 * Outcome messages are appended to $page['errors'] or $page['infos'].
 *
 * Reads $_POST['username_or_email'] and the globals $page and $conf.
 *
 * NOTE(review): the three distinct error messages below disclose whether an
 * account exists and whether it has an e-mail address; a single generic
 * response would avoid account enumeration. Left unchanged here because the
 * strings are localised and shown to the user.
 *
 * @return bool true if the reset e-mail was sent, false otherwise
 */
function process_password_request()
{
  global $page, $conf;

  if (empty($_POST['username_or_email']))
  {
    $page['errors'][] = l10n('Invalid username or email');
    return false;
  }
  $lookup = $_POST['username_or_email'];

  // E-mail lookup first, username as a fallback.
  $user_id = get_userid_by_email($lookup);
  if (!is_numeric($user_id))
  {
    $user_id = get_userid($lookup);
  }
  if (!is_numeric($user_id))
  {
    $page['errors'][] = l10n('Invalid username or email');
    return false;
  }

  $userdata = getuserdata($user_id, false);
  $status = $userdata['status'];

  // Guest and generic accounts can never reset a password.
  if (is_a_guest($status) || is_generic($status))
  {
    $page['errors'][] = l10n('Password reset is not allowed for this user');
    return false;
  }
  if (empty($userdata['email']))
  {
    $page['errors'][] = l10n('User "%s" has no email address, password reset is not possible', $userdata['username']);
    return false;
  }

  // Only the hash of the key is persisted; the plain key travels in the mail.
  $activation_key = generate_key(20);
  list($expire) = pwg_db_fetch_row(pwg_query('SELECT ADDDATE(NOW(), INTERVAL 1 HOUR)'));
  single_update(
    USER_INFOS_TABLE,
    array(
      'activation_key' => pwg_password_hash($activation_key),
      'activation_key_expire' => $expire,
    ),
    array('user_id' => $user_id)
  );
  // Kept on the local copy (not read again in this function).
  $userdata['activation_key'] = $activation_key;

  // Absolute URLs are needed inside the e-mail body.
  set_make_full_url();
  $paragraphs = array(
    l10n('Someone requested that the password be reset for the following user account:'),
    l10n('Username "%s" on gallery %s', $userdata['username'], get_gallery_home_url()),
    l10n('To reset your password, visit the following address:') . "\r\n"
      . get_gallery_home_url() . '/password.php?key=' . $activation_key . '-' . urlencode($userdata['email']),
    l10n('If this was a mistake, just ignore this email and nothing will happen.'),
  );
  $message = implode("\r\n\r\n", $paragraphs) . "\r\n";
  unset_make_full_url();

  // Plugins may rewrite the mail body.
  $message = trigger_change('render_lost_password_mail_content', $message);

  $sent = pwg_mail(
    $userdata['email'],
    array(
      'subject' => '[' . $conf['gallery_title'] . '] ' . l10n('Password Reset'),
      'content' => $message,
      'email_format' => 'text/plain',
    )
  );
  if (!$sent)
  {
    $page['errors'][] = l10n('Error sending email');
    return false;
  }

  $page['infos'][] = l10n('Check your email for the confirmation link');
  return true;
}
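/**
 * Verifies a password, with the PasswordHash class from phpass security library.
 * If the hash is 'old' (assumed MD5, or whatever $conf['pass_convert'] produces)
 * the hash is updated in database, used for migration from Piwigo 2.4.
 * @since 2.5
 *
 * Legacy hashes are compared with a strict string comparison: PHP's loose
 * `==` treats two hex digests of the form "0e<digits>" as equal numbers, so a
 * wrong password whose digest had that shape could have been accepted.
 *
 * @param string $password plain text
 * @param string $hash may be md5 or phpass hashed password
 * @param integer $user_id only useful to update password hash from md5 to phpass
 * @return bool
 */
function pwg_password_verify($password, $hash, $user_id = null)
{
  global $conf, $pwg_hasher;

  // Not a phpass portable hash ($P...): try the legacy scheme first.
  if (strpos($hash, '$P') !== 0)
  {
    if (!empty($conf['pass_convert']))
    {
      $legacy = $conf['pass_convert']($password);
    }
    else
    {
      $legacy = md5($password);
    }

    // Strict comparison on purpose: with `==`, digests such as "0e12..." and
    // "0e34..." are both numeric strings and compare as equal.
    if ((string) $hash === (string) $legacy)
    {
      if (!isset($user_id) || $conf['external_authentification'])
      {
        return true;
      }
      // Rehash using new hash.
      $hash = pwg_password_hash($password);
      single_update(USERS_TABLE, array('password' => $hash), array('id' => $user_id));
    }
    // NOTE(review): a legacy mismatch deliberately falls through to phpass
    // instead of returning false — presumably so other crypt()-style hashes
    // stay verifiable; confirm before short-circuiting here.
  }

  // If the stored hash is longer than an MD5, presume the
  // new style phpass portable hash.
  if (empty($pwg_hasher))
  {
    require_once PHPWG_ROOT_PATH . 'include/passwordhash.class.php';
    // We use the portable hash feature
    $pwg_hasher = new PasswordHash(13, true);
  }
  return $pwg_hasher->CheckPassword($password, $hash);
}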