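/**
 * Validator for the "change password" form.
 *
 * Checks that the two new-password fields agree, that the new password differs
 * from the current one and, when the form carries a "password" field, that the
 * current password is correct; then stores the new hash for the logged-in person.
 *
 * @param object $form form object; reads $form->fields["newpassword1"],
 *                     $form->fields["newpassword2"] and, if present, $form->fields["password"]
 * @return bool true when the password was changed, false when a field error was set
 */
function prooveOldPassword($form) {
  $fields = $form->fields;
  $newPassword = $fields["newpassword1"]->getValue();

  // Strict comparison: the values are strings, a loose != would treat e.g. "1e1" and "10" as equal.
  if ($newPassword !== $fields["newpassword2"]->getValue()) {
    $fields["newpassword1"]->setError(" ");
    $fields["newpassword2"]->setError(t("password.does.not.match.the.previous"));
    return false;
  }

  // The "password" field is only present when the current password has to be
  // confirmed; without it the change is accepted on the session alone.
  $hasCurrentPasswordField = isset($fields["password"]);
  if ($hasCurrentPasswordField && $newPassword === $fields["password"]->getValue()) {
    $fields["newpassword1"]->setError(t("please.take.new.password"));
    return false;
  }

  $userId = $_SESSION["user"]->id;
  $person = db_query("select * from {cdb_person} where id=:id", array(":id" => $userId))->fetch();

  // user_check_password() expects the plain-text value; the original handed it the
  // field object itself. A missing person row is treated like a wrong password.
  if ($hasCurrentPasswordField
      && ($person === false || !user_check_password($fields["password"]->getValue(), $person))) {
    $fields["password"]->setError(t("password.is.incorrect"));
    return false;
  }

  $scrambledPassword = scramble_password($newPassword);
  db_query("update {cdb_person} set password=:password where id=:id",
           array(":id" => $userId, ":password" => $scrambledPassword));
  addInfoMessage(t("password.changes.successfully"));

  // No previous password in the session: the person came in through a loginstr link
  // and is forwarded to home. (The session copy of the password is not refreshed here.)
  $oldPassword = $_SESSION["user"]->password;
  if ($oldPassword === null || $oldPassword === '') {
    header("Location: ?q=home");
  }
  return true;
}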
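/**
 * Check a plain-text password against the hash stored for a person.
 *
 * Order of checks:
 *  1. password_verify() against the stored hash; a hash made with outdated
 *     parameters is re-hashed with scramble_password() and written back.
 *  2. Legacy fallback: the stored value may still be the MD5 digest of the
 *     trimmed password; a match is upgraded to a current hash in the database
 *     (when password_verify() is available).
 *
 * @param string $plain_password password as typed by the user
 * @param object $user           person row; reads $user->password and $user->id
 * @return bool true on a match, false otherwise (empty input, no stored password, mismatch)
 */
function user_check_password($plain_password, $user) {
  $stored_password = $user->password;

  // Empty input never matches. The original used empty(), which also rejected the literal "0".
  if ($plain_password === null || $plain_password === '') {
    return false;
  }
  // A person without a stored password cannot be verified against anything.
  if (!is_string($stored_password) || $stored_password === '') {
    return false;
  }

  if (function_exists('password_verify')) {
    if (password_verify($plain_password, $stored_password)) {
      /* maybe the parameters changed, so we should rekey */
      if (password_needs_rehash($stored_password, PASSWORD_DEFAULT)) {
        _user_store_rehashed_password($plain_password, $user);
      }
      return true;
    }
  }

  /* maybe the password is still MD5? If so, rekey (only possible with password_hash available) */
  if (_user_legacy_md5_matches($plain_password, $stored_password)) {
    if (function_exists('password_verify')) {
      _user_store_rehashed_password($plain_password, $user);
    }
    return true;
  }
  return false;
}

/**
 * Compare the legacy MD5 digest of a password with the stored value.
 *
 * Uses hash_equals() where available: the original compared with ==, under which
 * two digests of the form "0e<digits>" compare equal as numbers.
 *
 * @param string $plain_password
 * @param string $stored_password
 * @return bool
 */
function _user_legacy_md5_matches($plain_password, $stored_password) {
  $digest = md5(trim($plain_password));
  if (function_exists('hash_equals')) {
    return hash_equals($stored_password, $digest);
  }
  return $digest === $stored_password;
}

/**
 * Re-hash a verified plain-text password with the current parameters and store it for the person.
 *
 * @param string $plain_password
 * @param object $user person row; reads $user->id
 */
function _user_store_rehashed_password($plain_password, $user) {
  $new_stored_password = scramble_password($plain_password);
  db_query("UPDATE {cdb_person}\n SET password=:password\n WHERE id=:id",
           array(":id" => $user->id, ":password" => $new_stored_password), false);
}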
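/**
 * Handle a "new password" request for the e-mail address given in the request.
 *
 * If the address belongs to a non-archived person, a random password is generated,
 * its hash is stored for that person and the plain password is mailed to the address.
 *
 * @return string HTML fragment with the result message and a back-to-login link,
 *                or the plain text "No email in parameter" when no address was given
 */
function login__newpwd() {
  $email = getVar("email");
  if (!$email) {
    return "No email in parameter";
  }

  // The address is request-controlled: escape it wherever it is reflected into HTML.
  $safeEmail = htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
  $txt = "";

  $res = db_query("SELECT COUNT(*) c FROM {cdb_person}\n WHERE email=:email AND archiv_yn=0",
                  array(':email' => $email))->fetch();
  $count = $res ? (int) $res->c : 0;

  if ($count === 0) {
    // NOTE(review): this reply reveals whether the address is registered.
    $siteMail = getConf("site_mail");
    $txt .= ' <div class="alert alert-error"> <p>' . t('login.error.longtext', '<a href="mailto:' . $siteMail . '">' . $siteMail . '</a>') . ' </div>';
  } else {
    // NOTE(review): confirm random_string() draws from a CSPRNG (random_int/random_bytes).
    $newpwd = random_string(8);
    // TODO: not needed to send passwords by email, use one time login key instead
    // TODO: use email template
    $scrambled_password = scramble_password($newpwd);
    // Bind the hash just computed; the statement as written stored the literal '******'
    // instead, so the mailed password could never match the stored value.
    db_query("UPDATE {cdb_person}\n SET password=:password\n WHERE email=:email",
             array(':email' => $email, ':password' => $scrambled_password));
    $content = "<h3>" . t('hello') . "</h3>\n <p>" . t('new.password.requested.for.x.is.y', "<i>{$safeEmail}</i>", $newpwd) . "</p>";
    churchcore_systemmail($email, "[" . getConf('site_name') . "] Neues Passwort", $content, true, 1);
    churchcore_sendMails(1);
    $txt .= '<div class="alert alert-info">' . t('new.password.was.sent.to.x', "<i>{$safeEmail}</i>") . '</div>';
    ct_log("Neues Passwort angefordert: {$email}", 2, "-1", "login");
  }

  // URL-encode for the query string, then HTML-escape for the attribute context.
  $linkEmail = htmlspecialchars(rawurlencode($email), ENT_QUOTES, 'UTF-8');
  $txt .= '<a href="?q=login&email=' . $linkEmail . '" class="btn">' . t("back.to.login") . '</a>';
  return $txt;
}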
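/**
 * Render the login page and handle the login-related requests that arrive on it:
 * a new-password request (?newpwd&email), a JSON login from a "direct tool"
 * (POST email/password/directtool), a one-time login link (?loginstr&id) and,
 * for an already logged-in user, switching to a family member (?family_id).
 *
 * Reads the globals $q (current page, embedded in the generated script) and
 * $config (admin_message, login_message, show_remember_me).
 *
 * @return string|null page HTML; null after a direct-tool login, whose JSON
 *                     response has already been written
 */
function login_main() {
  global $q, $config;
  $txt = "";

  if (isset($config["admin_message"]) && (string) $config["admin_message"] !== "") {
    addErrorMessage($config["admin_message"]);
  }
  if (isset($_GET["message"]) && is_string($_GET["message"]) && $_GET["message"] !== "") {
    // NOTE(review): request-controlled text; confirm addInfoMessage() escapes it for HTML.
    addInfoMessage($_GET["message"]);
  }

  // Already logged in: only the family switch / "you are logged in" hint is shown.
  if (userLoggedIn()) {
    return $txt . _login_main_logged_in_message();
  }

  if (isset($config["login_message"])) {
    addInfoMessage($config["login_message"], true);
  }
  $model = _login_main_build_form($config);

  if (isset($_GET["newpwd"])) {
    $email = (isset($_GET["email"]) && is_string($_GET["email"])) ? $_GET["email"] : "";
    $txt .= _login_main_handle_newpwd($email);
  } elseif (isset($_POST["email"]) && isset($_POST["password"]) && isset($_POST["directtool"])) {
    _login_main_handle_directtool();
    return null;
  } elseif (isset($_GET["loginstr"]) && $_GET["loginstr"] != "" && isset($_GET["id"])) {
    $txt .= _login_main_handle_loginstr($_GET["loginstr"], $_GET["id"]);
  }

  $txt .= $model->render();
  $txt .= _login_main_newpwd_script($q);
  return $txt;
}

/**
 * Build the login form: e-mail/username, password and (unless disabled in $config) "remember me".
 *
 * @param array $config reads $config["show_remember_me"]
 * @return CTForm
 */
function _login_main_build_form($config) {
  $model = new CTForm("LoginForm", "prooveLogin", "Login");
  $model->setHeader(t("login.headline"), t("please.fill.following.fields"));
  $model->addField("email", "", "INPUT_REQUIRED", t("email.or.username"), true);
  $model->addField("password", "", "PASSWORD", t("password"));
  if (!isset($config["show_remember_me"]) || (int) $config["show_remember_me"] === 1) {
    $model->addField("rememberMe", "", "CHECKBOX", t("remember.me"));
  }
  $model->addButton(t("login"), "ok");
  return $model;
}

/**
 * HTML-escape a request or session value before it is reflected into the page.
 *
 * @param mixed $value scalar; anything else becomes ""
 * @return string
 */
function _login_main_html($value) {
  return htmlspecialchars(is_scalar($value) ? (string) $value : '', ENT_QUOTES, 'UTF-8');
}

/**
 * Handle ?newpwd&email=...: if the address belongs to a non-archived person,
 * store a random password for it and mail that password.
 *
 * @param string $email address from the request
 * @return string HTML alert to show above the form
 */
function _login_main_handle_newpwd($email) {
  $safeEmail = _login_main_html($email);
  $count = 0;
  if ($email !== "") {
    // Parameterised; the original concatenated the address into the SQL text.
    $res = db_query("select count(*) c from {cdb_person} where email=:email and archiv_yn=0",
                    array(":email" => $email))->fetch();
    $count = $res ? (int) $res->c : 0;
  }
  if ($count === 0) {
    // NOTE(review): this reply reveals whether the address is registered.
    // "mailto:" added: the original href held the bare address, which is not a usable link.
    $siteMail = variable_get("site_mail");
    return '<div class="alert alert-error"><p>Bitte ein gültige EMail-Adresse angeben, an die das neue Passwort gesendet werden kann! Diese Adresse muss im System schon eingerichtet sein. <p>Falls die E-Mail-Adresse schon eingerichtet sein sollte, wende Dich bitte an <a href="mailto:' . $siteMail . '">' . $siteMail . '</a>.</div>';
  }

  // NOTE(review): confirm random_string() draws from a CSPRNG (random_int/random_bytes).
  $newpwd = random_string(8);
  $scrambled_password = scramble_password($newpwd);
  // Bind the hash just computed; the statement as written stored the literal '******'
  // and concatenated the address into the SQL text.
  db_query("update {cdb_person} set password=:password where email=:email",
           array(":email" => $email, ":password" => $scrambled_password));
  $content = "<h3>Hallo!</h3><p>Ein neues Passwort wurde für die E-Mail-Adresse <i>" . $safeEmail . "</i> angefordert: {$newpwd}";
  churchcore_systemmail($email, "[" . variable_get('site_name') . "] Neues Passwort", $content, true, 1);
  churchcore_sendMails(1);
  ct_log("Neues Passwort angefordert " . $email, 2, "-1", "login");
  return '<div class="alert alert-info">Hinweis: Ein neues Passwort wurde nun an <i>' . $safeEmail . '</i> gesendet.</div>';
}

/**
 * JSON login for external "direct tools" (POST email, password, directtool).
 * Writes a jsend response; the caller returns without rendering the page.
 */
function _login_main_handle_directtool() {
  include_once CHURCHCORE . "/churchcore_db.php";
  $email = $_POST["email"];
  $sql = "select * from {cdb_person} where email=:email and active_yn=1 and archiv_yn=0";
  $person = db_query($sql, array(":email" => $email))->fetch();
  if ($person === false) {
    // NOTE(review): the two failure messages let a client tell an unknown address
    // from a wrong password; no throttling is visible on this path either.
    drupal_json_output(jsend()->fail("Unbekannte E-Mail-Adresse"));
    return;
  }
  if (!user_check_password($_POST["password"], $person)) {
    drupal_json_output(jsend()->fail("Falsches Passwort"));
    return;
  }
  login_user($person);
  ct_log("Login durch Direct-Tool " . $_POST["directtool"] . " mit " . $email, 2, "-1", "login");
  drupal_json_output(jsend()->success());
}

/**
 * One-time login link (?loginstr=...&id=...): purge links older than 14 days,
 * look the token up for the person, consume it and log the person in.
 *
 * @param string $loginstr token from the request
 * @param string $personId person id from the request
 * @return string HTML alert when the link is no longer valid, "" after a successful login
 */
function _login_main_handle_loginstr($loginstr, $personId) {
  // Delete old cc_loginstr rows that are older than 14 days.
  db_query("delete from {cc_loginstr} where DATEDIFF( current_date, create_date ) > 13");
  $params = array(":loginstr" => $loginstr, ":id" => $personId);
  $res = db_query("select * from {cc_loginstr} where loginstr=:loginstr and person_id=:id", $params)->fetch();
  if ($res === false) {
    return '<div class="alert alert-info">Fehler: Der verwendete Login-Link ist nicht mehr aktuell und kann deshalb nicht mehr verwendet werden. Bitte mit E-Mail-Adresse und Passwort anmelden!</div>';
  }
  // Remove the token so it cannot be used a second time.
  db_query("delete from {cc_loginstr} where loginstr=:loginstr and person_id=:id", $params);
  ct_log("Login User " . $personId . " erfolgreich mit loginstr ", 2, "-1", "login");
  login_user(churchcore_getPersonById($personId));
  return "";
}

/**
 * Script behind the "#newpwd" button: asks for confirmation, then requests a new
 * password for the address typed into the form.
 *
 * @param string|null $q current page, appended as the q= parameter
 * @return string <script> element
 */
function _login_main_newpwd_script($q) {
  // json_encode() yields a quoted JS literal, so a quote, "</" or "&" in the translated
  // text cannot break out of the string or the <script> element.
  $confirmText = json_encode(t('want.to.receive.new.password'), JSON_HEX_TAG | JSON_HEX_AMP | JSON_UNESCAPED_UNICODE);
  if ($confirmText === false) {
    $confirmText = '""';
  }
  // $q becomes a URL query parameter: encode for that context, which also keeps
  // it from closing the surrounding JS string. The typed address is encoded in JS
  // for the same reason (a "+" in an address would otherwise arrive as a space).
  return '<script>jQuery("#newpwd").click(function(k,a) { if (confirm(' . $confirmText . ')) { window.location.href="?newpwd=true&email="+encodeURIComponent(jQuery("#LoginForm_email").val())+"&q=' . rawurlencode((string) $q) . '"; } });</script>';
}

/**
 * Message for a user who is already logged in; handles ?family_id=... switching
 * to a family member (same e-mail address) whose entry exists in the session.
 *
 * @return string HTML alert
 */
function _login_main_logged_in_message() {
  if (!isset($_GET["family_id"])) {
    return '<div class="alert alert-info"><i>Hinweis:</i> Du bist angemeldet als ' . _login_main_html($_SESSION["user"]->vorname) . ', weiter geht es <a href="?q=home">hier</a>!</div>';
  }
  $familyId = $_GET["family_id"];
  if (is_scalar($familyId) && isset($_SESSION["family"][$familyId])) {
    //logout_current_user();
    login_user($_SESSION["family"][$familyId]);
    // $_SESSION["user"] is read again after login_user(), as the original did.
    return '<div class="alert alert-info">Ummelden erfolgreich! Du arbeitest nun mit der Berechtigung von ' . _login_main_html($_SESSION["user"]->vorname) . ' ' . _login_main_html($_SESSION["user"]->name) . '.</div>';
  }
  return '<div class="alert alert-info">Ummelden zu Id:' . _login_main_html($familyId) . ' hat nicht funktioniert, Session ist leer!</div>';
}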
/**
 * set password of person (will be scrambled before storing in DB)
 *
 * @param int $id id of the person whose password is replaced
 * @param string $password plain-text password; only its scrambled form is stored
 * @throws CTFail when scramble_password() yields no usable value for the password
 */
function churchdb_setPersonPassword($id, $password) {
  $hash = scramble_password($password);
  // TODO: shouldnt better scramble_password throw the exception?
  if (null == $hash) {
    throw new CTFail("Password nicht akzeptiert");
  }
  $params = array(":id" => $id, ":password" => $hash);
  db_query("UPDATE {cdb_person} SET password=:password WHERE id=:id", $params, false);
}