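/**
 * Validation/submit callback of the change-password form.
 *
 * Checks that both new-password fields agree, that the new password differs
 * from the current one, verifies the current password when the form carries a
 * "password" field (a person who arrived through a one-time loginstr link has
 * none and sets a password for the first time), then stores the new hash for
 * the session's user.
 *
 * Fixes over the original: strict string comparisons (with `==` PHP juggles
 * numeric-looking passwords, "1e3" == "1000"), the field *value* rather than
 * the field object is handed to user_check_password(), and a missing session
 * user or person row fails instead of erroring.
 *
 * @param CTForm $form form with fields "newpassword1", "newpassword2" and optionally "password"
 * @return bool false when a field error was set or the user could not be resolved, true after the new hash was stored
 */
function prooveOldPassword($form)
{
    $new1 = $form->fields["newpassword1"]->getValue();
    $new2 = $form->fields["newpassword2"]->getValue();
    $has_current = isset($form->fields["password"]);
    $current = $has_current ? $form->fields["password"]->getValue() : null;

    if ($new1 !== $new2) {
        $form->fields["newpassword1"]->setError(" ");
        $form->fields["newpassword2"]->setError(t("password.does.not.match.the.previous"));
        return false;
    }
    if ($has_current && $new1 === $current) {
        $form->fields["newpassword1"]->setError(t("please.take.new.password"));
        return false;
    }
    if (!isset($_SESSION["user"]->id)) {
        // No authenticated user in the session: nothing to change.
        return false;
    }
    $user_id = $_SESSION["user"]->id;
    $person = db_query("select * from {cdb_person} where id=:id", array(":id" => $user_id))->fetch();
    if (!$person) {
        return false;
    }
    // Only forms that ask for the current password verify it; the loginstr
    // flow deliberately skips this step.
    if ($has_current && !user_check_password($current, $person)) {
        $form->fields["password"]->setError(t("password.is.incorrect"));
        return false;
    }

    $scrambled_password = scramble_password($new1);
    db_query("update {cdb_person} set password=:password where id=:id", array(":id" => $user_id, ":password" => $scrambled_password));
    addInfoMessage(t("password.changes.successfully"));

    // The session object still holds the pre-change row. No stored password
    // there means the person came in via loginstr and is now sent home.
    // header() does not end the request; the caller's remaining output is
    // discarded by the redirect, as in the original.
    $oldpwd = $_SESSION["user"]->password;
    if ($oldpwd === null || $oldpwd === "") {
        header("Location: ?q=home");
    }
    return true;
}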
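/**
 * Verifies a clear-text password against the hash stored on a person row and
 * transparently migrates legacy hashes.
 *
 * Stored formats: a password_hash() hash (preferred) and, for rows not yet
 * migrated, an unsalted MD5 of the trimmed password. A successful MD5 match,
 * or a password_verify() match whose parameters are outdated, re-hashes the
 * password through scramble_password() and writes it back. The MD5 fallback
 * exists only for migration; it is not an acceptable storage format.
 *
 * Fixes over the original: the MD5 digest is compared strictly (and in
 * constant time where hash_equals() exists) — `==` on two digests is open to
 * numeric-string juggling, where two "0e…" digests compare equal and the
 * fallback becomes a bypass; a row without a stored hash fails closed; the
 * function returns false (not null) for an empty password.
 *
 * @param string $plain_password password as entered
 * @param object $user person row exposing ->id and ->password
 * @return bool true on match; false for a wrong, empty or unverifiable password
 */
function user_check_password($plain_password, $user)
{
    $stored_password = isset($user->password) ? $user->password : null;
    $plain = (string) $plain_password;
    // Fail closed: nothing entered, or a row without a stored hash (e.g. an
    // account that only ever used a loginstr link), never authenticates.
    if ($plain === '' || !is_string($stored_password) || $stored_password === '') {
        return false;
    }

    if (function_exists('password_verify')) {
        if (password_verify($plain, $stored_password)) {
            // Algorithm or cost may have changed since the hash was created:
            // re-key so the row follows the current PASSWORD_DEFAULT parameters.
            if (password_needs_rehash($stored_password, PASSWORD_DEFAULT)) {
                db_query("UPDATE {cdb_person}\n                  SET password=:password\n                  WHERE id=:id", array(":id" => $user->id, ":password" => scramble_password($plain)), false);
            }
            return true;
        }
    }

    // Legacy MD5 rows (also the only path on PHP without password_verify).
    $legacy_digest = md5(trim($plain));
    $legacy_match = function_exists('hash_equals')
        ? hash_equals($stored_password, $legacy_digest)
        : $legacy_digest === $stored_password;
    if (!$legacy_match) {
        return false;
    }
    if (function_exists('password_verify')) {
        // Migrate the row to a real password hash on first successful login.
        db_query("UPDATE {cdb_person}\n                  SET password=:password\n                  WHERE id=:id", array(":id" => $user->id, ":password" => scramble_password($plain)), false);
    }
    return true;
}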
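/**
 * Password-reset request (?email=…): if a non-archived person has the address,
 * a random 8-character password is generated, its hash stored for every row
 * with that e-mail (the UPDATE is by address, so family members sharing one
 * address are all reset) and the clear text mailed to the address.
 *
 * Security notes (behaviour kept, see TODOs below): the response discloses
 * whether an address is registered, and any unauthenticated request can reset
 * an account's password at will — a one-time login key sent by mail would
 * avoid both. random_string() is a project helper whose entropy source is not
 * visible here.
 *
 * Fixes over the original: the address is escaped for HTML and URL-encoded
 * for the back link (it was echoed raw), and the computed hash is bound in the
 * UPDATE (the listing showed a literal placeholder there).
 *
 * @return string HTML fragment for the login page, or a plain error string when no e-mail was given
 */
function login__newpwd()
{
    $email = getVar("email");
    if (!is_string($email) || !$email) {
        return "No email in parameter";
    }
    $email_html = htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
    $txt = "";

    $res = db_query("SELECT COUNT(*) c FROM {cdb_person}\n                     WHERE email=:email AND archiv_yn=0", array(':email' => $email))->fetch();
    if ((int) $res->c === 0) {
        $site_mail = getConf("site_mail");
        $txt .= '
      <div class="alert alert-error">
          <p>' . t('login.error.longtext', '<a href="mailto:' . $site_mail . '">' . $site_mail . '</a>') . '
      </div>';
    } else {
        $newpwd = random_string(8);
        // TODO: not needed to send passwords by email, use one time login key instead
        // TODO: use email template
        $scrambled_password = scramble_password($newpwd);
        db_query("UPDATE {cdb_person}\n                SET password=:password\n                WHERE email=:email", array(':password' => $scrambled_password, ':email' => $email));
        $content = "<h3>" . t('hello') . "</h3>\n        <p>" . t('new.password.requested.for.x.is.y', "<i>{$email_html}</i>", $newpwd) . "</p>";
        churchcore_systemmail($email, "[" . getConf('site_name') . "] Neues Passwort", $content, true, 1);
        churchcore_sendMails(1);
        $txt .= '<div class="alert alert-info">' . t('new.password.was.sent.to.x', "<i>{$email_html}</i>") . '</div>';
        ct_log("Neues Passwort angefordert: {$email}", 2, "-1", "login");
    }
    $txt .= '<a href="?q=login&email=' . rawurlencode($email) . '" class="btn">' . t("back.to.login") . '</a>';
    return $txt;
}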
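/**
 * Login page controller. Besides rendering the login form it serves the
 * request variants that all land on ?q=login:
 *  - ?newpwd=true&email=…            legacy password reset by mail
 *                                    (login__newpwd() is the newer equivalent)
 *  - POST email+password+directtool  JSON login for external tools; emits the
 *                                    JSON response itself and returns null
 *  - ?loginstr=…&id=…                one-time login link (token consumed on use)
 *  - ?family_id=…                    while logged in: switch to another person
 *                                    kept in $_SESSION["family"]
 *
 * Fixes over the original: $_GET["email"] was concatenated into two SQL
 * statements (injection) and echoed into HTML and a mail body (XSS); the
 * reset UPDATE now binds the computed hash; the newpwd link URL-encodes the
 * address and $q; the admin-contact link gained its "mailto:" scheme.
 *
 * @return string|null page HTML, or null after the directtool JSON path
 */
function login_main()
{
    global $q, $config;
    $txt = "";
    if (isset($config["admin_message"]) && $config["admin_message"] != "") {
        addErrorMessage($config["admin_message"]);
    }
    // NOTE(review): this text is attacker-controllable (content spoofing at
    // least); whether it is rendered safely depends on addInfoMessage()
    // escaping its argument, which is not visible here.
    if (isset($_GET["message"]) && $_GET["message"] != "") {
        addInfoMessage($_GET["message"]);
    }

    if (userLoggedIn()) {
        if (isset($_GET["family_id"])) {
            // Only persons an earlier login placed in the session can be
            // switched to; the id is a session key, never a trusted person id.
            $family_id = is_scalar($_GET["family_id"]) ? (string) $_GET["family_id"] : "";
            if ($family_id !== "" && isset($_SESSION["family"][$family_id])) {
                login_user($_SESSION["family"][$family_id]);
                $who = htmlspecialchars($_SESSION["user"]->vorname . ' ' . $_SESSION["user"]->name, ENT_QUOTES, 'UTF-8');
                $txt .= '<div class="alert alert-info">Ummelden erfolgreich! Du arbeitest nun mit der Berechtigung von ' . $who . '.</div>';
            } else {
                $txt .= '<div class="alert alert-info">Ummelden zu Id:' . htmlspecialchars($family_id, ENT_QUOTES, 'UTF-8') . ' hat nicht funktioniert, Session ist leer!</div>';
            }
        } else {
            $vorname = htmlspecialchars((string) $_SESSION["user"]->vorname, ENT_QUOTES, 'UTF-8');
            $txt .= '<div class="alert alert-info"><i>Hinweis:</i> Du bist angemeldet als ' . $vorname . ', weiter geht es <a href="?q=home">hier</a>!</div>';
        }
        return $txt;
    }

    // Not logged in: build the form, then handle the special request variants.
    if (isset($config["login_message"])) {
        addInfoMessage($config["login_message"], true);
    }
    $model = new CTForm("LoginForm", "prooveLogin", "Login");
    $model->setHeader(t("login.headline"), t("please.fill.following.fields"));
    $model->addField("email", "", "INPUT_REQUIRED", t("email.or.username"), true);
    $model->addField("password", "", "PASSWORD", t("password"));
    if (!isset($config["show_remember_me"]) || $config["show_remember_me"] == 1) {
        $model->addField("rememberMe", "", "CHECKBOX", t("remember.me"));
    }
    $model->addButton(t("login"), "ok");

    if (isset($_GET["newpwd"])) {
        // Legacy reset path. It discloses whether an address exists and lets
        // any unauthenticated GET reset that account — see the TODO in
        // login__newpwd(). Kept functionally, with parameterised SQL and
        // escaped output.
        $email = isset($_GET["email"]) && is_scalar($_GET["email"]) ? (string) $_GET["email"] : "";
        $email_html = htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
        $known = 0;
        if ($email !== "") {
            $res = db_query("select count(*) c from {cdb_person} where email=:email and archiv_yn=0", array(":email" => $email))->fetch();
            $known = (int) $res->c;
        }
        if ($known === 0) {
            $site_mail = htmlspecialchars((string) variable_get("site_mail"), ENT_QUOTES, 'UTF-8');
            $txt .= '<div class="alert alert-error"><p>Bitte ein g&uuml;ltige EMail-Adresse angeben, 
          an die das neue Passwort gesendet werden kann! 
          Diese Adresse muss im System schon eingerichtet sein.
          <p>Falls die E-Mail-Adresse schon eingerichtet sein sollte, 
          wende Dich bitte an <a href="mailto:' . $site_mail . '">' . $site_mail . '</a>.</div>';
        } else {
            $newpwd = random_string(8);
            $scrambled_password = scramble_password($newpwd);
            db_query("update {cdb_person} set password=:password where email=:email", array(":password" => $scrambled_password, ":email" => $email));
            $content = "<h3>Hallo!</h3><p>Ein neues Passwort wurde f&uuml;r die E-Mail-Adresse <i>" . $email_html . "</i> angefordert: {$newpwd}";
            churchcore_systemmail($email, "[" . variable_get('site_name') . "] Neues Passwort", $content, true, 1);
            churchcore_sendMails(1);
            $txt .= '<div class="alert alert-info">Hinweis: Ein neues Passwort wurde nun an <i>' . $email_html . '</i> gesendet.</div>';
            ct_log("Neues Passwort angefordert " . $email, 2, "-1", "login");
        }
    } elseif (isset($_POST["email"], $_POST["password"], $_POST["directtool"])) {
        // JSON login for external ("direct") tools: only active, non-archived
        // persons may authenticate this way. Emits the response and returns null.
        include_once CHURCHCORE . "/churchcore_db.php";
        $sql = "select * from {cdb_person} where email=:email and active_yn=1 and archiv_yn=0";
        $person = db_query($sql, array(":email" => $_POST["email"]))->fetch();
        if (!$person) {
            drupal_json_output(jsend()->fail("Unbekannte E-Mail-Adresse"));
        } elseif (user_check_password($_POST["password"], $person)) {
            login_user($person);
            // NOTE(review): directtool and email are request values written to
            // the log; whether ct_log() neutralises line breaks is not visible here.
            ct_log("Login durch Direct-Tool " . $_POST["directtool"] . " mit " . $_POST["email"], 2, "-1", "login");
            drupal_json_output(jsend()->success());
        } else {
            drupal_json_output(jsend()->fail("Falsches Passwort"));
        }
        return null;
    } elseif (isset($_GET["loginstr"], $_GET["id"]) && $_GET["loginstr"] != "") {
        // One-time login link. Tokens older than 14 days are purged first; a
        // matching token is deleted before the person is logged in so the link
        // cannot be replayed.
        db_query("delete from {cc_loginstr} where DATEDIFF( current_date, create_date ) > 13");
        $params = array(":loginstr" => $_GET["loginstr"], ":id" => $_GET["id"]);
        $token = db_query("select * from {cc_loginstr} where loginstr=:loginstr and person_id=:id", $params)->fetch();
        if (!$token) {
            $txt .= '<div class="alert alert-info">Fehler: Der verwendete Login-Link ist nicht mehr aktuell und kann deshalb nicht mehr verwendet werden. Bitte mit E-Mail-Adresse und Passwort anmelden!</div>';
        } else {
            db_query("delete from {cc_loginstr} where loginstr=:loginstr and person_id=:id", $params);
            ct_log("Login User " . $_GET["id"] . " erfolgreich mit loginstr ", 2, "-1", "login");
            // NOTE(review): unlike the directtool path, active_yn/archiv_yn are
            // not checked here — confirm login_user() or the token issuer does.
            login_user(churchcore_getPersonById($_GET["id"]));
        }
    }

    $txt .= $model->render();
    // The address is URL-encoded client-side and $q server-side so neither can
    // break out of the query string or the JS string literal.
    $txt .= '<script>jQuery("#newpwd").click(function(k,a) {
         if (confirm("' . t('want.to.receive.new.password') . '")) {
           window.location.href="?newpwd=true&email="+encodeURIComponent(jQuery("#LoginForm_email").val())+"&q=' . rawurlencode((string) $q) . '";
            }
          });</script>';
    return $txt;
}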
/**
 * Stores a new password for a person. The clear text is run through
 * scramble_password() first; only the resulting hash reaches the database.
 *
 * @param int $id person id
 * @param string $password clear-text password
 * @throws CTFail when scramble_password() yields no hash (password rejected)
 */
function churchdb_setPersonPassword($id, $password)
{
    $hash = scramble_password($password);
    // TODO: shouldnt better scramble_password throw the exception?
    if ($hash == null) {
        throw new CTFail("Password nicht akzeptiert");
    }
    $sql = "UPDATE {cdb_person} SET password=:password WHERE id=:id";
    db_query($sql, array(":id" => $id, ":password" => $hash), false);
}