$errors = zen_update_user(FALSE, $_POST['email'], $_POST['id'], $_POST['profile']); if (sizeof($errors) > 0) { foreach ($errors as $error) { $messageStack->add($error, 'error'); } $action = 'edit'; $formAction = 'update'; $profilesList = array_merge(array(array('id' => 0, 'text' => 'Choose Profile')), zen_get_profiles()); } else { $action = ''; $messageStack->add(SUCCESS_USER_DETAILS_UPDATED, 'success'); } break; case 'reset': // reset existing user's password in database. Post data is prep'd for db in the first function call $errors = zen_reset_password($_POST['user'], $_POST['password'], $_POST['confirm']); if (sizeof($errors) > 0) { foreach ($errors as $error) { $messageStack->add($error, 'error'); } $action = 'password'; $formAction = 'reset'; } else { $action = ''; $messageStack->add(SUCCESS_PASSWORD_UPDATED, 'success'); } break; default: // no action, simply drop through and display existing users } // get this user's details
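/**
 * Validate whether the password-reset request is permissible and, when it is, apply the reset.
 *
 * The request is accepted when the caller presents either the account's current password or a
 * still-valid one-time reset token. The token is stored in the admin record as
 * "<expiry-timestamp>}<token-hash>" and is checked with zen_validate_password like a password.
 * On success the stored token is cleared; a token-based reset also zeroes failed_logins.
 *
 * Every rejection path adds at least one message, so an empty return value always means the
 * password was actually changed (the caller treats an empty list as success). Rejections are
 * returned before any database write, so a reported failure never leaves a changed password behind.
 *
 * @param string $admin_name   login name of the account being reset
 * @param string $adm_old_pwd  current password, or the temporary password matching the reset token
 * @param string $adm_new_pwd  requested new password
 * @param string $adm_conf_pwd confirmation of the new password
 * @return array list of error messages; empty when the password was changed
 */
function zen_validate_pwd_reset_request($admin_name, $adm_old_pwd, $adm_new_pwd, $adm_conf_pwd) {
  global $db;
  $errors = array();

  $result = zen_read_user($admin_name);
  // Unknown (or mismatching) account: report once and stop, rather than reading fields of a
  // missing record and possibly still resetting the password further down.
  if (!is_array($result) || !isset($result['admin_name']) || $admin_name !== $result['admin_name']) {
    $errors[] = ERROR_WRONG_LOGIN;
    return $errors;
  }
  // A locked-out account may not change its password; refuse before any write happens.
  if (isset($result['lockout_expires']) && (int) $result['lockout_expires'] > time()) {
    $errors[] = ERROR_SECURITY_ERROR;
    return $errors;
  }

  // Work out which credential authorises the reset: the current password, or a reset token.
  $usedResetToken = false;
  if (!zen_validate_password($adm_old_pwd, $result['admin_pass'])) {
    $resetToken = isset($result['reset_token']) ? (string) $result['reset_token'] : '';
    if ($resetToken === '') {
      // No token on file and the current password did not match: explain the password rules.
      $minLength = max(7, (int) ADMIN_PASSWORD_MIN_LENGTH);
      $errors[] = ENTRY_PASSWORD_CHANGE_ERROR . ' ' . sprintf(ERROR_PASSWORD_RULES, $minLength);
      return $errors;
    }
    // Token field is "<expiry-timestamp>}<token-hash>"; anything not in that shape is no token.
    $parts = explode('}', $resetToken);
    $expires = (int) $parts[0];
    $tokenHash = isset($parts[1]) ? $parts[1] : '';
    if ($expires <= 0 || $tokenHash === '') {
      $errors[] = ERROR_WRONG_LOGIN;
      return $errors;
    }
    if ($expires <= time()) {
      // Expired: blank the stale token, then reject. Without the error the caller would read the
      // empty list as a successful reset even though nothing was changed.
      $sql = "update " . TABLE_ADMIN . " set reset_token = '' where admin_name = :adminname: ";
      $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
      $db->Execute($sql);
      $errors[] = ERROR_WRONG_LOGIN;
      return $errors;
    }
    if (!zen_validate_password($adm_old_pwd, $tokenHash)) {
      $errors[] = ERROR_WRONG_LOGIN;
      return $errors;
    }
    $usedResetToken = true;
  }

  // Credential accepted: apply the new password; any validation errors it reports go back to the caller.
  $moreErrors = zen_reset_password($result['admin_id'], $adm_new_pwd, $adm_conf_pwd);
  if (sizeof($moreErrors)) {
    return array_merge($errors, $moreErrors);
  }
  // Password changed: invalidate the token; a token-based reset also clears the failed-login counter.
  $sql = "update " . TABLE_ADMIN . " set reset_token = ''"
       . ($usedResetToken ? ", failed_logins = 0" : "")
       . " where admin_name = :adminname: ";
  $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
  $db->Execute($sql);
  return $errors;
}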