/**
 * Retrieve one registration application for a new user account (one registration request).
 *
 * NOTE: Expired registrations are purged prior to performing the get.
 *
 * Parameters passed in the $args array:
 * -------------------------------------
 * numeric $args['uid']   The uid of the registration record (registration request) to return;
 *                        required if uname and email are not specified, otherwise not allowed.
 * string  $args['uname'] The uname of the registration record (registration request) to return;
 *                        required if uid and email are not specified, otherwise not allowed.
 * string  $args['email'] The e-mail address of the registration record (registration request) to return;
 *                        not allowed if the system allows an e-mail address to be registered
 *                        more than once; required if uid and uname are not specified, otherwise not allowed.
 *
 * @param array $args All parameters passed to this function; exactly one of uid, uname, or email must be
 *                    specified, and email is not allowed if the system allows an e-mail address to be
 *                    registered more than once.
 *
 * @return array|boolean An array containing the record, or false on error.
 *
 * @throws Zikula_Exception_Forbidden Thrown if the user is not logged in and does not have read access, or if the user
 *                                    is logged in and does not have moderate access.
 */
public function get($args)
{
    // Anonymous callers need read access; logged-in callers need moderate access.
    $isLoggedIn = UserUtil::isLoggedIn();
    $requiredAccess = $isLoggedIn ? ACCESS_MODERATE : ACCESS_READ;
    if (!SecurityUtil::checkPermission('Users::', '::', $requiredAccess)) {
        throw new Zikula_Exception_Forbidden();
    }

    $uniqueEmails = $this->getVar('reg_uniemail', false);

    $hasUid   = isset($args['uid']);
    $hasUname = isset($args['uname']);
    $hasEmail = isset($args['email']);
    $idCount  = (int)$hasUid + (int)$hasUname + (int)$hasEmail;

    // Exactly one identifier is allowed, and email only when each address maps to a single account.
    if ($idCount != 1 || ($hasEmail && !$uniqueEmails)) {
        $this->registerError(LogUtil::getErrorMsgArgs());
        return false;
    }

    // Pick the lookup column and validate the value supplied for it.
    if ($hasUid) {
        $idField = 'uid';
        $idValue = $args['uid'];
        $valueIsValid = !empty($idValue) && is_numeric($idValue) && ((int)$idValue == $idValue);
    } elseif ($hasUname) {
        $idField = 'uname';
        $idValue = $args['uname'];
        $valueIsValid = !empty($idValue) && is_string($idValue);
    } else {
        $idField = 'email';
        $idValue = $args['email'];
        $valueIsValid = !empty($idValue) && is_string($idValue);
    }
    if (!$valueIsValid) {
        $this->registerError(LogUtil::getErrorMsgArgs());
        return false;
    }

    $this->purgeExpired();

    if ($idField == 'email') {
        // More than one account may share an address (reg_uniemail may once have been off, or an admin may have
        // created duplicates). Returning the first match would be a security breach, so return false instead
        // because it is not known which record is wanted.
        if (UserUtil::getEmailUsageCount($idValue) > 1) {
            return false;
        }
    }

    $userObj = UserUtil::getVars($idValue, false, $idField, true);
    if ($userObj === false) {
        $this->registerError($this->__('Error! Could not load data.'));
    }

    return $userObj;
}
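/**
 * Send the user a lost password confirmation code.
 *
 * Parameters passed in the $args array:
 * -------------------------------------
 * string  $args['id']           The value identifying the user: a uname, an e-mail address, or a uid.
 * string  $args['idfield']      Which column $args['id'] refers to; one of 'uname', 'email', or 'uid'.
 * boolean $args['adminRequest'] Optional; true when an administrator requested the code on the user's behalf
 *                               (passed through to the e-mail templates as 'adminRequested').
 *
 * @param array $args All parameters passed to this function.
 *
 * @return bool True if confirmation code sent; otherwise false.
 */
public function mailConfirmationCode($args)
{
    $emailMessageSent = false;

    // Both id and idfield are required, and idfield must name a supported lookup column
    // (strict comparison: only the three literal strings are accepted).
    $allowedIdFields = array('uname', 'email', 'uid');
    if (empty($args['id']) || empty($args['idfield']) || !in_array($args['idfield'], $allowedIdFields, true)) {
        $this->registerError(LogUtil::getErrorMsgArgs());
        return false;
    }

    // An e-mail address shared by more than one account is ambiguous: refuse rather than pick one.
    if ($args['idfield'] == 'email') {
        $emailUsageCount = UserUtil::getEmailUsageCount($args['id']);
        if ($emailUsageCount > 1) {
            return false;
        }
    }

    $adminRequested = (isset($args['adminRequest']) && is_bool($args['adminRequest']) && $args['adminRequest']);

    $user = UserUtil::getVars($args['id'], true, $args['idfield']);
    if (!$user) {
        // No error is registered for an unknown user; presumably deliberate so the response does not reveal
        // whether an account exists -- confirm against the calling controller before changing this.
        return $emailMessageSent;
    }

    // NOTE(review): the code's strength depends on UserUtil::generatePassword(); confirm it uses a CSPRNG.
    $confirmationCode = UserUtil::generatePassword();
    $hashedConfirmationCode = UserUtil::getHashedPassword($confirmationCode);
    // Bug fix: the original tested an undefined variable here, so a failed hash (false) was never detected
    // and would have been written to the verification table.
    if ($hashedConfirmationCode === false) {
        $this->registerError($this->__("Error! Unable to create confirmation code."));
        return $emailMessageSent;
    }

    // Replace any outstanding password-change verification for this user.
    $tables = DBUtil::getTables();
    $verifychgColumn = $tables['users_verifychg_column'];
    // uid comes from the users table; cast anyway so only an integer is ever interpolated into the WHERE clause.
    $uid = (int)$user['uid'];
    DBUtil::deleteWhere('users_verifychg', "({$verifychgColumn['uid']} = {$uid}) AND ({$verifychgColumn['changetype']} = " . Users_Constant::VERIFYCHGTYPE_PWD . ")");

    // Only the hash is stored; the plain code reaches the user by e-mail, in the body and in the link.
    $nowUTC = new DateTime('now', new DateTimeZone('UTC'));
    $verifyChangeObj = array(
        'changetype' => Users_Constant::VERIFYCHGTYPE_PWD,
        'uid'        => $user['uid'],
        'newemail'   => '',
        'verifycode' => $hashedConfirmationCode,
        'created_dt' => $nowUTC->format(Users_Constant::DATETIME_FORMAT),
    );
    $codeSaved = DBUtil::insertObject($verifyChangeObj, 'users_verifychg');
    if (!$codeSaved) {
        $this->registerError($this->__('Error! Unable to save confirmation code.'));
        return $emailMessageSent;
    }

    $urlArgs = array();
    $urlArgs['code'] = urlencode($confirmationCode);
    $urlArgs[$args['idfield']] = urlencode($args['id']);

    $view = Zikula_View::getInstance($this->name, false);
    $view->assign(array(
        'uname'          => $user['uname'],
        'sitename'       => System::getVar('sitename'),
        'hostname'       => System::serverGetVar('REMOTE_ADDR'),
        'code'           => $confirmationCode,
        'url'            => ModUtil::url($this->name, 'user', 'lostPasswordCode', $urlArgs, null, null, true),
        'adminRequested' => $adminRequested,
    ));
    $htmlBody = $view->fetch('users_email_lostpassword_html.tpl');
    $plainTextBody = $view->fetch('users_email_lostpassword_txt.tpl');
    $subject = $this->__f('Confirmation code for %s', $user['uname']);

    $emailMessageSent = ModUtil::apiFunc('Mailer', 'user', 'sendMessage', array(
        'toaddress' => $user['email'],
        'subject'   => $subject,
        'body'      => $htmlBody,
        'altbody'   => $plainTextBody
    ));
    if (!$emailMessageSent) {
        $this->registerError($this->__('Error! Unable to send confirmation code e-mail message.'));
    }

    return $emailMessageSent;
}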