/**
* Processes a user's request to set a new password in the event they forgot the old one.
* If no user identifier has been supplied, it displays a form where they can submit their identifier.
* Where they have supplied identifier, the function will check their status, and send email as appropriate.
*/
function core_login_process_password_reset_request()
{
global $DB, $OUTPUT, $CFG, $PAGE;
$systemcontext = context_system::instance();
$mform = new login_forgot_password_form();
if ($mform->is_cancelled()) {
redirect(get_login_url());
} else {
if ($data = $mform->get_data()) {
// Requesting user has submitted form data.
// Next find the user account in the database which the requesting user claims to own.
if (!empty($data->username)) {
// Username has been specified - load the user record based on that.
$username = core_text::strtolower($data->username);
// Mimic the login page process.
$userparams = array('username' => $username, 'mnethostid' => $CFG->mnet_localhost_id, 'deleted' => 0, 'suspended' => 0);
$user = $DB->get_record('user', $userparams);
} else {
// Try to load the user record based on email address.
// this is tricky because
// 1/ the email is not guaranteed to be unique - TODO: send email with all usernames to select the account for pw reset
// 2/ mailbox may be case sensitive, the email domain is case insensitive - let's pretend it is all case-insensitive.
$select = $DB->sql_like('email', ':email', false, true, false, '|') . " AND mnethostid = :mnethostid AND deleted=0 AND suspended=0";
$params = array('email' => $DB->sql_like_escape($data->email, '|'), 'mnethostid' => $CFG->mnet_localhost_id);
$user = $DB->get_record_select('user', $select, $params, '*', IGNORE_MULTIPLE);
}
// Target user details have now been identified, or we know that there is no such account.
// Send email address to account's email address if appropriate.
$pwresetstatus = PWRESET_STATUS_NOEMAILSENT;
if ($user and !empty($user->confirmed)) {
$userauth = get_auth_plugin($user->auth);
if (!$userauth->can_reset_password() or !is_enabled_auth($user->auth) or !has_capability('moodle/user:changeownpassword', $systemcontext, $user->id)) {
if (send_password_change_info($user)) {
$pwresetstatus = PWRESET_STATUS_OTHEREMAILSENT;
} else {
print_error('cannotmailconfirm');
}
} else {
// The account the requesting user claims to be is entitled to change their password.
// Next, check if they have an existing password reset in progress.
$resetinprogress = $DB->get_record('user_password_resets', array('userid' => $user->id));
if (empty($resetinprogress)) {
// Completely new reset request - common case.
$resetrecord = core_login_generate_password_reset($user);
$sendemail = true;
} else {
if ($resetinprogress->timerequested < time() - $CFG->pwresettime) {
// Preexisting, but expired request - delete old record & create new one.
// Uncommon case - expired requests are cleaned up by cron.
$DB->delete_records('user_password_resets', array('id' => $resetinprogress->id));
$resetrecord = core_login_generate_password_reset($user);
$sendemail = true;
} else {
if (empty($resetinprogress->timererequested)) {
// Preexisting, valid request. This is the first time user has re-requested the reset.
// Re-sending the same email once can actually help in certain circumstances
// eg by reducing the delay caused by greylisting.
$resetinprogress->timererequested = time();
$DB->update_record('user_password_resets', $resetinprogress);
$resetrecord = $resetinprogress;
$sendemail = true;
} else {
// Preexisting, valid request. User has already re-requested email.
$pwresetstatus = PWRESET_STATUS_ALREADYSENT;
$sendemail = false;
}
}
}
if ($sendemail) {
$sendresult = send_password_change_confirmation_email($user, $resetrecord);
if ($sendresult) {
$pwresetstatus = PWRESET_STATUS_TOKENSENT;
} else {
print_error('cannotmailconfirm');
}
}
}
}
// Any email has now been sent.
// Next display results to requesting user if settings permit.
echo $OUTPUT->header();
if (!empty($CFG->protectusernames)) {
// Neither confirm, nor deny existance of any username or email address in database.
// Print general (non-commital) message.
notice(get_string('emailpasswordconfirmmaybesent'), $CFG->wwwroot . '/index.php');
die;
// Never reached.
} else {
if (empty($user)) {
// Protect usernames is off, and we couldn't find the user with details specified.
// Print failure advice.
notice(get_string('emailpasswordconfirmnotsent'), $CFG->wwwroot . '/forgot_password.php');
die;
// Never reached.
} else {
if (empty($user->email)) {
// User doesn't have an email set - can't send a password change confimation email.
notice(get_string('emailpasswordconfirmnoemail'), $CFG->wwwroot . '/index.php');
die;
// Never reached.
} else {
if ($pwresetstatus == PWRESET_STATUS_ALREADYSENT) {
// User found, protectusernames is off, but user has already (re) requested a reset.
// Don't send a 3rd reset email.
$stremailalreadysent = get_string('emailalreadysent');
notice($stremailalreadysent, $CFG->wwwroot . '/index.php');
die;
// Never reached.
} else {
if ($pwresetstatus == PWRESET_STATUS_NOEMAILSENT) {
// User found, protectusernames is off, but user is not confirmed.
// Pretend we sent them an email.
// This is a big usability problem - need to tell users why we didn't send them an email.
// Obfuscate email address to protect privacy.
$protectedemail = preg_replace('/([^@]*)@(.*)/', '******@$2', $user->email);
$stremailpasswordconfirmsent = get_string('emailpasswordconfirmsent', '', $protectedemail);
notice($stremailpasswordconfirmsent, $CFG->wwwroot . '/index.php');
die;
// Never reached.
} else {
// Confirm email sent. (Obfuscate email address to protect privacy).
$protectedemail = preg_replace('/([^@]*)@(.*)/', '******@$2', $user->email);
// This is a small usability problem - may be obfuscating the email address which the user has just supplied.
$stremailresetconfirmsent = get_string('emailresetconfirmsent', '', $protectedemail);
notice($stremailresetconfirmsent, $CFG->wwwroot . '/index.php');
die;
// Never reached.
}
}
}
}
}
die;
// Never reached.
}
}
// Make sure we really are on the https page when https login required.
$PAGE->verify_https_required();
// DISPLAY FORM.
echo $OUTPUT->header();
//echo $OUTPUT->box(get_string('passwordforgotteninstructions2'), 'generalbox boxwidthnormal boxaligncenter'); // GWL - Forgot Pwd page remove header content
echo '<div class="loginbox clearfix onecolumn forgot-password">';
echo '<div class="loginpanel">';
echo get_string('passwordforgotten2');
echo get_string('cantaccessaccount2');
echo get_string('dontpanic2');
$mform->display();
echo '</div>';
echo '</div>';
echo $OUTPUT->footer();
}
} else {
if (empty($errormsg)) {
$user = authenticate_user_login($frm->username, $frm->password, false, $errorcode);
}
}
}
// Intercept 'restored' users to provide them with info & reset password
if (!$user and $frm and is_restored_user($frm->username)) {
$PAGE->set_title(get_string('restoredaccount'));
$PAGE->set_heading($site->fullname);
echo $OUTPUT->header();
echo $OUTPUT->heading(get_string('restoredaccount'));
echo $OUTPUT->box(get_string('restoredaccountinfo'), 'generalbox boxaligncenter');
require_once 'restored_password_form.php';
// Use our "supplanter" login_forgot_password_form. MDL-20846
$form = new login_forgot_password_form('forgot_password.php', array('username' => $frm->username));
$form->display();
echo $OUTPUT->footer();
die;
}
if ($user) {
// language setup
if (isguestuser($user)) {
// no predefined language for guests - use existing session or default site lang
unset($user->lang);
} else {
if (!empty($user->lang)) {
// unset previous session language - use user preference instead
unset($SESSION->lang);
}
}
$a->link = $changepasswordurl;
print_header($strforgotten, $strforgotten, $navigation);
notice(get_string('emailpasswordsent', '', $a), $changepasswordurl);
} else {
if (!empty($user) and strlen($p_secret) === 15) {
// somebody probably tries to hack in by guessing secret - stop them!
$DB->set_field('user', 'secret', '', array('id' => $user->id));
}
print_header($strforgotten, $strforgotten, $navigation);
print_error('forgotteninvalidurl');
}
}
die;
//never reached
}
$mform = new login_forgot_password_form();
if ($mform->is_cancelled()) {
redirect(get_login_url());
} else {
if ($data = $mform->get_data()) {
/// find the user in the database and mail info
// first try the username
if (!empty($data->username)) {
$user = get_complete_user_data('username', $data->username);
} else {
$user = get_complete_user_data('email', $data->email);
}
if ($user and !empty($user->confirmed)) {
$userauth = get_auth_plugin($user->auth);
if (has_capability('moodle/user:changeownpassword', $systemcontext, $user->id)) {
// send email (make sure mail block is off)
