/**
  * Test the event.
  */
 public function test_event()
 {
     $this->resetAfterTest();

     // Two accounts, each with its own user context, so that both the
     // "own password" and "another user's password" paths are exercised.
     $actor = $this->getDataGenerator()->create_user();
     $actorcontext = context_user::instance($actor->id);
     $target = $this->getDataGenerator()->create_user();
     $targetcontext = context_user::instance($target->id);
     $this->setUser($actor);

     // Case 1: the logged-in user changes their own password.
     // The event must point at that user, sit in their user context, write no
     // legacy log entry and must not be flagged as a forgotten-password reset.
     $ownchange = \core\event\user_password_updated::create_from_user($actor);
     $this->assertEventContextNotUsed($ownchange);
     $this->assertEquals($actor->id, $ownchange->relateduserid);
     $this->assertSame($actorcontext, $ownchange->get_context());
     $this->assertEventLegacyLogData(null, $ownchange);
     $this->assertFalse($ownchange->other['forgottenreset']);
     $ownchange->trigger();

     // Case 2: the logged-in user changes somebody else's password.
     // The related user and context must be those of the target account, not the actor.
     $otherchange = \core\event\user_password_updated::create_from_user($target);
     $this->assertEventContextNotUsed($otherchange);
     $this->assertEquals($target->id, $otherchange->relateduserid);
     $this->assertSame($targetcontext, $otherchange->get_context());
     $this->assertEventLegacyLogData(null, $otherchange);
     $this->assertFalse($otherchange->other['forgottenreset']);
     $otherchange->trigger();

     // Case 3: forgotten-password reset (second argument true).
     // This is the only case that carries legacy log data, and the only one where
     // other['forgottenreset'] is set, so log consumers can tell a reset from a change.
     $expectedlegacy = array(SITEID, 'user', 'set password', 'profile.php?id=' . $actor->id, $actor->id);
     $reset = \core\event\user_password_updated::create_from_user($actor, true);
     $this->assertEventContextNotUsed($reset);
     $this->assertEquals($actor->id, $reset->relateduserid);
     $this->assertSame($actorcontext, $reset->get_context());
     $this->assertEventLegacyLogData($expectedlegacy, $reset);
     $this->assertTrue($reset->other['forgottenreset']);
     $reset->trigger();
 }
Example #2
/**
 * Update password hash in user object (if necessary).
 *
 * The password is updated if:
 * 1. The password has changed (the hash of $user->password is different
 *    to the hash of $password).
 * 2. The existing hash is using an out-of-date algorithm (or the legacy
 *    md5 algorithm).
 *
 * Updating the password will modify the $user object and the database
 * record to use the current hashing algorithm.
 * It will also remove the user's Web Services tokens, but only when
 * $CFG->passwordchangetokendeletion is enabled.
 *
 * @param stdClass $user User object (password property may be updated).
 * @param string $password Plain text password.
 * @param bool $fasthash If true, use a low cost factor when generating the hash
 *                       This is much faster to generate but makes the hash
 *                       less secure. It is used when lots of hashes need to
 *                       be generated quickly.
 * @return bool Always returns true.
 */
function update_internal_user_password($user, $password, $fasthash = false)
{
    global $CFG, $DB;

    // The auth plugin decides whether a local hash may be stored at all, so the
    // auth field is required; fetch it (with a developer warning) when the caller
    // passed a record without it.
    if (!isset($user->auth)) {
        debugging('User record in update_internal_user_password() must include field auth', DEBUG_DEVELOPER);
        $user->auth = $DB->get_field('user', 'auth', array('id' => $user->id));
    }

    // Work out the value the password column should hold: either the
    // "not cached" marker or a fresh hash of the plain-text password.
    $plugin = get_auth_plugin($user->auth);
    $newhash = $plugin->prevent_local_passwords()
        ? AUTH_PASSWORD_NOT_CACHED
        : hash_internal_user_password($password, $fasthash);

    $needsrehash = false;
    if ($newhash === AUTH_PASSWORD_NOT_CACHED) {
        // No local hash is kept: only write when the column does not already hold the marker.
        $changed = $user->password !== $newhash;
    } else if (!isset($user->password)) {
        // A user that is being created has no password property yet (it is unset
        // so that user_create() does not save it), so there is nothing to compare.
        $changed = true;
    } else {
        // A failed verification means the plain-text password differs from the stored
        // hash; separately, an outdated algorithm or cost forces a rehash.
        $changed = !password_verify($password, $user->password);
        $needsrehash = password_needs_rehash($user->password, PASSWORD_DEFAULT);
    }

    // Nothing to write, nothing to log.
    if (!$changed && !$needsrehash) {
        return true;
    }

    $DB->set_field('user', 'password', $newhash, array('id' => $user->id));
    $user->password = $newhash;

    // Raise the password-updated event from a freshly loaded record.
    $record = $DB->get_record('user', array('id' => $user->id));
    \core\event\user_password_updated::create_from_user($record)->trigger();

    // Web-service tokens are revoked only when the site has opted in through
    // $CFG->passwordchangetokendeletion; otherwise existing tokens are left in place.
    if (!empty($CFG->passwordchangetokendeletion)) {
        require_once $CFG->dirroot . '/webservice/lib.php';
        webservice::delete_user_ws_tokens($record->id);
    }

    return true;
}
Example #3
/**
 * Update password hash in user object (if necessary).
 *
 * The password is updated if:
 * 1. The password has changed (the hash of $user->password is different
 *    to the hash of $password).
 * 2. The existing hash is using an out-of-date algorithm (or the legacy
 *    md5 algorithm).
 *
 * Updating the password will modify the $user object and the database
 * record to use the current hashing algorithm.
 *
 * @param stdClass $user User object (password property may be updated).
 * @param string $password Plain text password.
 * @param bool $fasthash If true, use a low cost factor when generating the hash
 *                       This is much faster to generate but makes the hash
 *                       less secure. It is used when lots of hashes need to
 *                       be generated quickly.
 * @return bool Always returns true.
 */
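function update_internal_user_password($user, $password, $fasthash = false)
{
    global $CFG, $DB;
    require_once $CFG->libdir . '/password_compat/lib/password.php';

    // The auth plugin decides whether a local hash may be stored at all, so the
    // auth field is required; fetch it (with a developer warning) when missing.
    if (!isset($user->auth)) {
        debugging('User record in update_internal_user_password() must include field auth', DEBUG_DEVELOPER);
        $user->auth = $DB->get_field('user', 'auth', array('id' => $user->id));
    }

    // Figure out what the hashed password should be.
    $authplugin = get_auth_plugin($user->auth);
    if ($authplugin->prevent_local_passwords()) {
        $hashedpassword = AUTH_PASSWORD_NOT_CACHED;
    } else {
        $hashedpassword = hash_internal_user_password($password, $fasthash);
    }

    // Always defined, so the final condition never reads an unset variable.
    $algorithmchanged = false;

    if ($hashedpassword === AUTH_PASSWORD_NOT_CACHED) {
        // No local hash is kept for this auth plugin. Comparing with password_verify()
        // would fail against the stored marker on every call, causing a database write
        // and a user_password_updated event each time even though nothing changed.
        // Only update when the column does not already hold the marker.
        $passwordchanged = !isset($user->password) || $user->password !== $hashedpassword;
    } else if (isset($user->password)) {
        // If verification fails then it means the password has changed.
        $passwordchanged = !password_verify($password, $user->password);
        // An outdated algorithm or cost also forces a rewrite of the stored hash.
        $algorithmchanged = password_needs_rehash($user->password, PASSWORD_DEFAULT);
    } else {
        // While creating a new user the password is unset in the $user object,
        // to avoid saving it with user_create().
        $passwordchanged = true;
    }

    if ($passwordchanged || $algorithmchanged) {
        $DB->set_field('user', 'password', $hashedpassword, array('id' => $user->id));
        $user->password = $hashedpassword;
        // Trigger the event from a freshly loaded record.
        $user = $DB->get_record('user', array('id' => $user->id));
        \core\event\user_password_updated::create_from_user($user)->trigger();
    }

    return true;
}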
Example #4
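 /**
  * Event observer: pushes a Moodle password update to Joomla for joomdle users.
  *
  * Does nothing when the 'sync_to_joomla' setting of auth/joomdle is off or when
  * the affected user does not authenticate through the joomdle plugin.
  *
  * @param \core\event\user_password_updated $event The password-updated event.
  * @return bool Always returns true.
  */
 public static function user_password_updated(\core\event\user_password_updated $event)
 {
     // Synchronisation is opt-in through the plugin configuration.
     if (!get_config('auth/joomdle', 'sync_to_joomla')) {
         return true;
     }

     $user = $event->get_record_snapshot('user', $event->contextinstanceid);

     // Strict comparison: a non-string auth value must never be treated as 'joomdle'
     // through PHP's loose type juggling and so trigger a remote password change.
     if ($user->auth !== 'joomdle') {
         return true;
     }

     // NOTE(review): $user->password comes from the user record snapshot, so it is
     // presumably the stored hash rather than the plain-text password. Confirm what
     // changePassword expects on the Joomla side and that call_method() sends it
     // over a protected channel.
     $auth_joomdle = new auth_plugin_joomdle();
     $auth_joomdle->call_method('changePassword', $user->username, $user->password);

     // Return true here as well, so every path yields the same value.
     return true;
 }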