/**
 * Reset a user's password.
 *
 * The outcome depends on configuration:
 * - 'send_reset_password' and 'enable_email_notification' both ON: a random
 *   password is generated, passed through auth_process_plain_password() and
 *   stored. Unless $p_send_email is false, a confirmation-hash URL is emailed
 *   to the user. The random password itself is not sent anywhere by this
 *   function.
 * - otherwise: the password is set to blank, nothing is emailed, and the
 *   failed login count is reset to zero.
 *
 * Protected accounts are never modified.
 *
 * NOTE(review): the blank-password branch stores the processed form of an
 * empty string as the account credential. Whether the login code accepts an
 * empty password for such an account is not visible here - confirm before
 * relying on this mode.
 *
 * @param integer $p_user_id A valid user identifier.
 * @param boolean $p_send_email Whether to send confirmation email.
 * @return boolean False if the user is protected, true once the password
 *                 has been reset.
 */
function user_reset_password($p_user_id, $p_send_email = true) {
	# Protected accounts are left untouched.
	if (user_get_field($p_user_id, 'protected') == ON) {
		return false;
	}

	# @@@ Open question from the original author: should a blank password be
	# forced instead of a random one when email notifications are off, and
	# how would the return value signal that? Possibly split into two
	# functions (user_reset_password_random() and user_reset_password()).
	$t_reset_by_email = config_get('send_reset_password') == ON
		&& config_get('enable_email_notification') == ON;

	if (!$t_reset_by_email) {
		# Blank password, no emailing.
		$t_blank_password = auth_process_plain_password('');
		user_set_field($p_user_id, 'password', $t_blank_password);

		# No email is sent in this mode, so clear the failed login count here.
		user_reset_failed_login_count_to_zero($p_user_id);

		return true;
	}

	# Resetting by email needs an address on record.
	$t_address = user_get_field($p_user_id, 'email');
	if (is_blank($t_address)) {
		trigger_error(ERROR_LOST_PASSWORD_NO_EMAIL_SPECIFIED, ERROR);
	}

	# Replace the stored password with a freshly generated random one.
	$t_random_password = auth_generate_random_password();
	$t_stored_password = auth_process_plain_password($t_random_password);
	user_set_field($p_user_id, 'password', $t_stored_password);

	# Mail the confirmation link unless the caller opted out.
	if ($p_send_email) {
		$t_hash = auth_generate_confirm_hash($p_user_id);
		email_send_confirm_hash_url($p_user_id, $t_hash);
	}

	return true;
}
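OFF == config_get( 'send_reset_password' ) ) {
	# The opening of this condition lies outside the excerpt. The visible part
	# stops the request when 'send_reset_password' is OFF.
	trigger_error( ERROR_LOST_PASSWORD_NOT_ENABLED, ERROR );
}

# Presumably request parameters (the redirect below passes them as query
# string values); treat both as untrusted until the hash check has passed.
$f_user_id = gpc_get_string('id');
$f_confirm_hash = gpc_get_string('confirm_hash');

# force logout on the current user if already authenticated
if( auth_is_user_authenticated() ) {
	auth_logout();

	# Reload the page after logout. Both values are request data, so they are
	# URL-encoded before being placed in the redirect target; unencoded, a
	# value containing '&', '#' or whitespace would change the structure of
	# the resulting URL.
	print_header_redirect( 'verify.php?id=' . urlencode( $f_user_id ) . '&confirm_hash=' . urlencode( $f_confirm_hash ) );
}

$t_calculated_confirm_hash = auth_generate_confirm_hash( $f_user_id );

# Strict comparison on purpose: a loose != lets PHP compare two
# numeric-looking strings as numbers, so a submitted value that is not
# identical to the expected hash could still be accepted.
# Assumes auth_generate_confirm_hash() returns a string - confirm; a
# non-string return now always fails the check (fail closed).
# NOTE(review): hash_equals() (PHP 5.6+) would also make the comparison
# constant-time; prefer it if the supported PHP versions allow.
if ( $f_confirm_hash !== $t_calculated_confirm_hash ) {
	trigger_error( ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID, ERROR );
}

# From here on the presenter of a valid hash is given a session for the
# account.
# NOTE(review): whether the confirm hash is time-limited or single-use is not
# visible in this excerpt - confirm, because the hash alone authorises the
# steps below.

# set a temporary cookie so the login information is passed between pages.
auth_set_cookies( $f_user_id, false );

user_reset_failed_login_count_to_zero( $f_user_id );
user_reset_lost_password_in_progress_count_to_zero( $f_user_id );

# fake login so the user can set their password
auth_attempt_script_login( user_get_field( $f_user_id, 'username' ) );

# The failed login count is incremented again right after the fake login;
# the reason is not stated in this excerpt.
user_increment_failed_login_count( $f_user_id );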
$result = db_query_bound($query, array($f_username, $f_email, true)); if (0 == db_num_rows($result)) { trigger_error(ERROR_LOST_PASSWORD_NOT_MATCHING_DATA, ERROR); } if (is_blank($f_email)) { trigger_error(ERROR_LOST_PASSWORD_NO_EMAIL_SPECIFIED, ERROR); } $row = db_fetch_array($result); $t_user_id = $row['id']; if (user_is_protected($t_user_id)) { trigger_error(ERROR_PROTECTED_ACCOUNT, ERROR); } if (!user_is_lost_password_request_allowed($t_user_id)) { trigger_error(ERROR_LOST_PASSWORD_MAX_IN_PROGRESS_ATTEMPTS_REACHED, ERROR); } $t_confirm_hash = auth_generate_confirm_hash($t_user_id); email_send_confirm_hash_url($t_user_id, $t_confirm_hash); user_increment_lost_password_in_progress_count($t_user_id); form_security_purge('lost_pwd'); $t_redirect_url = 'login_page.php'; html_page_top(); ?> <br /> <div> <table class="width50" cellspacing="1"> <tr> <td class="center"> <strong><?php echo lang_get('lost_password_done_title'); ?>