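/**
 * checkDefaultPassword checks whether the currently logged in user is still
 * using the default password for their account. The default is rebuilt the
 * way it is issued (lower-cased first name followed by the last four characters
 * of the phone number) and hashed with getHashValue() before comparison.
 *
 * When the stored hash matches the default, a session message is set which is
 * displayed when the user is redirected to the index page, suggesting that the
 * user change their password.
 *
 * @author Prayas Bhattarai
 * @return boolean true when the stored password is not the default; false when
 *                 the default password is in use (a session message is queued)
 *                 or when the access level is not a recognised user type.
 */
function checkDefaultPassword()
{
    $userProfile = retrieveCurrentUserProfile();
    $currentPass = $userProfile->get_password();

    // Read the access level once; it selects which profile accessors apply.
    // NOTE(review): assumes access levels are integral (1 = social worker,
    // greater than 1 = RMH staff) — confirm against getUserAccessLevel().
    $accessLevel = (int) getUserAccessLevel();

    if ($accessLevel === 1) {
        // use functions for social workers
        $fname = $userProfile->get_swFirstName();
        $phone = $userProfile->get_swphone();
    } elseif ($accessLevel > 1) {
        // use functions for rmh staff
        $fname = $userProfile->get_rmhStaffFirstName();
        $phone = $userProfile->get_rmhStaffPhone();
    } else {
        // No recognised user type: nothing to compare against.
        return false;
    }

    // Rebuild the default password exactly as issued, then hash it.
    // The string casts keep strtolower()/substr() from receiving null
    // (deprecated as of PHP 8.1) when a profile field is unset.
    $defaultPass = trim(strtolower((string) $fname)) . trim(substr((string) $phone, -4));
    $defaultHash = getHashValue($defaultPass);

    // Compare the two hashes as strings in constant time. A loose `!=` is
    // unsafe for hash strings: PHP compares numeric-looking strings such as
    // "0e..." as numbers, so two different hashes could compare equal.
    if (!hash_equals((string) $defaultHash, (string) $currentPass)) {
        return true;
    }

    setSessionMessage(array('default_pass' => 'You are using the default password for your account. It is advised that you change your password immediately by clicking on the "Manage Account" section.'));

    // The original fell off the end here (implicit null). Return an explicit
    // false to honour the documented boolean return; both are falsy to callers.
    return false;
}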
$accountSettingsRules = array('title' => array('alpha', 'allow' => array('.')), 'old_pass' => array('password'), 'new_pass' => array('password'), 'verify_pass' => array('password', 'notempty'), 'submit' => array('ignore')); $validator = new DataValidator($_POST, $accountSettingsRules); $data = $validator->getData(); if ($validator->isValid()) { //validation successful $newPass = getHashValue($data['new_pass']); $verifyPass = getHashValue($data['verify_pass']); $oldPass = getHashValue($data['old_pass']); $title = $data['title']; $username = getCurrentUser(); //TODO we could add this check in the validator? if ($newPass === $verifyPass) { if (retrieve_UserByAuth($username, $oldPass)) { //verify password and new password match AND the user with the old password exists //retrieve user profile: $userProfile = retrieveCurrentUserProfile(); if ($userProfile) { //change the password $userProfile->set_password($newPass); //TODO set the user title too. But isn't that included in profile change? //update the user profile table if (update_UserProfile($userProfile)) { //set session message setSessionMessage("Your password has been successfully changed. You should log out and log in again for security reasons."); $data = array(); $dataErrors = array(); //TODO Logout the user here } else { ErrorHandler::error('Could not update user profile'); } } else {