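/**
 * Validate a password / confirm-password pair submitted for $user_id and, if
 * it passes every check, store the new password via update_user_passwd().
 *
 * @param mixed $user_id   user whose password is being changed
 * @param array $HTTP_VARS request parameters; reads 'pwd' and 'confirmpwd'
 * @param array &$errors   receives a message for each rejected request
 * @return bool TRUE when the password was updated, FALSE otherwise
 *
 * Fixes relative to the previous version: rejection messages were written to
 * a local $error and never reached the caller's &$errors, the mismatch branch
 * fell off the end (returned NULL), and the confirmation compare used '!='.
 *
 * NOTE(review): this function only consults the site-wide
 * 'user_passwd_change_allowed' switch / PERM_ADMIN_CHANGE_PASSWORD.  It does
 * not verify that the caller *is* $user_id or an administrator, nor the
 * per-user PERM_CHANGE_PASSWORD that perform_newpassword() checks -- confirm
 * the caller enforces that before reaching here.
 */
function handle_user_password_change($user_id, $HTTP_VARS, &$errors) {
    $user_r = fetch_user_r($user_id);
    if (!is_not_empty_array($user_r)) {
        return FALSE;
    }

    // Absent keys would otherwise raise warnings under strlen(); treat as empty.
    $pwd = isset($HTTP_VARS['pwd']) ? $HTTP_VARS['pwd'] : '';
    $confirmpwd = isset($HTTP_VARS['confirmpwd']) ? $HTTP_VARS['confirmpwd'] : '';

    // Nothing supplied in either field: nothing to update.
    if (strlen($pwd) == 0 && strlen($confirmpwd) == 0) {
        $errors[] = get_opendb_lang_var('passwd_not_specified');
        return FALSE;
    }

    if (get_opendb_config_var('user_admin', 'user_passwd_change_allowed') === FALSE
            && !is_user_granted_permission(PERM_ADMIN_CHANGE_PASSWORD)) {
        // Same audit trail as the equivalent refusal in perform_newpassword().
        opendb_logger(OPENDB_LOG_WARN, __FILE__, __FUNCTION__, 'Password change failure: Password change is disabled', array($user_id));
        return FALSE;
    }

    // Strict comparison: '!=' treats numeric-looking strings such as '1e3'
    // and '1000' as equal, so a mismatched confirmation could be accepted.
    if ($pwd !== $confirmpwd) {
        $errors[] = get_opendb_lang_var('passwds_do_not_match');
        return FALSE;
    }

    // Here both fields are identical and at least one is non-empty, so the
    // password itself is non-empty; persist it.
    if (!update_user_passwd($user_id, $pwd)) {
        $errors[] = db_error();
        return FALSE;
    }
    return TRUE;
}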
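/**
 * Handle a "lost password" request for $HTTP_VARS['uid']: generate a fresh
 * random password, store it, and e-mail it to the user's registered address.
 *
 * @param array $HTTP_VARS request parameters; reads 'uid'
 * @param array &$errors   receives a message when the request is rejected
 * @return bool|string TRUE on success (and, deliberately, for an unknown
 *         uid); FALSE when the request is refused; the string "EMAIL_NOT_SENT"
 *         when the password was already replaced but the mail failed.
 *
 * Fix relative to the previous version: a failed update_user_passwd() fell
 * off the end (returned NULL) and lost the database error; it now records
 * db_error() in $errors and returns FALSE, as handle_user_password_change()
 * does.
 *
 * Security notes (review):
 *  - This is an unauthenticated operation: anyone who knows a uid can
 *    invalidate that account's current password.  Nothing here rate-limits
 *    or requires a confirmation token; confirm the caller provides that, or
 *    consider a time-limited reset link instead of mailing a password.
 *  - The password is replaced *before* the mail is sent.  If
 *    opendb_user_email() fails the account is left with a password nobody
 *    knows ("EMAIL_NOT_SENT"); there is no rollback available from here.
 *  - Only the "user does not exist" case is masked as success.  The inactive,
 *    no-permission and no-e-mail branches return FALSE / an error message, so
 *    a caller that surfaces those still lets existing uids be distinguished
 *    from non-existing ones.
 *  - The mail carries the password in clear text, and its strength depends
 *    on generate_password(8), whose implementation is not visible here.
 */
function perform_newpassword($HTTP_VARS, &$errors) {
    $uid = $HTTP_VARS['uid'];

    if (!is_user_valid($uid)) {
        opendb_logger(OPENDB_LOG_WARN, __FILE__, __FUNCTION__, 'New password request failure: User does not exist', array($uid));
        // make user look successful to prevent mining for valid userids
        return TRUE;
    }

    // Do not allow new password operation for 'deactivated' user.
    if (!is_user_active($uid)) {
        opendb_logger(OPENDB_LOG_WARN, __FILE__, __FUNCTION__, 'New password request failure: User is not active', array($uid));
        return FALSE;
    }

    if (!is_user_granted_permission(PERM_CHANGE_PASSWORD, $uid)) {
        opendb_logger(OPENDB_LOG_WARN, __FILE__, __FUNCTION__, 'New password request failure: User does not have permission to change password', array($uid));
        return FALSE;
    }

    if (get_opendb_config_var('user_admin', 'user_passwd_change_allowed') === FALSE
            && !is_user_granted_permission(PERM_ADMIN_CHANGE_PASSWORD)) {
        opendb_logger(OPENDB_LOG_WARN, __FILE__, __FUNCTION__, 'New password request failure: Password change is disabled', array($uid));
        return FALSE;
    }

    opendb_logger(OPENDB_LOG_INFO, __FILE__, __FUNCTION__, 'User requested to be emailed a new password', array($uid));

    $user_r = fetch_user_r($uid);

    // Refuse before touching the stored password if there is nowhere to send
    // the new one; otherwise the account would be locked out for nothing.
    if (strlen($user_r['email_addr']) == 0) {
        $errors[] = "User '" . $uid . "' does not have a valid email address.";
        return FALSE;
    }

    $user_passwd = generate_password(8);
    if (update_user_passwd($uid, $user_passwd) !== TRUE) {
        $errors[] = db_error();
        return FALSE;
    }

    $subject = get_opendb_lang_var('lost_password');
    $message = get_opendb_lang_var('to_user_email_intro', 'fullname', $user_r['fullname'])
        . "\n\n" . get_opendb_lang_var('new_passwd_email')
        . "\n\n" . get_opendb_lang_var('userid') . ": " . $uid
        . "\n" . get_opendb_lang_var('password') . ": " . $user_passwd;

    // From this point the old password is gone; a mail failure is reported
    // distinctly so the caller can tell the user what happened.
    if (!opendb_user_email($user_r['user_id'], NULL, $subject, $message, $errors)) {
        return "EMAIL_NOT_SENT";
    }
    return TRUE;
}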