function author_save_new()
{
extract(doSlash(psa(array('privs', 'name', 'email', 'RealName'))));
$pw = generate_password(6);
$nonce = md5(uniqid(rand(), true));
if ($name) {
$rs = safe_insert("txp_users", "privs = '{$privs}',\n\t\t\t\t name = '{$name}',\n\t\t\t\t email = '{$email}',\n\t\t\t\t RealName = '{$RealName}',\n\t\t\t\t pass = password(lower('{$pw}')),\n\t\t\t\t nonce = '{$nonce}'");
}
if ($rs) {
send_password($pw, $email);
admin(gTxt('password_sent_to') . sp . $email);
} else {
admin(gTxt('error_adding_new_author'));
}
}
</td>
<td width="35%" valign="top" align="right">
<form method="get" action="people.php">
<?php
selectPeople("person");
?>
</form>
<?php
user_opts();
?>
</td>
</tr>
</table>
<hr />
<?php
//find out the state
@($state = $_REQUEST["state"]);
switch ($state) {
case "lost":
echo $strLost . "<br>\n";
include "inc/lostpasswdform.inc.php";
break;
case "sent":
send_password($_REQUEST["pwdEmail"]);
echo $strSent;
default:
include "inc/loginform.inc.php";
}
}
include "inc/footer.inc.php";
// eof
function author_save_new()
{
require_privs('admin.edit');
extract(doSlash(psa(array('privs', 'name', 'email', 'RealName'))));
$privs = assert_int($privs);
if ($name && is_valid_email($email)) {
$password = doSlash(generate_password(6));
$nonce = doSlash(md5(uniqid(mt_rand(), TRUE)));
$rs = safe_insert('txp_users', "\n\t\t\t\tprivs = {$privs},\n\t\t\t\tname = '{$name}',\n\t\t\t\temail = '{$email}',\n\t\t\t\tRealName = '{$RealName}',\n\t\t\t\tnonce = '{$nonce}',\n\t\t\t\tpass = password(lower('{$password}'))\n\t\t\t");
if ($rs) {
send_password($RealName, $name, $email, $password);
admin(gTxt('password_sent_to') . sp . $email);
return;
}
}
admin(gTxt('error_adding_new_author'));
}
/**
* Creates a new user.
*/
function author_save_new()
{
require_privs('admin.edit');
extract(psa(array('privs', 'name', 'email', 'RealName')));
$privs = assert_int($privs);
if (is_valid_username($name) && is_valid_email($email)) {
if (user_exists($name)) {
author_list(array(gTxt('author_already_exists', array('{name}' => $name)), E_ERROR));
return;
}
$password = generate_password(PASSWORD_LENGTH);
$rs = create_user($name, $email, $password, $RealName, $privs);
if ($rs) {
send_password($RealName, $name, $email, $password);
author_list(gTxt('password_sent_to') . sp . $email);
return;
}
}
author_list(array(gTxt('error_adding_new_author'), E_ERROR));
}
if (isset($_GET['action'])) {
$action = get_magic_quotes_gpc() ? $_GET['action'] : addslashes($_GET['action']);
}
$allowed_actions = array('reminder', 'change');
// set target page for redirects
$target = !empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : $_SERVER['PHP_SELF'] . "?" . $_SERVER['QUERY_STRING'];
$loginmessage = "";
switch ($action) {
case "reminder":
include_once '_scripts/bouncer_params.php';
include_once '_scripts/bouncer_functions.php';
// process reminder
if (!empty($_POST['p_email'])) {
$p_email = get_magic_quotes_gpc() ? $_POST['p_email'] : addslashes($_POST['p_email']);
$target = $_POST['target'];
$loginmessage = send_password($p_email);
// close if totalrows
}
// text variables
$pass_title = "Password Reminder Service";
$pass_intro = "<p>To return to the previous page <a href=\"" . $target . "\">click here</a></p>\n\t\t\t <p>Enter the email address you registered with and your password will be sent to you.</p>";
// show reminder form
$pass_form = "\n\t\t\t\t<form id=\"emailreminder\" method=\"post\" action=\"" . $_SERVER['PHP_SELF'] . "?" . $_SERVER['QUERY_STRING'] . "\">\n\t\t\t\t\t\n\t\t\t\t\t<p><label for=\"p_email\">Email address:</label></p>\n\t\t\t\t\t<p><input name=\"p_email\" type=\"text\" id=\"p_email\" /></p>\n\t\t\t\t\t<p>\n\t\t\t\t\t\t<input type=\"hidden\" name=\"target\" value=\"" . $target . "\" />\n\t\t\t\t\t\t<input type=\"submit\" name=\"submit\" value=\"Send Password\" />\n\t\t\t\t\t</p>\n\t\t\t\t</form>\n\t\t\t";
break;
case "change":
include 'restrict.php';
// process change
if (!empty($_POST['change'])) {
if (isset($_POST['currentpass'])) {
$currentpass = get_magic_quotes_gpc() ? $_POST['currentpass'] : addslashes($_POST['currentpass']);
} else {
function author_save_new()
{
require_privs('admin.edit');
extract(doSlash(psa(array('privs', 'name', 'email', 'RealName'))));
$privs = assert_int($privs);
$length = function_exists('mb_strlen') ? mb_strlen($name, '8bit') : strlen($name);
if ($name and $length <= 64 and is_valid_email($email)) {
$exists = safe_field('name', 'txp_users', "name = '" . $name . "'");
if ($exists) {
author_list(array(gTxt('author_already_exists', array('{name}' => $name)), E_ERROR));
return;
}
$password = generate_password(PASSWORD_LENGTH);
$hash = doSlash(txp_hash_password($password));
$nonce = doSlash(md5(uniqid(mt_rand(), TRUE)));
$rs = safe_insert('txp_users', "\n\t\t\t\tprivs = {$privs},\n\t\t\t\tname = '{$name}',\n\t\t\t\temail = '{$email}',\n\t\t\t\tRealName = '{$RealName}',\n\t\t\t\tnonce = '{$nonce}',\n\t\t\t\tpass = '******'\n\t\t\t");
if ($rs) {
send_password($RealName, $name, $email, $password);
author_list(gTxt('password_sent_to') . sp . $email);
return;
}
}
author_list(array(gTxt('error_adding_new_author'), E_ERROR));
}
echo $_SESSION['msg'];
unset($_SESSION['msg']);
}
$dis = 'none';
if (isset($_SESSION['msg'])) {
$dis = block;
}
//
if (isset($_POST['email'])) {
mysql_select_db($database_contacts, $contacts);
$query_passwordcheck = "SELECT * FROM users WHERE user_email = '" . $_POST['email'] . "'";
$passwordcheck = mysql_query($query_passwordcheck, $contacts) or die(mysql_error());
$row_passwordcheck = mysql_fetch_assoc($passwordcheck);
$totalRows_passwordcheck = mysql_num_rows($passwordcheck);
$new_password = gen_password(8);
if (send_password($_POST["email"], $email_from_address, $website_address)) {
set_msg('A new password has been sent.');
header('Location: login.php');
die;
} else {
set_msg('Could not send the password.');
header('Location: password.php');
die;
}
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title><?php
$action = $_REQUEST['action'];
switch ($action) {
case "frm_login":
form_login();
break;
case "frm_register":
form_register();
break;
case "frm_send_password":
frm_send_password();
break;
case "Send_Password":
if (isset($_POST['email']) && isset($_POST['username'])) {
$user = $_POST['username'];
$email = $_POST['email'];
send_password($user, $email);
} else {
echo "Data error. Please retry.";
die;
}
case "login":
if (isset($_POST['username']) && isset($_POST['password'])) {
$username = $_POST['username'];
$password = $_POST['password'];
} else {
echo "Data error. Please retry.";
die;
}
if (strlen($username) < 4 && strlen($password) < 6) {
echo "Invalid data (username>=4 chars, password >=6 chars). Please try again.";
die;
/**
* Reset Password
*
*/
function ResetPasswordForm()
{
log_err(__FILE__, __LINE__, "Request to reset password made.");
$this->c->plugins[form]->init(array('username', 'email'));
$this->c->plugins[form]->params($this->c->request->params);
$this->c->plugins[form]->validate_fields(array());
$this->c->plugins[form]->required_fields(array('username', 'email'));
$this->c->plugins[form]->templateobj->set_mod_dir('/users/');
// trailing slash required
if ($this->c->plugins[form]->submitted()) {
if ($this->c->plugins[form]->validate()) {
// start valid
// debug
// print "<strong>Validated</strong>";
/**
* Note: it is obvious, I hope, that the user should not need to
* be logged in when requesting this, otherwise they would not
* be in need of finding a password (unless an anonymous or guest
* user has a session). This means we don't know their
* user profile.
*/
$email = $this->c->request->params['email'];
// debug
//print "Email: $email";
// confirmation code is md5 of email,
// gives an opportunity to compare the input
// against the real email address
$confirmcode = md5($this->c->request->params['email']);
$this->model->setConfirm($this->c->request->params['username'], $confirmcode);
send_confirm_passwordreset($email, $confirmcode);
print "Password reset confirmation sent";
//log_err( __FILE__, __LINE__, "Successful password reset." );
} else {
print "<strong>Not Validated</strong>";
$form_html = $this->c->plugins[form]->render('mvc-users-resetpassword-form.tpl', FORM_STICKY);
$this->view->assign("form_view", $form_html);
$this->view->display('mvc-users-resetpassword');
}
} else {
if (empty($this->c->request->params['confirm'])) {
// ask for password to be reset
$form_html = $this->c->plugins[form]->render('mvc-users-resetpassword-form.tpl', FORM_NORMAL);
$this->view->assign("form_view", $form_html);
$this->view->display('mvc-users-resetpassword');
} else {
/**
* This is a tricky sequence. The raw password must be
* sent to the user, but the encrypted password is stored
* in the database.
*/
// confirming and reset password
$newpass = $this->model->setPassword($this->c->request->params['confirm']);
$profile = $this->model->getUserByConfirm($this->c->request->params['confirm']);
print_r($profile);
// Why isn't the profile an object?
// Damn, the password is not returned in the typical profile
// as a security measure. But to send a new password, it
// must retrieve it.
send_password($profile['email'], $newpass);
$this->view->display('mvc-users-passwordsent');
}
}
}
$totalRows_users = mysql_num_rows($users);
if (isset($_POST["user_email"]) && isset($_POST["user_type"])) {
$email = $_POST["user_email"];
$type = $_POST["user_type"];
$users_emails = array();
if ($type != "0" && $type != "1") {
set_msg("Invalid User Type");
} else {
do {
$users_emails[] = $row_users["user_email"];
} while ($row_users = mysql_fetch_assoc($users));
if (in_array($email, $users_emails)) {
set_msg("This email address is already in use. The account was not created.");
} else {
mysql_query("INSERT INTO users (`user_email`, `user_level`) VALUES ('" . mysql_real_escape_string($email) . "', '" . mysql_real_escape_string($type) . "')");
if (send_password($email, $email_from_address, $website_address, true)) {
set_msg("Account created");
} else {
set_msg("Account created but email failed to send.");
}
}
}
header('Location: users.php');
die;
} else {
if (isset($_POST["user"]) && isset($_POST["action"])) {
$target = $_POST["user"];
if (!is_numeric($target)) {
set_msg("Invalid user." . $target);
} else {
if ($target == $row_userinfo["user_id"]) {
