require_api('print_api.php'); require_api('user_api.php'); form_security_validate('manage_user_reset'); auth_reauthenticate(); access_ensure_global_level(config_get('manage_user_threshold')); $f_user_id = gpc_get_int('user_id'); user_ensure_exists($f_user_id); $t_user = user_get_row($f_user_id); # Ensure that the account to be reset is of equal or lower access to the # current user. access_ensure_global_level($t_user['access_level']); # If the password can be changed, we reset it, otherwise we unlock # the account (i.e. reset failed login count) $t_reset = helper_call_custom_function('auth_can_change_password', array()); if ($t_reset) { $t_result = user_reset_password($f_user_id); } else { $t_result = user_reset_failed_login_count_to_zero($f_user_id); } $t_redirect_url = 'manage_user_page.php'; form_security_purge('manage_user_reset'); html_page_top(null, $t_result ? $t_redirect_url : null); echo '<div class="success-msg">'; if ($t_reset) { if (false == $t_result) { # PROTECTED echo lang_get('account_reset_protected_msg'); } else { # SUCCESSFUL RESET if (ON == config_get('send_reset_password') && ON == config_get('enable_email_notification')) { # send the new random password via email
user_new_reset_password($email, $reset_link); $url = RTH_URL . "login_reset_password_action.php?reset_link={$reset_link}"; $subject = "RTH: Reset Password Request"; $message = "Someone has requested your RTH password to be reset. If it was not you, please ignore this email." . NEWLINE . NEWLINE; $message .= "If you do want to reset your password, please click the link below:" . NEWLINE; $message .= "{$url}"; email_send($recipients = array($email), $subject, $message, $headers = "RTH_Admin"); print lang_get("new_reset_password"); # if user clicks the reset link in email } elseif (isset($_GET['reset_link'])) { $reset_link = $_GET['reset_link']; # create new password $password = new rndPass(6); $new_password = $password->PassGen(); # reset password and return users email address $email = user_reset_password($reset_link, $new_password); # if reset password was successful, send out email with new password details if ($email) { $user_details = user_get_info_by_email($email); $username = $user_details[USER_UNAME]; $url = RTH_URL . "login.php"; $subject = "RTH: Password has been Reset"; $message = "Your RTH password has been reset." . NEWLINE . NEWLINE; $message .= "Username: {$username}" . NEWLINE; $message .= "Password: {$new_password}" . NEWLINE . NEWLINE; $message .= "You may change your password by clicking '" . lang_get('user_link') . "' on the RTH menu." . NEWLINE . NEWLINE; $message .= "Click the following link to login to RTH:" . NEWLINE; $message .= "{$url}"; email_send($recipients = array($email), $subject, $message, $headers = "RTH_Admin"); print lang_get("reset_password"); } else {
if ($valid) { if (htmlentities_array($pw) != $pw) { $error_msg_array[] = gettext("Password must not contain HTML tags"); $valid = false; } if (mb_strlen(trim($_POST['pw'])) < 6) { $error_msg_array[] = gettext("Password must be a minimum of 6 characters long"); $valid = false; } if ($pw != $cpw) { $error_msg_array[] = gettext("Passwords do not match"); $valid = false; } } if ($valid) { if (user_reset_password($uid, $pw, $key)) { html_draw_top(array('title' => gettext('Password changed'), 'class' => 'window_title')); html_display_msg(gettext("Password changed"), gettext("Your password has been changed."), 'index.php', 'get', array('continue' => gettext("Continue")), array(), '_top'); html_draw_bottom(); exit; } else { $error_msg_array[] = gettext("Update failed"); $valid = false; } } } if (isset($_REQUEST['u']) && isset($_REQUEST['h'])) { $uid = $_GET['u']; $key = $_GET['h']; } else { html_draw_error(gettext("Required information not found"));
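/**
 * Authenticate a user by login name or e-mail address.
 *
 * The supplied value is upper-cased and matched against both the LOGON and
 * EMAIL columns of USER. Two stored-credential formats are accepted:
 *   - legacy rows with an empty SALT hold an unsalted MD5 digest; on a match
 *     the row is re-hashed via user_reset_password() before the UID is returned;
 *   - all other rows are verified with user_password_encrypt($password, $salt).
 *
 * @param string $logon    Login name or e-mail address as typed by the user.
 * @param string $password Clear-text password as typed by the user.
 * @return mixed UID as returned by the driver (first column of the matched
 *               row), or false when the database is unavailable, a query
 *               fails, no row matches, or the password does not verify.
 *
 * Side effects on success: the caller's IP address is stored on the USER row
 * and user_prune_expired_tokens() is run for that UID.
 */
function user_logon($logon, $password) {
    if (!($db = db::get())) {
        return false;
    }

    // Escape the lookup value exactly once and reuse it for both predicates.
    // (Previously $email was produced by escaping the already-escaped $logon,
    // so an address containing a quote or backslash could never match.)
    $logon = $db->escape(mb_strtoupper($logon));
    $email = $logon;

    $ipaddress = $db->escape(get_ip_address());

    // NOTE(review): the db wrapper only exposes escape() here; if it offers
    // prepared statements, prefer them over string-built SQL.
    $sql = "SELECT UID, PASSWD, SALT FROM USER WHERE LOGON = '{$logon}' OR EMAIL = '{$email}'";
    if (!($result = $db->query($sql))) {
        return false;
    }
    if ($result->num_rows == 0) {
        return false;
    }

    list($uid, $passhash, $salt) = $result->fetch_row();
    $passhash = (string) $passhash;

    // Legacy unsalted MD5 rows. hash_equals() replaces `==`, which would apply
    // numeric type juggling to digests of the form "0e..." and is not
    // constant-time. A legacy match is upgraded in place via
    // user_reset_password(); a mismatch falls through to the salted check,
    // exactly as before.
    if (strlen(trim($salt)) == 0 && hash_equals($passhash, md5($password))) {
        if (!user_reset_password($uid, $password, $passhash)) {
            return false;
        }
        return $uid;
    }

    // Salted rows: constant-time, type-strict comparison of the recomputed hash.
    if (!hash_equals($passhash, (string) user_password_encrypt($password, $salt))) {
        return false;
    }

    // Record the client IP for this logon; a failed UPDATE is treated as a
    // failed logon, as in the original implementation.
    $sql = "UPDATE LOW_PRIORITY USER SET IPADDRESS = '{$ipaddress}' WHERE UID = '{$uid}'";
    if (!($result = $db->query($sql))) {
        return false;
    }

    user_prune_expired_tokens($uid);
    return $uid;
}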