コード例 #1
ファイル: lib_passwords.php プロジェクト: jacques/flamework
#
# Check $password against the hash stored in $user['password'] and,
# when the stored hash is not bcrypt, opportunistically re-store it.
#
# $user is taken by reference: after a successful re-hash the caller's
# copy is replaced with a fresh row from users_get_by_id().
#
# $more['ensure_bcrypt'] (default 1) turns the re-hash step on or off.
#
# Returns whatever passwords_validate_password() returned.
#
# NOTE(review): only the '$2a$' prefix counts as bcrypt here. A stored
# hash with another bcrypt prefix (for example '$2y$') would be handled
# as a legacy hash -- confirm which prefix the hashing helper emits.
#
function passwords_validate_password_for_user($password, &$user, $more = array())
{
    $options = array_merge(array('ensure_bcrypt' => 1), $more);
    $stored_hash = $user['password'];

    $is_bcrypt = 0;
    if (substr($stored_hash, 0, 4) == '$2a$') {
        $is_bcrypt = 1;
    }

    $is_ok = passwords_validate_password($password, $stored_hash, array('use_bcrypt' => $is_bcrypt));

    # Nothing to upgrade when the check failed or the hash is already bcrypt.
    if (!$is_ok || $is_bcrypt) {
        return $is_ok;
    }

    # Upgrade only when the caller allows it and bcrypt is available.
    if (!$options['ensure_bcrypt'] || !$GLOBALS['passwords_canhas_bcrypt']) {
        return $is_ok;
    }

    # The plaintext is only known at login time, so this is the one place
    # a legacy hash can be replaced. Reload through the reference so the
    # caller sees the new hash.
    if (users_update_password($user, $password)) {
        $user = users_get_by_id($user['id']);
    }

    return $is_ok;
}
コード例 #2
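#
# Check $password against the hash stored in $user['password'].
#
# When bcrypt is enabled, promotion is allowed and the stored value is
# not a '$2a$' hash, the password is verified against the legacy
# HMAC-SHA256 digest and, on success, re-stored via
# users_update_password(). $user is taken by reference so the caller
# receives the reloaded row.
#
# Returns a boolean on the legacy path, otherwise whatever
# passwords_validate_password() returns.
#
function passwords_validate_password_for_user($password, &$user)
{
    #
    # if this is *not* a bcrypt hash, but we allow promotion,
    # then verify & promote it.
    #
    $is_bcrypt = substr($user['password'], 0, 4) === '$2a$';

    if ($GLOBALS['cfg']['passwords_use_bcrypt'] && $GLOBALS['cfg']['passwords_allow_promotion'] && !$is_bcrypt) {
        $stored = (string) $user['password'];
        $test = hash_hmac("sha256", $password, $GLOBALS['cfg']['crypto_password_secret']);

        # A loose == between two hex digests is unsafe: PHP compares
        # numeric-looking strings ("0e" followed by digits) as numbers, so
        # two different digests can compare equal, and the comparison is
        # not constant-time. Use hash_equals() where it exists and fall
        # back to a strict string comparison on older runtimes.
        if (function_exists('hash_equals')) {
            $is_ok = hash_equals($stored, $test);
        } else {
            $is_ok = ($test === $stored);
        }

        if ($is_ok) {
            # note the pass-by-ref above
            if (users_update_password($user, $password)) {
                $user = users_get_by_id($user['id']);
            }
        }

        return $is_ok;
    }

    #
    # simple case
    #
    return passwords_validate_password($password, $user['password']);
}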
コード例 #3
ファイル: reset.php プロジェクト: netcon-source/dotspotting
		# Final step of a password reset: validate the two submitted
		# entries, store the new password, retire the reset codes and
		# log the user in. Every failure sets one error flag,
		# re-renders the reset page and stops.

		# Both fields are required. The check is on truthiness, so the
		# literal string "0" is also treated as missing.
		if ((! $new_password1) || (! $new_password2)){

			$GLOBALS['error']['missing_password'] = 1;
			$GLOBALS['smarty']->display('page_reset.txt');
			exit();	
		}

		# Strict comparison: the two entries must be identical strings.
		# NOTE(review): no minimum length or strength rule is visible in
		# this excerpt -- confirm one is enforced elsewhere.
		if ($new_password1 !== $new_password2){

			$GLOBALS['error']['password_mismatch'] = 1;
			$GLOBALS['smarty']->display('page_reset.txt');
			exit();	
		}

		# users_update_password() returns an array here; success is
		# read from its 'ok' key.
		$rsp = users_update_password($user, $new_password1);

		if (! $rsp['ok']){

			$GLOBALS['error']['update_failed'] = 1;
			$GLOBALS['smarty']->display('page_reset.txt');
			exit();	
		}

		# Runs only after a successful update. Presumably this removes
		# the user's outstanding reset codes so the emailed link cannot
		# be replayed -- verify in users_purge_password_reset_codes().
		users_purge_password_reset_codes($user);
		users_reload_user($user);

		# NOTE(review): the reset ends in a direct login. Confirm that
		# sessions established under the old password stop being valid
		# once the password changes.
		login_do_login($user);
		exit();
	}
コード例 #4
    # Tail of a change-password handler: check the current password,
    # check the two new entries, store the new password and log the
    # user in again. $ok carries the running result; each later check
    # is skipped once an earlier one has failed.

    # NOTE(review): trim() changes what the user typed. The equality
    # check below only passes if $new_pass1 (assigned outside this
    # excerpt) was normalised the same way -- confirm.
    $new_pass2 = trim(post_str('new_password2'));
    $ok = 1;
    # The current password is checked by transforming the submitted
    # value and comparing it to the stored one, so this can only match
    # when login_encrypt_password() is deterministic for a given input.
    # NOTE(review): that cannot verify a salted hash such as bcrypt, and
    # !== is not a constant-time comparison -- consider routing this
    # through the password validation helper instead.
    if (login_encrypt_password($old_pass) !== $GLOBALS['cfg']['user']['password']) {
        $smarty->assign('error_oldpass_mismatch', 1);
        $ok = 0;
    }
    if ($ok && $new_pass1 !== $new_pass2) {
        $smarty->assign('error_newpass_mismatch', 1);
        $ok = 0;
    }
    # Only an empty new password is rejected here.
    # NOTE(review): no minimum length or strength rule is visible in
    # this excerpt -- confirm one is enforced elsewhere.
    if ($ok && !strlen($new_pass2)) {
        $smarty->assign('error_newpass_empty', 1);
        $ok = 0;
    }
    if ($ok) {
        if (!users_update_password($GLOBALS['cfg']['user'], $new_pass1)) {
            $smarty->assign('error_fail', 1);
            $ok = 0;
        }
    }
    if ($ok) {
        #
        # Refresh the user so that we pick up the newer password when
        # we set new cookies. Should this be a function in lib_users?
        # (20101012/asc)
        #
        $GLOBALS['cfg']['user'] = users_get_by_id($GLOBALS['cfg']['user']['id']);
        login_do_login($GLOBALS['cfg']['user'], "/account/?password=1");
        exit;
    }
}
コード例 #5
ファイル: reset.php プロジェクト: whosonfirst/flamework
    $smarty->display('page_reset.txt');
    exit;
}
# Make the reset code available to the template (the form posts it back).
$smarty->assign('reset_code', $reset_code);

if (post_isset('done')) {
    $new_password1 = post_str('new_password1');
    $new_password2 = post_str('new_password2');

    #
    # Run the checks in order and remember the first one that fails.
    # users_update_password() is only reached when both entries are
    # present and identical.
    #
    $failure_flag = null;
    if (!$new_password1 || !$new_password2) {
        $failure_flag = 'error_missing_password';
    } elseif ($new_password1 !== $new_password2) {
        $failure_flag = 'error_password_mismatch';
    } elseif (!users_update_password($user, $new_password1)) {
        $failure_flag = 'error_update_failed';
    }

    if ($failure_flag !== null) {
        $smarty->assign($failure_flag, 1);
        $smarty->display('page_reset.txt');
        exit;
    }

    #
    # Success: retire the outstanding reset codes, reload the user row
    # so the login below sees the new password, then log in.
    #
    # NOTE(review): no minimum length or strength rule is visible in
    # this excerpt -- confirm one is enforced elsewhere.
    #
    users_purge_password_reset_codes($user);
    $user = users_get_by_id($user['id']);
    login_do_login($user, "/account?password=1");
    exit;
}

#
# output
#
$smarty->display('page_reset.txt');