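/**
 * Set a user's password
 *
 * Reads the 'password', 'password2', 'current_password' and 'guid' inputs.
 * Anyone who is not an admin, and an admin changing their *own* password,
 * must supply the current password, which is verified through the userpass
 * PAM handler. On success the salt and hash are regenerated, the stored
 * remember-me code is cleared so existing persistent logins stop working,
 * and the current browser's remember-me cookie (if any) is reissued.
 *
 * @return bool|null true on success, false on failure, null when there was
 *                   nothing to change (no target user or no new password)
 * @since 1.8.0
 * @access private
 */
function elgg_set_user_password()
{
    // passwords are deliberately read unfiltered (third argument false):
    // HTML filtering would silently alter characters of the secret
    $current_password = get_input('current_password', null, false);
    $password = get_input('password', null, false);
    $password2 = get_input('password2', null, false);
    $user_guid = get_input('guid');

    // get_user() only returns user entities, so a guid pointing at a group or
    // object cannot be given password/salt metadata (get_entity() would allow it)
    $user = $user_guid ? get_user($user_guid) : elgg_get_logged_in_user_entity();

    // a submitted "0" is still a submission; let validate_password() judge it
    if (!$user || $password === null || $password === '') {
        // no change
        return null;
    }

    // !A || (A && B) is just !A || B: only an admin changing someone else's
    // password is exempt from proving the current one
    $is_own_account = (int) $user->guid === (int) elgg_get_logged_in_user_guid();
    if (!elgg_is_admin_logged_in() || $is_own_account) {
        $credentials = array('username' => $user->username, 'password' => $current_password);
        try {
            pam_auth_userpass($credentials);
        } catch (LoginException $e) {
            register_error(elgg_echo('LoginException:ChangePasswordFailure'));
            return false;
        }
    }

    try {
        $result = validate_password($password);
    } catch (RegistrationException $e) {
        register_error($e->getMessage());
        return false;
    }
    if (!$result) {
        register_error(elgg_echo('user:password:fail:tooshort'));
        return false;
    }

    // strict comparison: loose == treats numeric strings such as "1e3" and "1000" as equal
    if ($password !== $password2) {
        register_error(elgg_echo('user:password:fail:notsame'));
        return false;
    }

    $user->salt = _elgg_generate_password_salt();
    $user->password = generate_user_password($user, $password);
    // an empty code invalidates every remember-me cookie issued for this account
    $user->code = '';
    if ($is_own_account && !empty($_COOKIE['elggperm'])) {
        // regenerate remember me code so no other user could
        // use it to authenticate later
        $code = _elgg_generate_remember_me_token();
        $_SESSION['code'] = $code;
        $user->code = md5($code);
        // httponly keeps the persistent-login token out of reach of page scripts
        setcookie("elggperm", $code, time() + 86400 * 30, "/", "", false, true);
    }

    if ($user->save()) {
        system_message(elgg_echo('user:password:success'));
        return true;
    }
    register_error(elgg_echo('user:password:fail'));
    return false;
}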
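/**
 * Initialises the system session and potentially logs the user in
 *
 * This function looks for:
 *
 * 1. $_SESSION['guid'] - if empty, we're logged out and the user-related
 *    session variables (user, id, guid, code) are cleared
 * 2. The cookie 'elggperm' - if present, checks it for an authentication
 *    token, validates it, and potentially logs the user in
 *
 * When a user session already exists the user is reloaded from the
 * database; if the browser still presents a legacy low-entropy remember-me
 * token for that user it is replaced with a freshly generated one. A user
 * who has been banned while logged in has the session destroyed.
 *
 * @uses $_SESSION
 *
 * @return bool false when the session was destroyed because the user is banned, true otherwise
 * @access private
 */
function _elgg_session_boot()
{
    global $DB_PREFIX, $CONFIG;
    // Use database for sessions
    // HACK to allow access to prefix after object destruction
    $DB_PREFIX = $CONFIG->dbprefix;
    if (!isset($CONFIG->use_file_sessions)) {
        session_set_save_handler(
            "_elgg_session_open",
            "_elgg_session_close",
            "_elgg_session_read",
            "_elgg_session_write",
            "_elgg_session_destroy",
            "_elgg_session_gc"
        );
    }
    session_name('Elgg');
    session_start();

    // Generate a simple token (private from potentially public session id)
    if (!isset($_SESSION['__elgg_session'])) {
        $_SESSION['__elgg_session'] = ElggCrypto::getRandomString(32, ElggCrypto::CHARS_HEX);
    }

    // test whether we have a user session
    if (empty($_SESSION['guid'])) {
        // clear session variables before checking cookie
        unset($_SESSION['user'], $_SESSION['id'], $_SESSION['guid'], $_SESSION['code']);

        // is there a remember me cookie
        if (!empty($_COOKIE['elggperm'])) {
            // we have a cookie, so try to log the user in; only the md5 of the
            // token is stored on the user record, so look it up by that
            $code = md5($_COOKIE['elggperm']);
            if ($user = get_user_by_code($code)) {
                // we have a user, log him in
                $_SESSION['user'] = $user;
                $_SESSION['id'] = $user->getGUID();
                $_SESSION['guid'] = $_SESSION['id'];
                $_SESSION['code'] = $_COOKIE['elggperm'];
            } else {
                if (_elgg_is_legacy_remember_me_token($_COOKIE['elggperm'])) {
                    // may be attempt to brute force legacy low-entropy codes
                    sleep(1);
                }
                // unknown token: expire the cookie so it is not re-sent on every request
                setcookie("elggperm", "", time() - 86400 * 30, "/");
            }
        }
    } else {
        // we have a session and we have already checked the fingerprint
        // reload the user object from database in case it has changed during the session
        if ($user = get_user($_SESSION['guid'])) {
            $_SESSION['user'] = $user;
            $_SESSION['id'] = $user->getGUID();
            $_SESSION['guid'] = $_SESSION['id'];

            // token rotation needs a loaded user: it writes $user->code and saves it,
            // so it belongs here and not in the deleted-user branch below
            if (!empty($_COOKIE['elggperm']) && _elgg_is_legacy_remember_me_token($_COOKIE['elggperm'])) {
                // replace user's old weaker-entropy code with new one
                $code = _elgg_generate_remember_me_token();
                $_SESSION['code'] = $code;
                $user->code = md5($code);
                $user->save();
                // httponly keeps the persistent-login token out of reach of page scripts
                setcookie("elggperm", $code, time() + 86400 * 30, "/", "", false, true);
            }
        } else {
            // user must have been deleted with a session active
            unset($_SESSION['user'], $_SESSION['id'], $_SESSION['guid'], $_SESSION['code']);
            if (!empty($_COOKIE['elggperm'])) {
                // the persistent-login cookie can no longer match an account; expire it
                setcookie("elggperm", "", time() - 86400 * 30, "/");
            }
        }
    }

    if (isset($_SESSION['guid'])) {
        set_last_action($_SESSION['guid']);
    }

    elgg_register_action('login', '', 'public');
    elgg_register_action('logout');

    // Register a default PAM handler
    register_pam_handler('pam_auth_userpass');

    // Initialise the magic session
    global $SESSION;
    $SESSION = new ElggSession();

    // Finally we ensure that a user who has been banned with an open session is kicked.
    if (isset($_SESSION['user']) && $_SESSION['user']->isBanned()) {
        session_destroy();
        return false;
    }
    return true;
}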
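/**
 * Called on usersettings save action - changes the users password
 * locally and on stormpath
 *
 * The Stormpath account is updated first (or created via add_to_stormpath()
 * when the user has no linked account yet), then the local salt and hash are
 * regenerated. If the local save fails after the remote update succeeded the
 * two stores disagree until the next successful change.
 *
 * @param string $hook   hook name ('usersettings:save')
 * @param string $type   hook type ('user')
 * @param mixed  $return current hook return value (unused)
 * @param array  $params hook params (unused)
 * @return bool|null true on success, false on failure, null when there was
 *                   nothing to change (no target user or no new password)
 */
function set_user_password($hook = 'usersettings:save', $type = 'user', $return = true, $params = array())
{
    // passwords are deliberately read unfiltered (third argument false):
    // HTML filtering would silently alter characters of the secret
    $current_password = get_input('current_password', null, false);
    $password = get_input('password', null, false);
    $password2 = get_input('password2', null, false);
    $user_guid = get_input('guid');

    // get_user() only returns user entities; a guid of a group/object yields false
    $user = $user_guid ? get_user($user_guid) : elgg_get_logged_in_user_entity();

    // a submitted "0" is still a submission; let validate_password() judge it
    if (!$user || $password === null || $password === '') {
        // no change
        return null;
    }

    // !A || (A && B) is just !A || B: only an admin changing someone else's
    // password is exempt from proving the current one
    $is_own_account = (int) $user->guid === (int) elgg_get_logged_in_user_guid();
    if (!elgg_is_admin_logged_in() || $is_own_account) {
        // this plugin's PAM handler authenticates by email rather than username
        $credentials = array('username' => $user->email, 'password' => $current_password);
        try {
            pam_handler($credentials);
        } catch (\LoginException $e) {
            register_error(elgg_echo('LoginException:ChangePasswordFailure'));
            return false;
        }
    }

    try {
        $result = validate_password($password);
    } catch (\RegistrationException $e) {
        register_error($e->getMessage());
        return false;
    }
    if (!$result) {
        register_error(elgg_echo('user:password:fail:tooshort'));
        return false;
    }

    // strict comparison: loose == treats numeric strings such as "1e3" and "1000" as equal
    if ($password !== $password2) {
        register_error(elgg_echo('user:password:fail:notsame'));
        return false;
    }

    // change it on stormpath
    if ($user->__stormpath_user) {
        try {
            $client = get_client();
            $account = $client->dataStore->getResource($user->__stormpath_user, \Stormpath\Stormpath::ACCOUNT);
            $account->password = $password;
            $account->save();
        } catch (\Exception $exc) {
            register_error($exc->getMessage());
            return false;
        }
    } else {
        // no linked account yet: create one carrying the new password
        // ($password is already known to be non-empty at this point)
        add_to_stormpath($user, $password);
    }

    // change it locally
    $user->salt = _elgg_generate_password_salt();
    $user->password = generate_user_password($user, $password);
    if (is_elgg18()) {
        // an empty code invalidates every remember-me cookie issued for this account
        $user->code = '';
        if ($is_own_account && !empty($_COOKIE['elggperm'])) {
            // regenerate remember me code so no other user could
            // use it to authenticate later
            $code = _elgg_generate_remember_me_token();
            $_SESSION['code'] = $code;
            $user->code = md5($code);
            // httponly keeps the persistent-login token out of reach of page scripts
            setcookie("elggperm", $code, time() + 86400 * 30, "/", "", false, true);
        }
    } else {
        // on non-1.8 Elgg the persistent login service owns token rotation and the cookie
        _elgg_services()->persistentLogin->handlePasswordChange($user, elgg_get_logged_in_user_entity());
    }

    if ($user->save()) {
        system_message(elgg_echo('user:password:success'));
        return true;
    }
    register_error(elgg_echo('user:password:fail'));
    return false;
}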