/** * Set a user's password * * @return bool * @since 1.8.0 * @access private */ function elgg_set_user_password() { $current_password = get_input('current_password', null, false); $password = get_input('password', null, false); $password2 = get_input('password2', null, false); $user_guid = get_input('guid'); if (!$user_guid) { $user = elgg_get_logged_in_user_entity(); } else { $user = get_entity($user_guid); } if ($user && $password) { // let admin user change anyone's password without knowing it except his own. if (!elgg_is_admin_logged_in() || elgg_is_admin_logged_in() && $user->guid == elgg_get_logged_in_user_guid()) { $credentials = array('username' => $user->username, 'password' => $current_password); try { pam_auth_userpass($credentials); } catch (LoginException $e) { register_error(elgg_echo('LoginException:ChangePasswordFailure')); return false; } } try { $result = validate_password($password); } catch (RegistrationException $e) { register_error($e->getMessage()); return false; } if ($result) { if ($password == $password2) { $user->salt = _elgg_generate_password_salt(); $user->password = generate_user_password($user, $password); $user->code = ''; if ($user->guid == elgg_get_logged_in_user_guid() && !empty($_COOKIE['elggperm'])) { // regenerate remember me code so no other user could // use it to authenticate later $code = _elgg_generate_remember_me_token(); $_SESSION['code'] = $code; $user->code = md5($code); setcookie("elggperm", $code, time() + 86400 * 30, "/"); } if ($user->save()) { system_message(elgg_echo('user:password:success')); return true; } else { register_error(elgg_echo('user:password:fail')); } } else { register_error(elgg_echo('user:password:fail:notsame')); } } else { register_error(elgg_echo('user:password:fail:tooshort')); } } else { // no change return null; } return false; }
/** * Initialises the system session and potentially logs the user in * * This function looks for: * * 1. $_SESSION['id'] - if not present, we're logged out, and this is set to 0 * 2. The cookie 'elggperm' - if present, checks it for an authentication * token, validates it, and potentially logs the user in * * @uses $_SESSION * * @return bool * @access private */ function _elgg_session_boot() { global $DB_PREFIX, $CONFIG; // Use database for sessions // HACK to allow access to prefix after object destruction $DB_PREFIX = $CONFIG->dbprefix; if (!isset($CONFIG->use_file_sessions)) { session_set_save_handler("_elgg_session_open", "_elgg_session_close", "_elgg_session_read", "_elgg_session_write", "_elgg_session_destroy", "_elgg_session_gc"); } session_name('Elgg'); session_start(); // Generate a simple token (private from potentially public session id) if (!isset($_SESSION['__elgg_session'])) { $_SESSION['__elgg_session'] = ElggCrypto::getRandomString(32, ElggCrypto::CHARS_HEX); } // test whether we have a user session if (empty($_SESSION['guid'])) { // clear session variables before checking cookie unset($_SESSION['user']); unset($_SESSION['id']); unset($_SESSION['guid']); unset($_SESSION['code']); // is there a remember me cookie if (!empty($_COOKIE['elggperm'])) { // we have a cookie, so try to log the user in $code = $_COOKIE['elggperm']; $code = md5($code); if ($user = get_user_by_code($code)) { // we have a user, log him in $_SESSION['user'] = $user; $_SESSION['id'] = $user->getGUID(); $_SESSION['guid'] = $_SESSION['id']; $_SESSION['code'] = $_COOKIE['elggperm']; } else { if (_elgg_is_legacy_remember_me_token($_COOKIE['elggperm'])) { // may be attempt to brute force legacy low-entropy codes sleep(1); } setcookie("elggperm", "", time() - 86400 * 30, "/"); } } } else { // we have a session and we have already checked the fingerprint // reload the user object from database in case it has changed during the session if ($user = get_user($_SESSION['guid'])) { $_SESSION['user'] = $user; $_SESSION['id'] = $user->getGUID(); $_SESSION['guid'] = $_SESSION['id']; } else { // user must have been deleted with a session active unset($_SESSION['user']); unset($_SESSION['id']); unset($_SESSION['guid']); unset($_SESSION['code']); if (!empty($_COOKIE['elggperm']) && _elgg_is_legacy_remember_me_token($_COOKIE['elggperm'])) { // replace user's old weaker-entropy code with new one $code = _elgg_generate_remember_me_token(); $_SESSION['code'] = $code; $user->code = md5($code); $user->save(); setcookie("elggperm", $code, time() + 86400 * 30, "/"); } } } if (isset($_SESSION['guid'])) { set_last_action($_SESSION['guid']); } elgg_register_action('login', '', 'public'); elgg_register_action('logout'); // Register a default PAM handler register_pam_handler('pam_auth_userpass'); // Initialise the magic session global $SESSION; $SESSION = new ElggSession(); // Finally we ensure that a user who has been banned with an open session is kicked. if (isset($_SESSION['user']) && $_SESSION['user']->isBanned()) { session_destroy(); return false; } return true; }
/** * Called on usersettings save action - changes the users password * locally and on stormpath * * @param type $hook * @param type $type * @param type $return * @param type $params * @return boolean|null */ function set_user_password($hook = 'usersettings:save', $type = 'user', $return = true, $params = array()) { $current_password = get_input('current_password', null, false); $password = get_input('password', null, false); $password2 = get_input('password2', null, false); $user_guid = get_input('guid'); if ($user_guid) { $user = get_user($user_guid); } else { $user = elgg_get_logged_in_user_entity(); } if ($user && $password) { // let admin user change anyone's password without knowing it except his own. if (!elgg_is_admin_logged_in() || elgg_is_admin_logged_in() && $user->guid == elgg_get_logged_in_user_guid()) { $credentials = array('username' => $user->email, 'password' => $current_password); try { pam_handler($credentials); } catch (\LoginException $e) { register_error(elgg_echo('LoginException:ChangePasswordFailure')); return false; } } try { $result = validate_password($password); } catch (\RegistrationException $e) { register_error($e->getMessage()); return false; } if ($result) { if ($password == $password2) { // change it on stormpath if ($user->__stormpath_user) { try { $client = get_client(); $account = $client->dataStore->getResource($user->__stormpath_user, \Stormpath\Stormpath::ACCOUNT); $account->password = $password; $account->save(); } catch (\Exception $exc) { register_error($exc->getMessage()); return false; } } else { if ($password) { add_to_stormpath($user, $password); } } // change it locally $user->salt = _elgg_generate_password_salt(); $user->password = generate_user_password($user, $password); if (is_elgg18()) { $user->code = ''; if ($user->guid == elgg_get_logged_in_user_guid() && !empty($_COOKIE['elggperm'])) { // regenerate remember me code so no other user could // use it to authenticate later $code = _elgg_generate_remember_me_token(); $_SESSION['code'] = $code; $user->code = md5($code); setcookie("elggperm", $code, time() + 86400 * 30, "/"); } } else { _elgg_services()->persistentLogin->handlePasswordChange($user, elgg_get_logged_in_user_entity()); } if ($user->save()) { system_message(elgg_echo('user:password:success')); return true; } else { register_error(elgg_echo('user:password:fail')); } } else { register_error(elgg_echo('user:password:fail:notsame')); } } else { register_error(elgg_echo('user:password:fail:tooshort')); } } else { // no change return null; } return false; }