Пример #1
     user_update_user($usernew, false, false);
     // Set a new password only when the submitted data carries a non-empty one.
     if (!empty($usernew->newpassword)) {
         // NOTE(review): if the auth plugin cannot change passwords, the submitted
         // password is dropped here without any message - confirm that is intended.
         if ($authplugin->can_change_password()) {
             if (!$authplugin->user_update_password($usernew, $usernew->newpassword)) {
                 print_error('cannotupdatepasswordonextauth', '', '', $usernew->auth);
             }
             // Clear the 'create_password' preference to prevent cron from generating the password.
             unset_user_preference('create_password', $usernew);
             // Existing sessions are ended only when the site setting passwordchangelogout
             // is enabled; with it disabled they are left in place after the password change.
             if (!empty($CFG->passwordchangelogout)) {
                 // session_id() is the session of whoever submits this form. Session ids are
                 // unique, so passing it is harmless when editing another user; it is passed
                 // so that an admin changing their own password is not logged out.
                 \core\session\manager::kill_user_sessions($usernew->id, session_id());
             }
             // Web service tokens are deleted only when signoutofotherservices was set in the
             // submitted data; otherwise tokens issued before the change are left untouched.
             if (!empty($usernew->signoutofotherservices)) {
                 webservice::delete_user_ws_tokens($usernew->id);
             }
         }
     }
     // Force logout if the user has just been suspended (was not suspended, now is).
     // No session id is passed here, unlike the password-change call above.
     if (isset($usernew->suspended) and $usernew->suspended and !$user->suspended) {
         \core\session\manager::kill_user_sessions($user->id);
     }
 }
 // User context of the edited account; where it is used lies outside this excerpt.
 $usercontext = context_user::instance($usernew->id);
 // Update preferences.
 useredit_update_user_preference($usernew);
 // Update tags (interests): only when the form supplied them and $USER->newadminuser is empty.
 if (empty($USER->newadminuser) && isset($usernew->interests)) {
     useredit_update_interests($usernew, $usernew->interests);
 }
Пример #2
/**
 * Bring a user's stored password hash in line with a plain text password.
 *
 * The stored value is rewritten when either of these holds:
 * 1. The plain text password does not verify against $user->password, or
 *    $user->password is not set (as happens while a user is being created).
 * 2. password_needs_rehash() reports that the existing hash does not match
 *    PASSWORD_DEFAULT (an out-of-date algorithm, or the legacy md5 hashes).
 *
 * When the auth plugin prevents local passwords, AUTH_PASSWORD_NOT_CACHED is
 * stored in place of a hash.
 *
 * On a rewrite the 'password' field is updated both in the database and on
 * $user, and \core\event\user_password_updated is triggered.
 *
 * Security notes:
 * - Web Services tokens are deleted only when $CFG->passwordchangetokendeletion
 *   is non-empty; with that setting off, existing tokens are left in place
 *   after the password changes.
 * - No sessions are terminated here; a caller that wants existing sessions
 *   ended must do that itself.
 * - A rewrite caused only by an algorithm change (case 2) also triggers the
 *   event and the optional token deletion.
 *
 * @param stdClass $user User object (password property may be updated).
 * @param string $password Plain text password.
 * @param bool $fasthash If true, a low cost factor is used when generating the
 *                       hash. That is much faster but yields a weaker hash; it
 *                       exists for generating many hashes quickly.
 * @return bool Always returns true.
 */
function update_internal_user_password($user, $password, $fasthash = false)
{
    global $CFG, $DB;

    // Callers are expected to supply the auth field; when it is missing, warn
    // developers and read it from the database.
    if (!isset($user->auth)) {
        debugging('User record in update_internal_user_password() must include field auth', DEBUG_DEVELOPER);
        $user->auth = $DB->get_field('user', 'auth', array('id' => $user->id));
    }

    // Decide what should be stored: a real hash, or the "not cached" marker for
    // auth plugins that do not allow local passwords.
    $plugin = get_auth_plugin($user->auth);
    $newhash = $plugin->prevent_local_passwords()
        ? AUTH_PASSWORD_NOT_CACHED
        : hash_internal_user_password($password, $fasthash);

    $needsrehash = false;
    if ($newhash === AUTH_PASSWORD_NOT_CACHED) {
        // Nothing is cached locally: rewrite unless the marker is already stored.
        $differs = $user->password !== $newhash;
    } else if (!isset($user->password)) {
        // During user creation the password is unset on $user so that
        // user_create() does not save it.
        $differs = true;
    } else {
        // A failed verification means the password has changed.
        $differs = !password_verify($password, $user->password);
        $needsrehash = password_needs_rehash($user->password, PASSWORD_DEFAULT);
    }

    if (!$differs && !$needsrehash) {
        return true;
    }

    $DB->set_field('user', 'password', $newhash, array('id' => $user->id));
    $user->password = $newhash;

    // Reload the record and trigger the event from it.
    $user = $DB->get_record('user', array('id' => $user->id));
    \core\event\user_password_updated::create_from_user($user)->trigger();

    // Token removal is optional and controlled by a site setting.
    if (!empty($CFG->passwordchangetokendeletion)) {
        require_once $CFG->dirroot . '/webservice/lib.php';
        webservice::delete_user_ws_tokens($user->id);
    }

    return true;
}
Пример #3
// Hand the course id to the form as its 'id' value.
$mform->set_data(array('id' => $course->id));
// Navigation entry for the participants page, built from $CFG->wwwroot and the course id.
$navlinks = array();
$navlinks[] = array('name' => $strparticipants, 'link' => "{$CFG->wwwroot}/user/index.php?id={$course->id}", 'type' => 'misc');
if ($mform->is_cancelled()) {
    redirect($CFG->wwwroot . '/user/preferences.php?userid=' . $USER->id . '&course=' . $course->id);
} else {
    // Handle a submission: the branch runs only when get_data() returns a non-empty value.
    if ($data = $mform->get_data()) {
        if (!$userauth->user_update_password($USER, $data->newpassword1)) {
            print_error('errorpasswordupdate', 'auth');
        }
        // Record the new password in the user's password history, after the update call above.
        user_add_password_history($USER->id, $data->newpassword1);
        // Existing sessions are ended only when the site setting passwordchangelogout is
        // enabled. session_id() is passed as well - presumably the session to keep; TODO confirm.
        if (!empty($CFG->passwordchangelogout)) {
            \core\session\manager::kill_user_sessions($USER->id, session_id());
        }
        // Web service tokens are deleted only when signoutofotherservices was set in the
        // submitted data; otherwise tokens issued before the change are left untouched.
        if (!empty($data->signoutofotherservices)) {
            webservice::delete_user_ws_tokens($USER->id);
        }
        // Reset login lockout - we want to prevent any accidental confusion here.
        login_unlock_account($USER);
        // The change succeeded: clear the forced-change and create_password preferences.
        unset_user_preference('auth_forcepasswordchange', $USER);
        unset_user_preference('create_password', $USER);
        $strpasswordchanged = get_string('passwordchanged');
        // NOTE(review): $fullname is assigned but not used in the visible lines.
        $fullname = fullname($USER, true);
        $PAGE->set_title($strpasswordchanged);
        $PAGE->set_heading(fullname($USER));
        // Render the confirmation notice and stop the script.
        echo $OUTPUT->header();
        notice($strpasswordchanged, new moodle_url($PAGE->url, array('return' => 1)));
        echo $OUTPUT->footer();
        exit;
    }