user_update_user($usernew, false, false); // Set new password if specified. if (!empty($usernew->newpassword)) { if ($authplugin->can_change_password()) { if (!$authplugin->user_update_password($usernew, $usernew->newpassword)) { print_error('cannotupdatepasswordonextauth', '', '', $usernew->auth); } unset_user_preference('create_password', $usernew); // Prevent cron from generating the password. if (!empty($CFG->passwordchangelogout)) { // We can use SID of other user safely here because they are unique, // the problem here is we do not want to logout admin here when changing own password. \core\session\manager::kill_user_sessions($usernew->id, session_id()); } if (!empty($usernew->signoutofotherservices)) { webservice::delete_user_ws_tokens($usernew->id); } } } // Force logout if user just suspended. if (isset($usernew->suspended) and $usernew->suspended and !$user->suspended) { \core\session\manager::kill_user_sessions($user->id); } } $usercontext = context_user::instance($usernew->id); // Update preferences. useredit_update_user_preference($usernew); // Update tags. if (empty($USER->newadminuser) && isset($usernew->interests)) { useredit_update_interests($usernew, $usernew->interests); }
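/**
 * Update password hash in user object (if necessary).
 *
 * The password is updated if:
 * 1. The password has changed (the supplied plain text no longer verifies
 *    against the hash in $user->password, or $user->password is not set).
 * 2. The existing hash is using an out-of-date algorithm (or the legacy
 *    md5 algorithm).
 *
 * When the user's auth plugin prevents local passwords, the
 * AUTH_PASSWORD_NOT_CACHED marker is stored instead of a hash.
 *
 * Updating the password will modify the $user object and the database
 * record to use the current hashing algorithm, and triggers the
 * \core\event\user_password_updated event.
 *
 * Web Services user tokens are removed only when
 * $CFG->passwordchangetokendeletion is enabled. This function does not end
 * any of the user's existing sessions; code that needs sessions revoked
 * after a password change has to do that itself.
 *
 * @param stdClass $user User object (password property may be updated).
 * @param string $password Plain text password.
 * @param bool $fasthash If true, use a low cost factor when generating the hash
 *                       This is much faster to generate but makes the hash
 *                       less secure. It is used when lots of hashes need to
 *                       be generated quickly.
 * @return bool Always returns true.
 */
function update_internal_user_password($user, $password, $fasthash = false) {
    global $CFG, $DB;

    // Figure out what the hashed password should be.
    if (!isset($user->auth)) {
        debugging('User record in update_internal_user_password() must include field auth', DEBUG_DEVELOPER);
        $user->auth = $DB->get_field('user', 'auth', array('id' => $user->id));
    }
    $authplugin = get_auth_plugin($user->auth);
    if ($authplugin->prevent_local_passwords()) {
        // No local credential is kept for this auth type, only the marker.
        $hashedpassword = AUTH_PASSWORD_NOT_CACHED;
    } else {
        $hashedpassword = hash_internal_user_password($password, $fasthash);
    }

    $algorithmchanged = false;

    if (!isset($user->password)) {
        // While creating a new user the password is unset in the $user object (to avoid
        // saving it with user_create()), so there is nothing to compare against. Checking
        // this first also keeps the marker comparison below from reading an undefined
        // property, which raised a PHP notice/warning before yielding the same result.
        $passwordchanged = true;
    } else if ($hashedpassword === AUTH_PASSWORD_NOT_CACHED) {
        // Password is not cached, update it if not set to AUTH_PASSWORD_NOT_CACHED.
        $passwordchanged = $user->password !== $hashedpassword;
    } else {
        // If verification fails then it means the password has changed.
        $passwordchanged = !password_verify($password, $user->password);
        // Flags a stored hash whose algorithm or cost differs from PHP's current default,
        // so it gets replaced below even when the password itself is unchanged.
        $algorithmchanged = password_needs_rehash($user->password, PASSWORD_DEFAULT);
    }

    if ($passwordchanged || $algorithmchanged) {
        $DB->set_field('user', 'password', $hashedpassword, array('id' => $user->id));
        // The caller's object is updated here; the re-read below only rebinds the local variable.
        $user->password = $hashedpassword;

        // Trigger event.
        $user = $DB->get_record('user', array('id' => $user->id));
        \core\event\user_password_updated::create_from_user($user)->trigger();

        // Remove WS user tokens (opt-in: without this setting existing tokens keep working).
        if (!empty($CFG->passwordchangetokendeletion)) {
            require_once $CFG->dirroot . '/webservice/lib.php';
            webservice::delete_user_ws_tokens($user->id);
        }
    }

    return true;
}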
$mform->set_data(array('id' => $course->id)); $navlinks = array(); $navlinks[] = array('name' => $strparticipants, 'link' => "{$CFG->wwwroot}/user/index.php?id={$course->id}", 'type' => 'misc'); if ($mform->is_cancelled()) { redirect($CFG->wwwroot . '/user/preferences.php?userid=' . $USER->id . '&course=' . $course->id); } else { if ($data = $mform->get_data()) { if (!$userauth->user_update_password($USER, $data->newpassword1)) { print_error('errorpasswordupdate', 'auth'); } user_add_password_history($USER->id, $data->newpassword1); if (!empty($CFG->passwordchangelogout)) { \core\session\manager::kill_user_sessions($USER->id, session_id()); } if (!empty($data->signoutofotherservices)) { webservice::delete_user_ws_tokens($USER->id); } // Reset login lockout - we want to prevent any accidental confusion here. login_unlock_account($USER); // register success changing password unset_user_preference('auth_forcepasswordchange', $USER); unset_user_preference('create_password', $USER); $strpasswordchanged = get_string('passwordchanged'); $fullname = fullname($USER, true); $PAGE->set_title($strpasswordchanged); $PAGE->set_heading(fullname($USER)); echo $OUTPUT->header(); notice($strpasswordchanged, new moodle_url($PAGE->url, array('return' => 1))); echo $OUTPUT->footer(); exit; }