password.php | searchcode

/users/password.php

https://github.com/bernard357/yacs
PHP | 271 lines | 136 code | 60 blank | 75 comment | 35 complexity | aeccedbac503b15ebe3c6903f844b2a4 MD5 | raw file

<?php
/**
 * change the password for an existing user
 *
 * This page allows users that have been registered locally to change their password.
 * Associates can change any password as well.
 *
 * Users that have only a shadow user profile are invited to go to the origin server.
 *
 * To avoid replay attacks YACS generates a random string and asks anonymous users to type it.
 *
 * This page also helps to recover from lost password. Non-authenticated users
 * can provide their nick name, and a message is sent to the related e-mail
 * address, with a link to authenticate back to the site.
 *
 * @author Bernard Paques
 * @author GnapZ
 * @tester Guillaume Perez
 * @reference
 * @license http://www.gnu.org/copyleft/lesser.txt GNU Lesser General Public License
 */

// common definitions and initial processing
include_once '../shared/global.php';

// look for the id
$id = NULL;
if(isset($_REQUEST['id']))
	$id = $_REQUEST['id'];
elseif(isset($context['arguments'][0]))
	$id = $context['arguments'][0];
elseif(Surfer::is_logged())
	$id = Surfer::get_id();
$id = strip_tags($id);

// get existing user data, if any
$item = Users::get($id);

// is this is a shadow record?
$origin = '';
if(isset($item['password'])) {
	$parts = parse_url($item['password']);
	if(isset($parts['host']))
		$origin = $parts['host'];
}

// optional processing steps
$with_form = FALSE;

// load the skin
load_skin('users');

// the path to this page
$context['path_bar'] = array( 'users/' => i18n::s('People') );

// the title of the page
if(!Surfer::is_logged())
	$context['page_title'] = i18n::s('Lost password');
elseif(isset($item['full_name']) && $item['full_name'])
	$context['page_title'] = sprintf(i18n::s('%s: %s'), i18n::s('Password'), $item['full_name']);
elseif(isset($item['nick_name']))
	$context['page_title'] = sprintf(i18n::s('%s: %s'), i18n::s('Password'), $item['nick_name']);
else
	$context['page_title'] = i18n::s('Change password');

// stop crawlers
if(Surfer::is_crawler()) {
	Safe::header('Status: 401 Unauthorized', TRUE, 401);
	Logger::error(i18n::s('You are not allowed to perform this operation.'));

// we are using an external authenticator
} elseif(isset($context['users_authenticator']) && $context['users_authenticator']) {
	Safe::header('Status: 401 Unauthorized', TRUE, 401);
	Logger::error(i18n::s('You are not allowed to perform this operation.'));

// no user id has been provided
} elseif(!isset($item['id']) || !$item['id']) {
	$context['page_title'] = i18n::s('Lost password');

	// redirect to the query form if mail has been enabled at this site
	if(!isset($context['with_email']) || ($context['with_email'] != 'Y'))
		Safe::redirect($context['url_to_home'].$context['url_to_root'].'query.php');

	// ask for nick name
	$with_form = TRUE;

// anonymous surfers that are recovering from lost password
} elseif(!Surfer::is_logged()) {

	// redirect to the query form if mail has been enabled at this site
	if(!isset($context['with_email']) || ($context['with_email'] != 'Y'))
		Safe::redirect($context['url_to_home'].$context['url_to_root'].'query.php');

	// redirect also if this user has no email address
	if(!isset($item['email']) || !trim($item['email']))
		Safe::redirect($context['url_to_home'].$context['url_to_root'].'query.php');

	// direct arrival
	if(Surfer::may_be_a_robot())
		$with_form = TRUE;

	// send authentication message
	else {

		// message title
		$subject = sprintf(i18n::s('Your account at %s'), strip_tags($context['site_name']));

		// top of the message
		$message = '<p>'.sprintf(i18n::s('This message relates to your account at %s.'),
			'<a href="'.$context['url_to_home'].$context['url_to_root'].'">'.strip_tags($context['site_name']).'</a>').'</p>';

		// mention nick name
		$message .= '<p>'.sprintf(i18n::s('Your nick name is %s'), $item['nick_name']).'</p>';

		// direct link to login page --see users/login.php
		$link = $context['url_to_home'].$context['url_to_root'].Users::get_login_url('login', $id, rand(1000, 9999), $item['handle']);
		$message .= '<p>'.i18n::s('Record this message and use the following link to authenticate to the site at any time:').'</p>'
			.'<p><a href="'.$link.'">'.$link.'</a></p>';

		// caution note
		$message .= '<p>'.i18n::s('Caution: This hyperlink contains your login credentials encrypted. Please be aware anyone who uses this link will have full access to your account.').'</p>';

		// bottom of the message
		$message .= '<p>'.sprintf(i18n::s('On-line help is available at %s'),
			'<a href="'.$context['url_to_home'].$context['url_to_root'].'help/'.'">'.$context['url_to_home'].$context['url_to_root'].'help/'.'</a>').'</p>'
			.'<p>'.sprintf(i18n::s('Thank you for your interest into %s.'),
				'<a href="'.$context['url_to_home'].$context['url_to_root'].'">'.strip_tags($context['site_name']).'</a>').'</p>';

		// enable threading
		$headers = Mailer::set_thread('user:'.$item['id']);

		// post the confirmation message
		Mailer::notify(NULL, $item['email'], $subject, $message, $headers);

		// feed-back message
		$context['text'] .= '<p>'.i18n::s('A reminder message has been sent to you. Check your mailbox and use provided information to authenticate to this site.').'</p>';

		// back to the anchor page
		$links = array();
		$links[] = Skin::build_link('users/login.php', i18n::s('Login'));
		$context['text'] .= Skin::finalize_list($links, 'assistant_bar');

	}


// redirect to the origin server
} elseif($origin) {
	Logger::error(sprintf(i18n::s('We are only keeping a shadow record for this profile. Please handle this account at %s'), Skin::build_link('http://'.$origin, $origin, 'external')));

// password is changing
} elseif(isset($_REQUEST['confirm'])) {

	// restrictions: anyone can modify its own profile; associates can modify everything
	if(($item['id'] != Surfer::get_id()) && !Surfer::is_associate()) {
		Safe::header('Status: 401 Unauthorized', TRUE, 401);
		Logger::error(i18n::s('You are not allowed to perform this operation.'));

	// passwords have to be confirmed
	} elseif(!isset($_REQUEST['password']) || !$_REQUEST['password'] || strcmp($_REQUEST['confirm'], $_REQUEST['password'])) {
		Logger::error(i18n::s('Please confirm your new password.'));
		$with_form = TRUE;

	// stop robots and replay attacks
	} elseif(Surfer::may_be_a_robot()) {
		Logger::error(i18n::s('Please prove you are not a robot.'));
		$with_form = TRUE;

	// display the form on error
	} elseif(!Users::put($_REQUEST)) {
		$with_form = TRUE;

	// save one click to associates
	} elseif(Surfer::is_associate())
		Safe::redirect(Users::get_permalink($item));

	// follow-up
	else {

		// splash message
		$context['text'] .= '<p>'.i18n::s('Password has been changed.').'</p>';

		// back to the anchor page
		$links = array();
		$links[] = Skin::build_link(Users::get_permalink($item), i18n::s('Done'), 'button');
		$context['text'] .= Skin::finalize_list($links, 'assistant_bar');

	}

// display the form on GET
} else
	$with_form = TRUE;

// display the form
if($with_form) {

	// splash message
	if(!isset($item['id']))
		$context['text'] .= '<p>'.i18n::s('If you have registered to this site, type your nick name below and we will send you a web link to authenticate.').'</p>';
	elseif(!Surfer::is_logged())
		$context['text'] .= '<p>'.i18n::s('Please confirm that you would like to receive a message to authenticate to the following account.').'</p>';

	// the form
	$context['text'] .= '<form method="post" action="'.$context['script_url'].'" id="main_form"><div>';
	$fields = array();

	// get nick name
	if(!isset($item['id'])) {
		$label = i18n::s('Nick name');
		$input = '<input type="text" name="id" size="40" />';
		$fields[] = array($label, $input);
	}

	// display full name
	if(isset($item['full_name']) && $item['full_name']) {
		$label = i18n::s('Full name');
		$field = $item['full_name'];
		$fields[] = array($label, $field);
	}

	// display email address
	if(isset($item['email']) && $item['email']) {
		$label = i18n::s('E-mail address');
		$field = $item['email'];
		$fields[] = array($label, $field);
	}

	// surfer is changing password
	if(Surfer::is_logged()) {

		// the password
		$label = i18n::s('New password');
		$input = '<input type="password" name="password" id="password" size="20" value="'.encode_field(isset($_REQUEST['password']) ? $_REQUEST['password'] : '').'" />';
		$fields[] = array($label, $input);

		// the password has to be repeated for confirmation
		$label = i18n::s('Password confirmation');
		$input = '<input type="password" name="confirm" size="20" value="'.encode_field(isset($_REQUEST['confirm']) ? $_REQUEST['confirm'] : '').'" />';
		$fields[] = array($label, $input);

		// append the script used for data checking on the browser
		$context['page_footer'] .= JS_PREFIX
			.'$("#password").focus();'."\n"
			.JS_SUFFIX."\n";

	}

	// stop replay attacks and robots
	if($field = Surfer::get_robot_stopper())
		$fields[] = $field;

	// build the form
	$context['text'] .= Skin::build_form($fields);

	// bottom commands
	$context['text'] .= Skin::finalize_list(array(
		Skin::build_submit_button(i18n::s('Submit'), i18n::s('Press [s] to submit data'), 's'),
		Skin::build_link(Users::get_permalink($item), i18n::s('Cancel'), 'span')
		), 'assistant_bar');

	// hidden field that have to be saved as well
	if(isset($item['id']) && $item['id'])
		$context['text'] .= '<input type="hidden" name="id" value="'.$item['id'].'" />';

	// end of the form
	$context['text'] .= '</div></form>';
}

// render the skin
render_skin();

?>