From 55a02149b3f6196b9f743f528dc0795f8c3e5460 Mon Sep 17 00:00:00 2001 From: Christian Fowler Date: Tue, 12 Sep 2006 19:26:48 +0000 Subject: major overhaul to change and remind password. This should fix outstanding issues, and clean up old TW code. It also reduced the lenght of the confirm URL so email apps are less likely to truncate it. If you need to change anything related to user password confirmation or changing, please check with spiderr first. --- BitUser.php | 49 ++++++++++++++++++++++++++++--------------------- 1 file changed, 28 insertions(+), 21 deletions(-) (limited to 'BitUser.php') diff --git a/BitUser.php b/BitUser.php index ad6e809..9c8bf67 100644 --- a/BitUser.php +++ b/BitUser.php @@ -1,6 +1,6 @@ - * @version $Revision: 1.104 $ + * @version $Revision: 1.105 $ * @package users * @subpackage BitUser */ @@ -363,18 +363,18 @@ class BitUser extends LibertyAttachable { return ( count($this->mErrors) == 0 ); } - function verifyPasswordFormat( $pPassword ) { + function verifyPasswordFormat( $pPassword, $pPassword2=NULL ) { global $gBitSystem; $minPassword = $gBitSystem->getConfig( 'users_min_pass_length', 4 ); if( strlen( $pPassword ) < $minPassword ) { return ( tra( 'Your password should be at least '.$minPassword.' characters long' ) ); } - if( !empty( $pParamHash['password2'] ) && ($pPassword != $pParamHash['password2']) ) { + if( !empty( $pPassword2 ) && ($pPassword != $pPassword2) ) { return( tra( 'The passwords do not match' ) ); } if( $gBitSystem->isFeatureActive( 'users_pass_chr_num' ) && - (!preg_match_all( "/[0-9]+/",$pParamHash["password"],$foo ) || !preg_match_all("/[A-Za-z]+/",$pParamHash["password"],$foo)) ) { + (!preg_match_all( "/[0-9]+/",$pPassword,$foo ) || !preg_match_all("/[A-Za-z]+/",$pPassword,$foo)) ) { return ( tra( 'Password must contain both letters and numbers' ) ); } @@ -706,8 +706,7 @@ return false; } // Verify user is valid - $validate_result = $this->validate($pLogin, $pPassword, $pChallenge, $pResponse); - if( $validate_result ) { + if( $this->validate($pLogin, $pPassword, $pChallenge, $pResponse) ) { $loginCol = strpos( $pLogin, '@' ) ? 'email' : 'login'; $userInfo = $this->getUserInfo( array( $loginCol => $pLogin ) ); // If the password is valid but it is due then force the user to change the password by @@ -717,11 +716,9 @@ return false; // Redirect the user to the screen where he must change his password. // Note that the user is not logged in he's just validated to change his password // The user must re-enter his old password so no secutiry risk involved - $url = USERS_PKG_URL.'change_password.php?user_id='.$userInfo['user_id']. '&oldpass=' . urlencode($pPassword); + $url = USERS_PKG_URL.'change_password.php?user_id='.$userInfo['user_id']; } elseif( $userInfo['user_id'] != ANONYMOUS_USER_ID ) { - // User is valid and not due to change pass.. start session - //session_register('user',$user); - //unset session variable in case user su's + // User is valid and not due to change pass.. $this->mUserId = $userInfo['user_id']; $this->load(); $this->loadPermissions(); @@ -742,6 +739,7 @@ return false; $this->updateSession( $_COOKIE[$user_cookie_site] ); } } else { +vd( $this->mErrors ); $url = USERS_PKG_URL.'login.php?error=' . urlencode(tra('Invalid username or password')); } $https_mode = isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on'; @@ -890,17 +888,15 @@ return false; return ($ret); } - function confirmRegistration( $pUser, $pProvpass ) { + function confirmRegistration( $pUserId, $pProvpass ) { global $gBitSystem; $now = $gBitSystem->getUTCTime(); $query = "select `user_id`, `provpass`, `user_password`, `login`, `email` FROM `".BIT_DB_PREFIX."users_users` - WHERE `login`=? AND `provpass`=? AND ( `provpass_expires` is NULL or `provpass_expires` > ?)"; - $user_found = $this->mDb->getRow($query, array( $pUser, $pProvpass, $now ) ) ; + WHERE `user_id`=? AND `provpass`=? AND ( `provpass_expires` is NULL or `provpass_expires` > ?)"; + $user_found = $this->mDb->getRow($query, array( $pUserId, $pProvpass, $now ) ) ; return ($user_found); } - - function change_user_email( $pUserId, $pUsername, $pEmail, $pPass ) { $query = "UPDATE `".BIT_DB_PREFIX."users_users` SET `email`=? WHERE `user_id`=?"; $result = $this->mDb->query( $query, array( $pEmail, $pUserId ) ); @@ -1047,6 +1043,7 @@ return false; $retval["cant"] = $cant; return $retval; } + /*shared*/ function getUserActivity( $pListHash=NULL ) { $bindVars = array(); @@ -1057,13 +1054,23 @@ return false; $whereSql = ''; if( !empty( $pListHash['last_get'] ) ) { - $whereSql .= ' AND `last_get` > ? '; + $whereSql .= ' AND uc.`last_get` > ? '; $bindVars[] = time() - $pListHash['last_get']; } - $query = "select DISTINCT ls.`user_id`, `login`, `real_name` ,`connect_time`, `ip`, `user_agent`, `last_get` - FROM `".BIT_DB_PREFIX."users_cnxn` ls INNER JOIN `".BIT_DB_PREFIX."users_users` uu ON (ls.`user_id`=uu.`user_id`) - WHERE ls.`user_id` IS NOT NULL $whereSql + if( @BitBase::verifyId( $pListHash['user_id'] ) ) { + $whereSql .= ' AND uc.`user_id` = ? '; + $bindVars[] = $pListHash['user_id']; + } + + if( !empty( $pListHash['ip'] ) ) { + $whereSql .= ' AND uc.`ip` = ? '; + $bindVars[] = $pListHash['ip']; + } + + $query = "select DISTINCT uc.`user_id`, `login`, `real_name` ,`connect_time`, `ip`, `user_agent`, `last_get` + FROM `".BIT_DB_PREFIX."users_cnxn` uc INNER JOIN `".BIT_DB_PREFIX."users_users` uu ON (uc.`user_id`=uu.`user_id`) + WHERE uc.`user_id` IS NOT NULL $whereSql ORDER BY ".$this->mDb->convert_sortmode( $pListHash['sort_mode'] ); $result = $this->mDb->query($query, $bindVars, $pListHash['max_records'] ); $ret = array(); -- cgit v1.3