login/forgot_password.php

   1 <?php
   2 // $Id$
   3 // forgot password routine.
   4 // find the user and call the appropriate routine for their authentication
   5 // type.
   6
   7 require_once('../config.php');
   8 require_once('forgot_password_form.php');
   9
  10 $action     = optional_param('action', '', PARAM_ALPHA);
  11 $p_secret   = optional_param('p', false, PARAM_RAW);
  12 $p_username = optional_param('s', false, PARAM_RAW);
  13
  14 httpsrequired();
  15
  16 $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
  17
  18 // setup text strings
  19 $strcancel             = get_string('cancel');
  20 $strconfirmednot       = get_string('confirmednot');
  21 $stremail              = get_string('email');
  22 $stremailnotfound      = get_string('emailnotfound');
  23 $strerror              = get_string('error');
  24 $strforgotten          = get_string('passwordforgotten');
  25 $strforgottenduplicate = get_string('forgottenduplicate', 'moodle', get_admin()); // does not exist in lang file??
  26 $strforgotteninstruct  = get_string('passwordforgotteninstructions');
  27 $strinvalidemail       = get_string('invalidemail');
  28 $strinvalidurl         = get_string('forgotteninvalidurl');
  29 $strlogin              = get_string('login');
  30 $strloginalready       = get_string('loginalready');
  31 $strok                 = get_string('ok');
  32 $strpasswordnohelp     = get_string('passwordnohelp');
  33 $strsecretalreadyused  = get_string('secretalreadyused');
  34 $strsenddetails        = get_string('senddetails');
  35 $strusername           = get_string('username');
  36 $strusernameemailmatch = get_string('usernameemailmatch');
  37 $strusernamenotfound   = get_string('usernamenotfound');
  38
  39 $errors = array();
  40 $page = ''; // page to display
  41
  42
  43 // if you are logged in then you shouldn't be here!
  44 if (isloggedin() && !isguestuser()) {
  45     redirect($CFG->wwwroot.'/index.php', $strloginalready, 5);
  46 }
  47
  48 $mform = new login_forgot_password_form();
  49
  50 if ($mform->is_cancelled()) {
  51     redirect($CFG->httpswwwroot.'/login/index.php');
  52 }
  53
  54 if ($action == 'find' and $param = $mform->get_data()) {
  55 ///=====================
  56 /// find the user in the database and mail info
  57 ///=====================
  58
  59     // first try the username
  60     if (!empty($param->username)) {
  61         if (!$user = get_complete_user_data('username', $param->username)) {
  62             $errors[] = $strusernamenotfound;
  63         }
  64     } else {
  65         $user = false;
  66     }
  67
  68     // now try email
  69     if (!empty($param->email)) {
  70         // validate email address 1st
  71         if (!validate_email($param->email)) {
  72             $errors[] = $strinvalidemail;
  73
  74         } else if (count_records('user', 'email', $param->email) > 1) {
  75             // (if there is more than one instance of the email then we
  76             // cannot complete automated recovery)
  77             $page = 'duplicateemail';
  78             $errors[] = $strforgottenduplicate;
  79
  80         } else if (!$mailuser = get_complete_user_data('email', $param->email)) {
  81             $errors[] = $stremailnotfound;
  82         }
  83
  84         // just in case they did specify both...
  85         // if $user exists then check they actually match (then just use $user)
  86         if (!empty($user) and !empty($mailuser)) {
  87             if ($user->id != $mailuser->id) {
  88                 $errors[] = $strusernameemailmatch;
  89             }
  90             $user = $mailuser;
  91         }
  92
  93         // use email user if username not used or located
  94         if (!empty($mailuser) and empty($user)) {
  95             $user = $mailuser;
  96         }
  97     }
  98
  99     // if user located (and no errors) take the appropriate action
 100     if (empty($errors) and !empty($user)) {
 101
 102          $userauth = get_auth_plugin($user->auth);
 103
 104         // check this user isn't 'unconfirmed'
 105         if (empty($user->confirmed)) {
 106             $errors[] = $strconfirmednot;
 107
 108         } else {
 109             if (method_exists($userauth, 'can_reset_password') and $userauth->can_reset_password()) {
 110                 // reset internal password and notify user
 111
 112                 // set 'secret' string
 113                 $user->secret = random_string(15);
 114                 if (!set_field('user', 'secret', $user->secret, 'id', $user->id)) {
 115                     error('error setting user secret string');
 116                 }
 117
 118                 // send email (make sure mail block is off)
 119                 $user->mailstop = 0;
 120                 if (!send_password_change_confirmation_email($user)) {
 121                     error('error sending password change confirmation email');
 122                 }
 123
 124                 // display confirm message
 125                 $page = 'emailconfirm';
 126
 127             } else {
 128                 // send email (make sure mail block is off)
 129                 $user->mailstop = 0;
 130                 if (!send_password_change_info($user)) {
 131                     error('error sending password change confirmation email');
 132                 }
 133
 134                 // display confirm message
 135                 $page = 'emailconfirm';
 136             }
 137         }
 138     }
 139
 140     if (!empty($CFG->protectusernames)) {
 141         // do not give any hints about usernames or email!
 142         $errors = array();
 143         $page = 'emailmaybeconfirmed';
 144     }
 145
 146     if (empty($param->username) and empty($param->email)) {
 147         // nothing supplied - show error in any case
 148         $errors[] = 'no email or username';
 149         $page = '';
 150     }
 151
 152
 153 } else if ($p_secret !== false) {
 154 ///=====================
 155 /// user clicked on link in email message
 156 ///=====================
 157
 158     update_login_count();
 159
 160     $user = get_complete_user_data('username', $p_username);
 161
 162     if (!empty($user) and $user->secret === '') {
 163         $errors[] = $strsecretalreadyused;
 164
 165     } else if (!empty($user) and $user->secret == stripslashes($p_secret)) {
 166         // make sure that url relates to a valid user
 167
 168         // check this isn't guest user
 169         // TODO: add change password capability so that we can prevent participants to change password
 170         if (isguestuser($user) or has_capability('moodle/legacy:guest', $sitecontext, $user->id, false)) {
 171             error('You cannot reset the guest password');
 172         }
 173
 174         // override email stop and mail new password
 175         $user->emailstop = 0;
 176         if (!reset_password_and_mail($user)) {
 177             error('Error resetting password and mailing you');
 178         }
 179
 180         // Clear secret so that it can not be used again
 181         $user->secret = '';
 182         if (!set_field('user', 'secret', $user->secret, 'id', $user->id)) {
 183             error('Error resetting user secret string');
 184         }
 185
 186         reset_login_count();
 187         $page = 'emailsent';
 188
 189         $changepasswordurl = "{$CFG->httpswwwroot}/login/change_password.php";
 190         $a = new object();
 191         $a->email = $user->email;
 192         $a->link = $changepasswordurl;
 193         $stremailpasswordsent = get_string('emailpasswordsent', '', $a);
 194     } else {
 195        $errors[] = $strinvalidurl;
 196     }
 197
 198 }
 199
 200
 201 //******************************
 202 // DISPLAY PART
 203 //******************************
 204
 205 print_header($strforgotten, $strforgotten,
 206     "<a href=\"{$CFG->wwwroot}/login/index.php\">{$strlogin}</a>->{$strforgotten}",
 207     'form.email');
 208
 209 if ($page == 'emailmaybeconfirmed') {
 210     // Print general confirmation message
 211     notice(get_string('emailpasswordconfirmmaybesent'), $CFG->wwwroot.'/index.php');
 212 }
 213
 214
 215 /// ---------------------------------------------
 216 /// check $page for appropriate page to display
 217 if ($page == 'emailconfirm') {
 218     // Confirm (internal method) email sent
 219     $protectedemail = preg_replace('/([^@]*)@(.*)/', '******@$2', $user->email); // obfuscate the email address to protect privacy
 220     $stremailpasswordconfirmsent = get_string('emailpasswordconfirmsent', '', $protectedemail);
 221     notice($stremailpasswordconfirmsent, $CFG->wwwroot.'/index.php');
 222
 223 } else if ($page == 'emailsent') {
 224     // mail sent with new password
 225     notice($stremailpasswordsent, $changepasswordurl);
 226
 227 } else if ($page == 'duplicateemail') {
 228     // email address appears more than once
 229     notice($strforgottenduplicate, $CFG->wwwroot.'/index.php');
 230
 231 } else {
 232     // display any errors
 233     if (!empty($errors)) {
 234         print_box_start('generalbox boxwidthnormal boxaligncenter');
 235         $s = $strerror;
 236         $s .= '<ul class="errors">';
 237         foreach ($errors as $error) {
 238             $s .= '<li>'.$error.'</li>';
 239         }
 240         $s .= '</ul>';
 241         notify($s, 'notifyproblem');
 242         print_box_end();
 243     }
 244 }
 245
 246 if(!$mform->get_data() or !empty($errors)) {
 247     print_box_start('generalbox boxwidthnormal boxaligncenter');
 248     echo $strforgotteninstruct;
 249     print_box_end();
 250     $mform->display();
 251 }
 252
 253 print_footer();
 254
 255 ?>