login/forgot_password.php

   1 <?php
   2
   3 // This file is part of Moodle - http://moodle.org/
   4 //
   5 // Moodle is free software: you can redistribute it and/or modify
   6 // it under the terms of the GNU General Public License as published by
   7 // the Free Software Foundation, either version 3 of the License, or
   8 // (at your option) any later version.
   9 //
  10 // Moodle is distributed in the hope that it will be useful,
  11 // but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13 // GNU General Public License for more details.
  14 //
  15 // You should have received a copy of the GNU General Public License
  16 // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  17
  18 /**
  19  * Forgot password routine.
  20  *
  21  * Finds the user and calls the appropriate routine for their authentication type.
  22  *
  23  * @package    core
  24  * @subpackage auth
  25  * @copyright  1999 onwards Martin Dougiamas  http://dougiamas.com
  26  * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  27  */
  28
  29 require('../config.php');
  30 require_once('forgot_password_form.php');
  31
  32 $p_secret   = optional_param('p', false, PARAM_RAW);
  33 $p_username = optional_param('s', false, PARAM_RAW);
  34
  35 //HTTPS is required in this page when $CFG->loginhttps enabled
  36 $PAGE->https_required();
  37
  38 $PAGE->set_url('/login/forgot_password.php');
  39 $systemcontext = get_context_instance(CONTEXT_SYSTEM);
  40 $PAGE->set_context($systemcontext);
  41
  42 // setup text strings
  43 $strforgotten = get_string('passwordforgotten');
  44 $strlogin     = get_string('login');
  45
  46 $PAGE->navbar->add($strlogin, get_login_url());
  47 $PAGE->navbar->add($strforgotten);
  48 $PAGE->set_title($strforgotten);
  49 $PAGE->set_heading($COURSE->fullname);
  50
  51 // if alternatepasswordurl is defined, then we'll just head there
  52 if (!empty($CFG->forgottenpasswordurl)) {
  53     redirect($CFG->forgottenpasswordurl);
  54 }
  55
  56 // if you are logged in then you shouldn't be here!
  57 if (isloggedin() and !isguestuser()) {
  58     redirect($CFG->wwwroot.'/index.php', get_string('loginalready'), 5);
  59 }
  60
  61 if ($p_secret !== false) {
  62 ///=====================
  63 /// user clicked on link in email message
  64 ///=====================
  65
  66     update_login_count();
  67
  68     $user = $DB->get_record('user', array('username'=>$p_username, 'mnethostid'=>$CFG->mnet_localhost_id, 'deleted'=>0, 'suspended'=>0));
  69
  70     if ($user and ($user->auth === 'nologin' or !is_enabled_auth($user->auth))) {
  71         // bad luck - user is not able to login, do not let them reset password
  72         $user = false;
  73     }
  74
  75     if (!empty($user) and $user->secret === '') {
  76         echo $OUTPUT->header();
  77         print_error('secretalreadyused');
  78     } else if (!empty($user) and $user->secret == $p_secret) {
  79         // make sure that url relates to a valid user
  80
  81         // check this isn't guest user
  82         if (isguestuser($user)) {
  83             print_error('cannotresetguestpwd');
  84         }
  85
  86         // make sure user is allowed to change password
  87         require_capability('moodle/user:changeownpassword', $systemcontext, $user->id);
  88
  89         if (!reset_password_and_mail($user)) {
  90             print_error('cannotresetmail');
  91         }
  92
  93         // Clear secret so that it can not be used again
  94         $user->secret = '';
  95         $DB->set_field('user', 'secret', $user->secret, array('id'=>$user->id));
  96
  97         reset_login_count();
  98
  99         $changepasswordurl = "{$CFG->httpswwwroot}/login/change_password.php";
 100         $a = new stdClass();
 101         $a->email = $user->email;
 102         $a->link = $changepasswordurl;
 103
 104         echo $OUTPUT->header();
 105         notice(get_string('emailpasswordsent', '', $a), $changepasswordurl);
 106
 107     } else {
 108         if (!empty($user) and strlen($p_secret) === 15) {
 109             // somebody probably tries to hack in by guessing secret - stop them!
 110             $DB->set_field('user', 'secret', '', array('id'=>$user->id));
 111         }
 112         echo $OUTPUT->header();
 113         print_error('forgotteninvalidurl');
 114     }
 115
 116     die; //never reached
 117 }
 118
 119 $mform = new login_forgot_password_form();
 120
 121 if ($mform->is_cancelled()) {
 122     redirect(get_login_url());
 123
 124 } else if ($data = $mform->get_data()) {
 125 /// find the user in the database and mail info
 126
 127     // first try the username
 128     if (!empty($data->username)) {
 129         $username = textlib_get_instance()->strtolower($data->username); // mimic the login page process, if they forget username they need to use email for reset
 130         $user = $DB->get_record('user', array('username'=>$username, 'mnethostid'=>$CFG->mnet_localhost_id, 'deleted'=>0, 'suspended'=>0));
 131
 132     } else {
 133         // this is tricky because
 134         // 1/ the email is not guaranteed to be unique - TODO: send email with all usernames to select the correct account for pw reset
 135         // 2/ mailbox may be case sensitive, the email domain is case insensitive - let's pretend it is all case-insensitive
 136
 137         $select = $DB->sql_like('email', ':email', false, true, false, '|'). " AND mnethostid = :mnethostid AND deleted=0 AND suspended=0";
 138         $params = array('email'=>$DB->sql_like_escape($data->email, '|'), 'mnethostid'=>$CFG->mnet_localhost_id);
 139         $user = $DB->get_record_select('user', $select, $params, '*', IGNORE_MULTIPLE);
 140     }
 141
 142     if ($user and !empty($user->confirmed)) {
 143
 144         $userauth = get_auth_plugin($user->auth);
 145         if (has_capability('moodle/user:changeownpassword', $systemcontext, $user->id)) {
 146             // send email
 147         }
 148
 149         if ($userauth->can_reset_password() and is_enabled_auth($user->auth)
 150           and has_capability('moodle/user:changeownpassword', $systemcontext, $user->id)) {
 151             // send reset password confirmation
 152
 153             // set 'secret' string
 154             $user->secret = random_string(15);
 155             $DB->set_field('user', 'secret', $user->secret, array('id'=>$user->id));
 156
 157             if (!send_password_change_confirmation_email($user)) {
 158                 print_error('cannotmailconfirm');
 159             }
 160
 161         } else {
 162             if (!send_password_change_info($user)) {
 163                 print_error('cannotmailconfirm');
 164             }
 165         }
 166     }
 167
 168     echo $OUTPUT->header();
 169
 170     if (empty($user->email) or !empty($CFG->protectusernames)) {
 171         // Print general confirmation message
 172         notice(get_string('emailpasswordconfirmmaybesent'), $CFG->wwwroot.'/index.php');
 173
 174     } else {
 175         // Confirm email sent
 176         $protectedemail = preg_replace('/([^@]*)@(.*)/', '******@$2', $user->email); // obfuscate the email address to protect privacy
 177         $stremailpasswordconfirmsent = get_string('emailpasswordconfirmsent', '', $protectedemail);
 178         notice($stremailpasswordconfirmsent, $CFG->wwwroot.'/index.php');
 179     }
 180
 181     die; // never reached
 182 }
 183
 184 // make sure we really are on the https page when https login required
 185 $PAGE->verify_https_required();
 186
 187
 188 /// DISPLAY FORM
 189
 190 echo $OUTPUT->header();
 191 echo $OUTPUT->box(get_string('passwordforgotteninstructions2'), 'generalbox boxwidthnormal boxaligncenter');
 192 $mform->display();
 193
 194 echo $OUTPUT->footer();