MDL-22631 Added some clean_param calls to clean the $_GET data and also added lots...
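<?php
// $Id$
// forgot password routine.
// find the user and call the appropriate routine for their authentication
// type.
//
// The script has two entry modes, selected by the presence of the 'p' parameter:
//   - 'p' absent: display login_forgot_password_form; on submit look the user
//     up by username or email, store a fresh random secret where the auth
//     plugin can reset passwords, and send the corresponding email.
//   - 'p' present together with 's': the user followed the emailed link.
//     The secret is verified, the password reset and mailed, and the secret
//     cleared so the link cannot be reused.

require_once('../config.php');
require_once('forgot_password_form.php');

// 'p' is the one-time secret carried by the emailed link, 's' the username it was
// issued for. The default of false lets "parameter absent" be told apart from an
// empty string, which is what selects the form mode below.
$p_secret   = optional_param('p', false, PARAM_RAW);
$p_username = optional_param('s', false, PARAM_RAW);

httpsrequired();

$systemcontext = get_context_instance(CONTEXT_SYSTEM);

// setup text strings
$strforgotten = get_string('passwordforgotten');
$strlogin     = get_string('login');

$navigation = build_navigation(array(
    array('name' => $strlogin,     'link' => "$CFG->wwwroot/login/index.php", 'type' => 'misc'),
    array('name' => $strforgotten, 'link' => null,                            'type' => 'misc'),
));

// if alternatepasswordurl is defined, then we'll just head there
if (!empty($CFG->forgottenpasswordurl)) {
    redirect($CFG->forgottenpasswordurl);
}

// if you are logged in then you shouldn't be here!
if (isloggedin() and !isguestuser()) {
    redirect($CFG->wwwroot.'/index.php', get_string('loginalready'), 5);
}

if ($p_secret !== false) {
    ///=====================
    /// user clicked on link in email message
    ///=====================

    update_login_count();

    $user = get_complete_user_data('username', $p_username);
    if (!empty($user) and $user->secret === '') {
        // An empty secret is what a consumed link leaves behind (see the clearing
        // step further down), so this link has already been used.
        print_header($strforgotten, $strforgotten, $navigation);
        print_error('secretalreadyused');

    } else if (!empty($user) and $user->secret === stripslashes($p_secret)) {
        // make sure that url relates to a valid user
        // Strict comparison on purpose: both operands are strings, and a loose ==
        // would treat numeric-looking strings as equal across representations.
        // stripslashes() presumes the raw parameter arrives with slashes added —
        // confirm against the request handling in config/setup.

        // check this isn't guest user
        if (isguestuser($user)) {
            error('You cannot reset the guest password');
        }

        // make sure user is allowed to change password
        require_capability('moodle/user:changeownpassword', $systemcontext, $user->id);

        // override email stop and mail new password
        $user->emailstop = 0;
        if (!reset_password_and_mail($user)) {
            error('Error resetting password and mailing you');
        }

        // Clear secret so that it can not be used again
        $user->secret = '';
        if (!set_field('user', 'secret', $user->secret, 'id', $user->id)) {
            error('Error resetting user secret string');
        }

        reset_login_count();

        $changepasswordurl = "{$CFG->httpswwwroot}/login/change_password.php";
        $a = new object();
        $a->email = $user->email;
        $a->link  = $changepasswordurl;

        print_header($strforgotten, $strforgotten, $navigation);
        notice(get_string('emailpasswordsent', '', $a), $changepasswordurl);

    } else {
        if (!empty($user) and strlen($p_secret) === 15) {
            // somebody probably tries to hack in by guessing secret - stop them!
            // A wrong guess of the right length invalidates the outstanding secret,
            // so the genuine link stops working as well and must be re-requested.
            set_field('user', 'secret', '', 'id', $user->id);
        }

        print_header($strforgotten, $strforgotten, $navigation);
        print_error('forgotteninvalidurl');
    }

    die; //never reached
}

$mform = new login_forgot_password_form();

if ($mform->is_cancelled()) {
    redirect($CFG->httpswwwroot.'/login/index.php');

} else if ($data = $mform->get_data()) {
    /// find the user in the database and mail info

    // first try the username
    if (!empty($data->username)) {
        $user = get_complete_user_data('username', $data->username);
    } else {
        $user = get_complete_user_data('email', $data->email);
    }

    if ($user and !empty($user->confirmed)) {

        $userauth = get_auth_plugin($user->auth);
        if (has_capability('moodle/user:changeownpassword', $systemcontext, $user->id)) {
            // send email (make sure mail block is off)
            $user->emailstop = 0;
        }

        // The capability is checked a second time here; only users whose auth
        // plugin can reset the password get a secret and a confirmation link,
        // everyone else is sent the change-password information instead.
        if ($userauth->can_reset_password() and is_enabled_auth($user->auth)
          and has_capability('moodle/user:changeownpassword', $systemcontext, $user->id)) {
            // send reset password confirmation

            // set 'secret' string
            $user->secret = random_string(15);
            if (!set_field('user', 'secret', $user->secret, 'id', $user->id)) {
                error('error setting user secret string');
            }

            if (!send_password_change_confirmation_email($user)) {
                error('error sending password change confirmation email');
            }

        } else {
            if (!send_password_change_info($user)) {
                error('error sending password change confirmation email');
            }
        }
    }

    print_header($strforgotten, $strforgotten, $navigation);

    // The same confirmation page is shown whether or not a matching user was
    // found, so the response does not reveal which accounts exist.
    if (empty($user->email) or !empty($CFG->protectusernames)) {
        // Print general confirmation message
        notice(get_string('emailpasswordconfirmmaybesent'), $CFG->wwwroot.'/index.php');

    } else {
        // Confirm email sent
        $protectedemail = preg_replace('/([^@]*)@(.*)/', '******@$2', $user->email); // obfuscate the email address to protect privacy
        $stremailpasswordconfirmsent = get_string('emailpasswordconfirmsent', '', $protectedemail);
        notice($stremailpasswordconfirmsent, $CFG->wwwroot.'/index.php');
    }

    die; // never reached
}

/// DISPLAY FORM
print_header($strforgotten, $strforgotten, $navigation, 'id_email');

print_box(get_string('passwordforgotteninstructions'), 'generalbox boxwidthnormal boxaligncenter');
$mform->display();

print_footer();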