Moodle
2.2.1
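<?php

// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.

/**
 * Forgotten-password page.
 *
 * Two entry paths are handled here:
 *  1/ a request carrying 'p' (secret) and 's' (username) from a mailed link:
 *     the secret is checked against user.secret, the password is reset and
 *     mailed, and the secret is cleared;
 *  2/ a submitted form (username or email): a fresh secret is stored and a
 *     confirmation mail is sent, or an information mail when the account
 *     cannot reset its own password.
 *
 * Security notes for maintainers:
 *  - The secret is the only thing protecting the reset link. No issue time is
 *    stored or checked in this script, so a secret stays usable until it is
 *    consumed, cleared by a wrong guess, or overwritten by a new request.
 *  - The unpredictability of the link rests on random_string().
 *    NOTE(review): confirm it draws from a cryptographically secure source.
 */

require('../config.php');
require_once('forgot_password_form.php');

// PARAM_RAW applies no cleaning. Both values are only compared or passed as
// bound query conditions below and are never echoed back to the browser.
$p_secret   = optional_param('p', false, PARAM_RAW);
$p_username = optional_param('s', false, PARAM_RAW);

//HTTPS is required in this page when $CFG->loginhttps enabled
$PAGE->https_required();

$PAGE->set_url('/login/forgot_password.php');
$systemcontext = get_context_instance(CONTEXT_SYSTEM);
$PAGE->set_context($systemcontext);

// setup text strings
$strforgotten = get_string('passwordforgotten');
$strlogin     = get_string('login');

$PAGE->navbar->add($strlogin, get_login_url());
$PAGE->navbar->add($strforgotten);
$PAGE->set_title($strforgotten);
$PAGE->set_heading($COURSE->fullname);

// if alternatepasswordurl is defined, then we'll just head there
if (!empty($CFG->forgottenpasswordurl)) {
    redirect($CFG->forgottenpasswordurl);
}

// if you are logged in then you shouldn't be here!
if (isloggedin() and !isguestuser()) {
    redirect($CFG->wwwroot.'/index.php', get_string('loginalready'), 5);
}

if ($p_secret !== false) {
    // Path 1: the user followed the link from the confirmation mail.

    // NOTE(review): appears to count this attempt for login throttling - confirm in the library.
    update_login_count();

    $user = $DB->get_record('user', array('username'=>$p_username, 'mnethostid'=>$CFG->mnet_localhost_id, 'deleted'=>0, 'suspended'=>0));

    if ($user and ($user->auth === 'nologin' or !is_enabled_auth($user->auth))) {
        // bad luck - user is not able to login, do not let them reset password
        $user = false;
    }

    // Compare the submitted secret strictly. The loose '==' operator compares
    // numeric-looking strings by value, so two different strings could be
    // treated as equal; a non-string parameter must never match either.
    // hash_equals() is used when the running PHP provides it so that the
    // comparison time does not depend on how many leading characters match.
    $secretmatches = false;
    if (!empty($user) and is_string($p_secret) and $user->secret !== '') {
        $storedsecret = (string)$user->secret;
        if (function_exists('hash_equals')) {
            $secretmatches = hash_equals($storedsecret, $p_secret);
        } else {
            $secretmatches = ($storedsecret === $p_secret);
        }
    }

    if (!empty($user) and $user->secret === '') {
        // No pending reset for this account: link already used or invalidated.
        // Note that this message differs from the invalid-URL one below, so it
        // tells the requester that the username exists.
        echo $OUTPUT->header();
        print_error('secretalreadyused');

    } else if ($secretmatches) {
        // make sure that url relates to a valid user

        // check this isn't guest user
        if (isguestuser($user)) {
            print_error('cannotresetguestpwd');
        }

        // make sure user is allowed to change password
        require_capability('moodle/user:changeownpassword', $systemcontext, $user->id);

        if (!reset_password_and_mail($user)) {
            print_error('cannotresetmail');
        }

        // Clear secret so that it can not be used again
        $user->secret = '';
        $DB->set_field('user', 'secret', $user->secret, array('id'=>$user->id));

        reset_login_count();

        $changepasswordurl = "{$CFG->httpswwwroot}/login/change_password.php";
        $a = new stdClass();
        $a->email = $user->email;
        $a->link  = $changepasswordurl;

        echo $OUTPUT->header();
        notice(get_string('emailpasswordsent', '', $a), $changepasswordurl);

    } else {
        if (!empty($user) and is_string($p_secret) and strlen($p_secret) === 15) {
            // somebody probably tries to hack in by guessing secret - stop them!
            // Clearing the secret allows a single guess per issued link. The
            // trade-off is that a wrong value submitted for a known username
            // also cancels that user's pending link, and they must request a
            // new one.
            $DB->set_field('user', 'secret', '', array('id'=>$user->id));
        }
        echo $OUTPUT->header();
        print_error('forgotteninvalidurl');
    }

    die; //never reached
}

$mform = new login_forgot_password_form();

if ($mform->is_cancelled()) {
    redirect(get_login_url());

} else if ($data = $mform->get_data()) {
    // Path 2: the form was submitted with a username or an email address.

    // first try the username
    if (!empty($data->username)) {
        $username = textlib_get_instance()->strtolower($data->username); // mimic the login page process, if they forget username they need to use email for reset
        $user = $DB->get_record('user', array('username'=>$username, 'mnethostid'=>$CFG->mnet_localhost_id, 'deleted'=>0, 'suspended'=>0));

    } else {
        // this is tricky because
        // 1/ the email is not guaranteed to be unique - TODO: send email with all usernames to select the correct account for pw reset
        // 2/ mailbox may be case sensitive, the email domain is case insensitive - let's pretend it is all case-insensitive

        // The address is escaped for LIKE and bound as a parameter, so it
        // cannot act as a wildcard pattern or alter the query text.
        $select = $DB->sql_like('email', ':email', false, true, false, '|').
                " AND mnethostid = :mnethostid AND deleted=0 AND suspended=0";
        $params = array('email'=>$DB->sql_like_escape($data->email, '|'), 'mnethostid'=>$CFG->mnet_localhost_id);
        $user = $DB->get_record_select('user', $select, $params, '*', IGNORE_MULTIPLE);
    }

    if ($user and !empty($user->confirmed)) {

        $userauth = get_auth_plugin($user->auth);

        if ($userauth->can_reset_password() and is_enabled_auth($user->auth)
          and has_capability('moodle/user:changeownpassword', $systemcontext, $user->id)) {
            // send reset password confirmation

            // set 'secret' string
            // Any previously issued link for this account stops working here,
            // because the stored secret is overwritten.
            $user->secret = random_string(15);
            $DB->set_field('user', 'secret', $user->secret, array('id'=>$user->id));

            if (!send_password_change_confirmation_email($user)) {
                print_error('cannotmailconfirm');
            }

        } else {
            if (!send_password_change_info($user)) {
                print_error('cannotmailconfirm');
            }
        }
    }

    echo $OUTPUT->header();

    // With $CFG->protectusernames enabled the same generic message is shown
    // whether or not an account matched. With it disabled, the branch below
    // shows a partly masked address, which confirms that the account exists
    // and reveals its mail domain.
    if (empty($user->email) or !empty($CFG->protectusernames)) {
        // Print general confirmation message
        notice(get_string('emailpasswordconfirmmaybesent'), $CFG->wwwroot.'/index.php');

    } else {
        // Confirm email sent
        $protectedemail = preg_replace('/([^@]*)@(.*)/', '******@$2', $user->email); // obfuscate the email address to protect privacy
        $stremailpasswordconfirmsent = get_string('emailpasswordconfirmsent', '', $protectedemail);
        notice($stremailpasswordconfirmsent, $CFG->wwwroot.'/index.php');
    }

    die; // never reached
}

// make sure we really are on the https page when https login required
$PAGE->verify_https_required();

// No secret and no submitted data: show the instructions and the empty form.
echo $OUTPUT->header();
echo $OUTPUT->box(get_string('passwordforgotteninstructions2'), 'generalbox boxwidthnormal boxaligncenter');
$mform->display();

echo $OUTPUT->footer();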