// Excerpt of UserCake's change-of-password page. Only selected lines of the
// original file are shown: the left-hand numbers are the original file's line
// numbers, and the lines between them (braces, if/else conditions) are not part
// of this listing. Flow: gate the page, read the form fields, verify the current
// username/password, validate the new password, store it, log non-admin users
// out, then render the form and the result messages.
3 UserCake Version: 2.0.2
\r
// Shared bootstrap (presumably DB connection, helpers and the loggedInUser
// class — not visible from this excerpt).
7 require_once("models/config.php");
\r
// Page-access gate: securePage() decides whether this page may be served; the
// request is aborted outright when it returns false.
8 if (!securePage($_SERVER['PHP_SELF'])){die();}
\r
// Form input. The $_POST keys are read without an isset() guard, so a request
// that omits a field raises an undefined-index notice before trim() runs.
// sanitize() is a project helper; what it strips is not visible here.
14 $username = sanitize(trim($_POST["username"]));
\r
15 $password = trim($_POST["password"]);
\r
16 $password_new = trim($_POST["password_new"]);
\r
17 $password_confirm = trim($_POST["password_confirm"]);
\r
19 //Perform some validation
\r
20 //Feel free to edit / change as required
\r
// Empty-username / empty-password checks (the conditions themselves are among
// the omitted lines); each failure appends a translated message to $errors.
23 $errors[] = lang("ACCOUNT_SPECIFY_USERNAME");
\r
27 $errors[] = lang("ACCOUNT_SPECIFY_PASSWORD");
\r
// Credential verification runs only when the basic field checks passed.
30 if(count($errors) == 0)
\r
32 //A security note here, never tell the user which credential was incorrect
\r
33 if(!usernameExists($username))
\r
35 $errors[] = lang("ACCOUNT_USER_OR_PASS_INVALID");
\r
39 $userdetails = fetchUserDetails($username);
\r
40 //See if the user's account is activated
\r
// NOTE(review): this check runs before the password is verified (line 52), so
// the distinct ACCOUNT_INACTIVE message confirms that an inactive account
// exists to anyone who knows only the username — which undercuts the note on
// line 32. Verifying the password first, or returning the generic message here
// as well, would close that gap.
41 if($userdetails["active"]==0)
\r
43 $errors[] = lang("ACCOUNT_INACTIVE");
\r
47 //Hash the password and use the salt from the database to compare the password.
\r
// generateHash() is a project helper; from its use here it appears to take the
// salt from the stored hash passed as the second argument — confirm.
48 $entered_pass = generateHash($password,$userdetails["password"]);
\r
// Leftover debug statement that would print the stored hash if re-enabled;
// safe to delete.
50 //echo "".$userdetails["password"]; //Wut is dis
\r
// NOTE(review): `!=` is PHP's loose comparison (numeric-looking strings are
// compared as numbers) and is not timing-safe. hash_equals() (PHP >= 5.6) is
// the strict, constant-time alternative for comparing hashes:
//   if(!hash_equals($userdetails["password"], $entered_pass))
52 if($entered_pass != $userdetails["password"])
\r
54 //Again, we know the password is at fault here, but let's not give away the combination in case of someone bruteforcing
\r
55 $errors[] = lang("ACCOUNT_USER_OR_PASS_INVALID");
\r
59 //Passwords match! we're good to go
\r
61 //Construct a new logged in user object
\r
62 //Transfer some db data to the session object
\r
// The stored password hash is copied onto the object as hash_pw; it is read
// again on lines 92-94 for the "same password" check.
63 $loggedInUser = new loggedInUser();
\r
64 $loggedInUser->email = $userdetails["email"];
\r
65 $loggedInUser->user_id = $userdetails["id"];
\r
66 $loggedInUser->hash_pw = $userdetails["password"];
\r
67 $loggedInUser->title = $userdetails["title"];
\r
68 $loggedInUser->displayname = $userdetails["display_name"];
\r
69 $loggedInUser->username = $userdetails["user_name"];
\r
// New-password validation: both fields required, length within 6..50
// (minMaxRange() appears to return true when the length is outside that range
// — confirm), and the two entries must agree. The inputs were already
// trim()ed on lines 16-17, so the trim() calls here are redundant.
71 if(trim($password_new) == "")
\r
73 $errors[] = lang("ACCOUNT_SPECIFY_NEW_PASSWORD");
\r
75 else if(trim($password_confirm) == "")
\r
77 $errors[] = lang("ACCOUNT_SPECIFY_CONFIRM_PASSWORD");
\r
79 else if(minMaxRange(6,50,$password_new))
\r
81 $errors[] = lang("ACCOUNT_NEW_PASSWORD_LENGTH",array(6,50));
\r
83 else if($password_new != $password_confirm)
\r
85 $errors[] = lang("ACCOUNT_PASS_MISMATCH");
\r
88 //End data validation
\r
// Only reached when every check above passed.
89 if(count($errors) == 0)
\r
91 //Also prevent updating if someone attempts to update with the same password
\r
// The new password is hashed with the old hash as salt purely so the two can
// be compared; the real re-hash happens in updatePassword() on line 102.
92 $entered_pass_new = generateHash($password_new,$loggedInUser->hash_pw);
\r
// NOTE(review): same loose `==` comparison as on line 52; hash_equals() applies
// here too, e.g. `if(hash_equals($loggedInUser->hash_pw, $entered_pass_new))`.
94 if($entered_pass_new == $loggedInUser->hash_pw)
\r
96 //Don't update, this fool is trying to update with the same password ¬¬
\r
97 $errors[] = lang("ACCOUNT_PASSWORD_NOTHING_TO_UPDATE");
\r
101 //This function will create the new hash and update the hash_pw property.
\r
102 $loggedInUser->updatePassword($password_new);
\r
103 $successes[] = lang("ACCOUNT_PASSWORD_UPDATED");
\r
// After a change, a logged-in user who lacks permission 2 is logged out (the
// comment on line 114 treats permission 2 as "admin" — confirm against the
// permissions table). Only the current session is affected; whether other
// sessions for the same account are invalidated is not visible here.
112 if (isUserLoggedIn())
\r
114 //If not admin, log them out after pw change
\r
115 if (!$loggedInUser->checkPermission(array(2)))
\r
117 $loggedInUser->userLogOut();
\r
// NOTE(review): the form's action attribute below (line 128) interpolates
// $_SERVER["PHP_SELF"] into HTML unescaped. PHP_SELF can include
// request-supplied path data, so pass it through
// htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, 'UTF-8') before output
// (or leave the action empty to post back to the same URL).
121 require_once("models/header.php");
\r
125 <div id="login-container">
\r
126 <div class="widget">
\r
127 <div class="title centre">Change of password</div>
\r
128 <form id="login-update" class="clear" name="login-update" action="'.$_SERVER["PHP_SELF"].'" method="post">
\r
132 <input name="username" type="text">
\r
138 <input name="password" type="password">
\r
144 <input name="password_new" type="password">
\r
149 Confirm password<br>
\r
150 <input name="password_confirm" type="password">
\r
153 <p style="float:left; margin:0;">
\r
154 <a href="forgot-password.php">Forgotten password?</a>
\r
156 <p style="float:right; margin:0;">
\r
157 <input type="submit" value="Update">
\r
// Renders the accumulated $errors / $successes messages beneath the form.
161 echo resultBlock($errors,$successes);
\r