Index: user.module =================================================================== RCS file: /cvs/drupal/drupal/modules/user.module,v retrieving revision 1.453 diff -u -r1.453 user.module --- user.module 31 Mar 2005 09:25:33 -0000 1.453 +++ user.module 31 Mar 2005 16:39:38 -0000 @@ -636,6 +636,8 @@ 'callback' => 'user_page', 'access' => $user->uid == 0 && variable_get('user_register', 1), 'type' => MENU_LOCAL_TASK); $items[] = array('path' => 'user/password', 'title' => t('request new password'), 'callback' => 'user_pass', 'access' => $user->uid == 0, 'type' => MENU_LOCAL_TASK); + $items[] = array('path' => 'user/reset', 'title' => t('reset password'), + 'callback' => 'user_pass_reset', 'access' => $user->uid == 0, 'type' => MENU_CALLBACK); $items[] = array('path' => 'user/help', 'title' => t('help'), 'callback' => 'user_help_page', 'type' => MENU_CALLBACK); @@ -911,31 +913,27 @@ } if ($account) { $from = variable_get('site_mail', ini_get('sendmail_from')); - $pass = user_password(); - // Save new password: - user_save($account, array('pass' => $pass)); - - // Mail new password: - $variables = array('%username' => $account->name, '%site' => variable_get('site_name', 'drupal'), '%password' => $pass, '%uri' => $base_url, '%uri_brief' => substr($base_url, strlen('http://')), '%mailto' => $account->mail, '%date' => format_date(time()), '%login_uri' => url('user', NULL, NULL, TRUE), '%edit_uri' => url('user/'. $account->uid .'/edit', NULL, NULL, TRUE)); + // Mail one time login URL and instructions + $variables = array('%username' => $account->name, '%site' => variable_get('site_name', 'drupal'), '%login_url' => user_pass_reset_url($account), '%login_expires' =>_user_pass_reset_timeout(variable_get('user_pass_reset_timeout', 86400)), '%uri' => $base_url, '%uri_brief' => substr($base_url, strlen('http://')), '%mailto' => $account->mail, '%date' => format_date(time()), '%login_uri' => url('user', NULL, NULL, TRUE), '%edit_uri' => url('user/'. $account->uid .'/edit', NULL, NULL, TRUE)); $subject = _user_mail_text('pass_subject', $variables); $body = _user_mail_text('pass_body', $variables); $headers = "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from"; $mail_success = user_mail($account->mail, $subject, $body, $headers); if ($mail_success) { - watchdog('user', t('Password mailed to %name at %email.', array('%name' => theme('placeholder', $account->mail)))); - drupal_set_message(t('Your password and further instructions have been sent to your e-mail address.')); + watchdog('user', t('Password reset instructions mailed to %name at %email.', array('%name' => ''. $account->name .'', '%email' => ''. $account->mail .''))); + drupal_set_message(t('Further instructions have been sent to your e-mail address.')); } else { - watchdog('user', t('Error mailing password to %name at %email.', array('%name' => theme('placeholder', $account->name), '%email' => theme('placeholder', $account->mail))), WATCHDOG_ERROR); + watchdog('user', t('Error mailing password reset instructions to %name at %email.', array('%name' => ''. $account->name .'', '%email' => ''. $account->mail .'')), WATCHDOG_ERROR); drupal_set_message(t('Unable to send mail. Please contact the site admin.')); } drupal_goto('user'); } else { if ($edit) { - drupal_set_message(t('You must provider either a username or e-mail address.'), 'error'); + drupal_set_message(t('You must provide either a username or e-mail address.'), 'error'); } // Display form: $output = '

'. t('Enter your username or your e-mail address.') .'

'; @@ -946,6 +944,46 @@ } } +function user_pass_reset($uid, $timestamp, $hashed_pass) { + global $user; + $current = time(); + // Some redundant checks for extra security ? + if( $timestamp < $current && is_numeric($uid) && $account = user_load(array('uid' => $uid, 'status' => 1)) ) { + // No time out for first time login. + $timeout = ($account->created == $account->changed) ? 0 : variable_get('user_pass_reset_timeout', 86400); + if ($timeout && $current - $timestamp > $timeout) { + drupal_set_message(t('You have tried to use a one time login URL which has expired. Please request a new one using the form below.')); + drupal_goto('user/password'); + } + if($account->uid && !$user->uid && !empty($account) && $timestamp > $account->changed && $timestamp < $current && + $hashed_pass == user_pass_rehash($account->pass, $timestamp, $account->changed)) { + watchdog('user', t('One time login URL used for %name with timestamp %timestamp.', array('%name' => "$account->name", '%timestamp' => $timestamp))); + // Update the user table timestamp noting user has logged in. + // And this also makes this hased password a one-try-only login. + db_query("UPDATE {users} SET changed = '%d' WHERE uid = %d", time(), $account->uid); + // Now we can set the new user. + $user = $account; + // And proceed with normal login, going to user page. + user_module_invoke('login', $edit, $user); + drupal_set_message(t("You have used a one-time login, which won't be valid anymore.")); + drupal_set_message(t('Please change your password.')); + drupal_goto('user/'. $user->uid .'/edit'); + } + } + // Deny access, no more clues. + // Everything will be in the watchdog's URL for the admin to check. + drupal_access_denied(); +} + +function user_pass_reset_url($account){ + $timestamp = time(); + return url("user/reset/$account->uid/$timestamp/".user_pass_rehash($account->pass, $timestamp, $account->changed), NULL, NULL, TRUE); +} + +function user_pass_rehash($password, $timestamp, $last_login){ + return md5($timestamp . $password . $last_login); +} + function user_register($edit = array()) { global $user, $base_url; @@ -966,7 +1004,7 @@ $account = user_save('', array_merge(array('name' => $edit['name'], 'pass' => $pass, 'init' => $edit['mail'], 'mail' => $edit['mail'], 'roles' => array(_user_authenticated_id()), 'status' => (variable_get('user_register', 1) == 1 ? 1 : 0)), $edit)); watchdog('user', t('New user: %name %email.', array('%name' => theme('placeholder', $edit['name']), '%email' => theme('placeholder', '<'. $edit['mail'] .'>'))), WATCHDOG_NOTICE, l(t('edit'), 'user/'. $account->uid .'/edit')); - $variables = array('%username' => $edit['name'], '%site' => variable_get('site_name', 'drupal'), '%password' => $pass, '%uri' => $base_url, '%uri_brief' => substr($base_url, strlen('http://')), '%mailto' => $edit['mail'], '%date' => format_date(time()), '%login_uri' => url('user', NULL, NULL, TRUE), '%edit_uri' => url('user/'. $account->uid .'/edit', NULL, NULL, TRUE)); + $variables = array('%username' => $edit['name'], '%site' => variable_get('site_name', 'drupal'), '%password' => $pass, '%uri' => $base_url, '%uri_brief' => substr($base_url, strlen('http://')), '%mailto' => $edit['mail'], '%date' => format_date(time()), '%login_uri' => url('user', NULL, NULL, TRUE), '%edit_uri' => url('user/'. $account->uid .'/edit', NULL, NULL, TRUE), '%login_url' => user_pass_reset_url($account), '%login_expires' =>_user_pass_reset_timeout(variable_get('user_pass_reset_timeout', 86400))); // The first user may login immediately, and receives a customized welcome e-mail. if ($account->uid == 1) { @@ -1245,19 +1283,27 @@ case 'welcome_subject': return t('Account details for %username at %site', $variables); case 'welcome_body': - return t("%username,\n\nThank you for registering at %site. You may now log in to %login_uri using the following username and password:\n\nusername: %username\npassword: %password\n\nAfter logging in, you may wish to change your password at %edit_uri\n\nYour new %site membership also enables to you to login to other Drupal powered websites (e.g. http://www.drop.org/) without registering. Just use the following Drupal ID and password:\n\nDrupal ID: %username@%uri_brief\npassword: %password\n\n\n-- %site team", $variables); + return t("%username,\n\nThank you for registering at %site. You may now log in to %login_uri using the following username and password:\n\nusername: %username\npassword: %password\n\nAfter logging in, you may wish to change your password at %edit_uri\n\nYou may also login by clicking on this link or copying and pasting it in your browser:\n\n%login_url\n\nThis is a one-time login, so it can be used only once.\n\nAfter logging in, you will be redirected to %edit_uri so you can change your password.\n\nYour new %site membership also enables to you to login to other Drupal powered websites (e.g. http://www.drop.org/) without registering. Just use the following Drupal ID and password:\n\nDrupal ID: %username@%uri_brief\npassword: %password\n\n\n-- %site team", $variables); case 'approval_subject': return t('Account details for %username at %site (pending admin approval)', $variables); case 'approval_body': return t("%username,\n\nThank you for registering at %site. Your application for an account is currently pending approval. Once it has been granted, you may log in to %login_uri using the following username and password:\n\nusername: %username\npassword: %password\n\nAfter logging in, you may wish to change your password at %edit_uri\n\nYour new %site membership also enables to you to login to other Drupal powered websites (e.g. http://www.drop.org/) without registering. Just use the following Drupal ID and password:\n\nDrupal ID: %username@%uri_brief\npassword: %password\n\n\n-- %site team", $variables); case 'pass_subject': - return t('Replacement login information for %username at %site', $variables); + return t('New login information for %username at %site', $variables); case 'pass_body': - return t("%username,\n\nHere is your new password for %site. You may now login to %login_uri using the following username and password:\n\nusername: %username\npassword: %password\n\nAfter logging in, you may wish to change your password at %edit_uri", $variables); + return t("%username,\n\nHere is your new login information for %site. You may now login to %uri_brief clicking on this link or copying and pasting it in your browser:\n\n%login_url\n\nThis is a one-time login, so it can be used only once.%login_expires\n\nAfter logging in, you will be redirected to %edit_uri so you can change your password.", $variables); } } } +function _user_pass_reset_timeout($value = NULL){ + $options = array('3600' => t('1 hour'), '43200' => t('12 hours'), '86400' => t('one day'), '604800' => t('one week') ,'0' => t('Unlimited')); + if ($value) { + return $options[$value] ? t("\n\nThis login link expires after %time.", array('%time' => $options[$value])) : ''; + } else { + return $options; + } +} function user_configure_settings() { // User registration settings. $group = form_radios(t('Public registrations'), 'user_register', variable_get('user_register', 1), array(t('Only site administrators can create new user accounts.'), t('Visitors can create accounts and no administrator approval is required.'), t('Visitors can create accounts but administrator approval is required.'))); @@ -1271,6 +1317,7 @@ $group .= form_textarea(t('Body of welcome e-mail (awaiting admin approval)'), 'user_mail_approval_body', _user_mail_text('approval_body'), 70, 10, t('Customize the body of the awaiting approval welcome e-mail, which is sent to new members upon registering.') .' '. t('Available variables are:') .' %username, %site, %password, %uri, %uri_brief, %mailto, %login_uri, %edit_uri.'); $group .= form_textfield(t('Subject of password recovery e-mail'), 'user_mail_pass_subject', _user_mail_text('pass_subject'), 70, 180, t('Customize the Subject of your forgotten password e-mail.') .' '. t('Available variables are:') .' %username, %site, %password, %uri, %uri_brief, %mailto, %date, %login_uri, %edit_uri.'); $group .= form_textarea(t('Body of password recovery e-mail'), 'user_mail_pass_body', _user_mail_text('pass_body'), 70, 10, t('Customize the body of the forgotten password e-mail.') .' '. t('Available variables are:') .' %username, %site, %password, %uri, %uri_brief, %mailto, %login_uri, %edit_uri.'); + $group .= form_select(t('Time out for password reset e-mail'), 'user_pass_reset_timeout', variable_get('user_pass_reset_timeout', 86400), _user_pass_reset_timeout(), t('How long the link in password reset e-mail will be valid. New accounts have unlimited time for first login, so this will not apply for them.')); $output .= form_group(t('User email settings'), $group); // Picture settings.